Analysis Overview
SHA256
e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8
Threat Level: Shows suspicious behavior
The file e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Obtains sensitive information copied to the device clipboard
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-09 02:12
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 02:12
Reported
2024-06-09 02:15
Platform
android-x86-arm-20240603-en
Max time kernel
18s
Max time network
131s
Command Line
Signatures
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/data/data/pl.spyone.agent2/databases/database.db-journal
| Hash | Value |
|---|---|
| MD5 | 05da30ed43299811ea196b73bbb1ad96 |
| SHA1 | d406c049ef2703521ecc384f828ac09813132bec |
| SHA256 | 59dc74ef2d215da26e000d92d6a7212f035a3ed32689d07886eea3c19c139d47 |
| SHA512 | 962bfa6ef56e54516d33e7acd65d2af0ec0d5b38af8f251c6d36ed48842ef4f7de6ac923bdc8ece69d579f285335f66ff14410713bc911166f37d9951380ed37 |
/data/data/pl.spyone.agent2/databases/database.db
| Hash | Value |
|---|---|
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/pl.spyone.agent2/databases/database.db-shm
| Hash | Value |
|---|---|
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/pl.spyone.agent2/databases/database.db-wal
| Hash | Value |
|---|---|
| MD5 | 913832b838dbc1c76b9d2cad94ab7a83 |
| SHA1 | cedfd671490d69af7c46a483b7434dd97e8530ff |
| SHA256 | 39b4d515f38e69ffdeefd4795ee53046af48e8ac06fd4709e367f5c2119b12bb |
| SHA512 | 26ea3a0407533b93d3d9054b7aa7ed5c7078de4777e68d7fdd372a4cd31869b30244a67724d53ae22205818348b94c7bbd79edc26ec349ef85269ec1736fd3aa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 02:12
Reported
2024-06-09 02:15
Platform
android-x64-20240603-en
Max time kernel
20s
Max time network
131s
Command Line
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
| GB | 172.217.169.14:443 | | tcp |
| GB | 142.250.179.238:443 | | tcp |
| GB | 142.250.200.34:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
Files
/data/data/pl.spyone.agent2/databases/database.db-journal
| Hash | Value |
|---|---|
| MD5 | 353f6fc2a3efe0258e72b092ca9acc08 |
| SHA1 | 0a10fdaecc7041076ee7d7877d4ba4462b3f7d89 |
| SHA256 | 9cd16e220348f2f1a0a8a38ce20fc6e7ff0edaa63545bebdfa462a96635b9427 |
| SHA512 | 54dc9e154ce7e522ccf8a3928c2d6be6cb19bce8fd38f2284d1abafa5022cb43e6bc95ee1d6053614472e8ca452db1864ce7156ef5f081f3a4ae8f18677444d2 |
/data/data/pl.spyone.agent2/databases/database.db
| Hash | Value |
|---|---|
| MD5 | dd46d6cae176055d8617ceb3d40f1d96 |
| SHA1 | b7a971b5f755f7fd5f9041bb1a0ffb1a74d9dd57 |
| SHA256 | c4d2fc19a3c54c2d2cadde804546ce6f62f960865b829ea240026e1ea2706e96 |
| SHA512 | 54d353f7e746aa3935848cc2f694cd6cfbd1c59b6f56e276b76fad0f0a4c8ea09cd4835be8a8ccd615a7714d3e212a091d93a2b3b835f4ea767c8ba5950a5516 |
/data/data/pl.spyone.agent2/databases/database.db-journal
| Hash | Value |
|---|---|
| MD5 | c95e63dc191a08ad828f6837e9bb852f |
| SHA1 | deba3a22bf9e173acef14aa64ff0f6f2da66c606 |
| SHA256 | 2746c73a239ff81348b28571ab1abe8d212e624960c99d374d5c529d71f46601 |
| SHA512 | 4fa3d0da016bb96b1f3696e711520de11c8289abfed1302b5a69bab3051e3f8bdc3c659077ea5eab7da6ff5247aee78fb258ce676894fb9a6e8fc5124730755b |
/data/data/pl.spyone.agent2/databases/database.db-journal
| Hash | Value |
|---|---|
| MD5 | 64a041fd0fdf9dee7c91936e74cdec6b |
| SHA1 | 96f232c8a6c10c86f5f53976b5b0e673aa4979ae |
| SHA256 | 3ab3996aa5519f8ec341d27969f580b7ae1f96863205e1c06140ce2a35c0434e |
| SHA512 | e35f565d47efc0eaedf393660229752bf0d5da14ff10f8b7764ee61d8f9dda7cee02ff19c686259447b1bc9d4553f2dbe788996a99b68ae39e2112b5557860a9 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-09 02:12
Reported
2024-06-09 02:15
Platform
android-x64-arm64-20240603-en
Max time kernel
20s
Max time network
132s
Command Line
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.42:443 | | tcp |
| GB | 142.250.200.42:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
Files
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| Hash | Value |
|---|---|
| MD5 | 40b54f23119c2638a1b8824641f60213 |
| SHA1 | a8f6c8711f651890eeadcf8389d2f0fa72100b27 |
| SHA256 | 2a82add04a8af901684005afc7c81621472241db5e49b5bfd11efb0c7c0a6050 |
| SHA512 | d8c9238f946253514ddc006d74955bf65cbc239880a5e547e79a79fc0187bad5eebfb16616527429ddfc96a2f82206fa98b9917b8a4002505c4431b213277adf |
/data/user/0/pl.spyone.agent2/databases/database.db
| Hash | Value |
|---|---|
| MD5 | 0379f2b646309bcd59a19760005dd257 |
| SHA1 | 9185b00c3401321841b1c7edd10624a13c2dd47f |
| SHA256 | 62c0d663334435c7b56f7ef5ee45ef1e1476f9ef39ea6667dd48962eadb0216f |
| SHA512 | 387a118af4cd9315a8e5323b7a2b78e5214b0556448cdf6a68335ecda5615dfd0c1ca0313d8b355e8489980635319d90f2b7b25889b1e556c11b7657bc184fe8 |
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| Hash | Value |
|---|---|
| MD5 | d8d7b0cc67fbb8262038acecb1b392d5 |
| SHA1 | 80385676594ca419f4aff5558e824d4b8fa950b3 |
| SHA256 | f54cbf2c1324bccef3b4be2056901f653e0d3c2a603bab16e9c2ca888978bd9b |
| SHA512 | e02b1203a11e5ae38619925f06fd9500d303850245d915995ac1005be7366337366d27b96651c3538ba56242826fd658cbdf85ee18a23d73afc6f27811802ca6 |
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| Hash | Value |
|---|---|
| MD5 | 25264201cc09405c9bf50052afa2a8e4 |
| SHA1 | 562b270e62c9ae7b3103393fb8e06bb09454b57d |
| SHA256 | 90bd33f5a3f386facf93813d0efc6b6f2952d76a37b78f7d4467556d072c8a9c |
| SHA512 | d218e45ebae966d74c726281bbc9e1ba92405862eca4c1ec518486dfb00d354691bc681c5b6072519d2360c64f8e179553985b89311fcb690f54aa8513660238 |