Malware Analysis Report

2024-10-19 12:07

Sample ID: 240521-bqafnadh81
Target: 619699bc05aa8c38d67eaf6dde54571b_JaffaCakes118
SHA256: b388990fde8dcfcde731b3188e59975d3c1f51f2f6678a23a4935259681018f4
Tags: banker, discovery, evasion, impact, persistence, stealth, trojan, collection, credential_access
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: b388990fde8dcfcde731b3188e59975d3c1f51f2f6678a23a4935259681018f4

Threat Level: Likely malicious

The file 619699bc05aa8c38d67eaf6dde54571b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, discovery, evasion, impact, persistence, stealth, trojan, collection, credential_access

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks CPU information

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Checks if the internet connection is available

Requests dangerous framework permissions

Declares services with permission to bind to the system

Listens for changes in the sensor environment (might be used to detect emulation)

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 01:20

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 01:20
Reported: 2024-05-21 01:23
Platform: android-x86-arm-20240514-en
Max time kernel: 30s
Max time network: 157s

Command Line

com.nanoinfomatrix.Edu_Pathshala

Signatures

Checks if the Android device is rooted.

Tags: evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

Tags: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar | N/A | N/A
N/A | /data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar | N/A | N/A

Queries information about running processes on the device

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks the presence of a debugger

Tags: evasion

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nanoinfomatrix.Edu_Pathshala

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar --output-vdex-fd=146 --oat-fd=148 --oat-location=/data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/oat/x86/1582435991586.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
GB | 142.250.178.3:443 | | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 172.217.169.66:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | graph.facebook.com | udp
US | 1.1.1.1:53 | api.mobula.sdk.duapps.com | udp
US | 100.22.20.86:80 | api.mobula.sdk.duapps.com | tcp
GB | 172.217.169.66:443 | googleads.g.doubleclick.net | tcp
GB | 157.240.214.1:443 | graph.facebook.com | tcp
GB | 157.240.214.1:443 | graph.facebook.com | tcp
GB | 157.240.214.1:443 | graph.facebook.com | tcp
GB | 172.217.169.66:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.169.66:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.169.66:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.169.66:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp

Files

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/vTlMPCGmf

MD5 823346d9cf7ad857698594efa439d03d
SHA1 c4b3ed17fbaf5baaaa7cadd606490261a59ec6a2
SHA256 61f2361d12d6e00f21b4f1a3b3da88e3a83be0377e65c114db8933aa4e8b7dd7
SHA512 f1fa3b49932b7c8728d22980b8909b80fc7f74f1d235941c7fe335dd7d0b47b64b92cefedcdb1e68100b3c53f090916a0098bee13408b99778b77013e9962d78

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/vTlMPCGmf

MD5 e14aa374a3098d17bb1f2c224edf4939
SHA1 63020b5cf238c66265a673c402d5cd814e987da6
SHA256 53233f371734357aaccb6c2648f61df974891430d0fb4c4289fbf02f05546660
SHA512 599d9b2f4f23c2cf879fb29c89b5aa25e83fe749faf5f01933019d0f50974992da3c4dbf8180be4c194ed4b5cc5fdade273fe5f02290e13d50fe57877b777fe6

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E603E0-0001-10DB-5EADD81D3E9DBeginSession.cls_temp

MD5 4af88f6d3c604e809904a25a40c00d17
SHA1 9770fe6fd18199917695d72ca1fdc18c54677712
SHA256 c5822e75a536a1b59f82d36d83f7ebe387db5a5c4470f188ea566baa4edf833e
SHA512 cc33dca5a88a304805f252ac48d0cbf711c52336984fe3dfbb1defb82838f48507c13c32af1f6604b05b2855de92a61a96e56f1add0e003b47f86e036217cabc

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E603E0-0001-10DB-5EADD81D3E9DBeginSession.json

MD5 1c4c76b67c11d785d9dcc29cf382f4ec
SHA1 5c3cc956bb424e092cdae3be144a99151750228f
SHA256 a94f3cdd4629fbdb70a55d92f9c135e75b62ade52a4d49bbb22cef8ca93fe920
SHA512 abd4d1a0bcf7e83875d73f6d81527047917cfe072aacd4c9239949849aca927505808623c547d9c8ed356105852a4aa6321ca0fee6da094c95651a26669d19e9

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 3da93c62583f1e4dfba69149f7dc72e8
SHA1 ea1ca8d4a82a0bb163f813533aa34e2331de8442
SHA256 c4b5bcec517c99f00d3ec81233d1c099e1510a5cd5646a26fb41a7ace9fc9214
SHA512 7aa5755ceadfcce9b4cdd6a653e72da489285df4a5f320d558603d2315a3ce2b915fac18f92369751e5f2c39a0faf514cca8510392d3b7de430669a0c67feada

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E603E0-0001-10DB-5EADD81D3E9DSessionApp.cls_temp

MD5 f73d665ab9a4cb59589260e0bedcc81f
SHA1 270298c6b54024691a5afc33d8f357e5700c4460
SHA256 bc9a5f13e6a5aa3a5cdb5f8545c32df62c680bc532bbd87460595721a5c32328
SHA512 c898bacf7cce9755deb541e07087da10285b75917991ee4b42591b651361da9bfba17246907ee1cef71a6cd0fbf8902f83668974c51a7f4d8e7ebb1a98758f81

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_1884be0b-a455-4125-b5ba-9fe57fe8d939_1716254439677.tap

MD5 6a0e5647286873bcbeb39de3334bec7d
SHA1 39296c0ed0a7fe82a2449df9f472e23f7b8a6847
SHA256 f8fb2a20375290d9cc6a8b5436778f6531ea2692505632a4b1d472d6b5efc336
SHA512 dd3fd3922058eeae0536f4868dfd30fce01c05fabae026bec4f3a1c366c364eba98afecdf538f8c87931873d741e5127b620abab22bcbb08dfefb804403d6f23

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E603E0-0001-10DB-5EADD81D3E9DSessionApp.json

MD5 0ea7a15282e3ab2da1020b21d338694e
SHA1 6f145707ef1f819a8cc9c1668eafd787b1478d9b
SHA256 050241acfd4d1d6553908436fd082b93e09994a4704101320d9db013de80f6fb
SHA512 657fe981d592e4c58e78ab00cdbc74893914918f7c285eb0bcd94427161b4f8dbe94a44a37116911946d3c924b941405cc62f475c6e116bacb741dc9efceec5a

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E603E0-0001-10DB-5EADD81D3E9DSessionOS.cls_temp

MD5 9b3d4522944ce6396563812bfdb92fa9
SHA1 6d2a6133c8f01938a48ccc77ef86ad8ca335c020
SHA256 d32805d685a3f50caa7f1c0bd7c8804c4d937a866513289f60e3184f7a591ed9
SHA512 091d87643712530bf9006135db42a5a50742bb5ca3026bcc5f2c1c17bf4fd984a8938d29263b0abde3d15cac196d2230902534e200b0b79485e3a1bd97d95727

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E603E0-0001-10DB-5EADD81D3E9DSessionOS.json

MD5 93023624eb8dff5c20050da136aaae0a
SHA1 acfd1ffed752c28fb135ba83c0c6345ddf2f6995
SHA256 968bcd7c4f1abed89a09cc0e6dadd238a81e8655e64196b39a86be49ceecd39c
SHA512 bb25dfa144d3f0e17203936c503c5fedec5f9ca710e177f99e273010ba4a682199d4bda5684151d65f3cb1549f4611b3a645ce39646d3db9a1b2c17d6b160579

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E603E0-0001-10DB-5EADD81D3E9DSessionDevice.cls_temp

MD5 190a8b09a6ea32d76654cc4e71499257
SHA1 f49b9e1fef4bca0972eb3cc5244ddbc95da035fd
SHA256 53d9cce177f62c4852d56c74f4a6c36192b35c99c8fb332bb3f734396f38a8f2
SHA512 7b101337e1321a75880dd1466977c348912bd018812e5c5a34100d6a8cadfc1ccab266ee2d9938a6bb535d4bb48fc95bac89c3ab14c2c05d328c10fb0b2111f3

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E603E0-0001-10DB-5EADD81D3E9DSessionDevice.json

MD5 71215d8820809736b3f67c0d13aca469
SHA1 62c03b2c23016ff6e3934b359099da149de0fd0b
SHA256 32275d53ea75da059fd86aca9facc7580d22e075fb006fe9f98a575fae06d216
SHA512 425c74bfe6da820a7f2a3e241c7745434cdde8f164fa3ebe92ed6d73c22db5c7482cfc31508e7662a4388f58f313bf69d3d46c01f9fd1e707c08ad93892090ee

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/gaClientId

MD5 f2d62dfd8deb6e8c8aaad81fa410a71f
SHA1 ee0b861651e4b92c782edb2cb52332b3ed8b5ca6
SHA256 a0183f14a3904f9c155f39dc55e900c943a95ca66e5c0641de1fba93048a88e3
SHA512 f81df522e34c0cfa76255ee6d1498a902a0e90b4226e813722d4bd3779f9f74d0d9fec4335bdf5514b067b8e9399680f32f6eba1f102cbdef0207ebbca4545af

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 ad72b39617297e1a97e57df6fbbd238d
SHA1 cb3f5efaa2921687d6c39c41f869299a6fcabc20
SHA256 bbb6131b9e09cbe6d65431c4ffa561081d4490945be0f1ba1c0737469650c656
SHA512 b90356f7019a5bd29a36859721e563ef71536ccf1d4e294c046aeb82985cb30ece8d5b7c57f9ac0c0f49e3f6f702ed4bc95514048a41149713dbeb61ab8c9a17

/data/data/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar

MD5 2048eb6124a452540ee51dae4145aadf
SHA1 d05005b2cd7fe4cd652b0d7fd1bdac2c19d51451
SHA256 105c54b6fe3f25350e92187467761598e4c21d62b1091b77d091f65f3bd98864
SHA512 bb6cb3853dd2a5d0701e20607d4e153ae201268dd2e5e2d06cc2df208b3b4dc50132a4ab428251b1644d2399fcc717662438d082ff14203387bab8794109d44d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 01:20
Reported: 2024-05-21 01:24
Platform: android-x64-20240514-en
Max time kernel: 49s
Max time network: 134s

Command Line

com.nanoinfomatrix.Edu_Pathshala

Signatures

Checks if the Android device is rooted.

Tags: evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

Tags: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks the presence of a debugger

Tags: evasion

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nanoinfomatrix.Edu_Pathshala

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | graph.facebook.com | udp
GB | 163.70.151.23:443 | graph.facebook.com | tcp
GB | 163.70.151.23:443 | graph.facebook.com | tcp
GB | 163.70.151.23:443 | graph.facebook.com | tcp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
GB | 142.250.187.234:443 | safebrowsing.googleapis.com | tcp
US | 1.1.1.1:53 | api.mobula.sdk.duapps.com | udp
US | 52.35.104.167:80 | api.mobula.sdk.duapps.com | tcp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp
GB | 216.58.213.14:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp

Files

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/vTlMPCGmf

MD5 823346d9cf7ad857698594efa439d03d
SHA1 c4b3ed17fbaf5baaaa7cadd606490261a59ec6a2
SHA256 61f2361d12d6e00f21b4f1a3b3da88e3a83be0377e65c114db8933aa4e8b7dd7
SHA512 f1fa3b49932b7c8728d22980b8909b80fc7f74f1d235941c7fe335dd7d0b47b64b92cefedcdb1e68100b3c53f090916a0098bee13408b99778b77013e9962d78

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/vTlMPCGmf

MD5 e14aa374a3098d17bb1f2c224edf4939
SHA1 63020b5cf238c66265a673c402d5cd814e987da6
SHA256 53233f371734357aaccb6c2648f61df974891430d0fb4c4289fbf02f05546660
SHA512 599d9b2f4f23c2cf879fb29c89b5aa25e83fe749faf5f01933019d0f50974992da3c4dbf8180be4c194ed4b5cc5fdade273fe5f02290e13d50fe57877b777fe6

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF71F00A4-0001-1428-A1262BF1DDD0BeginSession.cls_temp

MD5 530fc39646cc1b8abe7ed2b05062be10
SHA1 ad7ddaa9ffff0e8079cf88e3381567417d91d7a3
SHA256 4e2e3b65f08d69282660ea09d6765c4c7d14c1c390158b66762ba343b9b890eb
SHA512 b458015df72f938c9abf82ab8c69037dcd7a47a18c269607b52c2e60e077133ba5b0d083caef577a6b6a396925b748480ea1bbe359fe586e37f2c803914235e0

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF71F00A4-0001-1428-A1262BF1DDD0BeginSession.json

MD5 d998e62e379886cecbdfc8b8aa087863
SHA1 46c3b29fd1a32d4c65d346a4ad84c1109984b3ad
SHA256 12751e3ad2070f9999a52fbc519c8d54c864247384c78371e86b25631a878a26
SHA512 969978104bfe44d6ab8c3741b292319522b501c748669a13e257a5cd9e3d3bc2e77dffc412ab751eefaa02001fb272b08ed69d4cd8df5376e1b38836de312289

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF71F00A4-0001-1428-A1262BF1DDD0SessionApp.cls_temp

MD5 38580b9f1b0e0ad09da660a4e3f2e154
SHA1 d2dc601cbe445615def3f181073af725093ed2b7
SHA256 b833de70e51f084b3f941d3514a7d2254852e35732e5ba36a8a7f182593f3172
SHA512 4de24ce1cbf8da92cfe9dbe93dceb6d3fe68ff378c6f930a5eb044193759b85b8ccb117e8266d93a806f50e23ec9281a5787d11a17bc61f6295ce8b369c866e5

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF71F00A4-0001-1428-A1262BF1DDD0SessionApp.json

MD5 fdbd04809535a6bb206976f9b8aaef38
SHA1 4514d966b04cf5da922c5420f60a3b89c071b870
SHA256 75e6bd2de2c3a101ea95c2cdd41bad981c2e55643a749e874a9867d35a09683e
SHA512 e7213fafd04130162bca37ae21869b6c1893f4bd57d72273b341c6846e1d99504fc64a8c5f7a6e9a7a54eb97239fa6a2560a7222106fdb2ac1715d37a752b14c

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 a0ed73afd7e9e411408409f61cdf7532
SHA1 9ecec0c232cf43a98d01c447e2251529cf52b0d1
SHA256 0b52a65b95bbd544863a332d8422544d068cef015c0ce82d956533a84252f0fd
SHA512 e39aaaf620bb161097960a97d18f35c17449889e87393eae38ff425565316283a4ec3c5eee49ef19d8c2ddc2c08ed46ecae86a54060f44794b99f01f806b8e37

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF71F00A4-0001-1428-A1262BF1DDD0SessionOS.cls_temp

MD5 2566d27ce8c28d8961f082c375d7535e
SHA1 92fe585b1a2c9c523d2fa1f65ab5c1b6a1a6edaf
SHA256 5acdb54ddba2e264f6822fbdbc4e9b5158f57d43785c2f01d981956b18f7a90a
SHA512 1c70679bbd25a57f9ac02083d5af0fe72b1417cf3070a195497f03d6f492e87b1ed3f570de7ea7c814c995a1530e32610d9570f31a480648f4062e8d3287be8f

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF71F00A4-0001-1428-A1262BF1DDD0SessionOS.json

MD5 5caea4b68c57072f7f52a5a41720566c
SHA1 4d9712f1702c7238949da43f7d8ae6efb233a666
SHA256 3223857b618b924c2b0fbc7bfb373a1aacf300a7b5ab585e18fffcf19039f363
SHA512 fe1455d21c521aeae3292bdcc386f6d2005dc253930c03e44dbcb972f96b849670d2aba039ea59e1a5ebc0350e6315151d17bcda55c161a62987d4bb01e91f9f

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_07ff4427-9d2a-4324-9f62-969039d42911_1716254495691.tap

MD5 12ee31c8e8399b8f38a034de0c46062f
SHA1 dd02d3c25a1fe66a846f150cb665b59b02550025
SHA256 97c026b64cf045d93708b9f9b8fefda1be92f92151ce63f3f88c4bd6df64cef7
SHA512 baf1aa997e7c2a6c9981ec1d9f1d000a599cbf9610a4b7629a954dc5c8eb0a9ca237b595cf402718b162aef80a8cd965ec249b8ceb8ed0c733607cc47c90b427

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF71F00A4-0001-1428-A1262BF1DDD0SessionDevice.cls_temp

MD5 c4b644f9e4f17e691917c0582e61762f
SHA1 56fa34f86dfb41c67baf535b1f8931188eae9708
SHA256 10a9b3c72e78e15018ae8e999648ad32985a64bb198dc363f3d7d8249aeaa9ad
SHA512 3affc5f116cce3b79a2d68687980289562353e26040f7af355979a4497ad8d288df83cb5921f498ab4f31f7a3e032ce00ac278332ee77484a6d9478018353a5c

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF71F00A4-0001-1428-A1262BF1DDD0SessionDevice.json

MD5 18381eb4d32a22c46d8c43ff9cd4a74f
SHA1 d071c3ee567c2d6df45a918d867abf04af2fa097
SHA256 91e90d5d04a905dbd38f9f0c5a4edd37da724fc8234ff0464811925d98f3ccbe
SHA512 4ac69d4163bafe7910bf707f0459faba06863169a9ffb14b03776036757e66251e2f404d7fcb4bc954d51e5da14584111c23a0fcd4b2cae81b60daee7c62b771

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/gaClientId

MD5 1cee4ca83a5b8773864674c7674c25e7
SHA1 09ee929a41c0d29c8b4647d234d3f4db95092614
SHA256 354f9593aa87078eb173f0c112dbc5e3006d83df76c1dd2c88dfe16388078a7a
SHA512 10c6451e8d9aba0eb08f79573a07f5eb2300fa70ab5ef47a77855c0938a06837f7d88f71d443a63a1f8a27455d7d6653551b77cf51c6618981a99efffa702c85

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 fff5eaf47a409fc33eedae8cdec5a81a
SHA1 f42486e3cd26f6a83ffb9e35d14905282e3adbcd
SHA256 37eca132a181d55a5fa41b5b00369d51afb0e1bb190ec13d6a07a630b42a9620
SHA512 cc0c31d9a572ac30b811a630f3e786f88447351e870453c36649d252c6354cd69b339d86ec94179bdd223ad545e38d227e1a02d3602d951abd40f0525d082801

/data/data/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/data/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_756a191e-65cb-493c-a2c4-ab667e23c7d2_1716254508540.tap

MD5 f3c18a2f93d11a6447dc70a97eef3933
SHA1 4c1c69a0c103a2295a5554fcd591e40d89eba0db
SHA256 40b6d29413702e7a416e7cadc7b1250d958dd8d0942bc187a156546bd5376d63
SHA512 275f0976bcf84962154ed6d9d7c0c7c0d56bdb9ca58b28da500cd5e12be6c7fac928db8a82503a7bfede5404b8ec20f105bf3ea1ad6080aa7afbf22b3e4ef624

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-21 01:20
Reported: 2024-05-21 01:23
Platform: android-x64-arm64-20240514-en
Max time kernel: 73s
Max time network: 134s

Command Line

com.nanoinfomatrix.Edu_Pathshala

Signatures

Checks if the Android device is rooted.

Tags: evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

Tags: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nanoinfomatrix.Edu_Pathshala/cache/1582435991586.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks the presence of a debugger

Tags: evasion

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nanoinfomatrix.Edu_Pathshala

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | graph.facebook.com | udp
GB | 163.70.147.22:443 | graph.facebook.com | tcp
GB | 163.70.147.22:443 | graph.facebook.com | tcp
GB | 163.70.147.22:443 | graph.facebook.com | tcp
US | 1.1.1.1:53 | api.mobula.sdk.duapps.com | udp
US | 100.22.20.86:80 | api.mobula.sdk.duapps.com | tcp
GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp

Files

/data/user/0/com.nanoinfomatrix.Edu_Pathshala/files/vTlMPCGmf

MD5 823346d9cf7ad857698594efa439d03d
SHA1 c4b3ed17fbaf5baaaa7cadd606490261a59ec6a2
SHA256 61f2361d12d6e00f21b4f1a3b3da88e3a83be0377e65c114db8933aa4e8b7dd7
SHA512 f1fa3b49932b7c8728d22980b8909b80fc7f74f1d235941c7fe335dd7d0b47b64b92cefedcdb1e68100b3c53f090916a0098bee13408b99778b77013e9962d78

/data/user/0/com.nanoinfomatrix.Edu_Pathshala/files/vTlMPCGmf

MD5 e14aa374a3098d17bb1f2c224edf4939
SHA1 63020b5cf238c66265a673c402d5cd814e987da6
SHA256 53233f371734357aaccb6c2648f61df974891430d0fb4c4289fbf02f05546660
SHA512 599d9b2f4f23c2cf879fb29c89b5aa25e83fe749faf5f01933019d0f50974992da3c4dbf8180be4c194ed4b5cc5fdade273fe5f02290e13d50fe57877b777fe6

/data/user/0/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E803AE-0001-11EF-0E2EC73CCB1DBeginSession.cls_temp

MD5 9a99ae1209600f3594924aeb29acab40
SHA1 db4a2ca30fd2e0884ad86b1b97028bac150a1be1
SHA256 c74d030a70341c9979a7310b1686204299c230a70e822f506a1f767df7edf2b0
SHA512 dd29304a9d4bb899387e4461b744848d09a93d85e3a476e45aacd3d047988aa2a337f3b8bc6e9bfb0a0a0829529ccb3dc390c77f20a591b5f5b0ed733d358211

/data/user/0/com.nanoinfomatrix.Edu_Pathshala/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/664BF6E803AE-0001-11EF-0E2EC73CCB1DBeginSession.json
