Malware Analysis Report

2024-09-09 16:13

Sample ID 240518-vj8jnadf4v
Target 55d36a9ea95f5264426b1e225c27cd11_JaffaCakes118
SHA256 6c6740ad4344878c8ceb7df2a88edfbafa530cbd3f2c020408dd572e1aa050b3
Tags
collection credential_access discovery evasion execution impact persistence irata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c6740ad4344878c8ceb7df2a88edfbafa530cbd3f2c020408dd572e1aa050b3

Threat Level: Known bad

The file 55d36a9ea95f5264426b1e225c27cd11_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

collection credential_access discovery evasion execution impact persistence irata

Irata payload

Irata family

Requests cell location

Checks CPU information

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Queries the mobile country code (MCC)

Reads information about phone network operator

Checks if the internet connection is available

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-18 17:02

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 17:02

Reported

2024-05-18 17:06

Platform

android-x64-20240514-en

Max time kernel

15s

Max time network

147s

Command Line

ir.pedar.halva

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

ir.pedar.halva

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.213.14:443 - tcp
BE 64.233.184.188:5228 - tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.36:443 www.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.169.36:443 www.google.com tcp
GB 142.250.180.4:443 - tcp
GB 142.250.180.4:443 - tcp
GB 216.58.212.194:443 - tcp
GB 142.250.180.14:443 - tcp

Files

/data/data/ir.pedar.halva/files/unsent_requests

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 357cb2675a53d7ca2ad349b3576f1ba2
SHA1 9bee1c2a8a1791ca7ba347e50f37a47564391e7d
SHA256 dfb7bf8722518b7634b1b3f0964e7797f774da01d0264367da0de4d1980fe0b4
SHA512 9382cffad2cc300ba74e0dab7cea43d25ec40f842d40e3691bfbe81a978ca0b4c2505ebe488b0c8e140c666c404b30c4014daf8d2fc3150ea585f320348a8a3f

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 00e829076f54c72b50b63fd6de296a03
SHA1 fbeb1b8be863931f98a7c29224a03b89f9616ab2
SHA256 c479f839c0bc15e9a9749cb5a5a3eef4e09c0163160073477f72fa78b2e300df
SHA512 1c6b0bfe980050072927f8d407ca86353098d03502f7194f141d43c045a3f35103261811281f023262f4823a4fd70659d6802b76e126e991120dc14cdf74bbcc

/data/data/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 fb18739203516e7d02e3b2683f1a815a
SHA1 c6b3a25f4d8bf4f5b0cec81dbc23c07db7552422
SHA256 b1aedc80ccecebbdb61ed4be6f52619f50f8d447a2a878b56f530e937b7ef7f5
SHA512 7a861064e04697ad178d0531b16851c322fdd9a214f278122c42d4b8a2293066e6a39fb58fb3735cc88e28f8522a846a7382ea60a90a302584abee3f2ce831d2

/data/data/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 504e13dd6b4fe580d7482c81ba06c5da
SHA1 09bc12b8438cd765841136ca0836179a87359f94
SHA256 807246a8c25a84e0cbbf311de9fc9a4c38481476f209699775769baac339a27f
SHA512 527949a6b1134cf325d658d7866cc8021b527ba338f44d259792cb88a316f7e7e7521167337676d853035d10f55750a90b959e4ec1ddb7c9c1cc7857fc97caef

/data/data/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 31417918d5e9cb7b869474138ba1deb0
SHA1 ad83841f32ec8220eaf521875ffb9ea9ffe37087
SHA256 5ed6fd42b235ae1d503274a99414532c6f551da408a67ed0f10ee4238668a089
SHA512 9bd0435dfc16dae1c2cb1f186e60ce3a17f1fbf57240c623ec334bb805ed3d3260d86ca4485bad65d3ac7664717b593fbb0551b468519313790ff0d223ce3c75

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 fe9e69bc66fec6c9997c431c265835fc
SHA1 ba798d6036145c950686a6d188ab9d788c0f38d4
SHA256 c8624e80a207d8fab5a2a0799232b775e103df2904325bc8584e67e3820b2242
SHA512 0486374e2176a9048cfdf720d8a3da59626ad1fc7c0dd630a40faa2b16765d16199e05f4e3f3be954f56e5a6418814d246acc73dc5120a03334cab78078d700a

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 e6dc92afd54799a018ee268d2a560402
SHA1 17e26146d42eda2a94a03e34f03d962a5e0cab49
SHA256 409181e86431fa89245a530620c5629978482ede3618ab31970e6a5d7cae8007
SHA512 a81555eb6bdfa842b4594a7673981b707a732745e3d4b97be2b69cb35da356e61c8611f4f1b46e0e813e8a3b63595cb2a57880f27106f7dc987482c2dcfe7ba0

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db

MD5 b4bb44bfcf3cc53a508e547c6dcf0c7a
SHA1 dfc5c937c21dc4606256576e6b3a2a7fb00a6383
SHA256 1c076c07027aa451b6727e0e007ae35bef7c69962ec1774b5838cf3657cb9e0c
SHA512 aa7ba1a2a07b83ab9b0ba5635c5c722ec7fe21f2432ab3e710b707e05bd4bb3547b6edcee8095de395e71eb10471d2fa4f81fe3cbdd5568dcc5af92a8af2e016

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 89f65293b07e95d949ee8de8a940e1b8
SHA1 ba62f258f78c01a3df0ad910356c7d68bbeacea1
SHA256 a097be13d727c2331788eb6d202a5b3824788cfca8b2d1ca0cb7b118df7f7152
SHA512 9854dd74b14c1b3f6e9197a99ef200050ebee8bd727ed49a8c144db6ccfe1d2c27b05e2aa9eef2ac1316096fc1d7a35f2de7cef8b56c7556460ad2407f5b13b6

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 6b3d43ba733c62c88a0c1fd366e06e28
SHA1 d071e7bfbaf1b9d6eaaa8d54d463c984b730086b
SHA256 e3e4d117baa40f5b695cbd717415ce13990f82acf78a31642a3dc0dd8a0e07c1
SHA512 ba85b61636093e1b7609f5fb21b1a20b156bbd031096cb1169842db996976901ec253400cfcb65558fb7d419790d2fde2ac0f70dd45e2eb3890e88c312155fd6

/data/data/ir.pedar.halva/files/halva.db

MD5 ccc0c1eab906f7cc08a6d6b35edabe47
SHA1 9e77c691259d22faa2409b8360eb440479b949f6
SHA256 244c44cbfa632b986e7d9c25eec6013a3e8e29cc32176e478482d7a631863d12
SHA512 e50757582aa3cdb1ee511450bfe576b3c8163d633d99bca7f42f1e33f5bba992c7edd3aa84fbe5aee1488b305c95e214b1a240b68637621e8d479efb47382002

/data/data/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 35b448ce33799813b3e7eaff94bcab64
SHA1 f97df02d16811e63ed4cc7ef5fe48b7f66656105
SHA256 099cb61d59c301949c75ba186ecc6660b91b9730e571875cd06e7bb2aa58e767
SHA512 58dfec702f4b2ea3dc3bedaa9ebb3b14f0aeb2072b63d416d64a89ef23fa08b4e433ccb8bdb840e937aff59c46ef93c409a66cec7e991c2f0e3901892cce8e01

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 04110d00727ecc9a3bec65c11bd46905
SHA1 f8a82d39e2ae3e185fc7967fafc614e395ccbae9
SHA256 e8659805c05615390a80b4c7d77abba63601f0d1b61f192e3c00ec41e2567a8f
SHA512 f627d72e195cfba792109aa83d471659baa536bd7361b7a13bda17005df270d6681c0f41915fa288734629238709649a06071128d406baf9245556290aef1cc9

/data/data/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 3521f61838363810574eb38bbc311b54
SHA1 55c1e478613b687cb3a2a7c332db8ca2c1c5f7f0
SHA256 302c138d3c60848d31814b986415f6d036c16d510bce3d6cd99a0f5be8c77a7d
SHA512 fd808907d4050450bf87c392ceac3241fbaa6e19a129624c026c2e70430676b0fb916e0c7560d20408c0ba7073087cce42c7a31adb3dd91c998548477f77e5fe

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 f593bc8de46596e175626869a4635020
SHA1 c305dddaae921e2b987ea50bfbb882b222a3a04a
SHA256 01f91c9e0520e852e875cc584208d3cb138f6d8f05f680bf0cbd4b5b2eb5e2b0
SHA512 9ba40d8f31d24802e6b031b411aba08bff2cdb00a759f870487100985b3a647b3aa53c6dec53025e9096c9593f6f5317a6bff5aa8f9a24a99e296f90d8b5f59d

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 e3db58711bbfd0d720d4b345f08dd8e9
SHA1 c848910f4dbd8210457b13353f6ee3b40b8db987
SHA256 1f727efab2dde946eb33395dc6a5a0829937bd61d1759271c66e64fd968b0d24
SHA512 325efab5eba7bd8a388e699294d50d2f76fe242d39835e6341c5dcbb351b95341b77915efd6fef8ac6862b1a2722727d63b2f9f6d9c93b3dadacb0d08cf69cec

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 15196aec581871cfdc31c84b57fa8e6f
SHA1 74ad674665dd0b0694bea4b59f6096b0bd094f38
SHA256 729685fd0a12c4686d8b18cec6fe0dda07036dcdbf0a7cc5789a8f4e085a489e
SHA512 0703fd51f98581134497aec8de2e54a30625c0732053f5ffa3120bbafbc3b82bf4441a369b36b2a80aeadb3088019b8169f5192e07a23124f0f224f6f2b1e619

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 edfee7357000466827290f3b9466eb53
SHA1 74c77e5e9ee1074826ed6256272239cb79e867ab
SHA256 5ee882a45b211245721eafe48e6a5fa0a47c03ce85217bb48c5f7a2848049b30
SHA512 31602da5afdd7a0e6f762201c90a9a901822fbf0bbb601f390d69c7cabe4119d1e53d6145592d2e46fa2e611eda4c2c8f588840dd6f213d0377fbcb4b36adbc8

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 ca31ba18af2c81cbcdabc33dbfbc2f50
SHA1 d9d59347798e732e104abb82f04938b844a2a1a2
SHA256 aeecb64baf2bcc69b7ccf1c95da6ada79f6065b05a5d2f125ebf75d5d3bc7e85
SHA512 3bacdd30634d8ec3190515b77550a63d79daa9d7669e6acedd3524208e1a570229820f3e72cce2b14dabfdb6115c45586183a7e7cacaabce4362df9604ec3fcd

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 17:02

Reported

2024-05-18 17:06

Platform

android-x64-arm64-20240514-en

Max time kernel

20s

Max time network

131s

Command Line

ir.pedar.halva

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

ir.pedar.halva

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 216.58.201.106:443 - tcp
GB 216.58.201.106:443 - tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.178.14:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
US 1.1.1.1:53 ca.pushe.co udp
GB 142.250.178.4:443 - tcp
GB 142.250.178.4:443 - tcp

Files

/data/user/0/ir.pedar.halva/files/unsent_requests

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 5a64eafdc329628f4ab491c755b9c38a
SHA1 63a67ba0bfaec00d0ae6f8b51a78620a6088dc63
SHA256 fde35c0320ae5bda792bc686f8cb12d822af3ccf62b47093cac1e0d0bd36e1e1
SHA512 f0eb3cf1c652ea0d1c5c7741d2874d8d92c96e2076613f308722152f4cb4698963d21b6dd61990da1d41f775d542f4a89744928afffab79f948b015d2ec3aeff

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

MD5 47080e3bfcf2db9b8620f2faf6c5857a
SHA1 6f63c1851255e0fa99567f047382074b086d38bc
SHA256 dc4f8a73f49d2a6b41ff425fd08b85c1eba5280c438a1a1ff9832e91dfa56cbb
SHA512 e757043d82798926a5ddd716457accf6616894ad1ad79ec832293a1f662910b663239f899bf05a5c8d90fed5bcb093c5529e5bc842fe9003c1d5902f9ed84473

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 4ff764d61f792bfe330a76056495e49f
SHA1 ee7c81db2a447c5d589e4c65bfa86118a5b34885
SHA256 a6fb9eb0157b75244389ec3f0b8ea92bc7eb90bec39dc5e914df3ed7eb44b6ed
SHA512 ff7019aa3b0298ccea45e0101a818154423628bce2c925d1fab9df189a35c59a0a8926faa91ad54f77e87cce796229531cd6d8a3201a2254e1280d2115b34afb

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 6863d330b0c9f2e7db48c1e9f8bccb83
SHA1 a0c26eee4aa6516b402a6268701793b94a5c418d
SHA256 be82b155047515963907cd0703fc3b57ee54f20d7dbdb11ecf42a96f5537b3b1
SHA512 a183bfde252de2a34163bf920640f3c889d3aeeda3965f164bd27559b8b528af5579b19757dec6328b4e558d6be0d0fed8b01af02e8d90bf8ec8681819934d81

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 e01d269d3b034886cf349ea3d3d6d294
SHA1 3961c25c22074024d2223985674f95ceb612676c
SHA256 138c9c2be82cfe973449b273dcb4653c78fc48ecf9fdf580961d880e35ac46fd
SHA512 9b7adce328d7593465e4956a2c8cbe03dc7a08f63cb6b9d54bc83d7aaf513bcbf38bdc7e85c0cdef328f0a64c1bbd53610590896d8075512b321dac21e0566d8

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

MD5 0384d4a460bc74bababae0ae172a458d
SHA1 5324311c62ac834ca2683c753bfc494e0e8a674e
SHA256 ce6712e1685a6ce66196104cc3a87254c0c0e7610890a4778b9838bde0bea73e
SHA512 71a4e7d58cbec3cf927b0e7d3124328d3923463ade788ef60300e3a3e652c0786f60eae88c577576ec444db3732ba245516288f56a6971958f147fe4c683145d

/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 e669e087092255289dc98a519884962b
SHA1 4b9c36ee0e4dc354cdb75a6216d887936198e908
SHA256 00be7e4f93cfaa6b919b7f502a1decd5186404519a0d8a12a6fae60e76aa35f1
SHA512 dd8dda9d5e795bb4c2ebc77913a2823e6554163ed8a20461fb9e13a9a2df72f87c5916b43eb6f6ea4266219f957df89e833c367c390b38c3f1d2a028e6b7eeeb

/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db

MD5 d66c85906e4bf9c94e062b9e56d3c7de
SHA1 eec36812635c568175a379f982b10c38d6a43a02
SHA256 abfb5dc5723ba72416179a8747184f4ecac372abceaf927e15adea6299dc7453
SHA512 71ed55d477e1e9d2902fd025024d5b9078b5872730220960bfcb7ee627339e6caf0c7228a85a4d7cb871b590bcd9da955d65411428df7680cd7e4cd4f33f63eb

/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 31e025fa66b0eb34ffb297465ab416f2
SHA1 3cabd133a36bd329c302a1790a56d9f10349b76e
SHA256 dcf91885f909d8b784c159173f4209648164c1b83bd3729d059de215a05569b1
SHA512 36d2c54c43533bf8dc0ac8a1c7535ac87fa810e0d0e8f76f12c078ca12f772b26dcdd163a4b716db0b80fa6519a9f24effc8215ef0e6a9348b8954f0e4878b2c

/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 c4efe8c6e7a88c8704953b81504d1e9e
SHA1 ef6381dcf587123839fbb5f48ab5fa835c78ecaf
SHA256 950e4342e37a84240f4c34a10dff9b3bfcfc7f19779c2db73740d2fabb2a458a
SHA512 94de339657ad9d266fb2d1671aea33403ac9578b8518207207aeee2301309442451d5f42782d29be4aae57e9211310cd5b0c023acb6b948b8376a42634df6a08

/data/user/0/ir.pedar.halva/files/halva.db

MD5 ccc0c1eab906f7cc08a6d6b35edabe47
SHA1 9e77c691259d22faa2409b8360eb440479b949f6
SHA256 244c44cbfa632b986e7d9c25eec6013a3e8e29cc32176e478482d7a631863d12
SHA512 e50757582aa3cdb1ee511450bfe576b3c8163d633d99bca7f42f1e33f5bba992c7edd3aa84fbe5aee1488b305c95e214b1a240b68637621e8d479efb47382002

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 1f2039b0f6553f6fc280191b5045caeb
SHA1 3b74f46cfcfbe0deb4c8e103a7313e60b3ba1ec0
SHA256 47b177f45ee7e86b58bf0078ff8a8ce074f8ac9e8da0fe541919130e87cf56b5
SHA512 47a41a7658cc0f84272b11b37a09aa51b76cb3c404fcc5bca687fa5f284ccd41e655d6fab5325e0eaab72ea99a8a1668430870d1d570a3822edb2069a5e9ceeb

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

MD5 163242409c9a9bfd7a7819760482390e
SHA1 c01212a0c889b133b569946b6f0a28f9a9644b32
SHA256 956585dd6a34a1cdbbb40051ec575716e95dfa00e0d7c82846513dee44a530a7
SHA512 6507f815af0809352b7fc3e50636cf51edd5a2058ca149fa983f22f7059fa74cd0b148f2728d0a0b847f98426db215d63e844d68bd315c0cccdf27c3672e9bee

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 ff2bbc5869418a31a1b6dc2e9e413e6d
SHA1 5593541f9af73d25d5cd602f8aba05c931e5ac6b
SHA256 810a3544a3790f25aa67c4e782b7019d81254a55647e4029ff0c274a70aed19e
SHA512 49b6621904645a1cd7b9dc43946f90a2472d057f09db558b63510361d35b1fcb13d3fe4801126076d6964496da0dd1aa315865eb69f78a14880fae041bfabd1a

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

MD5 1048560c88f79667200751af8e8d37e5
SHA1 82a7bb54fc86d1299c8c9f55ae4016eb5aaa61ea
SHA256 30d233754ea36df55194bf7eb701174add939d9a6948ba0ba837db70d49dc940
SHA512 ca66d5c4fcf4e021deb942e55ad2a09f8ffa7517a2c6b92e1e7d43a71666e8c612c2bb8e7d3e035a945544456b7afee39c835feda6974722728678f838e3c44b

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

MD5 93d015fa3816a76d9a6bd1c95424bdb6
SHA1 266614ef3bc472127d5738a67671ae58579a0e49
SHA256 e945ed165bb442c83d18abb160daadefcab33d95a8c0d6f1cba4731008ba65a6
SHA512 d649171fc3cd119f97604145508a2d7977f2e6c57af7db40ad87d8d25624a8341759ff4ef8e869c91e1e3ba9497a779bc222fef0646761acd46752732ef9ff5f

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

MD5 899ed45e88ee81372c73460e5dffbc7e
SHA1 d6287e42e9e66dc6264991ebb0ab3d33c9aaea65
SHA256 92e04c2ac0aa982af4302c3c6eabb0fe4cdedc9bdedc9997b9931f46d81987a8
SHA512 d8d6d9864bb74f56b21d96ad4675710e88b60f84253d23d7d647d3fbf7ba5c3fdd831c37766d75c610fd3bb508b4373104c5b08964c68f1eaa22737073fca7ff

/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 64188ed55fc08b1aa2572cc4b78885c6
SHA1 c4d677bdf664583b7066d2324a6731cef2fb69ce
SHA256 7833a435f854cb635bf63671ee821e690ea97fb32189ced844b94b0318223cbe
SHA512 e8c6a426097eb575a2b143068007c12feea2a3bcc308f1f4d87f3e537f164d7c7c95c73955b24544abcec46c7e84e283f9d96f2cbdcd47c2e34bb8a804739750

/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 bb51674a10882990bab6527bc15211b6
SHA1 43071fb96ea4ae9f1729b341efb16044ae76346d
SHA256 06838e442fd4383664743e5820691a8c0735809b759057c5a0dda8101f39ab28
SHA512 dfb27a0ea5c7a357f94001f95b901c4ef352bcc261d8a790ceb8dd15abe022340390cef44b405ba0aa334357a2aa18bc5ef22f351d188541cb653d95893df345

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 17:02

Reported

2024-05-18 17:07

Platform

android-x86-arm-20240514-en

Max time kernel

21s

Max time network

130s

Command Line

ir.pedar.halva

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
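The three behavioral runs above do not agree on which signatures fired: the clipboard listener (IClipboard.addPrimaryClipChangedListener) is absent from the android-x86-arm run, and the MCC query and runtime broadcast receiver are absent from the android-x64-arm64 run. Reading the union as ground truth hides that. The following added example (my own code, not part of the report or the sandbox) transcribes the signature names and indicator strings from the three runs on this page and computes the per-run differences and the set of system-service Binder interfaces the indicators name. The short run labels are my own; an indicator of None marks a signature the report lists without one.

```python
"""Cross-run comparison of the signature hits listed in this report."""
from collections import defaultdict

# Constructed input, transcribed from the report: signature -> indicator
# per behavioral run. None = listed by the report without an indicator.
RUN_SIGNATURES = {
    "behavioral2/x64": {
        "Requests cell location": "com.android.internal.telephony.ITelephony.getCellLocation",
        "Checks CPU information": "/proc/cpuinfo",
        "Checks memory information": "/proc/meminfo",
        "Obtains sensitive information copied to the device clipboard":
            "android.content.IClipboard.addPrimaryClipChangedListener",
        "Queries the mobile country code (MCC)":
            "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone",
        "Registers a broadcast receiver at runtime":
            "android.app.IActivityManager.registerReceiver",
        "Acquires the wake lock": "android.os.IPowerManager.acquireWakeLock",
        "Checks if the internet connection is available":
            "android.net.IConnectivityManager.getActiveNetworkInfo",
        "Schedules tasks to execute at a specified time":
            "android.app.job.IJobScheduler.schedule",
    },
    "behavioral3/x64-arm64": {
        "Requests cell location": "com.android.internal.telephony.ITelephony.getCellLocation",
        "Checks CPU information": "/proc/cpuinfo",
        "Checks memory information": "/proc/meminfo",
        "Obtains sensitive information copied to the device clipboard":
            "android.content.IClipboard.addPrimaryClipChangedListener",
        "Acquires the wake lock": "android.os.IPowerManager.acquireWakeLock",
        "Checks if the internet connection is available":
            "android.net.IConnectivityManager.getActiveNetworkInfo",
        "Reads information about phone network operator": None,
        "Schedules tasks to execute at a specified time":
            "android.app.job.IJobScheduler.schedule",
    },
    "behavioral1/x86-arm": {
        "Requests cell location": "com.android.internal.telephony.ITelephony.getCellLocation",
        "Checks CPU information": "/proc/cpuinfo",
        "Checks memory information": "/proc/meminfo",
        "Queries the mobile country code (MCC)":
            "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone",
        "Registers a broadcast receiver at runtime":
            "android.app.IActivityManager.registerReceiver",
        "Acquires the wake lock": "android.os.IPowerManager.acquireWakeLock",
        "Checks if the internet connection is available":
            "android.net.IConnectivityManager.getActiveNetworkInfo",
        "Reads information about phone network operator": None,
        "Schedules tasks to execute at a specified time":
            "android.app.job.IJobScheduler.schedule",
    },
}


def signature_matrix(runs):
    """Map each signature name to the set of runs in which it fired."""
    matrix = defaultdict(set)
    for run, sigs in runs.items():
        for name in sigs:
            matrix[name].add(run)
    return dict(matrix)


def inconsistent_signatures(runs):
    """Signatures that did not fire in every run, with the runs they missed."""
    all_runs = set(runs)
    return {name: sorted(all_runs - hit)
            for name, hit in signature_matrix(runs).items() if hit != all_runs}


def binder_interfaces(runs):
    """System-service Binder interfaces named by the indicators, derived from
    strings of the form <package>.<Interface>.<method>; /proc reads are skipped."""
    interfaces = set()
    for sigs in runs.values():
        for indicator in sigs.values():
            if indicator and not indicator.startswith("/"):
                interfaces.add(indicator.rsplit(".", 1)[0])
    return interfaces


if __name__ == "__main__":
    for name, missed in sorted(inconsistent_signatures(RUN_SIGNATURES).items()):
        print(f"{name!r} did not fire in: {', '.join(missed)}")
    print("Binder interfaces:", ", ".join(sorted(binder_interfaces(RUN_SIGNATURES))))
```

A signature that fires on only some platforms is a reason to re-detonate or to look at the code path statically before it goes into a detection rule; the sandbox gives no indication here whether the difference comes from timing, from the emulated ABI, or from a check in the app.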

Processes

ir.pedar.halva

Network

Country Destination Domain Proto
GB 142.250.200.14:443 - tcp
N/A 224.0.0.251:5353 - udp
GB 142.250.180.14:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
GB 216.58.204.67:443 - tcp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
US 1.1.1.1:53 af26c14a0fc4467881c66c952b24b9e7.s.adad.ir udp
BE 108.177.15.188:5228 - tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 - tcp
GB 142.250.200.4:443 www.google.com tcp
US 1.1.1.1:53 ca.pushe.co udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
US 1.1.1.1:53 gbpjcshjla udp
US 1.1.1.1:53 jpazlnpvezoex udp
US 1.1.1.1:53 yvvfjkjetrpk udp

Files

/data/data/ir.pedar.halva/files/unsent_requests

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/ir.pedar.halva/databases/evernote_jobs.db-journal

MD5 729d84333d4eb78c6b23a45f6cf60eca
SHA1 cda1317ca56f4241581acd6f7454d81a38eff709
SHA256 9105ed18395f7457715fb1c6b7955b572cd9d0c960e4c31f2b7712ec8124c35b
SHA512 0c343951adf16590e716a23fd88e32d1b722afe40a754750c79c7b222174ce0bbcedbffad7531ad617e7ff464ca6e08a22c18a7e2ef19a6976abe4c828801edd

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 978fdf85b8448e3a7c9015e51477eb49
SHA1 793bb88398dc9457935a4416638d5ed3974baf19
SHA256 8f72919eebbe45ed6d33b7b763d7e45d76a880128aee9aa5c29d28ab79689a92
SHA512 852b2d3e2607c96625e9bcd454c702ccec6a0f07aba3410976d6400ecd2d48ccc92d93c8ce7fcc87a622d04357bd6805a996f11d339ca7fc3eab99c0e991fe38

/data/data/ir.pedar.halva/databases/evernote_jobs.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

MD5 6bf891a64f25cf2504d30d45fc4ebc63
SHA1 34d27e8140d7fc31576e3c8b6a3eef36aa87a3b9
SHA256 fd3bb5aabbdec1a175b8bf37fd881713636270de5318e86dcef7c66525875803
SHA512 0c919ab13bca7dff600ff5cbba65e0be4a02a7ec8ebcbd02ac72a92e2c3d4260b738d01302807de1a147c552f6f8ff86bd6302b606f27a52ff6ac161be83468f

/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

MD5 62cd237ed54914dd3e16e90b999d5100
SHA1 b037ccb5691655520e385f14f9851f5a369cb4e5
SHA256 f632627eabdd99a2be6790635b3535d03cb9808962266dd735a174b59657530a
SHA512 91a928167c880b5b4de5669e4b2b42f57499f77b68c61d4a29c4e501b4ab6f5c2755a6d69153e0a91df7268136da40d4b87977929d5f6485f39c06cfaa979f42

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 96a6b55ff02bfcd4c5425e3be965e3c8
SHA1 ea82ecc2b8b5be550c263af378267eb8e8392e71
SHA256 6d0ffee274f76eaf9576bafc5839ca24cbd2c9f16baf6344a7fd2145b39ec5bf
SHA512 817631034473e6e4684cd5f5ab783f1f77a012ab47caa4894fe6832ffa0c58e935c2a9730522cb31a4e35020bc38035b666bd0c3c1119d798ff490b7cd433290

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-journal

MD5 951a1be76fe312f0385045eb8f1eb858
SHA1 8457ebd03f2460bb8dc4766610a2ec3d3754680a
SHA256 363a1c31e599707fc0afd81797ff4c3fc06a747983c958a246efc07a3ddaae85
SHA512 15f909eac2d86334629af731773b4857393587beb9f845c723893f0cb41f072735b3c27496cc888945d13f0e086dc37b6f1d99bbd1d45fdc59d6a1f169fe799e

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-wal

MD5 3dab151dcb18cda043a02578833d478f
SHA1 ec2de56be3f2e80d15bde2df8aa206d7a756b69b
SHA256 93f2a2233c31a66cf7b357b098475eceb9192deda576afa74871e15b8dc345b8
SHA512 56c98f6ca46d2ac18a2c5d1a6d31bf675ee82b08a7500cd564e3bd3a1d2bf65bf001791d94c4d7682dd07a0454d77af99343569c33948dbae200ad34b9e5507d

/data/data/ir.pedar.halva/files/halva.db

MD5 ccc0c1eab906f7cc08a6d6b35edabe47
SHA1 9e77c691259d22faa2409b8360eb440479b949f6
SHA256 244c44cbfa632b986e7d9c25eec6013a3e8e29cc32176e478482d7a631863d12
SHA512 e50757582aa3cdb1ee511450bfe576b3c8163d633d99bca7f42f1e33f5bba992c7edd3aa84fbe5aee1488b305c95e214b1a240b68637621e8d479efb47382002

/data/data/ir.pedar.halva/files/halva.db-journal

MD5 a2a50fbeb8900f844a75d19d09e1900d
SHA1 51b66dcf4b41588a4b900fcdc92e2ce20b76b76c
SHA256 b63f2a4a59663727639393e52ac3088dd5bb5a6d49f47dee6da8b50746a77ef7
SHA512 c35f44a332781282bcc73c9c954ca902eb4153bb9c8687c8eb0c8661d7714b8b8eac13a83a81976c2b25d43adf81b26a2188e96633dd0562fa56374ef862676d

/data/data/ir.pedar.halva/files/halva.db

MD5 3fd7876e74e4e3b117a9d12ef6a19f9a
SHA1 9cd14ecf0916cb6d5fbc3535045a827674bf0616
SHA256 2f7ab51f71cf635876fc8b0d11d5bae683a2761222542ffaed856f1c99cea5a3
SHA512 9c0c15d696cfc6746e833cb439fb6b8ac4a99ba082e0dd9661cc81b89ce1b5edc72ad8e7f9707e3c4115f8b4f3706d2e8294bd85f5e7c7822489e70165a887e5

/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

MD5 f09681ee11914605e63e155cad0c75c1
SHA1 58ed2be8058187923ee561a5187c12315764c342
SHA256 2006dbe4b71f3736e4107a9e12115dbf375100acc0e7e6f58d249de5e1e2a269
SHA512 e81d1f6d17d94604741441edd1ca05b7673ac1a13f786b9b26ee544cc2aa8737e202a68b971a03c90f28124e00b74ebfb0a8be7c64de2539b95e4cf69d7baa91

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 5bfa42383d4d7732d3bff1d314da7e72
SHA1 f09819abe89ab317bc8a837293613c122b5d6369
SHA256 4846da950ecce67a363757235446b449074fa392d374784899b9948b5b873e3e
SHA512 d4e77b884a1840b45f80c400c3e10952361b3e843ae68f46cbb90d182c7fd81f023889c4702b29015000ce57d8bad33b0594ad96554bd18d8110ff96ca071598

/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

MD5 555e63568cdb8b70d233a2061a323a31
SHA1 8794b53c0d917d4701f3e39e7ea1934266e57ed7
SHA256 2ab3ffa55a11016cee8f04a7c9e6714ad0835ada5ff3a42b1409c3f142622090
SHA512 8f537a6639ff478d0166f1a798329c17e76668aa9c8925c8c2fe979197d2bf2d29ce141cf64c4af9b455ff9e214ba37b60f25657f2bfbe91d5e57bded14a0d99

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 39967ed7892504a50c13ea7e9624fb41
SHA1 54d30295690473edddf72610552fff4f0a901a4d
SHA256 81067b1ebfc3fc8743ca86678a656e791d81bedd63bd9729fa75c0948079e081
SHA512 8adbb4d21ac07564fb814d2bc807924b2fa2f06fbbcc2ca50e3a3780829e9a74ec339600643a45df8430602c25dac19c5f491b2f683f15a720700f2ae995f1a0

/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

MD5 573600d0282f8e94611c95a293a7591b
SHA1 5ca64a428def2834b8f2bd40cbae90956fe486d9
SHA256 4eee47e13077da92b4fbe1595ad2f96b507c92aaf6f24df0045745f9f67741c1
SHA512 df94308f8df6c172781ba1b3bbd84cac17135f2415acadb23ff24ede69723d94f0c4e89661d8275a887fe75f3acce6cf1db13db529735b98663ce2bd9ad3f091

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 9d8fe4dc42991d2746d7c2776ce67c69
SHA1 e7e22739e2647cc086d9c1819eb8315dedee6b0c
SHA256 974bb1db91d003089f2911e00024cbbeddb0f35133a6db121a4a71df209e6793
SHA512 8949d0b078ee97765bd7b21308eaa7ed67d5a564ef785639bd097d49715e74958b68de9b5a57f08346861e16a0bef576f53d9212ed247e98ce795c1476377cec

/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

MD5 1d42d19c14915e9a3645571886a598a6
SHA1 df5d3a9f69760b254dbdac5286899e2399bde45e
SHA256 0b6af0342d035cf42b3cf0c3de6ea846721f587c649d36d479a2dce0794335d4
SHA512 2242da504f51e89a4e67e6a48b1a3edfd0df3b8a04efef46625bc6494312c19d25c94b860cb2eb1ed8df4ed88a23743c0fc425020e16a0b1689096ac1307724b

/data/data/ir.pedar.halva/databases/evernote_jobs.db

MD5 8cd2605e63c2c162d75798d7796b71f7
SHA1 8cc3e7b5fc1ab5542a1d0ed4c42ae6c6a2018912
SHA256 e975572f676f10cfe69d8960962ef980ed0c4bcfeabb35ca397db7c2f7fab0d6
SHA512 7879759325716ba431dabe0d37054d83cf9f8cd17709b61c3ef295e37c4f53d2cedaa55c0806d59223da4c9e9203e733cc12e4c8b7078ff30bf725ada7e06544
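The Files sections above list dozens of hashes, but most belong to SQLite databases and their -journal/-wal/-shm side files, which change on every write: evernote_jobs.db (the database name used by the Evernote android-job scheduling library) and __pushe_base_lib_db (a name matching the Pushe push-notification SDK, whose ca.pushe.co host also appears in the Network tables) have a different hash in every run and sometimes several within one run. Only unsent_requests and the first halva.db are byte-identical across all three detonations. The added example below (my own code, not part of the report) parses path/hash blocks in the page's own layout, folds /data/user/0/<pkg> and /data/data/<pkg> together (on current Android the latter is a symlink to the former, so both spellings name the same directory), and separates hashes that are stable across runs from ones that churn. The input is transcribed from the three Files sections with only the SHA256 lines kept, plus one MD5 line to show the parser accepts the full blocks.

```python
"""Stability check over the Files sections of this report."""
import re
from collections import defaultdict

# Constructed input: Files excerpts per run, transcribed from the page
# (SHA256 only, except one MD5 line kept to exercise the parser).
FILES_BY_RUN = {
    "behavioral2": """\
/data/data/ir.pedar.halva/files/unsent_requests

SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

/data/data/ir.pedar.halva/files/halva.db

SHA256 244c44cbfa632b986e7d9c25eec6013a3e8e29cc32176e478482d7a631863d12

/data/data/ir.pedar.halva/databases/evernote_jobs.db

SHA256 c479f839c0bc15e9a9749cb5a5a3eef4e09c0163160073477f72fa78b2e300df
""",
    "behavioral3": """\
/data/user/0/ir.pedar.halva/files/unsent_requests

SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

/data/user/0/ir.pedar.halva/files/halva.db

SHA256 244c44cbfa632b986e7d9c25eec6013a3e8e29cc32176e478482d7a631863d12

/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

SHA256 dc4f8a73f49d2a6b41ff425fd08b85c1eba5280c438a1a1ff9832e91dfa56cbb
""",
    "behavioral1": """\
/data/data/ir.pedar.halva/files/unsent_requests

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

/data/data/ir.pedar.halva/files/halva.db

SHA256 244c44cbfa632b986e7d9c25eec6013a3e8e29cc32176e478482d7a631863d12

/data/data/ir.pedar.halva/files/halva.db

SHA256 2f7ab51f71cf635876fc8b0d11d5bae683a2761222542ffaed856f1c99cea5a3

/data/data/ir.pedar.halva/databases/evernote_jobs.db

SHA256 8f72919eebbe45ed6d33b7b763d7e45d76a880128aee9aa5c29d28ab79689a92
""",
}

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
USER_DIR = re.compile(r"^/data/user/0/")


def normalize_path(path):
    """Fold the two spellings of the app-data directory into one key."""
    return USER_DIR.sub("/data/data/", path)


def parse_files(text):
    """Yield (path, {algo: digest}) for each path block in a Files section."""
    path, hashes = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2)
        else:  # any non-hash line starts a new path block
            if path is not None:
                yield path, hashes
            path, hashes = line, {}
    if path is not None:
        yield path, hashes


def summarize(files_by_run):
    """Per normalized path: the runs that wrote it and its distinct SHA256 values."""
    summary = defaultdict(lambda: {"runs": set(), "sha256": set()})
    for run, text in files_by_run.items():
        for path, hashes in parse_files(text):
            entry = summary[normalize_path(path)]
            entry["runs"].add(run)
            if "SHA256" in hashes:
                entry["sha256"].add(hashes["SHA256"])
    return dict(summary)


def stable_hashes(summary, runs):
    """Paths written in every run with one SHA256 across all of them: the only
    file hashes in the report that are worth carrying as indicators."""
    return {p: next(iter(e["sha256"])) for p, e in summary.items()
            if e["runs"] == set(runs) and len(e["sha256"]) == 1}


def churning_paths(summary):
    """Paths whose content differed between, or within, runs."""
    return sorted(p for p, e in summary.items() if len(e["sha256"]) > 1)


if __name__ == "__main__":
    s = summarize(FILES_BY_RUN)
    print("stable:", stable_hashes(s, FILES_BY_RUN))
    print("churning:", churning_paths(s))
```

halva.db drops out of the stable set because the behavioral1 run captured it twice with different content, even though its first capture matches the other two runs; a hash that is stable only at a point in time is a weak indicator and should be paired with the path and the package name rather than used alone.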