Malware Analysis Report

2024-09-09 19:08

Sample ID: 240516-xqpq8sbe53
Target: 4c989daab8a65354154c915e2751e094_JaffaCakes118
SHA256: ad6c78be833afa15ef6b4c2657e6af45e7d58e506586d28ce48924a0bc5c8ab8
Tags: banker discovery evasion impact persistence privilege_escalation
Score: 8/10


Analysis Overview


Threat Level: Likely malicious

The file 4c989daab8a65354154c915e2751e094_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence privilege_escalation

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks CPU information

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Tries to add a device administrator

Checks if the internet connection is available

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-16 19:03

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 19:03
Reported: 2024-05-16 19:06
Platform: android-x86-arm-20240514-en
Max time kernel: 162s
Max time network: 172s

Command Line

com.change.unlock:remote

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Checks CPU information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.change.unlock:remote

com.change.unlock

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.68:443 | www.google.com | tcp
US | 1.1.1.1:53 | feedback.umeng.com | udp
US | 1.1.1.1:53 | api2.sharesdk.cn | udp
GB | 142.250.178.3:443 | | tcp
CN | 115.227.43.65:5566 | api2.sharesdk.cn | tcp
US | 1.1.1.1:53 | utop.umengcloud.com | udp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
US | 1.1.1.1:53 | utop.umengcloud.com | udp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
US | 1.1.1.1:53 | api2.sharesdk.cn | udp
CN | 115.227.43.65:5566 | api2.sharesdk.cn | tcp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp

Files

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.DataStorage/ContextData.xml
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/data/data/com.change.unlock/databases/tpad_funlocker.db-journal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db-shm
/data/data/com.change.unlock/databases/tpad_funlocker.db-wal
/storage/emulated/0/ShareSDK/.dk
/data/data/com.change.unlock/databases/tpad_funlocker.db-wal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db-wal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db-wal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db-wal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db-wal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/storage/emulated/0/CHANGEUnlock/config/con_list.xml
/storage/emulated/0/CHANGEUnlock/config/current.xml
/storage/emulated/0/CHANGEUnlock/content/ssrysp/image/ssrysp.png
/storage/emulated/0/CHANGEUnlock/content/ssrysp/ssrysp.ux
/storage/emulated/0/CHANGEUnlock/content/ssrysp/wallpaper/ssrysp.jpg
/storage/emulated/0/CHANGEUnlock/config/current.xml
/storage/emulated/0/CHANGEUnlock/config/fm.txt
/data/data/com.change.unlock/databases/sharesdk.db-journal
/data/data/com.change.unlock/databases/sharesdk.db
/data/data/com.change.unlock/databases/sharesdk.db-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-16 19:03
Reported: 2024-05-16 19:06
Platform: android-x64-20240514-en
Max time kernel: 178s
Max time network: 191s

Command Line

com.change.unlock:remote

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Checks CPU information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.change.unlock:remote

com.change.unlock

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | feedback.umeng.com | udp
US | 1.1.1.1:53 | api2.sharesdk.cn | udp
CN | 115.227.43.65:5566 | api2.sharesdk.cn | tcp
US | 1.1.1.1:53 | utop.umengcloud.com | udp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.179.226:443 | | tcp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
US | 1.1.1.1:53 | api2.sharesdk.cn | udp
CN | 115.227.43.65:5566 | api2.sharesdk.cn | tcp
US | 1.1.1.1:53 | utop.umengcloud.com | udp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp

Files

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.DataStorage/ContextData.xml
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/data/data/com.change.unlock/databases/tpad_funlocker.db-journal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db-journal
/data/data/com.change.unlock/databases/tpad_funlocker.db-journal
/storage/emulated/0/ShareSDK/.dk
/data/data/com.change.unlock/databases/tpad_funlocker.db-journal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db-journal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db-journal
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db
/data/data/com.change.unlock/databases/tpad_funlocker.db
/storage/emulated/0/CHANGEUnlock/config/con_list.xml
/storage/emulated/0/CHANGEUnlock/config/current.xml
/storage/emulated/0/CHANGEUnlock/content/ssrysp/image/ssrysp.png
/storage/emulated/0/CHANGEUnlock/content/ssrysp/ssrysp.ux
/storage/emulated/0/CHANGEUnlock/content/ssrysp/wallpaper/ssrysp.jpg
/storage/emulated/0/CHANGEUnlock/config/current.xml
/storage/emulated/0/CHANGEUnlock/config/fm.txt
/data/data/com.change.unlock/databases/sharesdk.db-journal
/data/data/com.change.unlock/databases/sharesdk.db
/data/data/com.change.unlock/databases/sharesdk.db-journal
/data/data/com.change.unlock/databases/sharesdk.db-journal

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-16 19:03
Reported: 2024-05-16 19:06
Platform: android-x86-arm-20240514-en
Max time kernel: 12s
Max time network: 131s

Command Line

com.change.onekeylock

Signatures

Tries to add a device administrator

Tags: privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.change.onekeylock

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-05-16 19:03
Reported: 2024-05-16 19:06
Platform: android-x64-20240514-en
Max time kernel: 13s
Max time network: 152s

Command Line

com.change.onekeylock

Signatures

N/A

Processes

com.change.onekeylock

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 172.217.169.14:443 | | tcp
GB | 172.217.16.226:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-05-16 19:03
Reported: 2024-05-16 19:06
Platform: android-x64-arm64-20240514-en
Max time kernel: 13s
Max time network: 174s

Command Line

com.change.onekeylock

Signatures

Tries to add a device administrator

Tags: privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.change.onekeylock

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 172.217.169.66:443 | | tcp

Files

N/A