Malware Analysis Report

2025-01-19 07:02

Sample ID: 240523-prdrcshg8z
Target: vpn3000.apk
SHA256: 3277e4ffaa712e938996baa02f765a82c804924dd3bd10f7a1467644770772da
Tags: discovery, evasion, execution, impact, persistence, collection, credential_access
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 3277e4ffaa712e938996baa02f765a82c804924dd3bd10f7a1467644770772da

Threat Level: Likely malicious

The file vpn3000.apk was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, execution, impact, persistence, collection, credential_access

Checks if the Android device is rooted.

Queries the mobile country code (MCC)

Obtains sensitive information copied to the device clipboard

Checks CPU information

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about running processes on the device

Acquires the wake lock

Schedules tasks to execute at a specified time

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Declares services with permission to bind to the system

Legitimate hosting services abused for malware hosting/C2

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-23 12:33

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-23 12:33
Reported: 2024-05-23 13:07
Platform: android-x86-arm-20240514-en
Max time kernel: 179s
Max time network: 149s

Command Line

com.gi.vpn

Signatures

Checks if the Android device is rooted.

Tags: evasion

Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Checks CPU information

Tags: evasion, discovery

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion, discovery

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries information about running processes on the device

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Schedules tasks to execute at a specified time

Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks the presence of a debugger

Tags: evasion

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.gi.vpn

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-23 12:33
Reported: 2024-05-23 12:59
Platform: android-33-x64-arm64-20240514-en
Max time kernel: 179s
Max time network: 128s

Command Line

com.gi.vpn

Signatures

Checks if the Android device is rooted.

Tags: evasion

Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Checks CPU information

Tags: evasion, discovery

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion, discovery

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Schedules tasks to execute at a specified time

Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks the presence of a debugger

Tags: evasion

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.gi.vpn

Network

US 1.1.1.1:53 vm1391382.stark-industries.solutions udp
US 1.1.1.1:53 71.15.131.94.in-addr.arpa udp
US 1.1.1.1:53 238.116.126.185.in-addr.arpa udp
BG 77.91.100.16:80 77.91.100.16 tcp
US 1.1.1.1:53 vm2005027.stark-industries.solutions udp
DE 217.160.144.231:80 217.160.144.231 tcp
RU 45.14.245.230:80 45.14.245.230 tcp
US 1.1.1.1:53 238.39.182.5.in-addr.arpa udp
DE 212.227.208.158:80 212.227.208.158 tcp
US 1.1.1.1:53 212.126.82.185.in-addr.arpa udp
US 1.1.1.1:53 6.231.153.45.in-addr.arpa udp
US 1.1.1.1:53 vm1375203.stark-industries.solutions udp
US 1.1.1.1:53 vm1328948.stark-industries.solutions udp
US 1.1.1.1:53 93.212.142.45.in-addr.arpa udp
ZA 160.119.254.147:80 160.119.254.147 tcp
EE 94.131.15.71:80 94.131.15.71 tcp
PT 5.182.39.238:80 5.182.39.238 tcp
CH 185.126.116.238:80 185.126.116.238 tcp
US 1.1.1.1:53 vm2170685.stark-industries.solutions udp
MD 45.142.212.93:80 45.142.212.93 tcp
US 1.1.1.1:53 65.53.38.54.in-addr.arpa udp
US 1.1.1.1:53 45.32.215.85.in-addr.arpa udp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
US 1.1.1.1:53 188.36.182.5.in-addr.arpa udp
US 1.1.1.1:53 vps-b8c93a20.vps.ovh.net udp
US 1.1.1.1:53 vm1232918.stark-industries.solutions udp
RU 45.153.231.6:80 45.153.231.6 tcp
PL 54.38.53.65:80 vps-b8c93a20.vps.ovh.net tcp
US 1.1.1.1:53 vm1499471.stark-industries.solutions udp
US 1.1.1.1:53 ip85-215-32-45.pbiaas.com udp
US 1.1.1.1:53 37.93.233.194.in-addr.arpa udp
US 1.1.1.1:53 104.84.222.51.in-addr.arpa udp
CH 5.182.36.188:80 5.182.36.188 tcp
GB 142.250.187.195:443 tcp
DE 85.215.32.45:80 ip85-215-32-45.pbiaas.com tcp
US 1.1.1.1:53 29.90.233.194.in-addr.arpa udp
US 1.1.1.1:53 vps-a069bbd5.vps.ovh.ca udp
SE 185.82.126.212:80 185.82.126.212 tcp
US 172.64.41.3:443 udp
US 34.104.35.123:80 tcp
CA 51.222.84.104:80 vps-a069bbd5.vps.ovh.ca tcp
US 1.1.1.1:53 vmi855469.contaboserver.net udp
US 1.1.1.1:53 vmi753586.contaboserver.net udp
SG 194.233.93.37:80 vmi855469.contaboserver.net tcp
SG 194.233.90.29:80 vmi753586.contaboserver.net tcp
GB 142.250.187.195:443 udp
CA 51.79.74.172:80 vps-b73a79d7.vps.ovh.ca tcp
CA 54.39.98.220:80 vps-718deb0c.vps.ovh.ca tcp
NL 185.33.24.16:80 185.33.24.16 tcp
GB 142.250.187.228:443 udp
GB 142.250.187.228:443 tcp
GB 142.250.179.228:443 udp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 firebaselogging-pa.googleapis.com udp
GB 172.217.169.74:443 firebaselogging-pa.googleapis.com tcp
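The rows above are one connection per line in the form "country ip:port [name] proto", with the name column empty for some TLS connections. Reading them by hand hides a pattern worth checking: the sample issues reverse (PTR) lookups for many addresses and then opens plain HTTP to the same addresses, spread across VPS providers in many countries. The script below is an added example, not part of this report or the sandbox's tooling; it parses a constructed subset of the rows in exactly that format, separates DNS lookups from direct connections, and correlates PTR names with the IPs later contacted. The provider-suffix list used for grouping is an assumption for illustration, not a classification made by the report.

```python
"""Summarise a sandbox 'Network' table (added example, not the report's code).

Row format assumed: "<cc> <ip>:<port> [<name>] <proto>", name optional.
"""
from collections import Counter
import re

# Constructed sample: a subset of the report's own rows, copied verbatim.
ROWS = """\
US 1.1.1.1:53 165.206.231.185.in-addr.arpa udp
GB 172.217.169.78:443 tcp
US 1.1.1.1:53 vmi1120820.contaboserver.net udp
GB 77.68.75.200:80 77.68.75.200 tcp
AU 154.26.154.15:80 vmi1120820.contaboserver.net tcp
US 1.1.1.1:53 vm1533080.stark-industries.solutions udp
SE 95.164.33.104:80 95.164.33.104 tcp
FI 185.231.206.165:80 185.231.206.165 tcp
GB 142.250.178.2:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 vps-718deb0c.vps.ovh.ca udp
CA 54.39.98.220:80 vps-718deb0c.vps.ovh.ca tcp
US 1.1.1.1:53 firebaselogging-pa.googleapis.com udp
GB 172.217.169.74:443 firebaselogging-pa.googleapis.com tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<name>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Assumed grouping of hosting providers seen in the report; not from the report.
HOSTING_SUFFIXES = ("contaboserver.net", "stark-industries.solutions",
                    "ovh.ca", "ovh.net")


def parse_rows(text):
    """Parse report rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def ptr_to_ip(name):
    """Turn '165.206.231.185.in-addr.arpa' back into '185.231.206.165'."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def summarize(rows):
    """Split DNS lookups from direct connections and bucket what was looked up."""
    dns = [r for r in rows if r["port"] == 53 and r["proto"] == "udp"]
    conns = [r for r in rows if r["port"] != 53]
    ptr_ips = {ptr_to_ip(r["name"]) for r in dns
               if r["name"] and r["name"].endswith(".in-addr.arpa")}
    hosting = Counter()
    for r in dns:
        for suffix in HOSTING_SUFFIXES:
            if r["name"] and r["name"].endswith(suffix):
                hosting[suffix] += 1
    connected_ips = {r["ip"] for r in conns}
    return {
        "dns_lookups": len(dns),
        "ptr_lookups": len(ptr_ips),
        # IPs that were reverse-resolved and then contacted directly.
        "ptr_then_connected": sorted(ptr_ips & connected_ips),
        "hosting_lookups": dict(hosting),
        "http_endpoints": sorted(f'{r["ip"]}:{r["port"]}' for r in conns
                                 if r["port"] == 80),
        "tls_endpoints": sorted({r["ip"] for r in conns if r["port"] == 443}),
        "countries": dict(Counter(r["cc"] for r in conns)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(ROWS)).items():
        print(f"{key}: {value}")
```

On the full table the same code shows the bulk of port-80 traffic going to IPs whose only "name" is the IP itself, with the hosting-provider hostnames appearing only through the sample's own lookups; that is the shape the "Legitimate hosting services abused for malware hosting/C2" signature reacts to, and the PTR-then-connect list is the quickest way to pull a blocklist candidate set out of the report.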

Files

/data/data/com.gi.vpn/databases/com.google.android.datatransport.events-journal

MD5 4d625df6e32bd2008773cbabe63d7a49
SHA1 29d57f2af09c96f3233f704750c4c2406764a4d5
SHA256 d53035a7f04561c8d72f78c6d477813691ed999680e7867b1581cb39642afebe
SHA512 61fddd0c35e02db765e9bd75a7644ba7d2ea22dccf3a0f06fb715bb1605714f86d38fa39f0c044409603cea445b16c75160720db095a1deb3f123c951fa2df7b

/data/data/com.gi.vpn/databases/com.google.android.datatransport.events

MD5 4c0e867f6b155cafc823b152766d9e55
SHA1 e8ba8d208ce2746a2fc357f434a945a70ae9d58d
SHA256 beac6a83ffa3eec1560c51cddb8d6cb21a87dbcfff358a39fa18f6e41512cbc2
SHA512 10384ade8ce0505147d8447f6b190b4d09fd4c3b63855b91bbbf4221f57e21a09207d307f203f55431d6d02a7cb0bba354afe29c41ad4d70a98c5aa8d26012c7

/data/data/com.gi.vpn/databases/com.google.android.datatransport.events-journal

MD5 63339cb8a11209ee9d5c0306afddfd16
SHA1 e61b30ae1831bb6f1e5fe5f076b89923db1e4913
SHA256 a4dd5863b0b4dd8f98870854d9d8623ae3af014ca22845f5b36e6dde0f5d536f
SHA512 ee7494e2d0394573c98c9f16bee00ef6eb128ae94c38acd4761160d0aaaa47fd48a8a4a9bd0944e4319a3cc333657b8c33d067e2ec978f4341ce5d29811aff6a

/data/data/com.gi.vpn/files/PersistedInstallation8744840027129149006tmp

MD5 bee30a0fb41be906da84e437eb7406ef
SHA1 c6154802a9312a0feb4a0e3318225c8d2928ec00
SHA256 1a739a941d9a462115a86276859506951cf43910727561a796423454365d665c
SHA512 0d71fe32fcf41e4b0e5976d0ff73366c3ef29883105b7b50e69bd9432b6615bc8383b8d98328ff112c06a5e515e527da9ab9a6e05da6b7f64689af330b46a416

/data/data/com.gi.vpn/databases/com.google.android.datatransport.events-journal

MD5 830b8f6906245a9068910aaf782a4758
SHA1 e755f20a8120d4d75878db68e4eaee8e75b67571
SHA256 6bd0b891fc7bd2e545c539144d340a23a85b9189cbc1f5af987c3cf85a87a993
SHA512 c81418b30b42d343611383a46b24a71165edf498c6f489eda71ecf8b059cbba72cd2bb2909ed963d378971e788f3e7a51e111f1e77d40ae27612e3d2f5cc1a4b

/data/data/com.gi.vpn/no_backup/androidx.work.workdb-journal

MD5 4db7d39a1056cb8caac6d832d3d3ddc9
SHA1 de5eb30475f080ab59bdedce78eaccfbff2ea6e9
SHA256 98e774fc32074ed9ffa949dd6e4a997e3609617691679fe3e3af7121cec3362c
SHA512 614d71388c3f49ead0e18f95d81823c9d6c1141ee72b7d70da3b4a6f414b02bd66bd0b252e22b43ba2e7b1ef92674535a530ba29c17e187fd7e3b6b624262626

/data/data/com.gi.vpn/no_backup/androidx.work.workdb

MD5 0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1 fee434f784e73cc7916322e949f727caf8363102
SHA256 b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512 b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

/data/data/com.gi.vpn/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.gi.vpn/no_backup/androidx.work.workdb-wal

MD5 4081b86612ad43ae10def2dda2e5ec0f
SHA1 0800febb74db6b5a058ec5c65806ebaadb58551a
SHA256 5ba9cba8018d48aa9903875300a133bffcc7fd8fb94e324e8b5fa2185b6d3e46
SHA512 e44321522492cf2fbeb11430cc1087bfe7a15b01461af83d734f0f6cfe7b2c3f821d3764735b9ede6575132809c1e523a9654c7ee3b42b2291a6c7fdb368488b

/data/data/com.gi.vpn/files/.com.google.firebase.crashlytics.files.v2:com.gi.vpn/open-sessions/664F3CF200DF000110FBF30A7E723859/report

MD5 05b0498b0217c29dbed9d4ed8f85e4d3
SHA1 27c36be9b64fac8f5316e93c0631b1d8333d7552
SHA256 a82c3e0a3842672225842789e0fc7e6b4b5a7b4ed7f71a30359502fa32617fa2
SHA512 041fb2bea24c1d9cb2f74435da6cdf283b1433384c21742504c7dd5b549e53ab4f03c315fd296e2037e746e636d869485710410e15131814a797875ec9504a14

/data/data/com.gi.vpn/files/.com.google.firebase.crashlytics.files.v2:com.gi.vpn/com.crashlytics.settings.json

MD5 e3234999e9657b8804ef7f17f264ee13
SHA1 fce6ac838602d6e3e2cb30fee9e2a57a50d8fd36
SHA256 8137fd588b9f2035304ee859e8d57f19bfa5497d25e0cbfdc6e5c29015bd26b6
SHA512 08ea88a3af0eb266937a0ca7798b6b065ea17e7951c0973f493a7b2f41534014e7bafe6a532645377a51befc3e2297eb97a9d063e30da39c724a3e100c9cdb0c

/data/data/com.gi.vpn/files/datastore/firebase_session_settings.preferences_pb.tmp

MD5 35b51faac8b5af3886e70bb5a885dab1
SHA1 e6cb282da46cd4bf113e25c8573268578dcd11b6
SHA256 af5b3362ec35985974c6b73eeba53e5063861f2491252d61d8cd42168aa5ed6b
SHA512 6ad5e9766cc03a4436e1440b9e47c44da6c6440a3c94b1cc988f8c5680043cde6f7b7e02b2b4c71b25df4209c39ed099fb65fdde02a9f09464609a1abe6af8fa

/data/data/com.gi.vpn/files/datastore/firebase_session_settings.preferences_pb.tmp

MD5 944e6a5a08cb971370c65c06061f0ab4
SHA1 84d47725cc29bf167b782c702575bce4bf2ecc5b
SHA256 ba8f4af0e35f93cc15649f4c51969f5279421fc12deeafaddec5e5c48aa58dab
SHA512 bdc404233927a6a99160492d0b3e2cf00776d51b33612b8c9ecba395747b3572cf1790269fb199915aafe84c546d30e3259833c9d00af8c412823396882ca783

/data/data/com.gi.vpn/files/datastore/firebase_session_settings.preferences_pb.tmp

MD5 ffcbf87665a36fc21782400bd0537e79
SHA1 3dbfbdbfdcde953317b089f9a9fa0bbe50c698ee
SHA256 a21d3bf2cca0951e9e7b3fed43cafe9f89a4cf9d844c82279b260852d0ee473d
SHA512 7f98ac150c422eb4f1126d86501d0435817ceaa7eb5549e4d21a295d57be3d3fed4388cda782c084130c4ac8d57a4f225139a2e42e8a12b34cc1679140d16b57

/data/data/com.gi.vpn/files/datastore/firebase_session_settings.preferences_pb.tmp

MD5 dcf7d6c1cfd5e7b56074e3001577c78b
SHA1 b8eba89aee9f6688ecda6675ef8ff4998da0b141
SHA256 ba0830617929c78abca9391c2059f89c78049911f502ef5525d39341e4da2b91
SHA512 42d75be824d69de23d2e8605d60c3608db20ed5c059f5b67c63ca2845484c67150aea88a3aae36aae12a4ea266fb6b469d09f765bbcd444350d836ab83f7695d

/data/data/com.gi.vpn/files/datastore/firebase_session_settings.preferences_pb.tmp

MD5 f4ba1cb0d7cb13f4f24b79128d8aaa70
SHA1 81ec888322a1fcdc6288f706b5831bdc3f7bd4cd
SHA256 136dcffb61c1beda7e896c3a5ac3482c5fca76f33e5b65adb5175871d1a370d0
SHA512 bd739baf4b3e8b61f226dc1ef89ead60ef0ea58f8369af21dcd1a1cbe85f5a863d709debda6cd976ec3e37759f75b8e7480586bf01c4ff360ab5da676d6c3d77

/data/data/com.gi.vpn/no_backup/androidx.work.workdb-wal

MD5 27d82d536c304643c737c8c361ac59e4
SHA1 eaadbd122a9023323a9c864fe3aed686011a5f12
SHA256 49ad84688674af83d2fae68b8f7bb879d837a4bd86f7c33efc5a45ad4f3bbff8
SHA512 3df70d59af3a0acc061d9218fbdc1e79c0a6977313941d2d23b50f1261528f4d8a4a98bd265fc0dae4bc7b901e820139f2785e29628c8f480da904817726630c

/data/data/com.gi.vpn/files/PersistedInstallation4309835687892865015tmp

MD5 bf5128ca0346ddf735e02ce36afe4416
SHA1 e9ef0e322069f555c4e0d35be28147a1a962f9ba
SHA256 4fea561178393e1642f720c01df94e54ee7ac0de85da4bd90e7c8f60c75512fa
SHA512 367718d2392b6d0e842d9f583e3b5fefcf3061df3183df0d125d842e78e70801f66391fa9248f44b11fb2c98761332357b22a095f0f8d1c2d977c869d0375349

/data/data/com.gi.vpn/databases/google_app_measurement_local.db-journal

MD5 94a7ba268940aebfcdd29291f51c8ef8
SHA1 4fa8503ed58e853f3371edf3b98fc2147960a794
SHA256 27ca59b5cbfaf979bcb7e44c61aeb2e4e3e7aa02efe7cddc5f8da91a188ed754
SHA512 fc47fedb47b2d1f17d49bd78bf7d2ea2a49ff39fadc6ec19d97a12e9513bf1822c73028da711a8fa1481ec60d108fe2e7b4606f2d92b1fbf93d264b57b43fa53

/data/data/com.gi.vpn/databases/google_app_measurement_local.db

MD5 62ad4a05cbdca7f47b3206b7dbda487f
SHA1 4f4044cef7b7b1e5c6184ed9025267fc92bf0cd3
SHA256 18b909096c7c61d51ab076ae8e562effb0d4ada28e2a4ecd0e6b88ef58f6b2a6
SHA512 0936531ed1b2b356a247123200739a43cfc765469ab47a424dcd6e3d1176092a212b0a28591d07f8c2d0cc9d2e0eeddfcea8dde314c2f9343783c61075b071a6

/data/data/com.gi.vpn/databases/google_app_measurement_local.db-journal

MD5 4eaa6244a2f128b34267a84f1f1c45b3
SHA1 5f6549935c060ecc77f9b874ce5ee8695f92eeb0
SHA256 8692d71a697a7235fc496810258eef9c6125239d44cd7cee9831a18863d8726f
SHA512 f3c8ad72da8d2fcc96895cc24f820def812b5b2774228c2bf642fad2c46e428dc0bb1841d0f189398d2aae910d5df0ff25aaaa31466fc2d484a857ddf9911561

/data/data/com.gi.vpn/databases/google_app_measurement_local.db-journal

MD5 87f5ab6077d7cddb9a79ab697177ddeb
SHA1 038a469fd17225a09afd71785b48245d4e7d3655
SHA256 c2744f1af4cff35fdbfac6eeb251fa7913d996cd3113711418dde5c17ab8fb1f
SHA512 4fa3a63c2a0c156908a5ef7b7dfdc9fcc982451919752a06b2d3854a33bc425676f66c98526bba0be96bcaed273e29e01ab58874cef7976a5476d4bf0429b16e

/data/data/com.gi.vpn/databases/google_app_measurement_local.db-journal

MD5 36e9a42216fd843f9be14a003ad8f077
SHA1 1a5416077d2ff60fed88adb5a5a0147ed6021bfc
SHA256 db9c76be98a2d039c97899d80ca94f62930dc7012e73b8f2cb552dd8eb2007b0
SHA512 cb083400554b5287f7ef288f8ce7034c5ee480f02cab1557c17f15a518b9d87a81adadfe6e867ed4e43b53d7e3ae6e7a26c059a33782df466308ffac145db387

/data/data/com.gi.vpn/databases/google_app_measurement_local.db-journal

MD5 b4344267e3c066b5a6a3a97f1788aec2
SHA1 de763ca495ea885f63d568387c5f13f2f390aa6b
SHA256 738158bf660660f540ddd293cb687775c01a8694d4444e28ae56e9002573dd75
SHA512 2af9ff0b803088d9b53605cd31736deecca5f409e6de67ceff8b97ef0be75f4b24345889f316280b39f2f477e75bdf93ff40d38e439ddbffe61a50f6d678a7da

/data/data/com.gi.vpn/databases/google_app_measurement_local.db-journal

MD5 ca6881f0d0544aead5b47da5f678db51
SHA1 d36ea84589829fccedec6a3e356e7944bdc13b56
SHA256 ce9b0e7165967a5e9c64e6f72d52934f14658e36daceae65c9d0a5d400016e25
SHA512 cf55184c28c9b484fdcaca02edd4dd687a705ecc25d38058f5ecfa99f24056d2cbbc3b25866bca8bac0a0ad14d1f2a6023bf7cb6eb02566151ada3d2753dae1d

/data/data/com.gi.vpn/databases/com.google.android.datatransport.events-journal

MD5 ca40293d4bc08c831ee7541a0642f940
SHA1 aef294a27b71c644370531fb9b7cb3ba0fd2988b
SHA256 8f4d5503526aa48f1c1ebc4b534b07a3d8ed0e536169593cc190e797437903c1
SHA512 cb8ac6fd23fd02892c53b83d09f54e61adbb80ddc38df58b258ef5076a1744f4cd9c889292e23f56b446e99accd4966d9a0edc084e9cb3ee84aa2577e1d95ea6

/data/data/com.gi.vpn/databases/google_app_measurement_local.db

MD5 f174f5a98e110cf6cfd25d7e628f027a
SHA1 ab84eec89dd8602c1a1fd2abd231e2d4c97b782e
SHA256 c03193c3d1e351bb0ae08e6bf759772493671b71b124748d28321aeb1708e153
SHA512 3286bffad60e65cbbdc6d620e8366ea2424d750fde19595c9b51f6b891a1034f693dcfb4b75f0fa7f3d137b1fec2f570f6aa7fb7b420c5930c7dd1e659aa19da

/data/data/com.gi.vpn/files/AppEventsLogger.persistedevents

MD5 6443983e831ca1f8e2e2c0a009578eef
SHA1 9fc61ac7a07cd32dc3019192d5f1b07fe9e31b31
SHA256 c60992e811a73149a37838e4ad660d64fa67dd931050d0806014a80d748e7532
SHA512 1663dd15da0cdd2e6092b42fab759a86f894a2185554e7f0981ec1b872c6873a48bdacd7f8c69425bc7eec3b3220ac5915be8a0d92267ec56dcd32244e9c738c

/data/data/com.gi.vpn/databases/google_app_measurement_local.db

MD5 51b5775b1c9637249101778ab7c2977e
SHA1 d4830d223b4e557121eaf798c91eb26c854ffab6
SHA256 96bdab38c0a318146ac57fd9697ab9a45f3d975c143d3ad4130201cbde1c0e0e
SHA512 7f6a9157aa50034c29d17e011049f83ecfa72db898137426e16129098c1c6a924158626fd265f61d19c00478801f30b307133007ad363751c7906f0acf353a12

/data/data/com.gi.vpn/files/.com.google.firebase.crashlytics.files.v2:com.gi.vpn/open-sessions/664F3CF200DF000110FBF30A7E723859/userlog.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/com.gi.vpn/files/.com.google.firebase.crashlytics.files.v2:com.gi.vpn/open-sessions/664F3CF200DF000110FBF30A7E723859/userlog

MD5 67b19f05d41cd8518c5f4ab976d57570
SHA1 cd0a2a0e2f36ac07637661d9ae0cd18b523c0abc
SHA256 fae314afc9cad1853d3cb895d8224a158113470f569cef299d7115b15d6d015c
SHA512 1af491d970e41bc535a7f6bd411bee8e5a049044e22e1118ae07b55295d75b81c64f7cc8e4eec8e58823bd647957b58a5927ada3fe44785d054b057a73fff65f

/data/data/com.gi.vpn/databases/google_app_measurement_local.db

MD5 7f8618d4f722548bf5926372d884e5c9
SHA1 57a63b3cf636bdc2a9e7d0bc4b33c5870d4e3a1d
SHA256 c95d17f9065b293dab842e4bdaf70846ec84c96073df673ae56c527eae4b5093
SHA512 ac8a75145f972bc87998028a39424db05e9c872262fdd45bd293648bf5f8bf0099015c126b3691e067d5e5380801f87cfa4c664e7de141df7b4b954c46a9957e

/data/data/com.gi.vpn/databases/google_app_measurement_local.db

MD5 0a499ba7028e72617c6f9993356f60eb
SHA1 8b17de76d14a5b34fad84b31af3224d06d32bb5d
SHA256 091c2e49302459fb0f94183a89c391f8b6554817da26631b14d00b67a54e10f8
SHA512 09bdde81c138f418d36efc4441c709597ed867332b093871a32e9b2943ddc82147d8866dcb4446426d2fd925342c2f5a3d36371c64d662dd2a04f317f58fcff5

/data/data/com.gi.vpn/databases/google_app_measurement_local.db

MD5 7848f63d5c39f43e754fb5b91cc94ba5
SHA1 e08f2b51180348247e9e16f79eb5570635ed305c
SHA256 007678b3a687602169791a4bcb6d18d162a9a8efa6f8a90652838e6c68c3d025
SHA512 5e7f57361600aeb43594f5afe4f24b59990797d7e554d671ddc72cd3d484f45a8dc167846d8d73ae2edc910927f5db974dbbbaae9da7747084380c84c87c451e

/data/data/com.gi.vpn/cache/volley/-6860137-1423777433

MD5 89a08c499bd0767188378b2a39fd0847
SHA1 f849e34b9c5c275310f856d36da428f4dc27d16a
SHA256 faf94b551e6e12c75d92090bbebfaea39cc334a8ded923376bdd7d58d5bddc8d
SHA512 96607214ba6db9c3040bf304ab52e6dfe21b7f72e9f44d3db04d60ab7e2e169fcc0532818fdbdb2a95186e1721a36f68947ae8bc70fefef3c463f26dda513808

/data/data/com.gi.vpn/cache/volley/-6860137-788939276

MD5 7f66440a0797144d709651ad913493b4
SHA1 e123b072d781d112d7e015b6ccfbd3faf0bcdd87
SHA256 b0d7ebabbd7f30a9ab1b236ae06340cc971c5d09e613d1320b3a3928a21f21bd
SHA512 d4390d885454615be817adc27c54b3596273e6ce984a229ccb59d04702fbfcf73ce11311b8bf3cdfb4966190448d03f79773b908e6bc591b78e421d2d77ddf9b

/data/data/com.gi.vpn/files/AppEventsLogger.persistedevents

MD5 e5a55e22369b47b3a6dfd4ce884fd3f0
SHA1 8fdc5616ce982b4708b5ce4adbb709c5a823471d
SHA256 d3fc2e520e9158e5fc7902c26899fc91f90bac09019595a169bcd9f440555398
SHA512 cc87975f81e8c28075087b31a9585cf4981fcdfdca12bcd59c0e52bc41a71ef47eb26d8adb298e8bbb59e7d5f64d2371df483d7a4d0faab420e1b38c63e0f828

/data/data/com.gi.vpn/databases/com.google.android.datatransport.events-journal

MD5 01a915feb4caa8209f7b721f6fa4b788
SHA1 4eda8e6cfe1fc71760208c4e47f3dc870ad86e54
SHA256 7e88da8639974f640a0ecd34402f0a2e1b3b4b0104827bb4113bc757dc74c12e
SHA512 8e50eac7f97b183336e645410d20ddc91a742cd68d438a3f6d8fedca3cfb3fb31b10a91225d3ff55d498d2b89f846dc69fe7430d03793fb23ba3e9d8d6839266

/data/data/com.gi.vpn/databases/com.google.android.datatransport.events-journal

MD5 c3f15c070004100bf54de118f2c11c70
SHA1 301eb4b34c96f1c651b27926358ca2d21ac2631c
SHA256 67a4ba4012f5f162a0798d1f981f0d4cad4088519e235aa42c737914fb33ca65
SHA512 79d7b52da7fefb1711575e785b4417521326fec4309523073d14d83e2ec57728a32a981346cdf5262311ee1742b090799cc5a2ee140008c17d3d0a41c3728778