Malware Analysis Report

2025-08-10 23:58

Sample ID 240518-kbxgbabf9x
Target 53d60ec7aa348149772c1ff09622f3e9_JaffaCakes118
SHA256 c890f65f89c17da6f0646856e0d57c98f3f524dc9bd9e522d0b0ff11eeb4ae1e
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c890f65f89c17da6f0646856e0d57c98f3f524dc9bd9e522d0b0ff11eeb4ae1e

Threat Level: Likely malicious

The file 53d60ec7aa348149772c1ff09622f3e9_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Checks memory information

Makes use of the framework's foreground persistence service

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

Context for reading the score: the .jiagu directory, libjiagu.so, .jiagu.lock, the s.appjiagu.com and b.appjiagu.com traffic and the /storage/emulated/0/360/ identifier files are consistent with the 360 Jiagu commercial packer, which decrypts and loads the real application DEX at runtime. The root, CPU and memory checks, the dropped-DEX loading and the Cipher.doFinal calls are what that packer does on every app it protects, so they raise the score without on their own separating this sample from a benign packed app. The umeng/umsns/umengcloud domains belong to the Umeng analytics SDK, and accs.db, message_accs_db and amdc.m.taobao.com are consistent with Alibaba's ACCS push channel. What does deserve attention is the requested permission set (SMS send, receive and read, CALL_PHONE, GET_ACCOUNTS, SYSTEM_ALERT_WINDOW) together with the device-identifier collection; confirming or ruling out abuse of those requires reviewing the unpacked classes.dex files listed under Files, not the packer's own behavior.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 08:26

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

GET_ACCOUNTS, CALL_PHONE, READ_PHONE_STATE and WRITE_EXTERNAL_STORAGE are each reported twice by the static scan (listed once above); duplicate uses-permission entries usually come from SDK manifests merged into the app's own. The combination of SEND_SMS, RECEIVE_SMS and READ_SMS with CALL_PHONE, GET_ACCOUNTS and SYSTEM_ALERT_WINDOW is the set that SMS-OTP interception and overlay fraud need, which is why it merits manual review in an app presenting itself as a finance product. The static listing shows only that the permissions are requested, not that the code exercises them; that has to be established from the unpacked DEX.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 08:26

Reported

2024-05-18 08:29

Platform

android-x86-arm-20240514-en

Max time kernel

174s

Max time network

183s

Command Line

com.ald.aldfinance

Signatures

Checks if the Android device is rooted

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ald.aldfinance/.jiagu/classes.dex N/A N/A
N/A /data/user/0/com.ald.aldfinance/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.ald.aldfinance/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.ald.aldfinance/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.ald.aldfinance/.jiagu/tmp.dex N/A N/A
N/A /data/user/0/com.ald.aldfinance/.jiagu/classes.dex N/A N/A
N/A /data/user/0/com.ald.aldfinance/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.ald.aldfinance/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.ald.aldfinance/.jiagu/tmp.dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Cipher.doFinal is the generic encrypt/decrypt call and on its own does not distinguish encryption of user data from a packer decrypting its payload or an SDK encrypting telemetry. With the .jiagu unpacking observed in this run, payload decryption is the more likely explanation, so this signature should not be read as ransomware-style impact without seeing what the decrypted data is used for.

Processes

com.ald.aldfinance

chmod 755 /data/user/0/com.ald.aldfinance/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ald.aldfinance/.jiagu/tmp.dex --output-vdex-fd=44 --oat-fd=46 --oat-location=/data/data/com.ald.aldfinance/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

com.ald.aldfinance:channel

cat /sys/class/net/wlan0/address

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/user/0/com.ald.aldfinance/.jiagu/classes.dex --dex-file=/data/user/0/com.ald.aldfinance/.jiagu/classes.dex!classes2.dex --oat-file=/data/user/0/com.ald.aldfinance/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed

sh -c ps

ps

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.3:443 tcp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:443 log.umsns.com tcp
CN 59.82.29.162:443 log.umsns.com tcp
CN 140.205.160.76:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 140.205.160.76:443 tcp
GB 142.250.187.206:443 tcp
CN 106.11.12.92:80 tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.29.163:443 log.umsns.com tcp
CN 59.82.29.163:443 log.umsns.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 140.205.160.76:443 tcp
CN 106.11.12.92:443 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.29.248:443 log.umsns.com tcp
CN 59.82.29.248:443 log.umsns.com tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 140.205.160.76:443 tcp
US 1.1.1.1:53 amdc.m.taobao.com udp
HK 47.246.103.10:80 amdc.m.taobao.com tcp
CN 106.11.12.92:80 tcp
US 1.1.1.1:53 alog.umengcloud.com udp
US 1.1.1.1:53 b.appjiagu.com udp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 223.109.148.177:80 alog.umengcloud.com tcp
CN 106.63.25.33:80 b.appjiagu.com tcp
CN 140.205.160.76:443 tcp
CN 223.109.148.130:80 alog.umengcloud.com tcp
CN 106.11.12.92:443 tcp
CN 59.82.29.249:443 log.umsns.com tcp
CN 59.82.29.249:443 log.umsns.com tcp
CN 223.109.148.176:80 alog.umengcloud.com tcp
CN 140.205.160.76:443 tcp
CN 223.109.148.179:80 alog.umengcloud.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 amdc.m.taobao.com udp
HK 47.246.103.10:80 amdc.m.taobao.com tcp
CN 223.109.148.141:80 alog.umengcloud.com tcp
CN 59.82.31.154:443 log.umsns.com tcp
CN 59.82.31.154:443 log.umsns.com tcp
CN 140.205.160.76:443 tcp
CN 223.109.148.178:80 alog.umengcloud.com tcp
CN 140.205.160.76:443 tcp
CN 59.82.60.44:443 log.umsns.com tcp
CN 59.82.60.44:443 log.umsns.com tcp
CN 140.205.160.76:443 tcp
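The table above mixes DNS query rows (always to the sandbox resolver 1.1.1.1), mDNS noise from the emulator, TCP connections that the sandbox could tie to a name, and TCP connections to bare IPs with no name attached. Triage normally means collapsing it into a deduplicated IOC list and separating known SDK telemetry from endpoints that still need attribution. The Python below is an added example, not part of the report: it parses rows in exactly this format (a constructed subset of the rows above is embedded), drops multicast and resolver noise, and groups names by an analyst-supplied vendor map; that map is an assumption, not something the report states, and anything it does not cover is reported as unattributed. Port-80 endpoints are listed separately because SDK telemetry over cleartext HTTP is what an interception or tampering review would look at first.

```python
# Added example (not from the sandbox report): turn the report's flat network
# table into a deduplicated IOC summary.
import ipaddress
from collections import defaultdict

# Constructed input: a subset of the behavioral1 network rows, copied verbatim.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.3:443 tcp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:443 log.umsns.com tcp
CN 140.205.160.76:443 tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 106.11.12.92:80 tcp
HK 47.246.103.10:80 amdc.m.taobao.com tcp
"""

# Assumed attribution of SDK domains (analyst knowledge, not stated by the report).
KNOWN_SDK_SUFFIXES = {
    "umeng.com": "Umeng analytics",
    "umengcloud.com": "Umeng analytics",
    "umsns.com": "Umeng share",
    "appjiagu.com": "360 Jiagu packer",
    "taobao.com": "Alibaba mobile SDK (AMDC)",
    "googleapis.com": "Google Play services",
}


def parse_row(line: str) -> dict:
    """Parse 'COUNTRY IP:PORT [DOMAIN] PROTO'; the domain column is optional."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def attribute(domain: str) -> str:
    for suffix, vendor in KNOWN_SDK_SUFFIXES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return vendor
    return "unattributed"


def summarize(table: str) -> dict:
    names = set()        # every name the sandbox saw, from DNS or TCP rows
    endpoints = {}       # (ip, port) -> domain or None
    for line in table.splitlines():
        if not line.strip():
            continue
        r = parse_row(line)
        addr = ipaddress.ip_address(r["ip"])
        if addr.is_multicast or addr.is_link_local:   # mDNS and similar emulator noise
            continue
        if r["domain"]:
            names.add(r["domain"])
        if r["proto"] == "udp" and r["port"] == 53:
            continue   # DNS query: the name is the IOC, the resolver belongs to the sandbox
        key = (r["ip"], r["port"])
        if endpoints.get(key) is None:   # prefer a row that carries a name
            endpoints[key] = r["domain"]
    by_vendor = defaultdict(set)
    for name in names:
        by_vendor[attribute(name)].add(name)
    return {
        "domains": sorted(names),
        "by_vendor": {k: sorted(v) for k, v in by_vendor.items()},
        "direct_ips": sorted(f"{ip}:{port}" for (ip, port), d in endpoints.items() if d is None),
        "cleartext_http": sorted(
            f"{ip}:{port}" + (f" ({d})" if d else "")
            for (ip, port), d in endpoints.items() if port == 80
        ),
    }


if __name__ == "__main__":
    for section, value in summarize(SAMPLE_ROWS).items():
        print(section, value)
```

The bare-IP 443 endpoints (for example 140.205.160.76 and 106.11.12.92 in the full table) are the rows that need a PCAP look at the TLS SNI or certificate before they go on a blocklist, since the sandbox attached no name to them.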

Files

/data/data/com.ald.aldfinance/.jiagu/libjiagu.so

MD5 aa01dd97609092ce310e17bf791069ce
SHA1 f000840a8f68ea7beb2e29ea466088daf55609db
SHA256 e432c191f918053ce368e1b1f155b2e1f9e84379611b93aabec0106172b73aa2
SHA512 766c120a06215d0950aae32026fcde3eafed8d18ae0de7bc8135a7378a9055c8f0040d61574d9af67fe2b5b90eeae64c62d787343858ae375bb6658df8afe7b4

/data/data/com.ald.aldfinance/.jiagu/classes.dex

MD5 e398c649bc411b67a630555eb60f9d52
SHA1 4397a14c93fcd5c25006d52bef2235a1d5044df1
SHA256 208ec4b343fa4b3d3d55551e5d87beffcbe63ef8c8e20301ea8eb5c7cf7569a4
SHA512 bdfb518d7648710331468bfdd98e97f6bd738c30d22c2d97ca84fa6f600d5190517e79e367aa66206e0a88c00cc2a2380d4956f2971fa976a31a4a9497fea769

/data/user/0/com.ald.aldfinance/.jiagu/classes.dex

MD5 72eab4e8c98d22dff28cac881cd40b9c
SHA1 829c92dfca3811887078c79668c3c5489b7d2cc7
SHA256 2a28efe21ded8e88983886c12e93c4b635946f118efe54317b635d63602bacf9
SHA512 8b60765179db24133a5f37dcea613df528fb6e4f6e2109c3089bd362502bb806ba9d2886ae098b124dd8dd5d1c3b844253eaa709d4179e13f59e6a800f1be0c9

/data/user/0/com.ald.aldfinance/.jiagu/classes.dex!classes2.dex

MD5 6b31d6c8d124c0fc51c94ab9002410e0
SHA1 9060acd243600b22ef5d1ce5b885ca01b4cf0835
SHA256 3b7eebff931946989b13ed0824495fda8110cddd6775673eb03bb6f0ae7b6140
SHA512 668d726a5e8c280cc6fe04f8197cb14604efce399df3aa51c0be54d10cdecbf3c31f665d742edbf9f2f21026bf9d7dacc4e1da75cf42f14da02bcb66c26baaa7

/data/data/com.ald.aldfinance/.jiagu/tmp.dex

MD5 c1a0d5b312af2cf28eb81b598cb974ad
SHA1 bbc699428fa61ac1a72e1767654675f302db7852
SHA256 c32ed87100656c8b5108f9bfbfcf980f53c8aa34216ece017579c83542597009
SHA512 54f91314c7c712e349d8c241efcf510a32d7215225cefe1865dd000c9cd40392fc66e8dddb56cd312a4ac994c1ba65a42e1121d9d0f99a5061f0cbd037b4ed42

/data/data/com.ald.aldfinance/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.ald.aldfinance/files/.jglogs/.jg.ri

MD5 d07f26e57c53c26d5c2f94ac20c87264
SHA1 c7104eb74c5dae6f6f34703ae6673365248d1a53
SHA256 4a94744062fee04b8cf7fa6f28b7b3a5e1a1e5cf88ab0639e7c6803be07f5f6e
SHA512 b2ea1155cd449345932d545630c5305037ae9e225da552ec0548cf58243fbd35d43245e96e4a0e377cb013b60f5376e00c979036eecbf83f85d2b5b895087a3d

/data/data/com.ald.aldfinance/files/.jiagu.lock

MD5 1e3d55ae2f32675aa9eb4553db8c4b95
SHA1 3b5bc2e4f9561ec2424c5919b77cfd79d73c6396
SHA256 a6632ae0809683df651d5927a391b16552e628bcb1e43db4dfb07f17659acbcf
SHA512 d6d6f34c51ed2d8a9dae3318ae35f41d136c3c14416a7c30f40b0b09576a2a3721d0cf6e71ec38c3ed69ea79d197d04b39794510179b48fcb685bf432b71458a

/data/data/com.ald.aldfinance/files/.jglogs/.jg.ac

MD5 6fda9c912d0350553ebdc5089e6f6593
SHA1 2fc7b5ec0968ce54cffdd138e83d1827568bf7df
SHA256 d0ab9647828da63059e32331b1fcf8d0a167a1077eda7e204e47f14089bcd129
SHA512 d595188925d5c601ac79af13c385fd41a013afe8859d5af0e54c3c1a31886692fe8898da635f43793e5d4983700d66255873e6b7b5b2a451ce95240bd61204de

/data/data/com.ald.aldfinance/files/.jglogs/.jg.ic

MD5 937c77d87d5ec4ad0709d6dfe5bc23fe
SHA1 333082196c7f91c4de341508b27c19ed583194b3
SHA256 c036335aa3a66b15cdd4eff17895a5df0d575bcd5b57d4f85360dc5c7be9a720
SHA512 868d62413eea2358ac2cac861d15fcb486405dd8ca3b1ced495b0dbab1a44b0f5c71ac83ad48b157c84cb291a42ca7ea05646fccba27918c73657177ed969947

/data/data/com.ald.aldfinance/files/.jglogs/.jg.di

MD5 6270ab2c09ed43d47e30c2f2a7832b26
SHA1 5776df604d5ad0011e39369a8bbc445f6ecc94df
SHA256 844d126f9dd7ab721438ee5ceedda7237b1421feaa69c4fbfd41b718bb0f378b
SHA512 59a91bdb25149de9a8fae9eff1b461142a1ec66770c3ea1260f5b9628938955db8ca65c3d27d6ac88f677a24c290a47cc4d3861c297874f4c9386735ae740f56

/storage/emulated/0/360/.iddata

MD5 f48998b4c3e6d34e8fa36516867d06ba
SHA1 d5edd1d08f9dc9f8961ff8eaf081e8b7794b13b1
SHA256 5ecaf4de92f34d6a6cc4257029ff658b449152b18266e86290f793c20aa8dcb8
SHA512 a2aa8299b6c783d49bd0d196ae9fa0ad4794c75d2154660f42687bab2822d6496bf306c54138b38bcf33e4ea37568e142ee17ad4d8cc155fcaa0b701826d8c1b

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.ald.aldfinance/databases/MessageStore.db-journal

MD5 93c991073c46ee0caf821c7f4747a8c0
SHA1 765249d4685d7a3754d5e9e89cffd063fb096b99
SHA256 d3d6f22efb2e2a9e2e088578a7fd07ca56e54161b3c76a4095b047e619839d33
SHA512 b7b2e0f0446afae815676153ad894d4fdc3c17dcfd97d24471b35367921c58d0019129403b08bd85939035b9c7988665e4d415696eb681fab8b7d28a50e19733

/data/data/com.ald.aldfinance/databases/MessageStore.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 0f55eede17cd0452a53378c66ffbdb64
SHA1 fcfeee4c05b63cd137d1714e6e3aefa282b36b16
SHA256 7912dfe2d8889781c7f2342b426b6e6299b52bd697d757a04d9970a756b60abd
SHA512 7eaef4c978ea2f5cdee6f0c8c36ba15f749b7d54911ea7ebe4896ffbd275ad5bc61586b75ca43be8d30ebba80729dbcfc5e86d0ddf053f76a8a76efe86bc0855

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 eeb053ce2df66c0e2383714466f71c75
SHA1 643b644436d23ce145f8bb32ad357dc0af05b610
SHA256 1d8340d0f7182b74e128dbd618393ffccddc1f64dc68274a189a6f921ad69508
SHA512 09130b240abf0c42d3324ea63479fe3db4cd76a8be964267ca6dc093c101489b6f22b48440a778cf289ca5330aa451ac071587cbac2dea78cca96a0f3720020c

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 060ce9be60dce8ddd3e0b42dc4806e05
SHA1 7a1a080f5a42fc418a4cf4c1a46d4fb11767fb7e
SHA256 d0940799354cad2603e4f776b84a5a235294bfeb6d16cfb86b1e6ddf330ae17e
SHA512 6e5923ca96989dd95be5cb41ea90445166a2299a990495e8ab0a14c732cd18d831a50850f9a9395dd0f12f61b8645ea195821bbbef84d871ad26cf9de8ab746d

/data/data/com.ald.aldfinance/databases/accs.db-journal

MD5 c10ef07237feba6d2d21c54a67a92e84
SHA1 04045b75a8817aad41c40e9b64855561c933144f
SHA256 daf0dca00d6fd08b3abf40ffee2a86ad63d0a48c20c58547889d3df2e088d52d
SHA512 9af8cafeea4c8e3f2d604ca678072ff7a79d03cb2e352f23ea190aeb291ce275d2bf0314a4e2fce109588ec29b277bb830978364d34e9b6023b9a7563b5b1779

/data/data/com.ald.aldfinance/databases/accs.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ald.aldfinance/databases/accs.db-wal

MD5 897a78fa428f1d2f9b751d3576077850
SHA1 8d0c3c42a7e5f23c8f4fafa9a6ca5e3da0a78182
SHA256 9271e7933f9ff464df6711e74ac0e033021db3d4ce0f10c7edae603e1cbc5619
SHA512 c810b17dcd816f51ad066da580415d4c139a8ab6058f6ec21490d0824507bb4ffa6fa0d5cd932f5d85cb6be2b562d0c02e0ebdccb50a6a42a4c03677a16af5ed

/storage/emulated/0/Android/data/com.ald.aldfinance/files/tnetlogs/inapp_20240518.log

MD5 da736e3212b2625e2d36f3cc3e42f379
SHA1 6df92333c25be60a8432c3d26d8e7599d55d0fa6
SHA256 a39237f34256c89091380267a885e6f5a19b844829881a1dcb35f3d6211c168e
SHA512 e78ff48e212abbb7ffa694b26fd2e2fd4c0be6605b5e4bdb64b0216d451b8318ce72cc1ec77d584f8eda92f3bdae3ee247e4493cf84f5e850121da767f0df3c0

/data/data/com.ald.aldfinance/databases/cc/cc.db-journal

MD5 4757a0d913b928e2b4c305dd199828ea
SHA1 fa3f98bd1744792ab069bb351153541c71cd9069
SHA256 c6392e275edbd6f2b796e2b0f0f5e96f32af6a6c98f2a208ef661de19849c057
SHA512 b095134cd953b3d245943c4fd6598f6b15fcb840068ca46833b9c232251aeae7ed94d5d0637b783ed21ae673b69444a997e1330f6414e0c7f248b99bad2c45f4

/data/data/com.ald.aldfinance/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.ald.aldfinance/databases/cc/cc.db-wal

MD5 53bb3b22e0415e19ecf2a5688b38122d
SHA1 6a7581e8202882a3fc53e72b2ecf9f2c2d4c47d2
SHA256 cf3471db70173857dc83f93629c69a9db3425696980dd13c863506532d71318b
SHA512 9b8bd95a01709dc9762d1afa9e4833946ce06abdc36234479f9d5c74dc975d5c50c4c86efa5a005b40fb2493e2cc3059e7770b61801a489127ac9db082047e77

/data/data/com.ald.aldfinance/files/umeng_it.cache

MD5 d6ccc490fc41f8b18cc0d0daa7cca476
SHA1 16513cb45483022bbad810a492c357448d1cc5ae
SHA256 63ccea692298b67268ddfaf9643d546f01d3c07034b44d01ea59f1389031fc2a
SHA512 527d57f3bdba371ba8c7a1993c257c30b2b00319fb3ac2426c716dbb1a87214c04b02704448d8f31dd658ad310f76680eb542a2b5a1d3fdac306088ab81cbbf9

/data/data/com.ald.aldfinance/files/.umeng/exchangeIdentity.json

MD5 352a32cd1e292c7526ab1e519c574c53
SHA1 ab6f19b4184411fa974b9624fe74928351ca1e6f
SHA256 541df443def4c2247510a81e6e7a667e985f30bfbce0961a6fc9926ac555492b
SHA512 c7b7d7b402c0d8e8a2e5116ff40cd90f97dfaeda721b483b79dabe9d92cce32c00c56a9f2a3c8b613c339d668d15a11f9a8af29da0ff456db0a1d1f0b683fec1

/data/data/com.ald.aldfinance/databases/cc/cc.db-wal

MD5 8487b5b0472a37fb6a3162357b7a2c1a
SHA1 b15ec3b86d7d36aa63bfe700db116268f3ebb703
SHA256 a8e0558952707b2bb091b5edf612d454215963c1bb72684fd7a2f16610a57cab
SHA512 ac7c4f8d08c9db8e7faf9c1eae8311d1a1e67c8c4aa0934f3be56abc4fe54b0ac9f170571dcd015b67eea96b7621b9f0f009d2b08f1bbebc6674c554155cb3da

/data/data/com.ald.aldfinance/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/data/data/com.ald.aldfinance/databases/message_accs_db-journal

MD5 6c857d8b034d2f5a349c4cd0769d5e87
SHA1 408a3d6ab4dedfc0a3b14f7317ebea6fd84db9f6
SHA256 e349ecb4ee7107112515e8476b35d4cfdec92169b893649d7ef062fc538c6da4
SHA512 5e6627a7b792dcf71c1ea51c1b0a143dc3fd9fa014293e2fd2f49272fde797d7ba56069a03c5ee1d3ce11e2b075007124dde642a9d298c587e7761064cc8bb36

/data/data/com.ald.aldfinance/databases/message_accs_db

MD5 486e2bac2b3e9e1cb411d2838a4854bd
SHA1 81dd0a7537f4af319b830ae834908986be85da8b
SHA256 5644a250fa6cef16c2c802b98275656a5fc39dcf89bcc22193742d85c7313f57
SHA512 c146789563dae163e373489b3df53f22efebd32b69643992969241eb5ad5eec668de67e7cd2aaf5c3a8af57b0842115d00183825734f57643d3fdb09835fe681

/data/data/com.ald.aldfinance/databases/message_accs_db-wal

MD5 479b0298af9e44fdcb3056390ab80ba7
SHA1 e2f0fd9df1fbe044ceaba3fa2cd4c233f238407f
SHA256 3930e9eb12a3b2186bf03fe8b68118938357d9fe5ee16395b6cb846985444ca1
SHA512 8ed2fab6ba326ad2c367e86a2af07e67636dbc73e63645de672dcc4bce94e0f69625d6c36eed4906bdf01706e020d509f90fbd2082a484951d6f664ed6147a18

/data/data/com.ald.aldfinance/files/.jglogs/.jg.di

MD5 8d34716f3cdc5e279b2380b005eb225e
SHA1 8fbf1948fa310d2b926cdb5de9acb7bfb32cf0bf
SHA256 8e76265d2da293f34e83d320e3c174691c29369ddc2caee1b1e90aeb33121bc5
SHA512 8a4b3b06fe1cd2d93ec547e2a71c22c0e67e1c3ae995f93215239db1671f14c55dbe1fc57d99b0703e288c04debf5dbc635fc6cd247b8ab98d4360f98721db00

/data/data/com.ald.aldfinance/files/.jglogs/.jg.ac

MD5 5ec8bd34a52c91278bc5f947e75971d0
SHA1 bf10f7ee0760c296157285f7b984e206d6ddc35f
SHA256 51cba43f9b947d114964aabaf670cb55c8c8040622dce396efd09ffd5139163e
SHA512 0f233346f8c10b1b005253c60fda94f183fa2261bd503a4db7513e2cc72357c6008485074f11541d68c8e81ac1700261b4734fb4ffa04aaea2158f1771156edd

/storage/emulated/0/Android/data/com.ald.aldfinance/cache/e497ad822efe4c25963dfad0661dedf5

MD5 8d5ae6f0eafc81fb35dde3e64e64e897
SHA1 8298febd0bb956b9293dfae4341632bd2b93b374
SHA256 f0b289291f680647e954fbbee426d22ca43ed74c7baa533ee55686ce45b7e722
SHA512 94434bad8f052ff79ddc4919f7e62db31a1ba433c143b194df56dbcee47ab4c166e7c8efee6ee4d6f0d12c5944daed976061b97624523dce329a7c19bd7745b3

/storage/emulated/0/Android/data/com.ald.aldfinance/cache/240e8758cbf349d4b30a7fe8a0a5a770

MD5 869e30ea13dc89b7b9875b2e72240981
SHA1 535059acfb73aca31cfc0308241ccd2b9b3d8500
SHA256 90f70cf06b13cce6fa424de1911e3eb7fa1b7ef51822c2a874a201e48575014f
SHA512 e40215cd1f571bc85a0c720804d2f5e92fb66508057417b186250284c76e9fc317591c631315f9bb018a8ba0e55e88d1d5803154505511c1e646f5385c2f0cb2

/data/data/com.ald.aldfinance/files/.um/um_cache_1716020922672.env

MD5 87c7a7593c2ae27f96ee608808695de0
SHA1 a38b043114ef58089bd73885f40c292675f58e4d
SHA256 9f90ee87fe737220b317372225e0cb8ba9c4492a2f769585aa84bc14774a735e
SHA512 db89cd4afe9486663ab9df11c9c03972b56621025d39da29bc5763c2d2e04557367a512ba1f9e22e9bdd2eb312ba8ab48594cbd799a4a2a1789f94d73c98ddb6

/data/data/com.ald.aldfinance/files/mobclick_agent_cached_com.ald.aldfinance26

MD5 343dfbae4e7c93a37a4ea9745117579f
SHA1 779b0982d42b223c00487eec95322a93d76bd91c
SHA256 032ecde0bc11dbad0bd79cbea667dc8ff0a91a04ab353c946ba372e3bb4078e7
SHA512 5fb02720e6ab4faef5f390293daa217cc5c3d8ff7f744b19bc9f42b708f6f8d24bb7a4144992f0ae80c09d1da54f7ee601b8df81bad65151b0faa3de04e1ad8e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 08:26

Reported

2024-05-18 08:29

Platform

android-x64-20240514-en

Max time kernel

6s

Max time network

131s

Command Line

com.ald.aldfinance

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ald.aldfinance/[email protected] N/A N/A
N/A /data/user/0/com.ald.aldfinance/[email protected]!classes2.dex N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.ald.aldfinance

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 142.250.187.238:443 tcp
GB 142.250.200.2:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp

Files

/data/data/com.ald.aldfinance/.jiagu/libjiagu.so

MD5 aa01dd97609092ce310e17bf791069ce
SHA1 f000840a8f68ea7beb2e29ea466088daf55609db
SHA256 e432c191f918053ce368e1b1f155b2e1f9e84379611b93aabec0106172b73aa2
SHA512 766c120a06215d0950aae32026fcde3eafed8d18ae0de7bc8135a7378a9055c8f0040d61574d9af67fe2b5b90eeae64c62d787343858ae375bb6658df8afe7b4

/data/data/com.ald.aldfinance/.jiagu/classes.dex

MD5 48dd7edb1096aa8f720e4684989d3647
SHA1 a67eae30f9ddfba807b2dee9dbd8d6368d04b728
SHA256 2e65946a7f7079e8f031db7191fcc55b2be0862b3819fa8b958006f0db093963
SHA512 98015e19c4b0d9b90997e798b8833db5bc14e9c67b9a7d2495a1e2335bcbd2d56b489772ea3b87bfa0ef3fa2b299bd395d58df65cda76cd462581d6b3f94c093

/data/user/0/com.ald.aldfinance/[email protected]

MD5 72eab4e8c98d22dff28cac881cd40b9c
SHA1 829c92dfca3811887078c79668c3c5489b7d2cc7
SHA256 2a28efe21ded8e88983886c12e93c4b635946f118efe54317b635d63602bacf9
SHA512 8b60765179db24133a5f37dcea613df528fb6e4f6e2109c3089bd362502bb806ba9d2886ae098b124dd8dd5d1c3b844253eaa709d4179e13f59e6a800f1be0c9

/data/user/0/com.ald.aldfinance/[email protected]!classes2.dex

MD5 6b31d6c8d124c0fc51c94ab9002410e0
SHA1 9060acd243600b22ef5d1ce5b885ca01b4cf0835
SHA256 3b7eebff931946989b13ed0824495fda8110cddd6775673eb03bb6f0ae7b6140
SHA512 668d726a5e8c280cc6fe04f8197cb14604efce399df3aa51c0be54d10cdecbf3c31f665d742edbf9f2f21026bf9d7dacc4e1da75cf42f14da02bcb66c26baaa7

/data/data/com.ald.aldfinance/files/.jglogs/.jg.ri

MD5 933535dca0bfa798e4ad6e6de52afbfb
SHA1 f184f1b2aef42547da93d81b463c73e8a6d29ac5
SHA256 e20a0a5e19d49ea04e608a82253c10f90736f3b2ce3631a12d9d8f2f90a4a521
SHA512 b94e559a20dfd3a09ea4804ef750fc885cc454a69301dd78d17a88af4687e382a16114b961b08da695fff1b500bbd076356a131748b8d21567f46c95ad50743d

/data/data/com.ald.aldfinance/files/.jiagu.lock

MD5 b5561d5607d7e4570c87ec5c905f647e
SHA1 cc06324beec829210a88b4fb85287ae40c14dd5c
SHA256 517aaad59c7dde6ee01335be634b957bbcb92d45d1a821773a058993b79829e9
SHA512 455bf7406948df8b1feb63fe9fe7b0710725e86457b9ae834b21795a180ce77ea0c086e84f53882043c0529d5f9ba984f9d6462a3cd203018fac8ddca8cd0ee5

/data/data/com.ald.aldfinance/files/.jglogs/.jg.di

MD5 3540059d2393cd3b9d15385127038fca
SHA1 34855bea02c712dbc49e924171953c47aed5092f
SHA256 1836cd07a2399436888a650f901e6d45783257da3ff22ba0c85dd87ef22472e9
SHA512 3408dfdd0bba932f1d1b5a9b4aab4d0a50e6e165d407afc4727da714b7ee7938fc10dffa9af8380e49d351af7bf00e701e235357fcbbc74b7ed59b51f35f5d58

/storage/emulated/0/360/.iddata

MD5 27de052c4eb26caf33ab1553000ff104
SHA1 52f298ca628c3fea5b42fc26a2b26cca30d2c1dc
SHA256 fcdc029b5c62f439b8bb0f98226c8aa2997ab50f673dcc35a144ee031fa8a374
SHA512 1d698ffdd6a3843b5c2dd6cf00ee9d020405305d1ec7997776e5a0f0f38eb56ac5fd67d56a69106f71bfa57c289dcbc8021df25260c81016b872d6bd1c29dfa2

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399