Analysis Overview
SHA256
e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8
Threat Level: Shows suspicious behavior
The file e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Obtains sensitive information copied to the device clipboard
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-12 02:27
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 02:27
Reported
2024-06-12 02:30
Platform
android-x86-arm-20240611.1-en
Max time kernel
19s
Max time network
139s
Command Line
Signatures
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
Files
/data/data/pl.spyone.agent2/databases/database.db-journal
| MD5 | 248578d442495b36486bbc4e5ea99e4b |
| SHA1 | fa8508f657d4351caf3b8899c3ea20b2c51cc7a3 |
| SHA256 | ee5f1b41ded06c74751454730f5a0914cab14f5c28eb4e1da9e35abe40ade8da |
| SHA512 | 3f6477ed2fcfc63e6256d37ab4f42f17b4a881895d5bfbd314a42ff600fd11c5ab0d731b33fb394e5ac0bcb1c1273dbb0893a570f1c007565a62ab8480d9183a |
/data/data/pl.spyone.agent2/databases/database.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/pl.spyone.agent2/databases/database.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/pl.spyone.agent2/databases/database.db-wal
| MD5 | 775fc463dcd0db5af1cbcfaa6ce8952f |
| SHA1 | bdb9698c0da7940f5d356849fc8b456bf267abe4 |
| SHA256 | 4c319ee7337deb2e179f59ac8c2a6cca79c6ebd40508d306cfa78c093b63d299 |
| SHA512 | ba3427795078dc8836c2abb9aa043a18cbc96ed4357a1225283d523ed673f9cdbce8efa123efab37d3be64a38231798eee187bf3a9e9b80390fb4bf42589050b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 02:27
Reported
2024-06-12 02:30
Platform
android-x64-20240611.1-en
Max time kernel
3s
Max time network
186s
Command Line
Signatures
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.179.234:443 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.204.78:443 | tcp | |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 172.217.169.66:443 | tcp |
Files
/data/data/pl.spyone.agent2/databases/database.db-journal
| MD5 | 7d75cb7c2b7155bdd417cd8b0da4de87 |
| SHA1 | 629e772bff0a2fa84d2c180cb3f3cb2453e23ab4 |
| SHA256 | f89b20b80901c89248b57fe75e9f91d3d173140595df20a9f6cdd4014f115509 |
| SHA512 | 5cacf6b2f96799106284a195e5bca1520afc5da9ce3835e00ad824385f5781f69dfdcceabd073488932f2e70396d956c90d9bb52e42bf3ce8004057ef69a1552 |
/data/data/pl.spyone.agent2/databases/database.db
| MD5 | dd46d6cae176055d8617ceb3d40f1d96 |
| SHA1 | b7a971b5f755f7fd5f9041bb1a0ffb1a74d9dd57 |
| SHA256 | c4d2fc19a3c54c2d2cadde804546ce6f62f960865b829ea240026e1ea2706e96 |
| SHA512 | 54d353f7e746aa3935848cc2f694cd6cfbd1c59b6f56e276b76fad0f0a4c8ea09cd4835be8a8ccd615a7714d3e212a091d93a2b3b835f4ea767c8ba5950a5516 |
/data/data/pl.spyone.agent2/databases/database.db-journal
| MD5 | 2e794ee3001794869942510baffdb647 |
| SHA1 | feb3ae6d6044ae47f82f92e90b943e813ea25822 |
| SHA256 | ce7877d8a14c1e287308b2719ecf57f50799eb8b6a6755afd8cc9fe1f2eed798 |
| SHA512 | 60eb604784bb65fd0851924bbdc55f0da1739b2229d8fbd1cf5475f56a5e9f903ea5f1f05e33029a22ff9df6c05a363c74e1bc08974beb67e399f2e99adbd11e |
/data/data/pl.spyone.agent2/databases/database.db-journal
| MD5 | cc30d4ad77a2f36c770aced992308139 |
| SHA1 | 1c8cdf34ee0ff07ea9c6ccdfca34e189ccd46a0a |
| SHA256 | 4a97e3758831318937fabbeec42b2e11b1e925a12b954a05b54f9c905c1c20ca |
| SHA512 | 874530430554b372a2b7a640ee9f6478198d1663a63b1c461e0aca39bb4adf049e1e6a0081555b77c5ff7e5e0fe0477695e63d60324c5e6060c4fdc3ee0e8072 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 02:27
Reported
2024-06-12 02:30
Platform
android-x64-arm64-20240611.1-en
Max time kernel
26s
Max time network
132s
Command Line
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
pl.spyone.agent2
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.206:443 | tcp | |
| GB | 142.250.187.206:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.212.196:443 | tcp | |
| GB | 216.58.212.196:443 | tcp |
Files
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| MD5 | cab078894fe97e9d04e910b1e39c8c04 |
| SHA1 | b28c73104065dbb6d76e97d0cdaafb8dacd10761 |
| SHA256 | dd769aae4399850615476dcf3d4bf2161725f905c7503613ed7da8dd0fdfbbbe |
| SHA512 | 6a86c1f54ba6afd319a4c6ecaf325028f456f9b2d71616a8525bc07d7fad1f420201778a76449e1b75e24279da718bb82906c482486a616e23fc906489c67b85 |
/data/user/0/pl.spyone.agent2/databases/database.db
| MD5 | 0379f2b646309bcd59a19760005dd257 |
| SHA1 | 9185b00c3401321841b1c7edd10624a13c2dd47f |
| SHA256 | 62c0d663334435c7b56f7ef5ee45ef1e1476f9ef39ea6667dd48962eadb0216f |
| SHA512 | 387a118af4cd9315a8e5323b7a2b78e5214b0556448cdf6a68335ecda5615dfd0c1ca0313d8b355e8489980635319d90f2b7b25889b1e556c11b7657bc184fe8 |
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| MD5 | b41b9ff4da88dc558ddf80393ea608a8 |
| SHA1 | 00a820d508803b49dab87663b45872de511361c0 |
| SHA256 | 9cc57a8ca43e6804dd71bb20db83cbdc4a4bd822e9c2e5a56e5d0f114b4ef84a |
| SHA512 | b61f53a8a45062142427a7c04fbcd49acad0da60767d636afd5336c4b78ecb0a34daf84214a89f4811cbe499bc9704d70fc38123caa09888e76f0228fcf4942c |
/data/user/0/pl.spyone.agent2/databases/database.db-journal
| MD5 | c3312553c9cea5ffe067e234279a4b21 |
| SHA1 | 01387c58e71e9880df771a13cd2d7cb6f6c0367f |
| SHA256 | b8d282a16b853d72ba6f942f785d7d68a6cc4bcf82cc18862e4269af865dc57a |
| SHA512 | ef9d95f1e43a7b4cee75e33a24b509a29d82ac34284bec17916eb32790c9975e4b2bf744659032c225815382d9576f18fd07d57d39bd0559e7959ab088fd8f1b |