Malware Analysis Report

2025-01-19 05:19

Sample ID 240825-yaxbtaserq
Target c16db227fb29787cd2158fbd7a812248_JaffaCakes118
SHA256 b34c00722df5d523e7197690aeb8fb36b38af563793aa22acd14567553f04241
Tags
discovery evasion execution persistence stealth trojan collection credential_access impact
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

b34c00722df5d523e7197690aeb8fb36b38af563793aa22acd14567553f04241

Threat Level: Likely malicious

The file c16db227fb29787cd2158fbd7a812248_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution persistence stealth trojan collection credential_access impact

Removes its main activity from the application launcher

Checks if the Android device is rooted.

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 19:35

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 19:35

Reported

2024-08-25 19:38

Platform

android-x86-arm-20240624-en

Max time kernel

24s

Max time network

131s

Command Line

com.Saapart.SW.hack

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /data/local/su | N/A | N/A
N/A | /data/local/bin/su | N/A | N/A
N/A | /data/local/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.Saapart.SW.hack

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | onesignal.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | lp.androidapk.world | udp
US | 104.16.160.145:443 | onesignal.com | tcp

Files

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 9ffc93153c71bb12a448f16c21602888
SHA1 006c08be85c048924e3fdf270f4f36cb2ffaae62
SHA256 33f6f00aa961c421e99a24f68c6c37cd81d96bbf9f40ba3dcaf94e7cb403f4d7
SHA512 a2914329801c363245f98e5efbdc03898a6a8303b0368fdc5007bd51b91755348a0e41fdeb503301712faa4f4eaa46a45955aabb219d59c26ee92460af4ba39f

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db-wal

MD5 a1f936d001711484749599c4464958c2
SHA1 9d05ad1a60abfb1d8d1f8b7af523ec60c53c821f
SHA256 0f7c53cc85f679a95f9c19f44909f59688e4c959ebdef945a0e93174e3faf5dd
SHA512 cf67291a55b0bc584aa25ea1221080c36960a2e5f30eebb5ae822d3e5792fe2d8210d7952f6b8d26d74d807d416b69cb2e0582ead765ef42c6ee4f1e7c6dbc41

/data/data/com.Saapart.SW.hack/no_backup/com.google.InstanceId.properties

MD5 8d7609411fd96794fec5521275de95ae
SHA1 fac7f5df2c7970809f130d6ae2a4ec13721540f4
SHA256 133ff17b544871d6a6b63fd57813bea28c7c6a174e33aa40a5473f659dc4967f
SHA512 8fd1bcc3041c31dd68bb9f0d13639bcbabd2009dc22d03deb764de77f9259124075cff6eae1acbba00ac46dafb0b1fbc4257e67a256f993e23f054c825e980c9

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 47cc9995e14d8997eab2b3cc6017417b
SHA1 5beb74ef22edfe1a4dc470ce017e7b69955561fd
SHA256 cb1f42ce3946e599b2d3f4557e20403d02c31eb89d12564b7cafbf4758db22a9
SHA512 3eb36dcf7626c44effe52f1b630d717d0f34c1b002f15ef1fa0b75bb86d7116c23910709e6f89907b552883d0706eeeb70ad7fd7db97b02f66167586c01813b9

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 7237409e0640cfab7bdbd429bf821a3b
SHA1 4c3da934842f8d4835dfe2a9c275a300e5123309
SHA256 5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa
SHA512 c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-wal

MD5 b1320ef658d030edd098e9ea9e030bd3
SHA1 80bfe7ec2cf08451e17681a7566cf3fb166fafd5
SHA256 a12b718a29b3949c9b6608f94517915fa8646cea9fb8284b8ac08e7d95f283af
SHA512 6078305579f515bd37f8dbd3689e84e0da168b59fbcff360fb7d281d8ea3afe25bae7cc45627afe5367e9686fabb5e9c85e5c90585a7b34ee4bef80a87ef40fd

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-wal

MD5 2a386f59891ae6270de125639e0c95b7
SHA1 13690dc87092badd1a5e4b2f5bca3468975596fd
SHA256 6cac1f319fc6117bb6ad1c0d86f5288eee5fb1f3a1e166e928686d5945f74bc2
SHA512 f54744581e8f93fdd650f48a0cbefb7cdff4daa71f0795d80fbaf5eaba9c7035de3fa0f1cec380f281406608ce551bb68b25265a3930bdfa750366eae798fce8

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 2c3b2349cded50bf6f9872ae4ffd742e
SHA1 5fde7376537759fe169bb8c83294f6318531c8c9
SHA256 174848816c434c80ace52b69b0485cbf78977c6ca9af59b1bd530b3a852914fb
SHA512 91fd28f2c021a7fe928cc358fd26c6a964851dd84a0f857eb3dba54c30a3a7d6edb48d93ac5f60405a8c6a9e8ee4770f95b71c8236d9e765fe25d0001949fe84

/data/data/com.Saapart.SW.hack/databases/OneSignal.db-journal

MD5 aacba895901558d575a5687c20f46d74
SHA1 bacd9a6f2f61b580b384c3a325e97195ac39c3e3
SHA256 38b048844222278033c9ebf58af7486db1e8723705700d3d568670dcd7800567
SHA512 40a0a1bc655d06de510913a10d7344930cd9e89ffeb5aacca07a12033dfc54e871c6d94aed16024c393626570e12b634320cdac5ba0ab25c024409889c9dd3da

/data/data/com.Saapart.SW.hack/databases/OneSignal.db-wal

MD5 aee1686f3f6854c4db36ff066acb1c40
SHA1 e6697bedcb50c55036d71beecadbe5c7ff6b1d03
SHA256 b0a55a70117b68378ec1b0933de2d5509eb77e45dbc82e779aef828c79f8c992
SHA512 a68ae7d2f5f0937c1e63f422ca621f43616e6b5003c6f4acfc73fadbca16f11302d59b83e228c119be9413b6e1404941717924defa9cffe8fb83ab92fae05842

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-wal

MD5 5528a46e209f2d2871eb1e8e34cdf9da
SHA1 81c75fe7cce50e18ce2c4448ffd05f4f4dcb96e9
SHA256 b971c674ae6a799c255da25f85c26043482388d1ab710f06c5f62758b7f8e243
SHA512 a83e1395f0acd9cbd3eddbaf8c546a269b802582ad439797e79b2970d1c2156813fcb19eb8add3334e1787e2f486ac3852803db2a8c551b5dee5b2aca55ef083

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 05ad1da62cf22a07983101be3110361a
SHA1 0b024f5afaf13180174c5a716278cecf6aa96d3f
SHA256 c83ed5221bba427b5599d4bc1323d47c080b845b3643409cc278f1031d32ddaf
SHA512 ac1e8026c48bad62d76abe82827ff00ec612d3a0e37e1bbcf60ad93d566b43b8321dd4121c4ef6b83873923fd33501a57ce060765d9abd9f0bdcf3ed1266f56c

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-wal

MD5 e35580d9b7e26d164d9327f5b8d292b5
SHA1 c3d5fc03a19197fb81078be2e8af5f0da1fcb421
SHA256 1eb1a60546fee2a7206e2257d3fdce45ae17cebe31ca4e9c33dc9cd374a8e568
SHA512 ccc22e3e035d23e88bbcb9facd3208d47b5fa8a26bb2ac54612bb9bc6822c071cf8cafdaba5ea103ccf948b43655c555d14a394bf657bc8dbb01a0c9af840c67

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 00327b568adf862952234b8d28090a82
SHA1 fd95b0831ff752522b72898d4724093311f02a0b
SHA256 87db2e7eb574f906c1493bca10c18f55606881bfeb71f015a9687a2a899454a9
SHA512 75696acc5df9977e0c77d0603da08311eacf79d5a137219cb5c2b8b6b71d1dc14b3817fe0641591fac4dfc777a49f28747a4c1dc82a6ca79151e016b6a54fec0

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-wal

MD5 98dbc860505f2c997b2a4f81c953ffd2
SHA1 d21f934fb746c01dfd7e178464183754f3744305
SHA256 960aa671de93a85a427ed7474d38d93715d6a27e8cc3362a9a476e5cb63f561a
SHA512 0eb3715cebdd0d9f5d0597c50cda0f144e30b231d304cf74899a9cb92844dcffaf6215515b33daf4351c36b6b999a28e56022407f761557bce1d4f48f8eac01d

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 eb5bdbd72e40a27555c7c81aa7805d01
SHA1 063f29ca3e207876f998f82b539da8da97c736a4
SHA256 d71823968294cdacd773df7ec15aaaa5f8f7ffea8677377ff0c685cf3a58ef94
SHA512 0f2077060c52093a443fd06896ce6e13d8cc25f8020413b402fc93044ab8c1153596b07623e9d689e1e688ab23fa750c8f651ef813a883a54d1e2f40a5ffd1af

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-wal

MD5 4f8c10880a824aff2c8a479ee425c392
SHA1 99da4b4a5a80ce0108793cc83791c0de1dcbba2d
SHA256 092c924e94c9598751069a2486f754957bf35a64d2616cfa65352ac1b590e859
SHA512 107828d8770786d73beccec1dc2cafd07acd7d365cc976443a3b970d585bf5f810d9c898c80c0da777122b2de44619354bd10e95da8ebb533e7ccc87df7b0cf1

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 44693692da738db6eb133cf0e4cde91b
SHA1 e6bda56494c325d8d37ad89552263ae85d9b0550
SHA256 8fe0ac9db76d4a2dcd3b3d54c0efedcd223e25aabf716506493d50e243a7a2d4
SHA512 b34ddfe1ae343b1b12f7029ae476a0ba8e1b4043ccb520afb412b3f71335ef679bf29723c9a5c00af7e922e9982d5b3af54b2ed779da8cb601f378e5b9d26be5

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 19:35

Reported

2024-08-25 19:38

Platform

android-x64-20240624-en

Max time kernel

44s

Max time network

157s

Command Line

com.Saapart.SW.hack

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /data/local/su | N/A | N/A
N/A | /data/local/bin/su | N/A | N/A
N/A | /data/local/xbin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.Saapart.SW.hack

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | onesignal.com | udp
US | 104.17.111.223:443 | onesignal.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | lp.androidapk.world | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.206.84:443 | accounts.google.com | tcp
BE | 74.125.206.84:443 | accounts.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 54938136a339a381d46932a88461cdb6
SHA1 ee3e7efdb4ce2841501eeb42f33092eb36b50bd5
SHA256 3957dfd74a6ff663052f8fcd83b36fe846d0820f0f3e065319323d1f58dc2ed1
SHA512 dd121907b49659205d8fe1eeb6539c17ba3a40fe3e14bb694ca0d48f904c2496e6ab74d2d7a2dce9f969fdd52d41f088cab0e67e542375811289cf489e7e9e36

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db

MD5 e378dbcd1cbf89a3ebb6df6bcf9b95bd
SHA1 c853e067ade4a2e943fd1e8e2004a0fa437fa0d0
SHA256 f60225183e99fd382b8cfbd63d8ca4ca3b1b8e9508c2a8e9f36d1905296e8f19
SHA512 b927ed65391baff49163b1a05c5c1a3e7b9b6caf88ce0e67eef862771eebbc49d73340698ec649abc88d8abd0b0155258e12266a8752cb2a4477cea4db934322

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 d9ef6602d3b46540c7b38e34339e984d
SHA1 cf1d6b6b4e5e6a42dcfe61355cf44120c2e91e35
SHA256 8d9727c10e31aa53c6052ba7689f92ed42dd1447ebcd7d1671f289a918930554
SHA512 c7d240df1584ddd61eab955d62d51c701d2e8eb6d368f9b3ce14075fa6e442faddf62f81d1a7aeb7f9a9270f283a0f70b6179a910c5f761c7e7902f619a89891

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 7b0c1945fa4584076ef3ea33e461f469
SHA1 090a3afb3c8c335c82d53c0212a2e3b7df5f388c
SHA256 e65cb7486a3ec6b150d6b2f394d1ee1eb78494a06659b2cdc35a1642c92fa18d
SHA512 ffe9b2ed4f89799630b62dad3b377e6cf2d4030007afd7ae10435434fc42a3449ad7ec804737a0cf7e73d0a944591b0343ae5f322d5f83a326f4f859e1931d18

/data/data/com.Saapart.SW.hack/no_backup/com.google.InstanceId.properties

MD5 dab60f688135463be4d3d9f7dd235a19
SHA1 65cfc01b405dfca03d23625ff7975d29aa0c1a86
SHA256 741f911b2f92f81d3b8edd87d8e565cd36ff98214717d487f1c8cedcc51a7981
SHA512 496b0521b2e5de049aa841f84f8fc4a6fac312bd019726ede0bb3f6f5e2383db66ca8892d5163cc885ec24611879f4385546cc20f28213419707ae8194d87868

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 aa794122e0e141fde6c51afe2c4a0954
SHA1 80cc474b6dced3ea06d97ef9e22b8ad3907dd72d
SHA256 0e7f29f925c79b45b03bf6882fef76991d007f3161009c730eb1503485a70046
SHA512 3c1a307bcb1b80d5bb2d7f3c1f54b34f316386d23123f191a69b8b0b9865104b52adf839c9b30dc91948379de90a9a08b26c4ca3ee4e44f428785e966d39464d

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 e9fb6f24226be0c91ace3ffe280ff20f
SHA1 c08d3c90593479fb7f4b8e9505cf97d0b4c4ff8f
SHA256 144fe4b4b70bb5be401bb1c8f6c6ef2d138771a9235fecaac7c5bc17bef3c263
SHA512 0717e454c118fc4313f959c153a173214b06ce4ab2d0242a5e72013a35d499e91b49d182c63812ae9b770ebf3e8fb7da8ceab83885f7b1194b09771544ac302f

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 6b3e3e51777afc70c922e783c920a6ef
SHA1 347a5a499bccc4478dac46d6eb36df75052d536b
SHA256 27b5e1e41046348cf3463d7eeb38624ff8256985a9db6d1d3f0b522371b0e9e0
SHA512 572f6bbb8cd5af1a9ae87618932de0fe78b3f082166b780758e189b7373335f16d660b3b232ce9c04ce27a5447ccd6b4058347bed7333a57f4e369f80cf51303

/data/data/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 44ab72b718ff91d11b3529bc3f7fa4d3
SHA1 ee14edc1919e8f4d29648fe9b9657390b6ab2fa6
SHA256 e9197dcb634278be78ca0a8166eb65a925d30dea8157617ffaaf02f8dd00a63b
SHA512 6ae1d406ab988618c4de37e78cc9f49ce7c4a6a6bb661ca00335587d31b409668f29ff028cc7f46006e10c15191777bbaae8c0e0e69789f6c7b55773ca158f33

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 f2e112448d419e5855e792ce58dc7163
SHA1 b08cbc7162619aa10337e125112a69371c4da1f6
SHA256 b9070cd9745753e1a98c6ca3d366e7b3a33f93d10316a1f78e76ef50781b916c
SHA512 0f046d6676c3b2929a6bd58494715b74c79e86e83385bdfec72b4679c5fda3eb31f9515832e49340d2e022ead7edf5889827aeb47468c08982c71784f95040ae

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 7e06d78e0688e8cd1a603be76284757f
SHA1 dac000a06254fff8ef8df6a7cca1643d819cf915
SHA256 481b4d777081de3a76c79412516e1edb20a4ee71b29a288651255599f1136689
SHA512 3c6bec28e9eb9b1ffd888a1041d5063abb7083345efa34744cc488881ef944bcdf83d576fa58103b8922e6838a4e7d08f71bafa6f86dfcc958925078bafcab74

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 948be512a3d697857a6427fc81121984
SHA1 bdead4558805995bfcde9196f3bfaed914393454
SHA256 1f20c42a40035ae4098c836da381513df6e6e89d5f73dbcd69fbed7ac7b65b53
SHA512 cefe0e27188ba71d6c5e3941cf51bbc4487d35f03df73ce5c09e5c1bec20f0ee37b00ce0cba813cb22191d2c0a888bf27abc91aa833334f4ffc0c553fc6f326b

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 f32208d2b4a1e826d841ef1420c657bd
SHA1 d5738fe26c762cb40c6b004e1c3488b1529068a0
SHA256 cbf56c2ec53b03fbe36d1cf15fe303048630be335649e632a825d49af420e283
SHA512 81781c894fc6bd71d4514cca73fb74070e311dbef24b8ac0af382d9ed21b627a5129663c458ac76133d318c71fa7dbf2ea81bd100ff92c23f0b86cee4b3e279d

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 8598c3d7ae7266259c756f7ca14770ce
SHA1 14ab89b7059c51e4b21962f1cd2776bebe173be4
SHA256 7ab159116cfd1e8706c7d03334a4fd5e7887229e4fd33ebdc94414e09e67111b
SHA512 8ae1a170eae03ffb00704123ffb6d6ae9fdf6ba987f02cd6b5fc2c0f233a2c44260445f0535faef4fa9f72a62847664660c427e59a07a598a7d5e64e0165730f

/data/data/com.Saapart.SW.hack/databases/OneSignal.db-journal

MD5 540c6d8f1a1592be4aa2b502bb6d0e1c
SHA1 2b744af35a351956c7cbce99a2da7924859f6f5e
SHA256 5177fbe730589e8fae60948af48c6fb05a7d2e05b8005b08e2d2a3311a117771
SHA512 37ba89fa5e056a2182fa3cd6a697bc57f034df69287b15e66edd9ef90364046fb988fb169ba48ea296ed84d888d315fb970bc563fdb013865a80692f252c9d1b

/data/data/com.Saapart.SW.hack/databases/OneSignal.db

MD5 6ea5817dfb71687d648b0e4763152545
SHA1 b5a1a2a1fb579520ddeb9861c0eba5f7109d0d74
SHA256 be512b097518bdaba39e6106c143a267f56e98d8f980ed6295773c4082149824
SHA512 cafff4c86b710428753e528aed212096fef264a36cd6d6ff48af487ce1d5cf90065b4be0ad6460e4e7631040f7a28657f31811be1a5cb417c4b2725c51fb5186

/data/data/com.Saapart.SW.hack/databases/OneSignal.db-journal

MD5 c29adb5288a0833baf13765f86328912
SHA1 b4aee8a638a41210c6769a9145751c5af5a061c6
SHA256 e1e3c4eb17ce1594cdbe9a1d08cbbce0d8982d9b5760477ffb6792e4a5cfe934
SHA512 c7758862a5393ee6520d3c09b6137ac4038f129ba3cbc9bae4a1c1cfe72d9c75398938fd53476ddeb58ec8beb925138aa740f9a2ae8c0498fac28f3436133952

/data/data/com.Saapart.SW.hack/databases/OneSignal.db-journal

MD5 ddfa60fa172dead3586b062ee2df3411
SHA1 df8bcf6ff6e97d5c3314a7f9af88f28d6b2033e4
SHA256 2bc3b191cae96ef09183420af3119b6e911af5110f7ccaa92a61034286f73c30
SHA512 6d2eaf10e544f6e2f5b0b0c3365ce1dba80b3c597ee437a9a5954cd861f503754dc4ffb8fbaefa212d2527377f218af6a3567af9ec6848f21f216c09467960a6

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 c7fd99c8e92953aa1885419ef4cf4fdd
SHA1 31ff310e651fba8521a322e91e2c150efe5c93b2
SHA256 3cb32ad5e0671534a70cfd02a517360010994605cad0a2e167b94ff5b0ca0602
SHA512 bbffa59be7b992923508214bc19be7e12e0354042127620f82118c9c90314574e4fcf1ae30aafbb3582778af206ddbf10f784dadd120901202cfdc7f85b10585

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 832f57af6e9751bb6c1fc10267534d24
SHA1 b008520f557db592d1559fb4232a12b44675b50f
SHA256 96d6d00a608162601a3d265720ce92e43791e2bcf4eba04104488d2238bc0582
SHA512 0ff39f3eafaf8ee9b2a1376c56bb47221b28ec9a9d2da0d7f7c8df2ef81de036233bb69524041e0ea79bdf0f73ae54eaef604d5fa60cdde0d2108c2bf73e5b0d

/data/data/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 2f1eeee3602c828b8e9f81f6fbd20d41
SHA1 d240b568bb6929702815b9a5edd05ad635671caa
SHA256 458aa953a9e0adbf5b8765ebcf6b51bc5b5a48b7664e85d25c7a8ce9781a2d5c
SHA512 a8642cc12cb9af0cd9d3fdc4bb1fe3b246d02af6b36714d80cdd2809def699b0b93eb585187c17f0a8e19801879e2e9edef7963ee416ae9e8cc35fd9cede2859

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-25 19:35

Reported

2024-08-25 19:38

Platform

android-x64-arm64-20240624-en

Max time kernel

44s

Max time network

165s

Command Line

com.Saapart.SW.hack

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /data/local/su | N/A | N/A
N/A | /data/local/bin/su | N/A | N/A
N/A | /data/local/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.Saapart.SW.hack

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | onesignal.com | udp
US | 104.17.111.223:443 | onesignal.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | lp.androidapk.world | udp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | onesignal.com | udp
US | 104.16.160.145:443 | onesignal.com | tcp
US | 104.16.160.145:443 | onesignal.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
GB | 64.233.167.84:443 | accounts.google.com | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 142.250.187.195:443 | update.googleapis.com | tcp

Files

/data/user/0/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 7587542799ac74717b9214fcf4f195c9
SHA1 2ea48a3ac374892632d87ec6ad96ef2716132af7
SHA256 420889a5f46426bc7671ba27cdecf761d5bacba6759ea64761f792a155e3defd
SHA512 d32fa156c1d0fc3b3e17d5964f5faeaa247c2ee151ab5a5c963cd7256f7eb231f55230314c5c53e06fe258f22ce2f1a0152364e42274c9f3b88e52d7f3eb800c

/data/user/0/com.Saapart.SW.hack/databases/evernote_jobs.db

MD5 c3a6e7ea70af6d04783db6a6069a2e9d
SHA1 f6138435d6f9545111e2b2c6c6e9c1d4e4c30c2b
SHA256 ca6b6d715f3b331bab5b3571d0033d5afb34d43e40fdac58e4c617a64c806231
SHA512 4c5a96dce2dad3136b7f34e94fd59657d3c34b3a0c45a8f8e8fe3302c29d20dd1172a5fdb269014ae27b1d48042aaebe4f8c58f755eb9260bf3252018647b74d

/data/user/0/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 f7bbbfc2af72009b501e8c3b9c44faf1
SHA1 d0830dcc83afefaf0b91f5434a8b795f028ad2c9
SHA256 00d515cbd98b622ed78347615b7a105e204a47f259496cdbb3917556bdc912a6
SHA512 c20832ab2609fca70f45a0b59e65e2d8491ffa0d19053168601e1133e168a1b6529a994e9b279360b8f9f91d718903b8e5b434178265ae9c8db84a00b768c521

/data/user/0/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 b8b0bd16543ad482d51d0d5eb57aed99
SHA1 fd5e02b3dda05bfd77d240f07cdea2da06bfdf04
SHA256 8892dfb91ead33365c7e57268b230ff30230a5d0268a310e40c4fd222d4cc56a
SHA512 2988689f1f17c9dc211e8f4d88a112170d2b70e364a4079a37176b795dd0cdc634ca83b358d0a7cbfc3cc00cd73f655e0499c4fe55dcb8611c5521227eef4eb9

/data/user/0/com.Saapart.SW.hack/no_backup/com.google.InstanceId.properties

MD5 aab2be9c5a4db50aa743a517465b8ea6
SHA1 2bf738b5497892e45c46f0ba18ed5e43670ca04b
SHA256 dc785b8187c68788fa306242a460395c3aacfd92922518bb75ed782d1c5b79c9
SHA512 3714238ae6afc6fb90cb54f8e247cb19e125870bde763560aaeb882344ce2c67354e8a92ef48eafbaa13e198affffd3d7bc9780d6481a4108ceaa46339678c18

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 d8fb6f5c13a769c2857d5441076bde38
SHA1 c7ff65d6bdcef9aa8b4f444c6055153ea21f3be0
SHA256 6ab36c4c726b3bdf8c336ff8743fafa716d4c104bea952fdd01709f8573b7bef
SHA512 8794991367215479799442761566367f9e7c28a5ac108cff9b00a1edb58cb7fadff7d7d0f97721521858eacb1f8330f10ef1e5c4ed8260ed822333161f3b22bf

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 bfdaea1703c08a330424a2362d10bef2
SHA1 b9cf78bc06b345d0fff3a2bc8aa493e8a572c794
SHA256 bb1683139891f25e7ad8a761b4262d682628b1637c25bb71c913ea97a71e6277
SHA512 6968ca4713370120617df2dbaa0ddfa871947fcf14453911f873d1a5b3377bec53da9a129244f3dfb87861a9ab5a7e7fdb4f52e16172d2166c41f92ff37993a7

/data/user/0/com.Saapart.SW.hack/databases/evernote_jobs.db-journal

MD5 2f0577c24419155e5ef29d4c40c84825
SHA1 fd5a79d16f08a25f31215217ef6edff359e4a885
SHA256 9e53a2073396cc59cdd9aee436c0c48edea83470d4a8bd89c9e09305238ae96d
SHA512 3baaa1138ea89285ca57f8d43b95c03ea5ee9046bc664e04118b7351ab8da7ee12c475a7cac466e39c5ecb606636a9ce4e39c1c964453e3d97d8cc33c4807bbc

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 09acb9d93ff79444090355f284e91883
SHA1 6d439a50de5c5834421f2828fe2eecc67ce8eb03
SHA256 94100082b3eb0c50f4831645a0d7530279b6403572a1f362d0ab897681fda4ca
SHA512 5676c438bf64f0951fe7043519ba95809d4cbc7c05ba6605255b8c7b4502277f789e1fcca427c189221cc1851d414819047d03ca4cac9e3012a680bb146f650a

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 c3c983999b499a464eb408698011851a
SHA1 327dcd2e67ffea6a03e365747f1dbd89731e2f4a
SHA256 74ccfe0e1538918541f5044f1f9c13674c4685e97439956da092ad8d65b65e21
SHA512 43b8d6e1c3d2f559b9a369c616bf1344b37ae56e5e904bf36850ce129643c998d1f39d9e7dc45e225a1995aabf7102b115d8c4390c745b749fd7fe03743c74d6

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 7ab46e808b8b0876d2762e4962ed1b92
SHA1 52b8518e9ca9eb71a859d98546bddacc6400beb7
SHA256 485d6da2a9082a2b6aea905b256f5e03d979900671e7daa07d97f74379bf4426
SHA512 19c6dcff915cfafa33c68e594f02759e3d180b4647c664e83bb6354fc482272bb933aa3b2a7fe61e6b899be09ec965be5f3fd4d14de3dceace20c683a69701f2

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db-journal

MD5 59bbb8d92ec0934b495be4359240f398
SHA1 f9862ff38626cd67862dea7f3b85b7d30291cdd8
SHA256 cb9fdac38a10e8f8431cb3ef3544a3415b84f68b8d59148239970b498e62cf5d
SHA512 a23e57d0b96e3d5e7bf6c8e208d594bb9bfd4e9641ca5c546541afcc334e049c81d78e79fe012d921de79552810ff8f00a97634bcdb9c656d5b14b44397ffd03

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 542e858bf83b4122706471b22799b67e
SHA1 a41faddc1ced47ba6bfe1c223243ea65e035d22b
SHA256 b5d44fa54c61b90240e28ebdfc84f5fc67e567b9d8914685445fa5f05ca4d4ca
SHA512 45850768168f2c8886ac491278293ba31a3703592dc404eb11cc9981a083174859af47374350f975abb55b428922c8e6791ec7fdf825be2d56b47dab46276e27

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 c5ce84ef5c66c00c0d309a5db9231f9c
SHA1 cc740d9e97e94857b3294f5bb3ef723c45cf617a
SHA256 845138169296a52dfebf872918e102be90499da063d27719b0ad76896c5eec80
SHA512 404bafb954ac276001a06d05a1b26c9db577c6c4dfb234d35f5dee1576cf8448119cbab76f1ad61a73e6dd5b50b656d233ec143557c573c100ed9eeff78f0302

/data/user/0/com.Saapart.SW.hack/databases/OneSignal.db-journal

MD5 2f0f52c323a17aae819ee34aaffdb245
SHA1 ca4101e00cc676143a5834580975cf2237112e34
SHA256 bc0c20f547322fdde8e4cb68bef657a6fbeed5e23f229b9cb230a74613acd82c
SHA512 e1632750885654c1426addbe9f24c21a9a1d8184e208dbe16483f9de859c97a4fd2c476744a0cffe6c7da0c9cf26e80f5bfd1a2dbed5fa5bfca58a7f45b8fadc

/data/user/0/com.Saapart.SW.hack/databases/OneSignal.db

MD5 2479ff01e32c1445266304f37e9e7b35
SHA1 63a2b50d03eff98a4b5e684f1f95996b78219e6c
SHA256 c276033016c0ae04c4e1a7128d443a01aab24d99c434696ee1b01fef2d3acf15
SHA512 14b24f8be6f9a88e31a2d74f3f13cf9e84817bfe445b8b8a873c1678f274714237b3f1a2fc9c5821c300fc72418e3229439107c2a2ff307007409dee6fdf16d3

/data/user/0/com.Saapart.SW.hack/databases/OneSignal.db-journal

MD5 06833a2dce390e7a26f9e8e21c89aa4a
SHA1 24597c2ff1a16a3ef45944b72aaca6128a6cc99d
SHA256 a4c19672561e3963fe2b7c9f6282e1bc34c778afc06702cf316f4be4910c1519
SHA512 5d12233f2596ba69975db1f2d7c6ef5a79c4343af5acf2238468d17d557ca5c651293bb6e0149484de3225eaa94827181a5ae4362b34e82778aeb8334893f760

/data/user/0/com.Saapart.SW.hack/databases/OneSignal.db-journal

MD5 2cd8fc3900686843d4f77ae2d835e4fe
SHA1 54881bfbf7765a8e5287603c618adc43bcd75ec1
SHA256 95db73d5f5d7b914d20e9fb87455a1d50c8515f1498d8fa1968a1800d841335d
SHA512 9601052183dc4d8e408142a4ba9801a1b8df4ae34c8a8167fc848168f7c9ed03a0a495103d9fda4baca480dc6102341db5f50635e1cca0b2dfb5ab90d33caa8f

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 f2ce54d783681edb19bd491e3c691e01
SHA1 e9a7170e25e59f82dd9189061624f07ef009bc0c
SHA256 1c6863b2daa1d2328e369f665d262dd8510be7d2db475890e23e295bf228550e
SHA512 c87e43751f51ec894b098d2d5dbc5a090b0f5f9fd54f7adb6137b05335133d2b35c54396d31762d9b484aa2ea450bbf4aecec743755c81e2dc3a2d89f8d3b478

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 2d5dbe1d08a6c9cb2644b27fbd3e4ffe
SHA1 0310584dc4d022c8457e22923f8c39d40432b293
SHA256 4a7b3d34e8ac3d4b85c3b98015fbc5e2980b12e6a27faaf517e4fa3f548e2372
SHA512 59e944cdfd33cdf332fb06c8bd3b9b6211c7cebc0af3cd130ee85a8869562ab712abb484c068914c7a4e0430fd4e2b7f891453c3bf810e0c2c534ea95ed0cd79

/data/user/0/com.Saapart.SW.hack/databases/google_app_measurement_local.db

MD5 818548be1885386cc995f564f36a8e8e
SHA1 008b0c602ed55b1122dadfb3a20db517d55c10b3
SHA256 b4765a86f69c122307448d0c6e81cebd52ffbc59b0d19da42971e2857f773e6d
SHA512 47840561a1eded73600b656576a7a9195bd1beddb79b08090b9e6bd9ab610de6cfb0a334310bfefe0b33ef157d420aaa17c6315fa2e689398da3328c4460a02f