Malware Analysis Report

2024-09-09 13:35

Sample ID 240611-h1pfwsyhnr
Target 9d630872f0b900773b681dcc81f24efc_JaffaCakes118
SHA256 fe82930171c52fb55a28fd17f40489816268dfb082931e1a404e43689c703879
Tags
discovery evasion execution persistence stealth trojan collection credential_access impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

fe82930171c52fb55a28fd17f40489816268dfb082931e1a404e43689c703879

Threat Level: Likely malicious

The file 9d630872f0b900773b681dcc81f24efc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution persistence stealth trojan collection credential_access impact

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Acquires the wake lock

Queries the mobile country code (MCC)

Queries information about active data network

Reads information about phone network operator.

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 07:12

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 07:12

Reported

2024-06-11 07:15

Platform

android-x86-arm-20240603-en

Max time kernel

24s

Max time network

131s

Command Line

com.tocaboca.blocks.hack

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tocaboca.blocks.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 onesignal.com udp
US 104.17.111.223:443 onesignal.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 lp.androidapk.world udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.169.74:443 semanticlocation-pa.googleapis.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 07:12

Reported

2024-06-11 07:15

Platform

android-x64-20240603-en

Max time kernel

43s

Max time network

148s

Command Line

com.tocaboca.blocks.hack

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tocaboca.blocks.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.106:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 onesignal.com udp
US 104.16.160.145:443 onesignal.com tcp
GB 142.250.187.195:443 tcp
GB 172.217.169.14:443 tcp
GB 142.250.200.34:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 64.233.184.84:443 accounts.google.com tcp
GB 172.217.169.46:443 tcp

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 07:12

Reported

2024-06-11 07:15

Platform

android-x64-arm64-20240603-en

Max time kernel

43s

Max time network

162s

Command Line

com.tocaboca.blocks.hack

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A
N/A /system/bin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tocaboca.blocks.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 onesignal.com udp
US 104.17.111.223:443 onesignal.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 lp.androidapk.world udp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 onesignal.com udp
BE 74.125.206.84:443 accounts.google.com tcp
US 104.17.111.223:443 onesignal.com tcp
US 104.17.111.223:443 onesignal.com tcp
GB 172.217.16.226:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.187.195:443 update.googleapis.com tcp

Files
