Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags
    arch:arm64 arch:x64 arch:x86 image:android-33-x64-arm64-20240910-en locale:en-us os:android-13-x64 system
  • submitted
    21/10/2024, 22:02 UTC

General

  • Target

    9dd4a2c7f69bb885c054ff85ed4d17e07baedc2b3d4663c3689f590d2cdb4189.apk

  • Size

    283KB

  • MD5

    3df0f3488457efadb4c1a150151b9dbe

  • SHA1

    1eb9da0f727f360c61cf9b1ac5153a6a9a307b1f

  • SHA256

    9dd4a2c7f69bb885c054ff85ed4d17e07baedc2b3d4663c3689f590d2cdb4189

  • SHA512

    bcd4dad4086c379aea9e09c96e058c0ffde01c0d3284587aa56ce0f928a3dc5db12ecb04e20435e5631e62bcc5943f97a875288d34bb30cf371376cf698ce63e

  • SSDEEP

    6144:FPbxDjSYQdYrEQhV3/fJv87fblRoM8A5O5eIxDPX:FPZbQdYYaPfu7DjQA5O5eIxDPX

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.105:28844

DES_key
1
4162356431513332

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • urkvoa.comxx.yjbcso.avrjma
    1
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4472

Network

  • flag-us
    DNS
    docs.google.com
    Remote address:
    1.1.1.1:53
    Request
    docs.google.com
    IN A
    Response
    docs.google.com
    IN A
    142.250.200.14
  • flag-gb
    GET
    https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
    Remote address:
    142.250.200.14:443
    Request
    GET /document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Mobile Safari/537.36 Edg/112.0.0.0
    Upgrade-Insecure-Requests: 1
    Referer: https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Host: docs.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    X-Robots-Tag: noarchive
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 21 Oct 2024 22:03:00 GMT
    Content-Encoding: gzip
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/docs-tt
    Content-Security-Policy: base-uri 'self';object-src 'none';report-uri https://docs.google.com/document/cspreport;script-src 'report-sample' 'nonce-zyYkeZtFyuJjvCWJXhKhmg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';worker-src 'self' blob:
    Reporting-Endpoints: default="/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/web-reports?bl=editors.documents-frontend_20241015.02_p2&context=eJwV0XdU1UcWB_Dx95v7U-FRY4lIU7GgYgAhGqUIj_f24SqSRJmfrCU0OUQXIqKuNWpcd4O6HrCgIvLo4PNZw7GLDWxEISqu6BJlrRSN5SFlA_vNH59z59w7Z-6dGavf-jl2RrHNimARfQTLhdXWgpnhuEawEHvBCsDVUbCR_QXTwhWIGSBYxUDBxn4qWAlMdxLMfrBgUc6CFboKluQmWNdQweKHCaYZIZgLnIeu0YLZjBXMAUphjJdgmeME2-QjmN5fsHTYCT2fCzZjgmB3Jgr2FIKDBPtyFmZQBZsANdGCPYbceYLdjxHsBfSNF2wQ3EsQzG-hYGHQvBQ94d_rBHsJpesFOwm3NgjWAGE_CDYTJm4VzADpuwTbC8OzBPOH7t2C2e4RbMM-zAkbchFhrFGwAMguFMwEN8yC1UO_I4J5wKlywa5DwznBXsOQKsF8YA1shfBrgs2GkJu4F-ir8XawB8pgdI1gk6C8TrBKeA_yfcH-9UCw_VBUjxqcgutwqUGwX8D1iWDjIOsp_gXsngnmBsfgElRBHbx4KdhHiH0nWCo8hzaItVPZBagBjb3KnOHFQJVNdVJZNNj7qcwd5n-usqVwBm7C3i9UdgDq4Dn0na6yoEiVRcAO2PS1ynbBCVVlT6JVtn6uyjIgJEZlX8LFWJXVgv0SnA8z01S2fa3KsuERPIUukL9X2R7Ig8twExqhCVrBAr_2r2XRo5ulWNgy5620A-oT30qN8PfLb6WtkNj4TkqBQZ-9l4ZAZNR7SYXD4yzSCbjobZFcDRZpBMxaY5HmgvM6i-QBAzdYJDdoO22RumFfpUUqhOsLP0q1sCKgXVoPamC79A1EL2iXYuFMert0GapndUh3YcKqDikYHG90SE7Qt6ZDcoDJjp2SFgb90CkNgfTNnVLmH4yd0l5I3Ps_KQU2ftUtbYG2nm6pG84690hXYObCHmkOeK_okSaCtLJHsoLCVCYfhPrHTG6Enfm9ZENhLzkS3LZK8ki4apTk21B1BWtZlm-Du6csj4IzX8nyZZg_S5YToXyTLF-AlCuyvBzePZPlTlhqxeVKdy7_DC2vJ_EP4PhxEneCjKbJfA_8-Hoyz4B3HybzTng4I4AP2B3AXeHJwQD-ChKdAnkKVHsGcveJgXwUpGcF8p1g5xHEB8Ky8UF8LZyPD-JV8H1yEP8H1FEwb4Dp24L5LOi-FsyV68G8rDaYH4XBflP4MGDqFN4HQu5N4c4uIdwDugwhXAkP4XlTQ3gZ3G4J4b9CRWsIvwpKaCi3hTerQnnZ7lB-FA6XhvIKqDaF8rvQ3xzKXaBBo-UeA7V8LDRFavk7OPedllfCm2Va_hE6Vmt5rzVa7rJey4dD_WEtb4Rnx7S8FVbd0fLNcPaell-Buc1angAub7Ef9EPCeARYhoZxGhbG_6aG8X_Cym_D-K7sMF4MLSVh_AP4tIXxL2AGCCiDo3DHRccfwqMROt4C40fquBay43T8bhLykLNYx4tgyjIdN4BVho47QpxZxzee1_EtsP-qjof8ouPhcPC5jv8E59z1vBIW-et5GjyboOcWeD9fz7ugM0bPrWL1fPw2PZ8Muf0N_Bokuxj4WtgAmTAmysDHQ2aigd_fb-CNMKzOwP_ySTiPg-v9wvkDOPNpOK-C3ivDuR3E957KF0G61VSeCaYZufTJ17k0GK6cyKVqsL2VS0X_yaVy-KyvkYLBPdpIo2BQgpGG_GGdkXzgyXYjLS8wUs5pIxVB8hkjLYPACiPpwOaDkfpDWpuRNsKBdiMdg6xeeVQCI-fl0a2cPGqA1JN5tBJG_5xHvhDRk0dR8HhOPr0Ezb586gfDc_LJC0oL8-kI
1L7Lp-2pBZQNxowCOgKdzQUktRRQ0psCWgxcKqR-EL2okGKh2rWI7oJnchEVbSwiM8g_FVHd1GLq-XMx9Z5WTD9uL6Ybx4upHk6eK6bLMNtcQjFw8b8lVAsZbqU0IKCURsDt9aVUD0p5KdlCUNMB0kPe7weoDE4NNtFF2O9lojJwiTDRcGCRJuoDfRNM5ACea03kB8N3mcgLMstNlA-jKg_Sam6mjRDoaSYdDBtjpjGQ5W-mEjj2rZlOw7QVZpoJ10rMVAM2J83UH5acMtMqcO8ykzcMGHWIXME0_RAdh6Fxh2g0WFIOUVFQE5lhX0ITFcKAlCYaASVbm-gwaB2ayWNGM_lBytxmWg5tD5qpG9RHzfQNOAe3kAf8JlqoHUYea6EJoD_dQhHw8WIL9cAUz1aKhHj_Vho-u5W8wHdvK02C1gut9DvYeb4lNzBPtVaOQaewViTVWrmRYa3UQ1SJtTIPnjy1Vl5BhcVamdlhrczuRB7-5KNRBPToNEpvvUaR52mU_ckapRiqVmqUOojI0ihR8D5bo7RDzz6NYpejUXJTbZQSMJTbKJHw-ISN8hKiztooHgtslbGwe4OtYoQ-22wVe7CrsFVW37RVcp7ZKUem2SuLF9orhkgHZf0rB2WevaMyOdZRcdT02ZH78KRiX3Op7ITsZD09JTZpUUJozJKkuKGeCfFJaSmpS8bFp8Qt_WtCctoSrwWpKclpCcnx8329ff18vH38x3n7zv_O9_-6jdvU&build-label=editors.documents-frontend_20241015.02_p2&imp-sid=CLegxoe9oIkDFdiiXQMda30XyA&is-cached-offline=false"
    Referrer-Policy: origin
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=518=0-3qB6iZNmye85V9KDsVQYDhW4p1SQOi565TqoXFlQwU9QmaZ0eYNAql5UavHG1o5Qly7NiH_YBS04idgJ7-f-vi1aO3NfFMkl9zosN93LuudU4Vczr6vGGRgFbD8T4Q71ijAJ7dJcC96_8B_-zFLYcxX_6JDQl9CDLsLzvb82tSjbA; expires=Tue, 22-Apr-2025 22:03:00 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    x-l2-request-path: l2-managed-5
    Transfer-Encoding: chunked
  • flag-gb
    GET
    https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic
    Remote address:
    142.250.200.14:443
    Request
    GET /document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Mobile Safari/537.36 Edg/112.0.0.0
    Upgrade-Insecure-Requests: 1
    Referer: https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Host: docs.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    X-Robots-Tag: noindex, nofollow, nosnippet
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 21 Oct 2024 22:03:01 GMT
    Content-Encoding: gzip
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/docs-tt
    Content-Security-Policy: base-uri 'self';object-src 'none';report-uri https://docs.google.com/document/cspreport;script-src 'report-sample' 'nonce-TUqmYaSuSK0qynZr3OEADg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';worker-src 'self' blob:
    Reporting-Endpoints: default="/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/web-reports?bl=editors.documents-frontend_20241015.02_p2&context=eJwV0HlczekeB_DH7_d8f6jTOmIsKRRCplLDlUqdzlFd0gx6frqWadOr4dZIuNZRjHsnXK8y1tBpL8exZHrZxShrlgYZMYautWXc4rS5U_czf7xfz_P6Pt_Xd3ksDjvYd0WyItiiCBbeR7AcWGspmAlOaAQLtBUsH4baCzbKQTAtVEJ0f8EqBgg27lPBCmHGIMGGDxYscohgBUMFS3QS7ONwweJGCKYZKZgjXICPYwSzGieYHZTAWHfBssYLttlTML2PYBmwE3o-F2zmRMHuTRLsBQT4C_bFHMygCjYR7kYJ9gxyFgj2MFqw19A3TrCB8CBeMO_FggVD43L0hF82CPYGStIEOwW30wV7CsEbBZsNk7YJFgIZuwTbB667BfOB7j2CWe8VLH0_5oT0HJwwziDYFMguEMwIVfAAbpgEq4N-xwRzgdPlgl2HX88L1gzDrgjmCetgG4ReE2wuBN7EfqCvxh_CXiiFMXcFmwyl91ELzsMtKK9FT3gP8kPB_v1IsINQWIc3OA3X4aengv0MQ58LNh52vxCsGGxeCuYEZfATXIFaeP1GsHaIaRUsBV5BG8TYqOwi3AWNrcqGwOsBKgsbpLIosPVWmTMs_Fxly-Es3IR9f1HZIaiFV9B3hsr8I1QWDj_A5lkq2wUnVZU9j1JZ2nyVZUJgtMq-gEsxKqsB22WoD7NTVbZjvcqyoQSOwRN4AS3QCYO_VdkIyAcj3IIHUA8N0Axm-M2hhkWNaZRiYOu8FukHqEtokerhu8st0jZIqG-VkmHgZ--lYRAR-V5S4eh4s3QSLnmYpaEhZmkkzFlnlubDkA1myQUGpJslJ2g7Y5a6YX-VWSqA64vbpRpYNaVDSgPVr0P6CqIWdUgxcDajQ7oM1XM6pfswcU2nFAD2NzqlQdD3bqdkB772XZIWBm7skoZBxpYuKetPhi5pHyTs-5-UDJu-7Ja2QltPt9QN54b0SJUwe3GPNA88VvVIk0Ba3SNZQEEKkw9D3TMm18POvF5ySEEvOQKctknyKLhqkOQ7cKUSd1mW74CzmyyPhrNfyvJlWDhHlhOgfLMsX4TkSlleCa0vZbkLlltwucqZy7eg6ffJ_APYt0_mgyCzwZfvhe9_9-WZ0PrBl3fB45lTeP89U_hQeH54Cn8LCYP8eDJUu_lx50l-fDRk7PbjO8HGxZ8PgBUT_Pl6uBDnz6_At0n-_J9QSwH8KczYHsDnQPe1AK5cD-ClNQH8OAz2nspHAFOn8j4Q-GAqH-IYyF3gY0ggV0IDeW5YIC-FO02B_DeoaA7kV0EJCuLW8G5NEC_dE8SPw9GSIF4B1cYgfh8cTEHcEZ5qtNxlgJaPg4YILW-F899oeRW8W6Hl7dC5Vst7rdNyxzQtd4W6o1peDy_LtLwZ1tzT8i1w7oGWV8L8Ri2PB8cW5IN-WDAPB_PwYE4jgvk_1GD-L1j9dTDflR3Mi6CpOJh_AN-2YK4FHcyAUjgO76Ad7jnq-GN4MlLHm2DCKB3XQnasjt9PRBwOLNXxQpi6QsdDwCJTx-0h1qTjmy7o-FY4eFXHA3_W8VA4_ErHf4TzznpeBUt89DwVXk7UczO8X6jnH6ErWs8tYvR8wnY994XAjmk8FHIcQvg1SHIM4eshHbJgbGQInwBZCSH84cEQXg8jakP43z4J5bFwvV8ofwRnPw3lV6D36lBuA3G9w_gSyLAI41lgnJlDn8zKocFQeTKHqsH6dg4V_ppD5fBZXwMFgHOUgUbDwHgDDfvTBgN5wvMdBlqZb6ADZwxUCElnDbQC_CoMpAOrDwZygNQ2A22CQx0GKoPdvXKpGEYtyKXbB3LpKaScyqXVMOZWLnlB
eE8uRcKzeXn0BjT786gfuB7II3coKcijY1DTmkc7UvIpG3Iy8-kodDXmk9SUT4nv8mkpcKmA-kHUkgKKgeqhhXQf3JIKKXtTIeWD_GMh1YYVUc9fi6j39CKK3VhEi-H7HUV040QR1cGp80V0GeaaiikaLv2nmGog06mE-k8poZFwJ62E6kApLyFr8G84RHrI_eMQlcLpwUa6BAfdjVQKjuFGcgUWYaQ-0DfeSHbgtt5I3uC6y0jukFVupDwYXXWY1nITbQI_NxPpYMRYE42F3T4mKoayr010BqavMtFsuFZsortgdcpEDrDstInWgPNHE3mAccYROgHDY4_QGDAnH6FC_wYywf74BioAh-QGcoXibQ10FLR2jeQys5G8IXl-I62EtkeN1A3qk0b6CoYENJEL_Fc0UQeMKmuiiaA_00Th0H6piXpgqlszRUCcTzO5zm0md_Da10yTofliM_0BNm4t5ASmMEulDLqEpSKplsqNTEulDiKLLZUF8PyFpfIWKsyWyuxOS2VWl6WiwjRPjSKgR6dReus1Sud8jXIwSaMUwZXVGqUWwndrlEh4n61ROoAd0Ci2kJNipRRDSLmVEgENJ62UVog8Z6W4LLJWxsGedGvFAH22Wyu2YFNhray9aa0ceGmjHJtuqyxdbKtMi7BT0t7aKQts7RXfGHvFXtNnZ87jU4rttT21v_QaZDkjOSZxSXxQ9LLE2OFu8XGJqckpy8bHJccu_3t8Uuoy90UpyUmp8UlxC708vLw9PTx9xnt4LfzG6_-yRPd0&build-label=editors.documents-frontend_20241015.02_p2&imp-sid=CLCu5oe9oIkDFVISqQEd8t8Mxg&is-cached-offline=false"
    Referrer-Policy: origin
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=518=nJyAO2-TE6Ujc2thVfb8756LhEGjCbAPVgsIiXZhgF3-QUeSWo-d1aIgO89obszOhIztegpPwbXi0vU4FetdjmQhsCplhq-IO4pu9grMzurySbo85-QU2ID4wsa3Nwj8SG7To1cLzkzZg--rm3zaw_S4jeYUOtLRItpQwJJMdsscclLk; expires=Tue, 22-Apr-2025 22:03:01 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    x-l2-request-path: l2-managed-5
    Transfer-Encoding: chunked
  • flag-us
    DNS
    rcs-acs-tmo-us.jibe.google.com
    Remote address:
    1.1.1.1:53
    Request
    rcs-acs-tmo-us.jibe.google.com
    IN A
    Response
    rcs-acs-tmo-us.jibe.google.com
    IN A
    216.239.36.155
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.201.110
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
  • flag-us
    DNS
    remoteprovisioning.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    remoteprovisioning.googleapis.com
    IN A
    Response
    remoteprovisioning.googleapis.com
    IN A
    172.217.16.234
    remoteprovisioning.googleapis.com
    IN A
    142.250.200.10
    remoteprovisioning.googleapis.com
    IN A
    142.250.178.10
    remoteprovisioning.googleapis.com
    IN A
    142.250.200.42
    remoteprovisioning.googleapis.com
    IN A
    142.250.179.234
    remoteprovisioning.googleapis.com
    IN A
    216.58.201.106
    remoteprovisioning.googleapis.com
    IN A
    142.250.187.202
    remoteprovisioning.googleapis.com
    IN A
    172.217.169.10
    remoteprovisioning.googleapis.com
    IN A
    216.58.204.74
    remoteprovisioning.googleapis.com
    IN A
    142.250.180.10
    remoteprovisioning.googleapis.com
    IN A
    216.58.212.202
    remoteprovisioning.googleapis.com
    IN A
    142.250.187.234
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    216.58.212.228
  • flag-us
    DNS
    newsstand.googleusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    newsstand.googleusercontent.com
    IN A
    Response
    newsstand.googleusercontent.com
    IN CNAME
    googlehosted.l.googleusercontent.com
    googlehosted.l.googleusercontent.com
    IN A
    142.250.178.1
  • flag-us
    DNS
    encrypted-tbn0.gstatic.com
    Remote address:
    1.1.1.1:53
    Request
    encrypted-tbn0.gstatic.com
    IN A
    Response
    encrypted-tbn0.gstatic.com
    IN A
    142.250.200.46
  • flag-us
    DNS
    social-magazines-prod.storage.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    social-magazines-prod.storage.googleapis.com
    IN A
    Response
    social-magazines-prod.storage.googleapis.com
    IN A
    142.250.180.27
    social-magazines-prod.storage.googleapis.com
    IN A
    172.217.169.91
    social-magazines-prod.storage.googleapis.com
    IN A
    142.250.187.251
    social-magazines-prod.storage.googleapis.com
    IN A
    142.250.200.27
    social-magazines-prod.storage.googleapis.com
    IN A
    172.217.16.251
    social-magazines-prod.storage.googleapis.com
    IN A
    142.250.179.251
    social-magazines-prod.storage.googleapis.com
    IN A
    142.250.178.27
    social-magazines-prod.storage.googleapis.com
    IN A
    216.58.201.123
    social-magazines-prod.storage.googleapis.com
    IN A
    216.58.204.91
    social-magazines-prod.storage.googleapis.com
    IN A
    216.58.213.27
    social-magazines-prod.storage.googleapis.com
    IN A
    172.217.169.27
    social-magazines-prod.storage.googleapis.com
    IN A
    216.58.212.219
    social-magazines-prod.storage.googleapis.com
    IN A
    172.217.169.59
    social-magazines-prod.storage.googleapis.com
    IN A
    142.250.200.59
    social-magazines-prod.storage.googleapis.com
    IN A
    142.250.187.219
  • 142.250.200.14:443
    https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
    tls, http
    2.2kB
    19.7kB
    20
    20

    HTTP Request

    GET https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic

    HTTP Response

    200
  • 142.250.200.14:443
    https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic
    tls, http
    2.2kB
    19.6kB
    20
    20

    HTTP Request

    GET https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic

    HTTP Response

    200
  • 91.204.226.105:28844
    6.4kB
    1.1kB
    27
    19
  • 216.239.36.155:443
    rcs-acs-tmo-us.jibe.google.com
    tls
    1.4kB
    6.8kB
    10
    10
  • 216.58.201.110:443
    android.apis.google.com
    tls
    4.4kB
    8.2kB
    31
    25
  • 172.217.16.228:443
    100 B
    60 B
    2
    1
  • 172.217.16.228:443
    www.google.com
    tls
    1.1kB
    4.7kB
    9
    9
  • 172.217.16.228:443
    www.google.com
    tls
    2.5kB
    8.2kB
    20
    17
  • 172.217.16.234:443
    remoteprovisioning.googleapis.com
    tls
    3.5kB
    13.4kB
    16
    16
  • 216.58.212.228:443
    www.google.com
    tls
    1.1kB
    4.7kB
    9
    8
  • 142.250.187.198:80
    312 B
    6
  • 216.58.213.2:443
    tls
    135 B
    40 B
    2
    1
  • 216.58.213.2:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.187.198:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.187.226:443
    tls
    135 B
    40 B
    2
    1
  • 216.58.213.2:443
    tls
    135 B
    40 B
    2
    1
  • 216.58.201.97:443
    tls
    135 B
    40 B
    2
    1
  • 172.217.169.33:443
    tls
    135 B
    40 B
    2
    1
  • 172.217.169.33:443
    tls
    135 B
    40 B
    2
    1
  • 172.217.169.33:443
    tls
    135 B
    40 B
    2
    1
  • 172.217.169.33:443
    tls
    135 B
    40 B
    2
    1
  • 172.217.169.33:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.200.46:443
    encrypted-tbn0.gstatic.com
    tls
    7.3kB
    182.3kB
    104
    143
  • 142.250.180.27:443
    social-magazines-prod.storage.googleapis.com
    60 B
    1
  • 142.250.180.27:443
    social-magazines-prod.storage.googleapis.com
    60 B
    1
  • 142.250.180.27:443
    social-magazines-prod.storage.googleapis.com
    tls
    10.8kB
    287.0kB
    126
    217
  • 142.250.180.27:443
    social-magazines-prod.storage.googleapis.com
    tls
    1.0kB
    6.2kB
    9
    7
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    docs.google.com
    dns
    61 B
    77 B
    1
    1

    DNS Request

    docs.google.com

    DNS Response

    142.250.200.14

  • 1.1.1.1:53
    rcs-acs-tmo-us.jibe.google.com
    dns
    76 B
    92 B
    1
    1

    DNS Request

    rcs-acs-tmo-us.jibe.google.com

    DNS Response

    216.239.36.155

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.201.110

  • 216.58.201.110:443
    android.apis.google.com
    https
    3.1kB
    7.5kB
    7
    8
  • 1.1.1.1:53
    www.google.com
    dns
    120 B
    76 B
    2
    1

    DNS Request

    www.google.com

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

  • 1.1.1.1:53
    remoteprovisioning.googleapis.com
    dns
    79 B
    271 B
    1
    1

    DNS Request

    remoteprovisioning.googleapis.com

    DNS Response

    172.217.16.234
    142.250.200.10
    142.250.178.10
    142.250.200.42
    142.250.179.234
    216.58.201.106
    142.250.187.202
    172.217.169.10
    216.58.204.74
    142.250.180.10
    216.58.212.202
    142.250.187.234

  • 142.250.187.196:443
    www.google.com
    https
    9.3kB
    209.8kB
    70
    182
  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    216.58.212.228

  • 1.1.1.1:53
    newsstand.googleusercontent.com
    dns
    77 B
    122 B
    1
    1

    DNS Request

    newsstand.googleusercontent.com

    DNS Response

    142.250.178.1

  • 1.1.1.1:53
    encrypted-tbn0.gstatic.com
    dns
    72 B
    88 B
    1
    1

    DNS Request

    encrypted-tbn0.gstatic.com

    DNS Response

    142.250.200.46

  • 142.250.178.1:443
    newsstand.googleusercontent.com
    https
    5.8kB
    9.7kB
    16
    16
  • 1.1.1.1:53
    social-magazines-prod.storage.googleapis.com
    dns
    90 B
    330 B
    1
    1

    DNS Request

    social-magazines-prod.storage.googleapis.com

    DNS Response

    142.250.180.27
    172.217.169.91
    142.250.187.251
    142.250.200.27
    172.217.16.251
    142.250.179.251
    142.250.178.27
    216.58.201.123
    216.58.204.91
    216.58.213.27
    172.217.169.27
    216.58.212.219
    172.217.169.59
    142.250.200.59
    142.250.187.219

  • 142.250.200.46:443
    encrypted-tbn0.gstatic.com
    https
    1.3kB
    1

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/urkvoa.comxx.yjbcso.avrjma/files/b

    Filesize

    505KB

    MD5

    1948f47b3ea40b56b95c2afea1715414

    SHA1

    5c690f45283971be674c6d8a2e54175b0ecf55eb

    SHA256

    55e4054d9045b3a34d808883c387d64cbae6a402ba7551f1c7a19d6b2bcc5ae7

    SHA512

    8f3e40ff08f864901147cd60dd88191b9f792a746f0d923e3fea3a30f1ce951ec984013641b32ce1130b764f3d27974ac1a4a9d281090c8bbbff02808ffeb436

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    1ceb1e437275c4de4e8122359c7c09fa

    SHA1

    33b673d49fee5a2455f356d7617d3debfb95bdc4

    SHA256

    6882f33fba0c13ba23718939447ad85c6daa3235a053d70cc5e729f501097395

    SHA512

    b9a2a98a9c3c2fa4f0815caafbb374eb980e2353be9c9cabe3a9e57183f3c9bc8f055318456ea79bc94a8bd64ce4fb407514a019000e9d0bd489c513819529f3
