Malware Analysis Report

2024-09-09 16:22

Sample ID 240612-rlbe6axhmb
Target a0f6c199b4919a55123d405290b6a7d9_JaffaCakes118
SHA256 cf5bad95a299fb3c3f29ef77cd33ac9b3da0fa0afbb8b13346d55f2f69506ca1
Tags
discovery evasion execution persistence stealth trojan collection credential_access impact
score
8/10

Analysis Overview

score
8/10

SHA256

cf5bad95a299fb3c3f29ef77cd33ac9b3da0fa0afbb8b13346d55f2f69506ca1

Threat Level: Likely malicious

The file a0f6c199b4919a55123d405290b6a7d9_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution persistence stealth trojan collection credential_access impact

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Queries information about active data network

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:16

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:16

Reported

2024-06-12 14:19

Platform

android-x86-arm-20240611.1-en

Max time kernel

29s

Max time network

169s

Command Line

com.abtnprojects.ambatana.hack

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.abtnprojects.ambatana.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 onesignal.com udp
US 104.16.160.145:443 onesignal.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 lp.androidapk.world udp

Files

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 9bb3f7db4f2c7a3f10863b5fe4ee8edf
SHA1 34ac47ab8c9d8677c4e7a7e51462ac2b7347b87a
SHA256 371305d13c44a52e23539fee9d3188339844686c03b06cb2e5c3f50b406affa9
SHA512 249c1bdf7c62ea494864eb45898f12db59ec7d7ca5051fea51c3f691df43aad785f7936f2a88f7c60d7b1c5e5e26ef65a8902b03d1d6dec7d36860b3f2a4c9f5

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-wal

MD5 45289281443bb05f4d9d7d94e1a187ea
SHA1 5814a727b4b082fe84f01dd999881529b3526306
SHA256 2c823f5004bde462f186abd4d01b3a9a92097609d5f3b10a392b6c181dd91153
SHA512 da02b42bddde4a5cb4f38ee5a929b28563b860feb0fae40d7b5ce78558f9d40e6007707afbab79c2ed3b1cf6db933b5e8bb691dd33ba4c9184320a6890d0f77c

/data/data/com.abtnprojects.ambatana.hack/no_backup/com.google.InstanceId.properties

MD5 fba513f4ff358b2a040e5138bee2f485
SHA1 ec95774c3df21805df8f4778ca93b32efd54b204
SHA256 9ce26bb83607abd62f89b476bda4efae2e3eeb94d34399df6fb6ffde214bf2a0
SHA512 4309a28bbf8e09913658ede53f0336b354f7328e94804bd5dbcab370effb8c95a9959a9ff591b688ce08d8c8b0d16a0ade912f092e5718217fcb3730e4b2c90f

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 18cee840a0f524225a820bbddce22087
SHA1 0b5975838eaa60f3dd63e39d02c5586e41a667e1
SHA256 fe441ed852636de0bfec2d41c5c24a05585ca5bbf15a3fcb80ebf09785a8790a
SHA512 8258eabc115de3d9091e206ed665e7c39dd2d0e4ced9ea0c4bd0b3462fa0d2770e4cfc92584a0deb75e676c3fab2d78552727fd393185762d69ae2efda390183

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 7237409e0640cfab7bdbd429bf821a3b
SHA1 4c3da934842f8d4835dfe2a9c275a300e5123309
SHA256 5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa
SHA512 c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-wal

MD5 8f55bd140c8f835fe6925f7fba17523d
SHA1 7d0fd3b91afd35ccfec6559a7f70ce25e00563b7
SHA256 5ef7eea022b0ba47d0426afd0b20527ea7a5737b465c4fe81e705994f00ac87f
SHA512 4ef259b116ccb7cf9e08f0ce1fa9b500048f6c591bd9ba2f088b22fd97f6a761204a53d0ed3bf6945e2299edbdd77979136d10e1460f37a63e1dfe02bd0cb879

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-wal

MD5 687c1d897f7e9d30e9a0fd711b81c5cc
SHA1 e0a77720a0772258555962b53c9fe216fe3b0d7c
SHA256 48ba47d330cd34b1ee63382668de4678f7d4b5b89d9eedb67aa37416c219a6f2
SHA512 0e40371b44ba52e16f28245b025c95139c339669e1eb1b05be381496c0e59623a2ea748c6e0486bb87b112a2ef6abd72e3b03bc4b8eb049480eee4e441204b1c

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 ab833a806f3cd164146953533f5716fa
SHA1 2a224e70be0a8c4e7f6355ce335f45f88d86377b
SHA256 f9da64fc6464ed176c80dd46d883260a8295838a9e76e5444526b50f92cb80ea
SHA512 060a297d76c5d59d92d7f49ba725c0a48ba72ed827a5152120ca54d41a25d5726df78b8b81f1bed6d3759dd3eff73b96fea02b24bfe134691be27b57a2f46f4d

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-wal

MD5 c3acab9d0c76899e3273a1d9abfd1cec
SHA1 adf7afce77321f2eddf9b2bbd920702c2ccc0278
SHA256 d4106cfb5ee2016023553ac8abab9d48094567a5df9d4f59cc22fed1632ca178
SHA512 498262be85510712ea46efc9897d1ed9f793c65ee673d1481364c24f9af44c6bb39ccbe3981ecf1f215938a5274b5068d1239f2f9d73a42130e93f99bdb27f7f

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 580b6f0a3c824397261c463f6f043bb4
SHA1 b13d579144a8cd041fd99d0c50aecdce1de7d9de
SHA256 b73eaf57a65973edf6cc4dca61c515526fd07e2adbc9c461cf2e7c2aac966441
SHA512 62886156f8af58b6614d5bfc011825e85817556884309f1ff1c65fbc586a723e3c71756879c006e208ae9254fa3310eef765d897bf15b5b3549eea2cbebb6ec4

/data/data/com.abtnprojects.ambatana.hack/databases/OneSignal.db-journal

MD5 c9602f3ca257eca12f8f8967b1903650
SHA1 379db0432ee396b025296f258aa249873390147b
SHA256 fc771f5e8a3dd933030af65bcd757af6d6a4760b1fd7cb4f1eda5e3d588c3ae4
SHA512 b689479fb052ad91530a38ee1eca57b1e273ba4966b8d620f97968941c72a5a07176a03d8cf96efc34fc0f4aeacb9f07c802108b262264bc512fc15495be6eb4

/data/data/com.abtnprojects.ambatana.hack/databases/OneSignal.db-wal

MD5 412f659e7b8fd6e9d35ad11abe0d5664
SHA1 ba4778f5e351fa76fa0715b6435c3a24b2fffda6
SHA256 1de8c0a1c72e8a2b7385760532eac29c825dfa64860c3a5078e067b047b415e5
SHA512 94eac9e6870933822ad7ca07b93b8eee319c24ca9265b722e8842f2650360e44864ecdd3341e3cb33eeee17a81cd71596f53c28cab83b9fd577c2b6c0bb66f56

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-wal

MD5 17e4347971a47060120383bece4849fe
SHA1 ea5df1a5dee9cc433c81699057a1f2712c04ae83
SHA256 cd8687eda4a3858efae30b2eda1a4d70d2520791aa9dd45ecf0447b4436ef13f
SHA512 a1b5668e22bc8d7d07bb3d450cbf0848a0a708bad08a9c5162dba145486f241fb09af53a09cb1b537060aa7e769e034bcd4a388817e48ac095c35d3e94331375

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 ac9876a1c840fe2bd60d420667c9557f
SHA1 4f2f1817bc0c5b722c8036c32fd4cf75d5706ea3
SHA256 63cf9063b0f02d9de6cce2f584dee090a8dca03cc41aeac620bf4bdf9000c66a
SHA512 4f6b297b5e47e64be494b6a55be07d46290f41b76bf9e47fd93889347d0062ad90accc7783e68d4e88a10ad660fbc2112d0d9388aa2a403008dc3ab222f88140

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-wal

MD5 34760c0468e4a01a503c48d20eb327da
SHA1 1e7a7f5ad519c22acc677109d0cd3013cf95b026
SHA256 115b50064d6f06831984d1c45b15a2ab9784aa04b6ee0f0f94c712786d8e4dba
SHA512 293bf2d54445dd1d98aee48e42de35e0789edde3790aa7551d67753eb9e229c7f3dfc5f40681dbc352e196469b6aaf65d65e83b8aaf551bc0182f52d11635f51

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 b40d29754c603d9a3a247c7b908bb71e
SHA1 bffd69d264e3d8113aac374ca23c5742bac46e44
SHA256 fc16bcd8bb24d3552774ceb1c1d8d1ce6a2322a26dbe0bba22ac3008b72194de
SHA512 37082fc48095e48670be3cd0305a101c4c471f4f861c84d047e74b2851f39be80b8a80c3ccfd893d84cdaa1577bb94f9bf80e112c8287d6ae3695ac0452d61c3

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-wal

MD5 f54fcc90a93e84d20ad8977f895c1766
SHA1 23798c15a336ab43edf62d35629a97e31a4d044c
SHA256 022d90db916571f5d1e2da0ceeadabfa67554b1618da9b703fd9c7b728c851fa
SHA512 969b3f15b3a714b73a29af235a6b8d67ed097bda0640c155db5ed56862f1f80b03b4a6e738bc714e8ee0995649f1274f3c214a302607989254588a499a4b42ac

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 44693692da738db6eb133cf0e4cde91b
SHA1 e6bda56494c325d8d37ad89552263ae85d9b0550
SHA256 8fe0ac9db76d4a2dcd3b3d54c0efedcd223e25aabf716506493d50e243a7a2d4
SHA512 b34ddfe1ae343b1b12f7029ae476a0ba8e1b4043ccb520afb412b3f71335ef679bf29723c9a5c00af7e922e9982d5b3af54b2ed779da8cb601f378e5b9d26be5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:16

Reported

2024-06-12 14:19

Platform

android-x64-20240611.1-en

Max time kernel

43s

Max time network

146s

Command Line

com.abtnprojects.ambatana.hack

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.abtnprojects.ambatana.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.179.234:443 N/A tcp
US 1.1.1.1:53 onesignal.com udp
US 104.17.111.223:443 onesignal.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 lp.androidapk.world udp
GB 142.250.200.46:443 N/A tcp
GB 142.250.200.46:443 N/A tcp
GB 142.250.179.226:443 N/A tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
GB 142.250.179.228:443 N/A tcp
GB 142.250.179.228:443 N/A tcp
US 1.1.1.1:53 accounts.google.com udp
BE 142.250.110.84:443 accounts.google.com tcp

Files

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 b30e3b0bb9262a2510c1287199c50621
SHA1 cea6790610f866e95e287d91e96c74cf88d274ae
SHA256 cf6893e230eda1b49b2162a26e2ee9b77e0484d5bc6b51c13eb2b898289c4c7f
SHA512 34469fe000d440c9dd7324650538d97d8ad015b64499460196f1a135de88a6b71201d2e74eef2d53118ad5267705b2d78cd7441a4f0150bcaadcd1af3e829bf6

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db

MD5 a4ebdd523acab6b3e8095fe131b1903b
SHA1 0746e2b41b28c13f9ef6c1adb8bf5acdeabc0f08
SHA256 4e838211e254a79602b643872f2bcd5881d6a46e9b2cf06b92e3a583085bf9d1
SHA512 624f5fc472c777bed807930fde35efb6c0d82439d0fb7da96edb7855b94ce5c3229d15d00ded1d2007ff35a67d968faea1f656ac092a1696cfef82d495fc6c8c

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 1a14668da9ccce5839732d630c1704b6
SHA1 86344c30e8b70c3d2d58282b2935389911738565
SHA256 e7b087e0c76c2bd51ca0bf135395530c95616784acc69c991b2accdf0e30377b
SHA512 bb67e44763882c506d14909fc2148795c867697501af4bd9ade667329712a68c554706ae57fb0f150aecfa68411a4706bda78ea81925f017684d5e21969fb62e

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 4bf5cbfe1289e5da1b913a0c0e65f1a0
SHA1 34e3d48c191b7f1137160b202b8335c239627f82
SHA256 5378a20b4ab8f555510e50733da4ea4b3f39fa5468e159292e7d440fab960d33
SHA512 7840968c605924aad675873f31fa7cb3a6640be1e6523f16c48d6c95e247863a5c7a4ca22acae9292dacfaf04d0bfd0a40d6cb8212591800e6b962dcf5838866

/data/data/com.abtnprojects.ambatana.hack/no_backup/com.google.InstanceId.properties

MD5 faf7f6470cef2e246b6e61aad03f874c
SHA1 3379527d05cb65ecae6c1bc0defda6b1a19ec38e
SHA256 c56e1c331bc820b726a02f41786711ebb27d5a88c17828aa0d30ae52dab54c0d
SHA512 a695fac9b22e7f82c9f0d88c1a674329c77cce9545197da40bbfbca76ee6a2a64161c289b46856a2e535a951f297ff1219681fd440ee826caa4434d5e0d3aa23

/data/data/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 76cc3897363fa92d52d6a3397deccfce
SHA1 fa6c1917cb76dd54d6721b02c1a5113b8cd26a8e
SHA256 598d00b53e5a29530b57ecc9569633773937af38f00e551606b3a5b9efd21de8
SHA512 ecb3def69c3e7ec8f95af966019005510e89cc2a8bca1487a83f52c84d8fd4dc7a5f52829801bff7ad07398ee2096206eb710330fa7a0fe36af06d51effd0c38

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 d04bebd19ec423d784560bb8a693b0cc
SHA1 5901fb3095c6a276a6d0dc23051700a370af1134
SHA256 2c132f1d9862aa8f979d53a0355287beb8ce634fb42adc5d868b802ee10b380f
SHA512 2503a1e49102f1a709bf7cbbb9c6192cad898a0020bfbdf8c08131b361e57399c6361dbecde5bfd94427223fffd937119be7f6f91dd1b7100dd7ad5e001746e5

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 bcd2a056a2d908ffaaa3454d633497e4
SHA1 262f6be619528e011dc2cbc85ecd7731782e6bb6
SHA256 85cb56370557d255391027add687adb7a5e544c83d892130adc202f37897b334
SHA512 48d3a4f799ce9fb032f9f583b2a4fe23cbf10f31846798c142d67874e4a4bc0c688b9c976f3897af81b28813daf106d04e9617fc6ebd3d6ac884e44f17028468

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 c5e98e98cabb47fe4e8c7040c191738d
SHA1 58eb059cd8b0fa95b02919bfef9c20ae644756e2
SHA256 208157d10fa77fd18297f8a54319023810319db9002ffdbfb687775b8e29ae57
SHA512 fe4955499130220591017c671f72c5283674f27bd47bef64a4b0f995b51a58f5470971bec99fed1445d1577667fa8c863256a3b8aacaeb3e7c1e8219a8502bd6

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 2afbccb2d79404f06ae5b1f2b852974e
SHA1 f076e72fde9a1ca260c9a1227dc12b3173a84dd3
SHA256 0f3dabbbdf447eea1c4433c3819da39099196648808f8a28231e73cda809f0aa
SHA512 94a5a2724cfd94ef80866385bac445bb7b3d89bc3d19eed8bda09746c8782948bab345a72c6053f88cf467b88638d09258fe631c2903a4e6b03158d142aec483

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 981ef4d58d3c03791ca715e546e542e0
SHA1 d0cc0a42ebd9508b7ea534c013fee153a33b4cb5
SHA256 92fd779a31b393dbd3a5a105629e368830078671917d630283a99ba9da8413d1
SHA512 d36785cd27d5d2226c2b58db71138c0a7a6389800286755bcefb4e095d8cb51c2755e2e0f9ceb4a11e093c849f3be6a3d160da08b6b1e1908d1f42aa38a7604a

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 fb359f87094ce2bda0e3425ea4116d63
SHA1 18d6612548cfdd33245d908a9ce2932ea512585d
SHA256 b0ec5008d5d0d25c52100507f62b4df150d5ff8eb7fcd02d5853a72e82b130b5
SHA512 f61a2c5099621224acfc86c1c41cad869d95d867f86858182f9918ccfaeb8d0a1978d28f875f16beb7fb1ac3a6792fc00b6bd2ab64424a035c1814db517b2430

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 0f07d433d15317b38ef33029bd033198
SHA1 4fc20e5286357c024c63dad401325d3f32b61620
SHA256 dcc13f6702cf8d688fd8b61fbee99644196d3f7a25bb9d385a5eefce591497e8
SHA512 14812089e3f27a391568d4f9cc12f1f2798dd20be741235106d61fcd7f11d066a643a5d95ffd9edd061a929e4cf9c979a32064b7c56b16e116453fa8c4b8e038

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 57cd6ab3333a7ad49b73b065622594e3
SHA1 e14d3f8d3fa9eb713fd4f832199a894ca5ecc516
SHA256 a6ea822b8a7f26bf4c3966a3e96c65dbbc11e65015b6ec7839ceab3f35dc8352
SHA512 f599fd9ffd2a04480354a188824eb07fc225b6a03f2c176966465f9f6bbd939113287cef254eaf1a7e190166bebde9aa2b225685bbd8ba4aff70bf008ded4f83

/data/data/com.abtnprojects.ambatana.hack/databases/OneSignal.db-journal

MD5 60946541ea94b49cee6d61fffc372670
SHA1 1ecb8ae5723536def1e4f660754c9a34d43cac61
SHA256 1b3b4a005abb4613a4b8a472a329a449fb61e3fdaae04be13c0c199eb72bc658
SHA512 f4adb0b4a84564a2cfa6cd0cd2b0da911a406f3512d9bda6f2ea6cb1f5cb3169a5b888e906b51b857ed0c2c1ab50592670d9f1c43d3bc42d9c1e420f408b23ec

/data/data/com.abtnprojects.ambatana.hack/databases/OneSignal.db

MD5 6ea5817dfb71687d648b0e4763152545
SHA1 b5a1a2a1fb579520ddeb9861c0eba5f7109d0d74
SHA256 be512b097518bdaba39e6106c143a267f56e98d8f980ed6295773c4082149824
SHA512 cafff4c86b710428753e528aed212096fef264a36cd6d6ff48af487ce1d5cf90065b4be0ad6460e4e7631040f7a28657f31811be1a5cb417c4b2725c51fb5186

/data/data/com.abtnprojects.ambatana.hack/databases/OneSignal.db-journal

MD5 e54f2a6b478be4959d6079cfbcee32f6
SHA1 5c176e30e4cfefdc79b49874b9428935d6169f14
SHA256 ab752402611316c8b30f7fb08c31cbf4c1a0a5b943f2058ba990949e85d9f029
SHA512 2eff6ced0879070c2e91da7be54483057f0395aaeaac46ba0fdfff07cb495339cd34b13135b20f72da0f012bed0e2fa327167162cc6dc7a43700c37076825f66

/data/data/com.abtnprojects.ambatana.hack/databases/OneSignal.db-journal

MD5 fd28d95ab5b5af3c20240b9761c793e8
SHA1 9ca34de39d8b0a856bd74bcda0e0524b7add81b3
SHA256 2b4e3aca13ac7b4f66944d48e94ea411393bf2a9f47a288d20be71c6f1233e6b
SHA512 98fd7293c037068b6b4fe3c68415a9f64ad682b993058b420d22954cf2bfc1a22fb8d00b4221d41c0e11da18b6407f7c5790abec935a32f7b7dc9c2a27e42bed

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 b79603f814cbd2ac8f368fb62e7ec2d1
SHA1 01935f35dde108d3ac33e8ec76c755b4a1f7504f
SHA256 68449b381e46d572d21e3b6ec55b62c73a4f34fb520590a7d9c9b5672a333901
SHA512 03fce0b3990a6a87284e1c1e0bc895e708af3a03f587006c8a17b13edd4a3f05ba6c6b8c9f5e3ba424d4db15e746c2d8e6f516da2d3b262f75e81eae25ca4d44

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 e6e91fdb5dd0d2cd12010270ef9be385
SHA1 01b4fad62d4372a57cb631768a03ae4c35ffea43
SHA256 27f1fa2b2e05a45cd60315bf85e88537e69692042dee6a0e325b5380969e845d
SHA512 0f8cf7ba6d0c3e86cff2656579234e910e7e3e8a36cfa88e2c861c3a5c77c9d51d8ee8a3b58a4da6920a85042b0fa9e9a711946366891572a70ac49e27ac398a

/data/data/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 2f1eeee3602c828b8e9f81f6fbd20d41
SHA1 d240b568bb6929702815b9a5edd05ad635671caa
SHA256 458aa953a9e0adbf5b8765ebcf6b51bc5b5a48b7664e85d25c7a8ce9781a2d5c
SHA512 a8642cc12cb9af0cd9d3fdc4bb1fe3b246d02af6b36714d80cdd2809def699b0b93eb585187c17f0a8e19801879e2e9edef7963ee416ae9e8cc35fd9cede2859

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 14:16

Reported

2024-06-12 14:19

Platform

android-x64-arm64-20240611.1-en

Max time kernel

44s

Max time network

137s

Command Line

com.abtnprojects.ambatana.hack

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.abtnprojects.ambatana.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 onesignal.com udp
US 104.16.160.145:443 onesignal.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 lp.androidapk.world udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 onesignal.com udp
GB 142.250.180.4:443 N/A tcp
GB 142.250.180.4:443 N/A tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 onesignal.com udp
US 1.1.1.1:53 accounts.google.com udp
US 104.16.160.145:443 onesignal.com tcp
US 104.16.160.145:443 onesignal.com tcp
BE 173.194.76.84:443 accounts.google.com tcp
GB 142.250.180.3:443 N/A tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.187.195:443 update.googleapis.com tcp

Files

/data/user/0/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 cba282caa25906eb9344ce53ec8fade5
SHA1 387ce3a1c3ee42350eaa9e69a496b766feca145c
SHA256 3f7451792278ea2c9740f6ed9eb1840b09337869644aaf7e8005d1cdf41841ee
SHA512 9dd4c78b18e4a307875bd26b4f8f8bcff922453177a3b7e990e51cb09ae55f0a4785879e1961d0793e514aab61bc14b3fc2dfe696bb816e27a549c60a80d58d2

/data/user/0/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db

MD5 ae98d97cb1caa99f66e4719f1f11306a
SHA1 5b09cf4025c674ad332f472449e996304c11116f
SHA256 0cf6a39f0a1e3de7adfbc3616914a4c24f2bda744524bf36ee05fae6311131a4
SHA512 dc6c12a95a424f8ae479ada1dcf08bea270dbad97717d67f2b01597b418091328b373ee8149a8f76972d04405b3c40c5827b670c97e980c77cf29af31a809bd7

/data/user/0/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 4e6a4bd85133359e0879d72f083347c2
SHA1 de0053250f416dc1fe0032974df706679cfb2509
SHA256 56b1414097a9c7f0faa84343c3588d9abaaba780d33215d3c9cf2b41fe276bc8
SHA512 0a5e56bf8704a19e99eff01555ea9b782c542fe12b87f72609240651313bb39b042349e0cf76bf8a40cd0e90f77d5aed911e18737193ad521bb350972a4e2b06

/data/user/0/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 2fd86864b3d4ef15e1d893ddd9e787ad
SHA1 89e76d1bd8d332ee7baccd37af17d72e3f4198cc
SHA256 2c03e4335f14afd48fbe1e7d580f79f3d9f5ee746557c4ec143993e42057b643
SHA512 8dbad0e5a5cb70d1f8a49058e1b19ee5412d396ca1bea15f1051a7ccff210ead0c073055a663c2ffe02dd798de0412f55157ce0f47271b83245ac3bf7e41d255

/data/user/0/com.abtnprojects.ambatana.hack/no_backup/com.google.InstanceId.properties

MD5 505720872f195d868075d8b5d384375c
SHA1 f44e94172c3b8434a0a21e02e14ed0e545cdb6dd
SHA256 aec1433f1d1a4527d6246a6125713e71f2ce45a38ca14ce9c9067ea2b88558ec
SHA512 0c4184b3cdfd747f4a5ba710822f606d9677017d2090447e597f0bc45ebd05da619ce067d9802f65cee8caee5e116339b6292bc16b0aa93410a51afe2cf94542

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 d7f9f0ab7ace189344d978ac4dcd5505
SHA1 cd3ab2ef9232390d80e7248e515534a948408d65
SHA256 8f95dee9ce1a9e2c98214b9266c0783160a03e49786f619455d5ca1466cf3f72
SHA512 d0773f57c246e55f5a02b870c6dc564e82d303da6762db7c209ab5bd54f6abc03055f52268996456f87229a898dc8cb37794de75b62a8aeff4cf19a4f1e4578b

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 8a68045aa7ece4be148962dee8223d18
SHA1 f02b5e93062f8bccfd2077433a703bf9438c4457
SHA256 1dad7a2716968094ffd34323b08bafdd98d7e512052ff7c350367574b440d49b
SHA512 8e00776935e687879e9ffc41bcb5fa9f9296b83622b17d7a043acb3ea7d110c430c77c8f0042d927133c492cfc061ae14c9b63822097e7413e48e984c63e28a0

/data/user/0/com.abtnprojects.ambatana.hack/databases/evernote_jobs.db-journal

MD5 d43d82848194fef5224769654ed4ccfd
SHA1 8066af70cfd1fabfe54ce377caa3d13e4c4abcbd
SHA256 a4b809198c4bb4a33135e2dc20e78cfe72d4900dff6b6b11de03b4808e367193
SHA512 01c0f05a77cccead5a68d8165afbb32f45a2d3551ce575474759217e56fe844ddc33f658903acf90ad6357651972d38e2f31e9fc55d3182dc9e5422dafab1e3c

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 d46dd426ffd151449fbc1af2d4cf71fe
SHA1 7b674f8123c45c22956f10943d1ca17b22cf7228
SHA256 33c9cfac0820e80a39bfa99c00eec3b68a39fa7953c10b01fcdf5fdf84dc27d5
SHA512 6b12e82ac6e0bd091774eb7b617036c91071e9ae4be53dc482938ea3695b638d96d101e2b0ff35ef4b0ce362b0c682bb1b82e7f014aa77e09cb13b9ec12d67a5

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 f401ccfe00c1ddfbe63eb85a594d061b
SHA1 53d22e058c48ff59f04e8e07dd6943b2dc138485
SHA256 f30dfa8cecb45df33a2b076de832c1dda537d3d5f59370d14e1030feb3e74d62
SHA512 97475e9180e8a28e5a490324f123516462a96a64a8a6086bd8178136f3d5a1ce13e25f179096c845761c3aecc9b8454295c1ec725494cfaa36673aed088648be

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 11eb22ac1869698e95cbd6e092716e4b
SHA1 eb222e700e0a6b46933e32a70586243d55b93638
SHA256 f8c060d6ec5e3a1257f19e8ec326ed5de3741fc0ace62caaa85d4168b081e6be
SHA512 0fd0228aaf4f5eec74ee8939175f73be769849980d4a55efdfc078173cb709cde3935eb4a99635877cb12f121b56be36e69c5f7363f0e65ca927edce1ad513f1

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db-journal

MD5 fc26ceb0fac29cabb5494e96d257457e
SHA1 babd45d1024cf81c576f83afc8fedc66afca9999
SHA256 a3c3d698d1e6545ae2d6ee5560d2dca52eae99b6fe26e40c17de78927bad5ed8
SHA512 3152e0635afb4b77860d883c49cb4e1fcbb8f5a6bc78562f3daf9a7898b22544a0b52f3a0ea85cbaa9fe5b913064d119c0a8cf1ce270607d2b52a1a668a37fc6

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 94066f8464ad6757390afb313676f3a1
SHA1 0e8b83904c05674f9498c0e2da179adb70a0be20
SHA256 b9391f3e2d5d3c2d0a8fc32de132424d34eade7cbcd660b38bc04f91889a1ba6
SHA512 07c7d6b18e1572979e7d103729822768cf671f13dfe665b2e7c25e9a056447d6ae0eaef3d6878a1437ed9519082be2b3bb0b4d599c2156fb41d99cd2d6f16d75

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 790f102cec1c347f21367407ee13a36b
SHA1 426cae165c4c943ad884046b68ecd53ee60a5a3a
SHA256 d20dd0f2bce8e8103a1eab9e0c8c1db4d471ba5941a4e35b5db3a256b56db1b8
SHA512 c3901746b5e0cf375c3b8dc6120bf3ede04af0536d8445d5e05a5070c74639feaac304e00f0c94767ad7878800971e3a708f6c5889d2949b28a4e024ccea4d21

/data/user/0/com.abtnprojects.ambatana.hack/databases/OneSignal.db-journal

MD5 d58a6639ab18daafdd9c31588b1981be
SHA1 a2a2bca9a90ba3f26a57fbcea10c4485cb2884d1
SHA256 a2cea8df025c1d34bbc525ad1afe47bb6f14633ba1b9078e34d82d8ffad0eb69
SHA512 534857dc4bce9a0ad768bbc75798db62df7bd0d3d9c09ea8314839360defafe4c4012aefb88e2f63804b99a3d51958ecb6f78d15f746a0caa8fc4dfdb6982580

/data/user/0/com.abtnprojects.ambatana.hack/databases/OneSignal.db

MD5 2479ff01e32c1445266304f37e9e7b35
SHA1 63a2b50d03eff98a4b5e684f1f95996b78219e6c
SHA256 c276033016c0ae04c4e1a7128d443a01aab24d99c434696ee1b01fef2d3acf15
SHA512 14b24f8be6f9a88e31a2d74f3f13cf9e84817bfe445b8b8a873c1678f274714237b3f1a2fc9c5821c300fc72418e3229439107c2a2ff307007409dee6fdf16d3

/data/user/0/com.abtnprojects.ambatana.hack/databases/OneSignal.db-journal

MD5 6adc4472f96adb174623e3438fb89fe8
SHA1 571849413a9c98ff2a8c199aed0a87f058dddaf4
SHA256 52dfde4e66011b4caf3b9a9432aba42ad4a6b324a8b8466c8ff16326c6486943
SHA512 59b65dac23973950624ee5e123729f9040dcd35f189241a328d01af9dcd7be37fd4a66f9311b3e62fbd6bdec8623dad0efd062af99a31ab6c56762bc77fc5173

/data/user/0/com.abtnprojects.ambatana.hack/databases/OneSignal.db-journal

MD5 06d2c914a574490f3b1cf731786a9a80
SHA1 3767b3875bb6d62cab11aa1ea7a76dddddb80e1f
SHA256 ab0b4a2670c722681af3d2d30f9f8d83aff302783ae1f9e4c4c4e935b04a5d9f
SHA512 a3daf5ab451f92e3e31603a7b4b6123e947e620a4fa1bf477f27e062d09588f6d28838f7956b8fe9959d0522a34f00a62e65d265818c82965deebaf5c1852a79

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 c73b2d473cc391dc18353fd74c88044c
SHA1 4d70cfea56f0b48fd4ece24d88b7874074504b3b
SHA256 2e332749d0b1ce31d2c7cb8cde352f9763b60e5be7f6282dcc919e3fc19e5d21
SHA512 d59f6a6fe98358948638f90fc23a771ec085070c86024df1bd2c53346892ec0d03fb8eb43a18f951e6fb7c18fa3394776b5a22ed6acd5654bab808fe0126ec50

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 3d8f938a73c1499b96f3822ffc0d3777
SHA1 a1d1a946f82a13f74428d73f3b66a3dad86406a1
SHA256 00443b9698dbbec4e64f9f65bf8a066b39486b3c623a8a5dbfc68b24ec61c9b8
SHA512 008c0ce64923233c25d5ae5bb35776310e5f90d244892506377be99c23c36e91ca4196675b9cfc8cb987b66e917dae1d4317e739ac668112a9b3773abfe80db3

/data/user/0/com.abtnprojects.ambatana.hack/databases/google_app_measurement_local.db

MD5 818548be1885386cc995f564f36a8e8e
SHA1 008b0c602ed55b1122dadfb3a20db517d55c10b3
SHA256 b4765a86f69c122307448d0c6e81cebd52ffbc59b0d19da42971e2857f773e6d
SHA512 47840561a1eded73600b656576a7a9195bd1beddb79b08090b9e6bd9ab610de6cfb0a334310bfefe0b33ef157d420aaa17c6315fa2e689398da3328c4460a02f