Malware Analysis Report

2024-09-09 16:14

Sample ID 240514-gma6nsch9v
Target 3e1d7bcf1d82b84925de1535a83fb825_JaffaCakes118
SHA256 fbc061df4aeb65383fad78890df1c464bd847db236068cda42a9e564ed945c46
Tags irata banker collection discovery evasion execution persistence credential_access impact
Score 10/10

Analysis Overview

Score 10/10

SHA256 fbc061df4aeb65383fad78890df1c464bd847db236068cda42a9e564ed945c46

Threat Level: Known bad

The file 3e1d7bcf1d82b84925de1535a83fb825_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

irata banker collection discovery evasion execution persistence credential_access impact

Irata family

Irata payload

Requests cell location

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Queries information about the current nearby Wi-Fi networks

Checks memory information

Checks CPU information

Queries the mobile country code (MCC)

Acquires the wake lock

Schedules tasks to execute at a specified time

Requests dangerous framework permissions

Reads information about the phone network operator

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-14 05:54

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 05:54

Reported

2024-05-14 05:57

Platform

android-x86-arm-20240506-en

Max time kernel

24s

Max time network

131s

Command Line

ir.pars.ash

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about the phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

ir.pars.ash

Network


Files

/data/data/ir.pars.ash/files/unsent_requests

/data/data/ir.pars.ash/databases/evernote_jobs.db-journal

/data/data/ir.pars.ash/databases/evernote_jobs.db

/data/data/ir.pars.ash/databases/evernote_jobs.db-shm

/data/data/ir.pars.ash/databases/evernote_jobs.db-wal

/data/data/ir.pars.ash/databases/__pushe_base_lib_db-journal

/data/data/ir.pars.ash/databases/__pushe_base_lib_db

/data/data/ir.pars.ash/databases/__pushe_base_lib_db-wal

/data/data/ir.pars.ash/files/sop&ash.db

/data/data/ir.pars.ash/files/sop&ash.db-journal

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 05:54

Reported

2024-05-14 05:57

Platform

android-x64-20240506-en

Max time kernel

51s

Max time network

157s

Command Line

ir.pars.ash

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the mobile country code (MCC)

discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

ir.pars.ash

Network


Files

/data/data/ir.pars.ash/files/unsent_requests

/data/data/ir.pars.ash/databases/evernote_jobs.db-journal

/data/data/ir.pars.ash/databases/evernote_jobs.db

/data/data/ir.pars.ash/databases/__pushe_base_lib_db-journal

/data/data/ir.pars.ash/databases/__pushe_base_lib_db

/data/data/ir.pars.ash/files/sop&ash.db

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-14 05:54

Reported

2024-05-14 05:57

Platform

android-x64-arm64-20240506-en

Max time kernel

42s

Max time network

132s

Command Line

ir.pars.ash

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about the phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

ir.pars.ash

Network


Files

/data/user/0/ir.pars.ash/files/unsent_requests

/data/user/0/ir.pars.ash/databases/evernote_jobs.db-journal

/data/user/0/ir.pars.ash/databases/evernote_jobs.db

/data/user/0/ir.pars.ash/databases/__pushe_base_lib_db-journal

/data/user/0/ir.pars.ash/databases/__pushe_base_lib_db

/data/user/0/ir.pars.ash/files/sop&ash.db