Malware Analysis Report

2024-09-09 16:08

Sample ID 240526-f6labahd35
Target 747685f90d49d320c544fa1b50903d55_JaffaCakes118
SHA256 fe466224bac7b5c3c12c92716a365e98b60aa91c427e8ea6ff644223fc079648
Tags
banker collection credential_access discovery evasion execution impact persistence irata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe466224bac7b5c3c12c92716a365e98b60aa91c427e8ea6ff644223fc079648

Threat Level: Known bad

The file 747685f90d49d320c544fa1b50903d55_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

banker collection credential_access discovery evasion execution impact persistence irata

Irata payload

Irata family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current nearby Wi-Fi networks

Checks memory information

Checks CPU information

Queries the mobile country code (MCC)

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests cell location

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Schedules tasks to execute at a specified time

Requests dangerous framework permissions

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-26 05:29

Signatures

Irata family

irata

Irata payload

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 05:29

Reported

2024-05-26 05:32

Platform

android-x64-20240514-en

Max time kernel

50s

Max time network

174s

Command Line

roman.eshghe.ghadim

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests cell location

collection discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

roman.eshghe.ghadim

Network

Files

/data/data/roman.eshghe.ghadim/files/unsent_requests

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/data/roman.eshghe.ghadim/files/db.db

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-26 05:29

Reported

2024-05-26 05:32

Platform

android-x64-arm64-20240514-en

Max time kernel

145s

Max time network

187s

Command Line

roman.eshghe.ghadim

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Requests cell location

collection discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

roman.eshghe.ghadim

Network

Files

/data/user/0/roman.eshghe.ghadim/files/unsent_requests

/data/user/0/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/user/0/roman.eshghe.ghadim/databases/evernote_jobs.db

/data/user/0/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/user/0/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/user/0/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/user/0/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/user/0/roman.eshghe.ghadim/databases/__pushe_base_lib_db

/data/user/0/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/user/0/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/user/0/roman.eshghe.ghadim/files/db.db

/data/user/0/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/user/0/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/user/0/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/user/0/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/user/0/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 05:29

Reported

2024-05-26 05:32

Platform

android-x86-arm-20240514-en

Max time kernel

28s

Max time network

173s

Command Line

roman.eshghe.ghadim

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

roman.eshghe.ghadim

Network

Files

/data/data/roman.eshghe.ghadim/files/unsent_requests

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-journal

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-shm

/data/data/roman.eshghe.ghadim/databases/evernote_jobs.db-wal

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db-journal

/data/data/roman.eshghe.ghadim/databases/__pushe_base_lib_db-wal

/data/data/roman.eshghe.ghadim/files/db.db
