Malware Analysis Report

2025-04-03 14:13

Sample ID 241104-1xcxss1jfk
Target ee1a28f00a200589d07bad252731c0d8f30572b8882fd57abb140f61f58f41f5.bin
SHA256 ee1a28f00a200589d07bad252731c0d8f30572b8882fd57abb140f61f58f41f5
Tags
banker collection credential_access discovery evasion impact persistence
score
8/10

Analysis Overview

score
8/10

SHA256

ee1a28f00a200589d07bad252731c0d8f30572b8882fd57abb140f61f58f41f5

Threat Level: Likely malicious

The file ee1a28f00a200589d07bad252731c0d8f30572b8882fd57abb140f61f58f41f5.bin was found to be: Likely malicious.

Malicious Activity Summary

banker collection credential_access discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries information about active data network

Reads information about phone network operator.

Legitimate hosting services abused for malware hosting/C2

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-04 22:01

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application broad access to external storage under scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 22:01

Reported

2024-11-04 22:03

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

153s

Command Line

ru.swsiekjr.svlliruwg

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

ru.swsiekjr.svlliruwg

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.234:443 tcp
GB 216.58.212.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 sites.google.com udp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
US 1.1.1.1:53 chelpus.com udp
US 172.67.182.114:80 chelpus.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
US 1.1.1.1:53 config.unityads.unity3d.com udp
US 34.110.229.214:443 config.unityads.unity3d.com tcp
US 1.1.1.1:53 webview.unityads.unity3d.com udp
GB 18.165.227.128:443 webview.unityads.unity3d.com tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.200.2:443 tcp
US 1.1.1.1:53 publisher-config.unityads.unity3d.com udp
US 34.110.229.214:443 publisher-config.unityads.unity3d.com tcp

Files

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 a1b53462eceedd6c4fbd9ff2321bafbe
SHA1 011a5f1d0de455fc4c3826a54716f0040313e711
SHA256 f86b1f4738b8a7a2b59d0b605346176e018b35d98492faa500f43e3ed0711bee
SHA512 4408388c5110a17b819ce26ab23a32b75e155585ff2c1a5b9f62e5fba6f11ffb324b4bf5c8a505d3525d5952b1299b59653b3b29389e16a92d7715d7de734d5b

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB

MD5 ef6c4488156434af4fc62b990b63a85e
SHA1 e36ef5557f0a90d894bbf71062e8ea2d488df103
SHA256 79ace1e1c2767953fd01561f5ef40896ad435f5152d81dede67e9ba1f7dcb905
SHA512 b300958ad0b341f1e81b49668af6764487e1bb191debd3a19ed6d3115d55ce0c352d89a7f41ac7687c18ce81b0ee3d07fc210a99235815f29f4621ca97801440

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 fa175dc413b646864a6ca732b8a71de0
SHA1 4c819605fec7b1dae4f6b8b8179ecac89148dc6d
SHA256 4d36d2940cede3adaf7e8e10d8880b00baac3b9c61d2394812710dc34dc12049
SHA512 b17c1452d68c92a5d1262f7b002730b224569639a603ec70c49cf6759e68c541f528291d6907e1a450b8945cd55424510b0e39975b90ac38ce4f8c987e088f76

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 bf46ae9210803b9e533c3892f9e1797e
SHA1 a820a10d537a38ddde189a2b1c43cc3dc00136f4
SHA256 8a4f537d165cd247b2b0db7ba698832fc722b149959d39b5ed9e732e76b7f579
SHA512 b02548f9ffc808c982fdc0bef7df02ee3888ce12b8e832c357d326a004399fd8049211731c266e6864d60ca5f95f0bd4311798b45850b5a84de4099e34a24d47

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 7b12c07bbc4331001d32ef522e322017
SHA1 0b54bf9ce9c349cf35337ab5b70a442efe869189
SHA256 be0676ca0e81ebc98a763d1cd0085b9cc346c79309802b9c79852cdd612473f6
SHA512 ab0788863eeefd2809aa6c90a37df5b41929af770b8d0e9ad4e0a2c7bd1bb0bf5d1eeeac0ccab8b9c10164a4153aa41057092ce2eaa861e89fd3caabf9add368

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 d5ce2ba35f6af132acfa665155a13599
SHA1 e34f390f317ca41a0ef25a0ca92f6e5df94e4cb6
SHA256 96e8994111507469e889d286ff351d230829f554a0d2fa73eafd842cc739eab3
SHA512 13ed95e2e1169e576370ade79f356e9dc62396984e7d50eac2bd57cc6f50a16652582766df1a42c74bbec5a2d92a15c9ef8bfc5680dfdbb7ccdab7517706b0da

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 748cbd0c352af509b22c16bf382c21d6
SHA1 710e8fe4d22bb16eb46a0dc426e34bb69e946956
SHA256 f31c73cebe1c3fdf362b1f19050c1691c0ce61c6b8c512f53557d24e7746a0cc
SHA512 40edceb0bab34615f89d78599c5fc54ace21db10b56839f81e3ca459c924c34289837e553792ee0babb14c6a0f3f75388b5f70b5fada205752f4c1974cd83fe6

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/AdsBlockList_user_edit.txt

MD5 302f7b6d9a4ffeccdda9ef94184c8326
SHA1 d4038ca0629f57b7e5c4056e74a395e5598aa16a
SHA256 5b36134b695f0a9a32f570b08cc3ef74e0687a0d2aa228853bc0346f77bffebe
SHA512 299fda4936acf6479e22f9166d545976d5d99ba6fe7a5b7298cb336cf730eb7790524e4569fe64bc03c598c7e4117f163ddffc2e2889439f709c4d80ff665039

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/AdsBlockList.txt

MD5 a39d3e83724992bacc8e8618952cd4ba
SHA1 7bea1709ae2ae49bd4178fddedaeb04414e447bb
SHA256 eb89dcf955fca4d11d336236724ad91d6cd4803e1c3706a265191ffe58499462
SHA512 e31f7dc2bbdfbbe90646f87f7c21156729955f91b6a4ac300464e048e28f9eb87c05b6bb8f171c8bb1a85c2ac49110d7fc3efe943443baca46d7d83dd2501e96

/data/data/ru.swsiekjr.svlliruwg/files/pinapp.apk

MD5 ba57f9fe62bbcf10348091b7d08ce123
SHA1 0fba82354a775094f68fb49bd8530f97f6db97cf
SHA256 1df6c43a03bf45cb91c83eb81d123877eb4f663b0693daf4ba590df900a01160
SHA512 d030cb078a399eb104e5780426e14efeaeeaff93c4710186d1622b64a5ec547e20e318f72ac3c6adc3baa4680a955a3e43fa5964dd87a0684b21902672854e69

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/Changes/changelog.txt

MD5 61a55da92ec27d21434035f229201c34
SHA1 f0b036ad91a2f88a305efa12858661bd74e1774d
SHA256 cb34089d0e17b9e2d75b8940803dee678005332279c557d560293cddb8fef9d6
SHA512 ec1ad8696495025d0c1f598a03d430040a3d63fffd2d890db633a1276a4508893f6d4e128db30471873c019bb3400159558f00167a865f6f26c6c2952faa8fa1

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/cache/UnityAdsCache/UnityAdsTest.txt

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/data/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-public-data.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/cache/UnityAdsCache/UnityAdsWebApp.html

MD5 ec0be7729506bf50791fa8831a1fc680
SHA1 9ddaaddef48db397270eba733a39b4e30eb1a39f
SHA256 3a523de9bbcb80dc3cd9ec2c2d87a46bbd5cfa8017f1e03786317292a8e6d5bc
SHA512 f98fcc152d485d35718150d4ea3e59f6a91dc61dddf6fc851d0775f719253b24b1972f34b9d5b124a0c5f24464b0e14596afd354bd976567532892054300d5ac

/data/data/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-private-data.json

MD5 16d3e6eac0e79222a9b368edac765b34
SHA1 48d5e621fcdd84108f5750d6905180b622715b11
SHA256 3a518b70256a689906d6740062462e3124aad6e55c5aa47339a87a56e4933ee7
SHA512 d0aaacf86100135241426e2a0e9ba44414aa456cd708124e2f9c3a8037e008870cbcb506d316e4fe7cfe1d6dc3073393989a6f3c29f7cfabd6b0f65057afe747

/data/data/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-private-data.json

MD5 01f7c32619ecd06923e61890cd721a41
SHA1 0bb197010d1e5421063f6b499fb7edfa0f17b0d9
SHA256 7115f5e196024b409e75ff084b36764048b09e559c9dd6435e94e0eb1b70af8f
SHA512 185f933820c2fc97cd436f6a2266fa0b40c7b5e81b3a8366a4f462e5281df633bf7343cddab61c608279e6ac829feb24ecfa8afd91e2818a20d287bdb5cf1806

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-04 22:01

Reported

2024-11-04 22:04

Platform

android-x64-arm64-20240910-en

Max time kernel

82s

Max time network

153s

Command Line

ru.swsiekjr.svlliruwg

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

ru.swsiekjr.svlliruwg

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 www.youtube.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
US 216.239.36.223:443 tcp
US 1.1.1.1:53 sites.google.com udp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
US 1.1.1.1:53 chelpus.com udp
US 104.21.59.188:80 chelpus.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
GB 142.250.179.238:443 sites.google.com tcp
US 1.1.1.1:53 config.unityads.unity3d.com udp
US 34.110.229.214:443 config.unityads.unity3d.com tcp
US 1.1.1.1:53 webview.unityads.unity3d.com udp
GB 18.165.227.78:443 webview.unityads.unity3d.com tcp
US 1.1.1.1:53 publisher-config.unityads.unity3d.com udp
US 34.110.229.214:443 publisher-config.unityads.unity3d.com tcp
GB 142.250.187.193:443 tcp
US 216.239.36.223:443 tcp
GB 142.250.187.193:443 tcp
US 216.239.36.223:443 tcp

Files

/data/user/0/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 7814996d0b2047545647bcf99717369d
SHA1 65eab3f2aa04ac6b45702c05163ee921c08f4abd
SHA256 5400b9a04d4766a1eb277a6a840877bbebd4b6f18bbcf91df0965db7a1f76a27
SHA512 ff8c769717fdcefa01647df5577dadedbc293310ed467cbcb9412fc72b4fc271f6073a71fa7e2f088c516bc788fc522966b87b92e6a70cc72f9d084774176d0e

/data/user/0/ru.swsiekjr.svlliruwg/databases/PackagesDB

MD5 6add0317da9ab2cf701b96817aa3f7c4
SHA1 5636ccd1145458bac7c4affa4db975229bbd6bc2
SHA256 2b691d798766aef7a9c1444181a47a98d9f84f4a596e4c110fdd484c940945a3
SHA512 37d9da7a43c3811075106f89f3ae44f2f87e75e59f349ea513319b870da16df0c44b791148d8ca82cfa7835838be21a9b95843b1c3df05e6249447831023f022

/data/user/0/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 e9fe563f07291fab8c75257ff4c3c139
SHA1 c5028a6bee40d182d4850258c29a15a76c0cb807
SHA256 d8612817928063603f2af5f6d482f0f1de4c5e731e9fe9db56390282f2d5989f
SHA512 b982d574db738b21aed15ba8663f866d9547c811d8f0bd94b16e00f2d8811fffa509150f8734652464e96683c4a9c2a2e952e73b18b3d5e4f509a27872738284

/data/user/0/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 971c7bb2b8fd198b6b7f7ae63a9b0ede
SHA1 2d205e76948c2c39c53ca14f9b969e7d27f344f5
SHA256 9de30d9a7899187d95566001f1909d9a00f0157db903b362feb1fa8aad0c0795
SHA512 397f1117d2e5f461f51e751d1489bb53553780e26a4fdcd0fc3dd6bda29b7a85e50db816f9449aa0aff8cbeeb36c593cf8169fff804794a2d20383f2bf36c8a4

/data/user/0/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 018647336197548aacc8c8e594710d4b
SHA1 38efdf3b27593ffc70a3374dc309be7c28cec0d5
SHA256 f3363694daca2ed463df51fb1be790a7339a826a6c31ce2335662d9d42aa8838
SHA512 88113fdac8084624bbd49dbb37ddf21bb8876f4652625f1692e8483b5b2c9e195027438e5c743fc0ce49e1eb4e3c31d1e281a32b750ac87e8117890b0f73195f

/data/user/0/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 02a08e281996c478e7056a5975d07d0e
SHA1 ad79551f1167ab4b032b2e334f17bad63f8f23d5
SHA256 7e9a757f0c66c8d339fba963005683c362ff9c46d66b1354e1e45096d956cdee
SHA512 c279bb3b69e01c68252e3749cff3d36c39fad52d7b4efa5f19007cfd2598e1ea2ae6345a8838ada05afd0fa1db41884760c158fa3f7d2a32595055386843572c

/data/user/0/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 b49cc89c1b9dab5fdada80e421bd8c30
SHA1 51ebe1b3a8c6898845f76ba20f32b9b6c4fcdf28
SHA256 01e6f3f31cb880e2375e53ae8197eb5e68ddc476112625f1722b35a6236ef5ff
SHA512 b337ce2dfe4065ff09773b27b4800b17c352cc0110397ea5ab73f704db738499e217362ccc994d15e9e50d7779e313057a300d4defbfb54d848a413f4e4ef99b

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/AdsBlockList_user_edit.txt (deleted)

MD5 302f7b6d9a4ffeccdda9ef94184c8326
SHA1 d4038ca0629f57b7e5c4056e74a395e5598aa16a
SHA256 5b36134b695f0a9a32f570b08cc3ef74e0687a0d2aa228853bc0346f77bffebe
SHA512 299fda4936acf6479e22f9166d545976d5d99ba6fe7a5b7298cb336cf730eb7790524e4569fe64bc03c598c7e4117f163ddffc2e2889439f709c4d80ff665039

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/AdsBlockList.txt (deleted)

MD5 a39d3e83724992bacc8e8618952cd4ba
SHA1 7bea1709ae2ae49bd4178fddedaeb04414e447bb
SHA256 eb89dcf955fca4d11d336236724ad91d6cd4803e1c3706a265191ffe58499462
SHA512 e31f7dc2bbdfbbe90646f87f7c21156729955f91b6a4ac300464e048e28f9eb87c05b6bb8f171c8bb1a85c2ac49110d7fc3efe943443baca46d7d83dd2501e96

/data/user/0/ru.swsiekjr.svlliruwg/files/pinapp.apk

MD5 ba57f9fe62bbcf10348091b7d08ce123
SHA1 0fba82354a775094f68fb49bd8530f97f6db97cf
SHA256 1df6c43a03bf45cb91c83eb81d123877eb4f663b0693daf4ba590df900a01160
SHA512 d030cb078a399eb104e5780426e14efeaeeaff93c4710186d1622b64a5ec547e20e318f72ac3c6adc3baa4680a955a3e43fa5964dd87a0684b21902672854e69

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/Changes/changelog.txt

MD5 61a55da92ec27d21434035f229201c34
SHA1 f0b036ad91a2f88a305efa12858661bd74e1774d
SHA256 cb34089d0e17b9e2d75b8940803dee678005332279c557d560293cddb8fef9d6
SHA512 ec1ad8696495025d0c1f598a03d430040a3d63fffd2d890db633a1276a4508893f6d4e128db30471873c019bb3400159558f00167a865f6f26c6c2952faa8fa1

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/cache/UnityAdsCache/UnityAdsTest.txt (deleted)

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/user/0/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-public-data.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/cache/UnityAdsCache/UnityAdsWebApp.html (deleted)

MD5 ec0be7729506bf50791fa8831a1fc680
SHA1 9ddaaddef48db397270eba733a39b4e30eb1a39f
SHA256 3a523de9bbcb80dc3cd9ec2c2d87a46bbd5cfa8017f1e03786317292a8e6d5bc
SHA512 f98fcc152d485d35718150d4ea3e59f6a91dc61dddf6fc851d0775f719253b24b1972f34b9d5b124a0c5f24464b0e14596afd354bd976567532892054300d5ac

/data/user/0/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-private-data.json

MD5 16d3e6eac0e79222a9b368edac765b34
SHA1 48d5e621fcdd84108f5750d6905180b622715b11
SHA256 3a518b70256a689906d6740062462e3124aad6e55c5aa47339a87a56e4933ee7
SHA512 d0aaacf86100135241426e2a0e9ba44414aa456cd708124e2f9c3a8037e008870cbcb506d316e4fe7cfe1d6dc3073393989a6f3c29f7cfabd6b0f65057afe747

/data/user/0/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-private-data.json

MD5 4bce1444620cd746451bf8a8d15cbc6b
SHA1 c22522dd11b66244cf01debb5a922123a5fc1964
SHA256 50c7e27dc1d13c060e2a7df01142fbc70f9ed8ed07bbab1c3fc845f6d6c29ede
SHA512 56d25619a15e6c9315d7140445e67271a5e5f0b6c7b475989d52c42b9944420ef73e4b5008bb92810d4e3bb672eafe367b5e343f9367535f3c9dd09a2023435a

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 22:01

Reported

2024-11-04 22:04

Platform

android-x86-arm-20240910-en

Max time kernel

45s

Max time network

153s

Command Line

ru.swsiekjr.svlliruwg

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

ru.swsiekjr.svlliruwg

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 sites.google.com udp
GB 142.250.178.14:443 sites.google.com tcp
GB 142.250.178.14:443 sites.google.com tcp
GB 142.250.178.14:443 sites.google.com tcp
US 1.1.1.1:53 chelpus.com udp
US 172.67.182.114:80 chelpus.com tcp
GB 142.250.178.14:443 sites.google.com tcp
GB 142.250.178.14:443 sites.google.com tcp
GB 142.250.178.14:443 sites.google.com tcp
GB 142.250.178.14:443 sites.google.com tcp
GB 142.250.178.14:443 sites.google.com tcp
GB 142.250.178.14:443 sites.google.com tcp
US 1.1.1.1:53 config.unityads.unity3d.com udp
US 34.110.229.214:443 config.unityads.unity3d.com tcp
US 1.1.1.1:53 webview.unityads.unity3d.com udp
GB 18.165.227.78:443 webview.unityads.unity3d.com tcp
US 1.1.1.1:53 publisher-config.unityads.unity3d.com udp
US 34.110.229.214:443 publisher-config.unityads.unity3d.com tcp
GB 142.250.200.2:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 gateway.unityads.unity3d.com udp
US 34.149.76.49:443 gateway.unityads.unity3d.com tcp
GB 142.250.179.227:80 tcp
GB 142.250.179.228:80 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-journal

MD5 32e1c3ab7ece9c2bb34d77db0fa9b8e0
SHA1 18a15be956a9adb970085d903ed24e705ca91497
SHA256 5560ca45660373a7f1c7cfa527ef0831a5da1f69f4f9e1b1f4643b1d2ef5a101
SHA512 0f1a904d05b138d8bc10c9b1393c018756f16162c4161c514930cf989f03a957e60bbef966f1588baddbd9eca3db4e086fe371bd53ab63a5d48411033e6053bb

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB

MD5 434407ae94d6512cc30bf96dcabc1870
SHA1 8c1cdfd073e8333194e40ddf9155626b2c2fea6e
SHA256 30fcfedc9a7fa3997709ef488e84d52ff2a232156d064612374f06988a59412a
SHA512 7f382734b8b53e2b79a3238c2ea8d163e9e37ad9d2eec8441802f38d928975a462058f99bf4a987b51e5f2587466246e94b2c1a66dfb0d25bc37a646a04d71ff

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/ru.swsiekjr.svlliruwg/databases/PackagesDB-wal

MD5 778ab49fc6c7c3eee32f3882c820c3ed
SHA1 f7f37492ddd8ee256fc1b7be8de9bbc1be214db1
SHA256 24483e9243de03a7ab6cf7f20897fef61786c887570632d92373567cbd31f02a
SHA512 f598d748bbdbd7e2fe8312a7d6dbdea08af12644f955c11f7fe7b2b3f9ede2c82c82dfceb1f8369d5839c44893e738b428903d53b9095e03523fa9b6ea7decd7

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/AdsBlockList_user_edit.txt

MD5 302f7b6d9a4ffeccdda9ef94184c8326
SHA1 d4038ca0629f57b7e5c4056e74a395e5598aa16a
SHA256 5b36134b695f0a9a32f570b08cc3ef74e0687a0d2aa228853bc0346f77bffebe
SHA512 299fda4936acf6479e22f9166d545976d5d99ba6fe7a5b7298cb336cf730eb7790524e4569fe64bc03c598c7e4117f163ddffc2e2889439f709c4d80ff665039

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/AdsBlockList.txt

MD5 a39d3e83724992bacc8e8618952cd4ba
SHA1 7bea1709ae2ae49bd4178fddedaeb04414e447bb
SHA256 eb89dcf955fca4d11d336236724ad91d6cd4803e1c3706a265191ffe58499462
SHA512 e31f7dc2bbdfbbe90646f87f7c21156729955f91b6a4ac300464e048e28f9eb87c05b6bb8f171c8bb1a85c2ac49110d7fc3efe943443baca46d7d83dd2501e96

/data/data/ru.swsiekjr.svlliruwg/files/pinapp.apk

MD5 ba57f9fe62bbcf10348091b7d08ce123
SHA1 0fba82354a775094f68fb49bd8530f97f6db97cf
SHA256 1df6c43a03bf45cb91c83eb81d123877eb4f663b0693daf4ba590df900a01160
SHA512 d030cb078a399eb104e5780426e14efeaeeaff93c4710186d1622b64a5ec547e20e318f72ac3c6adc3baa4680a955a3e43fa5964dd87a0684b21902672854e69

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/files/LuckyPatcher/Changes/changelog.txt

MD5 61a55da92ec27d21434035f229201c34
SHA1 f0b036ad91a2f88a305efa12858661bd74e1774d
SHA256 cb34089d0e17b9e2d75b8940803dee678005332279c557d560293cddb8fef9d6
SHA512 ec1ad8696495025d0c1f598a03d430040a3d63fffd2d890db633a1276a4508893f6d4e128db30471873c019bb3400159558f00167a865f6f26c6c2952faa8fa1

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/cache/UnityAdsCache/UnityAdsTest.txt

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/data/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-public-data.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

/storage/emulated/0/Android/data/ru.swsiekjr.svlliruwg/cache/UnityAdsCache/UnityAdsWebApp.html

MD5 ec0be7729506bf50791fa8831a1fc680
SHA1 9ddaaddef48db397270eba733a39b4e30eb1a39f
SHA256 3a523de9bbcb80dc3cd9ec2c2d87a46bbd5cfa8017f1e03786317292a8e6d5bc
SHA512 f98fcc152d485d35718150d4ea3e59f6a91dc61dddf6fc851d0775f719253b24b1972f34b9d5b124a0c5f24464b0e14596afd354bd976567532892054300d5ac

/data/data/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-private-data.json

MD5 16d3e6eac0e79222a9b368edac765b34
SHA1 48d5e621fcdd84108f5750d6905180b622715b11
SHA256 3a518b70256a689906d6740062462e3124aad6e55c5aa47339a87a56e4933ee7
SHA512 d0aaacf86100135241426e2a0e9ba44414aa456cd708124e2f9c3a8037e008870cbcb506d316e4fe7cfe1d6dc3073393989a6f3c29f7cfabd6b0f65057afe747

/data/data/ru.swsiekjr.svlliruwg/files/UnityAdsStorage-private-data.json

MD5 57fd4723be8ee12a1d39a603bd206049
SHA1 bab794bbddfe6bbb06e58bf231b87ffcba065719
SHA256 3f71698595a9791aadf2c0318443623c0f22655ec4483814aea9726cc1af116c
SHA512 d0fbca0e5cdc91fbd6b95519af2515cde2db13630ca3f2a0ae8012fedab183cd5c817742b20d5a2139735fab3ed30c84c9d4c642849d728da5eeab315f9e20b3