Analysis Overview
SHA256
e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8
Threat Level: Shows suspicious behavior
The file e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Checks CPU information
Checks memory information
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Obtains sensitive information copied to the device clipboard
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-23 02:09
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
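The static signature above is produced by matching the decoded manifest against Android's dangerous-permission list. The following is an added example, not the sandbox's signature code and not taken from the sample: it parses a constructed AndroidManifest.xml excerpt (package name com.example.hypothetical and its permission set are assumptions), honours android:maxSdkVersion, and groups the ten permissions from the table above by their Android permission group. An APK's manifest is binary AXML and has to be decoded first (for example with apktool or aapt2 dump xmltree) before this parser can read it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The permissions flagged in the report for this sample, keyed to the Android
# permission group each belongs to. Android's full dangerous list is longer.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
}

# Constructed, already-decoded manifest excerpt. It is NOT the sample's real
# manifest; the package name and permission set are assumptions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def requested_permissions(manifest_xml, api_level=33):
    """Return the set of permission names the app requests on a device at
    api_level. Both <uses-permission> and <uses-permission-sdk-23> count; an
    entry whose android:maxSdkVersion is below api_level is dropped because
    the platform does not grant it there."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    max_attr = f"{{{ANDROID_NS}}}maxSdkVersion"
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(name_attr)
            max_sdk = el.get(max_attr)
            if not name:
                continue
            if max_sdk is not None and int(max_sdk) < api_level:
                continue
            found.add(name)
    return found


def dangerous_by_group(manifest_xml, api_level=33):
    """Group the dangerous permissions requested on api_level by capability,
    the way the report's signature summarises them."""
    groups = {}
    for perm in sorted(requested_permissions(manifest_xml, api_level)):
        group = DANGEROUS.get(perm)
        if group:
            groups.setdefault(group, []).append(perm)
    return groups


if __name__ == "__main__":
    for group, perms in sorted(dangerous_by_group(SAMPLE_MANIFEST).items()):
        print(f"{group}: {', '.join(perms)}")
```

Run against the constructed manifest on an API 33 device the STORAGE group disappears, because the WRITE_EXTERNAL_STORAGE request is capped at maxSdkVersion 28; evaluating at api_level=28 brings it back. That is the check worth repeating on a real manifest before reading too much into a long permission list.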
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 02:09
Reported
2024-05-23 02:12
Platform
android-x86-arm-20240514-en
Max time kernel
18s
Max time network
131s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.3:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.39.110:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 216.58.212.202:443 | | tcp |
Files
/data/data/pl.spyone.agent2/databases/database.db-journal
| MD5 | 5741ed1000c2bfe47e8e6b24ad76b0e9 |
| SHA1 | c6387d50cac7004e314c7bd9150f9a17b6cf39f9 |
| SHA256 | 4b6c9cfc489aa5ce9cfb9363eb2f8192f8ea09babf35851de463c37003c95e03 |
| SHA512 | 43b1fb082308e2857344f71b09c5615336e6388a5bbc979dffbaa06a2741e35fc198faa372540f7ebb64602d11552690b8bac704fd1f9e92793288ec1b0cbf8a |
/data/data/pl.spyone.agent2/databases/database.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/pl.spyone.agent2/databases/database.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/pl.spyone.agent2/databases/database.db-wal
| MD5 | 4e260a793a2605145f432b32707d66e0 |
| SHA1 | 3333998e465934d39af3a91e0f6dce50c02f839a |
| SHA256 | 4e61507814e9edb134fa0a0052026e2aa925d1656012b006830c40a3ff73d410 |
| SHA512 | f4f10f4126aa70588333a4f95a676e0d1406afa23e0e9ea82ffe4d12cdd44788d0e01dd5eabece3b758798564d26e902201837a63d172d0f69388870d1a1a884 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 02:09
Reported
2024-05-23 02:12
Platform
android-x64-20240514-en
Max time kernel
49s
Max time network
137s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 172.217.168.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 216.58.213.14:443 | | tcp |
| GB | 142.250.200.2:443 | | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| NL | 142.250.179.174:443 | www.youtube.com | udp |
| NL | 142.250.179.174:443 | www.youtube.com | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 172.217.169.42:443 | | tcp |
| GB | 172.217.169.42:443 | | tcp |
Files
/data/data/pl.spyone.agent2/databases/database.db-journal
| MD5 | c6c3e8db82a35ec86021e71953bd875b |
| SHA1 | e81d87b6c650c64212438e75ad33df52a6e0c964 |
| SHA256 | fd39e282a985afd66fe9b3c9639025425a765f24b13ed294c3754c4ad2364f93 |
| SHA512 | 744abf766200132263283bf4d0c18350a3d08cc104c0e9a0fae34c798a4366123c0c0f7f5452e834bea9868f7853bfdf487ff805119e516332046ead26715280 |
/data/data/pl.spyone.agent2/databases/database.db
| MD5 | dd46d6cae176055d8617ceb3d40f1d96 |
| SHA1 | b7a971b5f755f7fd5f9041bb1a0ffb1a74d9dd57 |
| SHA256 | c4d2fc19a3c54c2d2cadde804546ce6f62f960865b829ea240026e1ea2706e96 |
| SHA512 | 54d353f7e746aa3935848cc2f694cd6cfbd1c59b6f56e276b76fad0f0a4c8ea09cd4835be8a8ccd615a7714d3e212a091d93a2b3b835f4ea767c8ba5950a5516 |
/data/data/pl.spyone.agent2/databases/database.db-journal
| MD5 | d774750071ad5abba30bf0e297603f16 |
| SHA1 | 935341e8ce38f8c050e5b5a26ad3a5aab2e157b4 |
| SHA256 | f40ecbcb8a460f244a6c9b88337b8d5a04349d2a1d1e87a58981b104ce1794e9 |
| SHA512 | f7962917d491256b962e53844dcca534775a89864385b732a7c40e4f5c6c3488939caf3de2ca1c6737af126c426da14f82e0797d787939fb258ccbab8bf1e0b1 |
/data/data/pl.spyone.agent2/databases/database.db-journal
| MD5 | 82a8ea85d8b3fadfa10ed6883b6f16bf |
| SHA1 | 472690334a9a0c3412675e449cc0b11492bd2a53 |
| SHA256 | 3bc33531a8dde370bbc2d246229df0806140b86f70bb0036fd03c55433ede381 |
| SHA512 | e42aa45ad7ba007060f186d48aee7981818925974f08cb24d8a4b1bc4c18d905a30044efd7ffcaa280d3fba31f74f0b5c2a5f923ad58a845192da23617ec9c99 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-23 02:09
Reported
2024-05-23 02:12
Platform
android-x64-arm64-20240514-en
Max time kernel
95s
Max time network
132s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
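All three behavioral runs record the sample opening /proc/cpuinfo and /proc/meminfo (the "Checks CPU information" and "Checks memory information" signatures). Reading those files is ordinary device profiling, but it is also the usual raw material for emulator detection, which matters when a sample is detonated on x86 and x64 sandbox platforms as here. The following is an added example, not code from the sample or the sandbox: it parses constructed cpuinfo and meminfo text and reports the common emulator tells an analyst would look for. The sample texts, the board names, vendor strings and the memory threshold are assumptions and heuristics, not a claim about what this sample checks.

```python
import re

# Constructed /proc/cpuinfo and /proc/meminfo contents. Neither is captured
# from the sandbox; they stand in for an x86 emulator and an ARM handset.
EMULATOR_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 6
model name\t: QEMU Virtual CPU version 2.5+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep
"""
EMULATOR_MEMINFO = "MemTotal:        1015396 kB\nMemFree:          311244 kB\n"

DEVICE_CPUINFO = """processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer\t: 0x51
CPU architecture: 8
Hardware\t: Qualcomm Technologies, Inc SM8250
"""
DEVICE_MEMINFO = "MemTotal:        7864320 kB\nMemFree:         2211576 kB\n"


def parse_proc_kv(text):
    """Parse 'key : value' lines into lowercase key -> list of values.
    A list is needed because /proc/cpuinfo repeats most keys once per core."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        out.setdefault(key.strip().lower(), []).append(value.strip())
    return out


def meminfo_kib(text, key):
    """Return a /proc/meminfo entry (e.g. 'MemTotal') in KiB, or None."""
    vals = parse_proc_kv(text).get(key.lower())
    if not vals:
        return None
    m = re.match(r"(\d+)\s*kB", vals[0])
    return int(m.group(1)) if m else None


def emulator_indicators(cpuinfo, meminfo, min_mem_kib=1_500_000):
    """Heuristic emulator tells drawn from the two files the sample reads.
    Each is common but not conclusive; a physical device can trip one."""
    cpu = parse_proc_kv(cpuinfo)
    tells = []
    hardware = " ".join(cpu.get("hardware", [])).lower()
    if "goldfish" in hardware or "ranchu" in hardware:
        tells.append(f"hardware={hardware!r} is an Android emulator board name")
    vendor = " ".join(cpu.get("vendor_id", [])).lower()
    if "genuineintel" in vendor or "authenticamd" in vendor:
        tells.append(f"x86 vendor_id {vendor!r}: host CPU exposed, typical of emulation")
    model = " ".join(cpu.get("model name", [])).lower()
    if "qemu" in model or "virtual" in model:
        tells.append(f"model name {model!r} names a hypervisor")
    total = meminfo_kib(meminfo, "MemTotal")
    if total is not None and total < min_mem_kib:
        tells.append(f"MemTotal {total} kB is below a typical handset (weak tell)")
    return tells


if __name__ == "__main__":
    for label, cpu, mem in (("emulator", EMULATOR_CPUINFO, EMULATOR_MEMINFO),
                            ("device", DEVICE_CPUINFO, DEVICE_MEMINFO)):
        print(label, emulator_indicators(cpu, mem))
```

When a sample reads these files, the useful follow-up is to diff its behaviour across platforms, as this report already does: the clipboard listener appears in the x64 and x64-arm64 runs but not in the x86-arm run, and kernel time ranged from 18s to 95s, which is the pattern to check against an emulator-check hypothesis before concluding anything.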
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| GB | 142.250.178.10:443 | | tcp |
| GB | 142.250.178.10:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| MD5 | 7dc10aab01eccca1d26ff0ff900f3820 |
| SHA1 | 6ced820992774652c5048584c274322c4e039e52 |
| SHA256 | d2707ed0a6e99af95623e5cdf79342bc05100027cc42fb371ed7402c8a30b2c4 |
| SHA512 | 3f2164e710e45ef48de4097a3029b1d204271c1bb98f9bc0ff2120c8bf23f347466611caf087404a8a17122c5db73b5d5f17398f1d6f0d4408768633fe95043f |
/data/user/0/pl.spyone.agent2/databases/database.db
| MD5 | 0379f2b646309bcd59a19760005dd257 |
| SHA1 | 9185b00c3401321841b1c7edd10624a13c2dd47f |
| SHA256 | 62c0d663334435c7b56f7ef5ee45ef1e1476f9ef39ea6667dd48962eadb0216f |
| SHA512 | 387a118af4cd9315a8e5323b7a2b78e5214b0556448cdf6a68335ecda5615dfd0c1ca0313d8b355e8489980635319d90f2b7b25889b1e556c11b7657bc184fe8 |
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| MD5 | 70ad3cee0bb6e0f810dcb442beed1fc2 |
| SHA1 | 39d59325d56bfc681be8ee032e4789f7c3291220 |
| SHA256 | 1ca1feb4bf74bae99920e3d084038ddf42080788760c99bd82269415f68159ee |
| SHA512 | f2dc46eff1221ec75b07d4d77a7b94db6fc8e2829051d8d9abd71cdbb83af4fdbefac56021112fbbc601e33e980c4ffbe42e51fe38cb11cfe057cdc13c1d52e8 |
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| MD5 | 23846ba76e82b15369714e90e05537eb |
| SHA1 | f403c9cbdc3a11a6043a2f98b5cf5f76ed2bb0b8 |
| SHA256 | 89bd7a1c9b60f9b13214a34eac35cc80682adf315598d6443b605f3e2106437d |
| SHA512 | f69c1c71bf36b85aa6cf3c437bd1c95773dc049d20d0e2bde2504a546444e6489a5c79d1a897a73f13655991e05134540e7941bd5a93b128f77c1a996fcdf881 |
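Every behavioral run leaves a SQLite store in the app's databases directory, and behavioral1 shows it with -wal and -shm companions beside database.db. That detail decides how the file has to be acquired: in WAL mode, committed rows live in database.db-wal until SQLite checkpoints them, so pulling database.db on its own can yield an empty or stale database. The following is an added example, not the sample's database or any sandbox code: it builds a constructed WAL-mode database with an assumed `events` table, keeps the writer open so nothing is checkpointed, then counts what a copy of database.db alone sees versus a copy of all three files. The schema and rows are assumptions; the report gives only file names and hashes.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed rows standing in for whatever the real database.db holds; the
# report lists only file names and hashes, not the schema or contents.
SAMPLE_EVENTS = [
    ("clipboard", "constructed entry 1"),
    ("sms", "constructed entry 2"),
    ("location", "constructed entry 3"),
]


def make_wal_database(path, rows):
    """Create a WAL-mode SQLite database and leave the writer open, so the
    committed rows stay in database.db-wal and are not yet checkpointed into
    database.db, which is the state found on a live device."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, kind TEXT, payload TEXT)")
    conn.executemany("INSERT INTO events (kind, payload) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def row_count(db_path, table="events"):
    """Open a copied database and count rows in `table`; 0 if it is absent."""
    conn = sqlite3.connect(db_path)
    try:
        exists = conn.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
        ).fetchone()
        if exists is None:
            return 0
        return conn.execute(f'SELECT count(*) FROM "{table}"').fetchone()[0]
    finally:
        conn.close()


def compare_acquisitions(rows):
    """Copy the live database two ways and count what each copy can see:
    'db_only' takes database.db alone, 'db_wal_shm' takes database.db plus
    its -wal and -shm companions."""
    work = tempfile.mkdtemp(prefix="wal-demo-")
    live = os.path.join(work, "database.db")
    writer = make_wal_database(live, rows)
    try:
        db_only = os.path.join(work, "db_only")
        full = os.path.join(work, "db_wal_shm")
        os.mkdir(db_only)
        os.mkdir(full)
        shutil.copy(live, os.path.join(db_only, "database.db"))
        for suffix in ("", "-wal", "-shm"):
            src = live + suffix
            if os.path.exists(src):
                shutil.copy(src, os.path.join(full, "database.db" + suffix))
        return {
            "db_only": row_count(os.path.join(db_only, "database.db")),
            "db_wal_shm": row_count(os.path.join(full, "database.db")),
        }
    finally:
        writer.close()
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(compare_acquisitions(SAMPLE_EVENTS))
```

The -shm file is only a rebuildable index of the WAL, so database.db plus database.db-wal is the minimum that preserves the rows; copying the -shm as well, as the report's file list suggests, is harmless. The -journal files listed alongside are rollback journals from the same database and should be pulled with it for the same reason.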