Malware Analysis Report

2024-09-09 16:08

Sample ID 240527-lva8vsff2v
Target 78bd894d527bf6e5e36b87f4436155f5_JaffaCakes118
SHA256 0813f423639b63645104b7c85f20a245d83dd3c61badee2de231da66fe9b4d70
Tags
irata banker discovery evasion execution persistence collection credential_access impact
score
10/10

Analysis Overview

score
10/10

SHA256

0813f423639b63645104b7c85f20a245d83dd3c61badee2de231da66fe9b4d70

Threat Level: Known bad

The file 78bd894d527bf6e5e36b87f4436155f5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

irata banker discovery evasion execution persistence collection credential_access impact

Irata family

Irata payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Queries information about the current nearby Wi-Fi networks

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Schedules tasks to execute at a specified time

Checks if the internet connection is available

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator

Requests cell location

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-27 09:50

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 09:50

Reported

2024-05-27 09:53

Platform

android-x86-arm-20240514-en

Max time kernel

28s

Max time network

156s

Command Line

khone.deservashirini

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

khone.deservashirini

Network


Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 09:50

Reported

2024-05-27 09:53

Platform

android-x64-20240514-en

Max time kernel

50s

Max time network

184s

Command Line

khone.deservashirini

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Requests cell location

collection discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

khone.deservashirini

Network


Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 09:50

Reported

2024-05-27 09:53

Platform

android-x64-arm64-20240514-en

Max time kernel

40s

Max time network

186s

Command Line

khone.deservashirini

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Requests cell location

collection discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

khone.deservashirini

Network


Files