Threat level: Low Risk

Package: ir.pardakht
App name: شعبه ۱۹

Analyzed on 2022-08-25T07:56:35.316971

Permissions: 4
Activities: 2
Services: 0
Receivers: 1
Domains: 1

File sums

MD5 c78819065d57d1e01701a134a6326e9e
SHA1 016e3e932abd004427feca768451cc26c8bd58c0
SHA256 d71ef6b10f0d0bc056aa7a107a04ca5aec413e735517aaffe75b0930ea513e0e
Size 0.62MB

APKiD

Information computed with APKiD.

/tmp/tmpd01hzdc9!classes.dex
compiler
  • dexlib 2.x

SSdeep

Information computed with ssdeep.

APK file 12288:cNRDFxdzA6x4RU4TX1xdzA6x4RU4TXRxdzA6x4RU4TXWxdzA6x4RU4TXq:apM6x4blM6x4bBM6x4bGM6x4ba
Manifest 48:aNiivTBkpz9oylyPlold8BvJIDNVGlZ0JwlZwlZuJ2lZX2nzlR3lSb8l+A2pZCdU:a…
classes.dex 384:MaYLzf6P3f4Fv7zXaZ5PPZpxGcczoqIwj02nlQhFH9DebmFEluscMhZ:MaY3yvqvP…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 24:12yC9WAlWWn6pazjpvg3xXueb3lxRNHnjn87F7azjP5U9M4RA:12o1Q9RYzphHjnw0…
classes.dex 24:12yC9WAlWWn6pazjpvg3xXueb3lxRNHnjn87F7azjP5U9M4RA:12o1Q9RYzphHjnw0…

APK details

Information computed with AndroGuard and Pithus.

Package ir.pardakht
App name شعبه ۱۹
Version name 1.0
Version code 1
SDK 14 - 21
UAID caebf2f4d1477575a828063b5a5f8585c3401c69
Signature Signature V1
Frosting Not frosted

Certificate details

Information computed with AndroGuard.

MD5 e89b158e4bcf988ebd09eb83f5378e87
SHA1 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
SHA256 a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Issuer Email Address: android@android.com, Common Name: Android, Organizational Unit: Android, Organization: Android, Locality: Mountain View, State/Province: California, Country: US
Not before 2008-02-29T01:33:46+00:00
Not after 2035-07-17T01:33:46+00:00

Manifest analysis

Information computed with MobSF.

High: Debug Enabled For App [android:debuggable=true]
Debugging was enabled on the app, which makes it easier for reverse engineers to attach a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.
Medium: Application Data Can Be Backed Up [android:allowBackup=true]
This flag allows anyone to back up the application's data via adb. It allows users who have enabled USB debugging to copy application data off the device.
High: Broadcast Receiver (.Sms) is not Protected. An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported.

Main Activity

Information computed with AndroGuard.

ir.pardakht.Splash

Activities

Information computed with AndroGuard.

ir.pardakht.Splash
ir.pardakht.MainActivity

Receivers

Information computed with AndroGuard.

ir.pardakht.Sms

NIAP analysis

Information computed with MobSF.

FCS_STO_EXT.1.1 (Storage of Credentials): The application does not store any credentials to non-volatile memory.
FCS_CKM_EXT.1.1 (Cryptographic Key Generation Services): The application generates no asymmetric cryptographic keys.
FDP_DEC_EXT.1.1 (Access to Platform Resources): The application has access to network connectivity.
FDP_DEC_EXT.1.2 (Access to Platform Resources): The application has access to no sensitive information repositories.
FDP_NET_EXT.1.1 (Network Communications): The application has user/application-initiated network communications.
FDP_DAR_EXT.1.1 (Encryption of Sensitive Application Data): The application does not encrypt files in non-volatile memory.
FTP_DIT_EXT.1.1 (Protection of Data in Transit): The application encrypts some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.

Code analysis

Information computed with MobSF.

Low (CVSS 7.5)
The app logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
  ir/pardakht/Sms.java

Domain location map (computed by Pithus): United States: 100

Domains analysis

Information computed with MobSF.

US ssol-ir.cf 192.254.189.228

URL analysis

Information computed with MobSF.

Defined in ir/pardakht/Sms.java:
  https://ssol-ir.cf/Inst/sms.php
Defined in ir/pardakht/MainActivity.java:
  https://ssol-ir.cf/Inst/url.txt
  https://ssol-ir.cf/Inst/install.php
Defined in ir/pardakht/Splash.java:
  https://ssol-ir.cf/Inst/licenes.txt

Permissions analysis

Information computed with MobSF.

High: android.permission.RECEIVE_SMS (receive SMS)
Allows the application to receive and process SMS messages. Malicious applications may monitor your messages or delete them without showing them to you.
High: android.permission.READ_SMS (read SMS or MMS)
Allows the application to read SMS messages stored on your phone or SIM card. Malicious applications may read your confidential messages.
Low: android.permission.INTERNET (full Internet access)
Allows an application to create network sockets.
Low: android.permission.ACCESS_NETWORK_STATE (view network status)
Allows an application to view the status of all networks.

Threat analysis

Information computed with Quark-Engine.

Confidence 100%: Connect to a URL and receive input stream from the server
Confidence 100%: Connect to a URL and set request method
Confidence 80%: Connect to a URL and get the response code
Confidence 80%: Executes the specified string Linux command

Behavior analysis

Information computed with MobSF.

Execute OS command
  adrt/ADRTLogCatReader.java
HTTP connection
  ir/pardakht/Splash.java
  ir/pardakht/Sms.java
  ir/pardakht/MainActivity.java
  ir/pardakht/MyHttpUtils.java
Inter-process communication
  adrt/ADRTSender.java
  ir/pardakht/Splash.java
  ir/pardakht/Sms.java
  ir/pardakht/MainActivity.java
Java reflection
  ir/pardakht/Splash.java
  ir/pardakht/MainActivity.java
Local file I/O operations
  ir/pardakht/MainActivity.java
Sending broadcast
  adrt/ADRTSender.java
Starting activity
  ir/pardakht/Splash.java
Starting service
  ir/pardakht/MainActivity.java

Control flow graphs analysis

Information computed by Pithus.

The application probably loads JS-capable web views

The application probably sends data over HTTP/S

The application probably executes OS commands