Analysis Overview
SHA256
911b1397b9b311ecc5b8c62c047a75da765ae2830b8d76e5ae5523a6311ccf54
Threat Level: Likely malicious
The file 562ca4d88d0998259deb9466c5ec1783_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Patched UPX-packed file
Requests cell location
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Registers a broadcast receiver at runtime (usually for listening for system events)
UPX packed file
Queries information about running processes on the device
Checks CPU information
Queries information about the current Wi-Fi connection
Reads the content of photos stored on the user's device.
Schedules tasks to execute at a specified time
Requests dangerous framework permissions
Checks if the internet connection is available
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 18:28
Signatures
Patched UPX-packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 18:28
Reported
2024-05-18 18:31
Platform
android-x86-arm-20240514-en
Max time kernel
172s
Max time network
192s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads the content of photos stored on the user's device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://media/external/images/media | N/A | N/A |
| URI accessed for read | content://media/external/images/media | N/A | N/A |
| URI accessed for read | content://media/external/images/media | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator.
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.account.book.quanzi
com.account.book.quanzi:pushservice
getprop ro.product.cpu.abi
com.account.book.quanzi:remind
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.187.228:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | logconf.iflytek.com | udp |
| US | 1.1.1.1:53 | log.iflytek.com | udp |
| CN | 103.8.33.178:80 | log.iflytek.com | tcp |
| US | 1.1.1.1:53 | quanzi.jizhangapp.com | udp |
| CN | 103.8.33.178:80 | log.iflytek.com | tcp |
| US | 1.1.1.1:53 | log.tbs.qq.com | udp |
| HK | 129.226.107.80:80 | log.tbs.qq.com | tcp |
| US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| US | 1.1.1.1:53 | moblog.wacai.com | udp |
| CN | 115.236.46.4:443 | moblog.wacai.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | u.zhugeapi.com | udp |
| CN | 47.92.94.191:443 | u.zhugeapi.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| CN | 115.236.46.4:443 | moblog.wacai.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 115.236.46.4:443 | moblog.wacai.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 47.92.94.191:443 | u.zhugeapi.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 115.236.46.4:443 | moblog.wacai.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| US | 1.1.1.1:53 | ubak.zhugeio.com | udp |
| CN | 47.92.119.206:443 | ubak.zhugeio.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| US | 1.1.1.1:53 | moblog.wacai.com | udp |
| CN | 115.236.46.4:443 | moblog.wacai.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
Files
/data/data/com.account.book.quanzi/lib-main/dso_state
| MD5 | 93b885adfe0da089cdf634904fd59f71 |
| SHA1 | 5ba93c9db0cff93f52b521d7420e43f6eda2784f |
| SHA256 | 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d |
| SHA512 | b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee |
/data/data/com.account.book.quanzi/lib-main/dso_deps
| MD5 | 9f214b04b2579361c511d6168b12f55d |
| SHA1 | ef4747eccc8f755aea91345b155473a59e5f98b1 |
| SHA256 | 22fb1a885eea047f217c0370906a4a42af5f90a6236b277d68294cc7706f002d |
| SHA512 | 5a1c5c35c403be5701167f8bc3d5c71b98b23bf5f975a9c226b4a963c7edc61b4c765ceb3fcd8f5b10fe5068ee39ae35ba76936825fc88c4c70983c1082bec16 |
/data/data/com.account.book.quanzi/lib-main/dso_manifest
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.account.book.quanzi/lib-main/dso_state
| MD5 | 342c6c61aee192a68767b29aeea311b8 |
| SHA1 | d6947ae4d62e7221ecfdb2bf2312fabc564d23e8 |
| SHA256 | 796c380455ddc141b7fc9be8404695e6afecc679e6fcb24aa5636ba8ac0c4636 |
| SHA512 | 75cb3fa2dc766bae3ae61ad0958c52e70a7890193680df23647477d44bbb1d8671cf058d460f3efa441d0767b00de06eddb42cdb80d5ee78425a33a96cd70492 |
/storage/emulated/0/Android/data/com.account.book.quanzi/files/tbslog/tbslog.txt
| MD5 | 46bcf66d40438594fc2137f25adb3fae |
| SHA1 | dbf407492d6039946127cfe61cb07cc38eb248d3 |
| SHA256 | 5af9dac4d3f9053674a82fc7a13ba550e0c11ee92325b25d1f649ab7e0d2ef38 |
| SHA512 | 9b4978d10ba06d63ffdbf7ffb97d5e93522875d30eb091c8c7747272019e58b3a9df78b58c833f3cb7eb0ae1897ed4f1e5aecb07c5b8ae23979fdfcca726213a |
/data/data/com.account.book.quanzi/databases/id.db-journal
| MD5 | 396ebac957f957c8eb433075563e47f2 |
| SHA1 | 5145254a945ef4a33b93d494f0f093b0ae40b5fa |
| SHA256 | 06c90cf95ea10389eff1d0075edb8026a1e16503c118d715a54349bd75979e21 |
| SHA512 | f748570e96c70bb9648f1e8c8290b7f1709cd7fb0f2279ec6181e06d78e0bae96780ad91d7e1f2f30a5a8133717d5fb928f5e1f8eb3d33077cb8fcaf020e75b0 |
/data/data/com.account.book.quanzi/databases/id.db-shm
| MD5 | 6dfac86563c9e0a6675d12212d66bbf1 |
| SHA1 | b7584ef3f1983e5d12f9ebdba8cfdaea5becb2f0 |
| SHA256 | 7e76d5f545e6b218a624ed0edcec76e6702dbe6cac1ab7415c4e43f591051718 |
| SHA512 | 6b6f3e242e0ee46d05f776ba4c33b1ebbf16c1a54a55db4c45e5b539e59ccfed2b948dbec4cab1e59f6a95b57ea595a17d0dc4b56702babff7bb55401efeca37 |
/data/data/com.account.book.quanzi/databases/id.db-wal
| MD5 | 1dad7956e5306cd1c40c0e20b25bb107 |
| SHA1 | 2749d32ef80943e16605c0f4b3f0b706d5dbd043 |
| SHA256 | e081fd55bde2a049cb568cdbf358f5234bc82cfa4b75f6b02dab5f4881f77b51 |
| SHA512 | a616a1ca4f46cfcd886fe7ca3aa4c8438ebf5d1c8cde4052a1526665c0681c1d3af55516d71ed34b6aa7cc5d215b26a9de7cfc438d2fe304a0ce3ece9748ef6f |
/storage/emulated/0/Android/data/com.account.book.quanzi/files/tbslog/tbslog.txt
| MD5 | 03aefed0df4012b58ad6a870be358a3a |
| SHA1 | 291dbe672d9292d0109b008497dd28adfc2357b8 |
| SHA256 | af8b17bf5c544b41df6fa136c787f4c7c11c8e64541330bddb11533447add0de |
| SHA512 | 02eb47e2fcb8cdba9be4d9e1d13d528ac6ffb56cc755e0e1bbc08f024a4dcb31b351f74ae8c9fc41cc510211dbcd3db6faae798c07503f8803465866f4425cc5 |
/data/data/com.account.book.quanzi/files/init_c1.pid
| MD5 | 6f86ac5b4a17d38c9d27bcc9052360b4 |
| SHA1 | 1c97a9305e2c9da24665b70094c30aa2ddcabcc7 |
| SHA256 | 210ed9c599901d571aea79689061488a483b3dc721474751c561a41305ecac2b |
| SHA512 | fcc9a510af7c001280c4be70b9477363d25300e0cd95a103f6adfe5771e6001ee4eac97663e1896d731608c9e6aedb1c947b76e84e72f1fc1255ea36560183ec |
/data/data/com.account.book.quanzi/databases/pushsdk.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.account.book.quanzi/databases/zhuge-journal
| MD5 | 1885aaa376588d9795ca4db6271ea5f5 |
| SHA1 | 0d3d3e088b23b263dd99e5f5f2dd784a5cd81fda |
| SHA256 | e04288dfd39dfc93b872cc4b3951bca08759c71bef147c4d63b4386a206942ab |
| SHA512 | 4a2fc243f2832e40b73c62846a5d5db3c2ed3ac5b7551d26530948920afd545d276fd05b8a7d5ee70f29e4f4fc0e3323d83d44ff0449bc2a6bd72454801d6c0d |
/data/data/com.account.book.quanzi/databases/zhuge
| MD5 | c99e6ca2d9875f037cd6080523b90ec9 |
| SHA1 | 25c17916f039298804f36e588e68f58c3b0838da |
| SHA256 | 93885c8dfd161b774d9020442d35f1587eda7610636a593c026dea08742311d9 |
| SHA512 | c122a32f060a72de59f75622cd55ace12165267962da56a70d32891f306660cb3624a393734a4dcb61e13049ea7f564af8e8f670088c428725bb810b426fc837 |
/data/data/com.account.book.quanzi/databases/zhuge-wal
| MD5 | f028401e96f3ecd55d7f657d7a2129c5 |
| SHA1 | cc57a9702545acd7655cfadc6f97e525b2c167b9 |
| SHA256 | 9ebdf17a2dcfcbc912465e3265b541bc532a0a04d2d054bca48b34ae86c2a6e4 |
| SHA512 | c4f0e78c3e34bbd631e3386a3b678d37f10d7728c4420d2c7b2345642ce7f44468c00ce522bdb8ac586de2632f7589ba9715729626decb8aad6cf17f1d6e1f55 |
/data/data/com.account.book.quanzi/databases/sensorsdata-journal
| MD5 | 1ef407bc6ac8eb3d26f75c68753b5b69 |
| SHA1 | f418b27f562ce369a7231ae333f4bd1b8020b6f1 |
| SHA256 | 7c4127c487c2c5e1b7f428d8819a0d538c11ffc06043d68be3f44936c03dbc1d |
| SHA512 | dbe535a6bf09fb3f6d7066d6e4b81237f454d78a60df0db2dd0881fac61c76192a7c3a94493c8009f4b12fcc617d5b5e310c9717faf00319b016c1c34040cadd |
/data/data/com.account.book.quanzi/databases/sensorsdata-wal
| MD5 | f7bb6bb07a9b65b5b5633ef1e79ea0d8 |
| SHA1 | b95ec24e2f6dbf058817c22b5e96fc1fb48ade01 |
| SHA256 | 603e49e7e756a86f6d4bd139e75d470f89313d42d020e9b98139a2d72ca06fe6 |
| SHA512 | 181f5115058e02e24eb577254d709df50928f84d5e44e7b1b4f28d5d29f35068f853a3d4ce4437d966ce48ac7a9e6358170440710d916bbd82b6d86fe2344b1c |
/data/data/com.account.book.quanzi/databases/zhuge-wal
| MD5 | f04d343119fc00cc4fe565da32755b44 |
| SHA1 | 578dcd974159221e3c699c5750c4754e54414e6b |
| SHA256 | 8237733e790a14e62466f8b26b0acec9f46617b431a413d5f6d2f842f6b38812 |
| SHA512 | 470a255e3c157307cbe250d2f831d56c4542a01fd6d21e80dad2b8b97289a8d288556c0d73635f662f63e33e31cb09be5b70fd876ecfc298261c49548edca0d5 |
/data/data/com.account.book.quanzi/databases/zhuge
| MD5 | a1f64fa4f66928db3127e318a1eefede |
| SHA1 | 3df86ac634b955b5cf491c1397f39db1a5bc9e3a |
| SHA256 | 44e06758bbc55181e782d5c4e3de0cfb0c69cdb7f11db8425ebcebd8090cbcbb |
| SHA512 | 4cdd82e1ffdf82694e26198ccd16d1bc2ff1471d7964fe3c4c40f9b7fb18af3354f86bb9dcf037fe550bbd8711bb2b09c8f0e2a5e0f0bca04dd1955932aeb321 |
/data/data/com.account.book.quanzi/databases/zhuge-wal
| MD5 | e55a18f93ae8e34cce1e0d34426c83a0 |
| SHA1 | 986f747ae2d11acbe385bfe0926a21ad5754f4e9 |
| SHA256 | 41a881dd60b8cddff2c715bb65b347230bf73ae3bc925022552d4cc11a7dc01b |
| SHA512 | 4e56e88a0159b127a0e9f96e2d71e6a49eb3a7e6ed2615f5b23fcf58e820d7e6eb9c9414aec0508bebbdf356d9d9d329a0823faf2b125e0ee1544c5843c794ae |
/data/data/com.account.book.quanzi/databases/zhuge
| MD5 | e687044341ea9509933bf93c5094448c |
| SHA1 | 54b6b7c0285fb5829aa22fe328f2b9b7ba04fb60 |
| SHA256 | e5943d4949d5f672ae9d51a14e6d9c9b9a2b87e5f46e007c88237aad9ec5a418 |
| SHA512 | 3aa6d718738b738ebcd51c9e9e342a856114e5a91cc371ce0f219fa3eb9e3308a51d5070fe15bd3b18f28ad2885a1d2f4077042439a09f200dbbd0f5282c8e0b |
/data/data/com.account.book.quanzi/databases/zhuge-wal
| MD5 | cb6315cc61fddd245097c47e11f422f3 |
| SHA1 | 8536b7e632e8c8da9d0d3b6eca23eb9f3c654554 |
| SHA256 | 990e6b820fda36a8f41207938bf0ecab7848001305f2173fd50cfb47260cc9d7 |
| SHA512 | c499474952d71b0f462d12f57a8981b69a4a1f7f71eb6372dc6e63e84065b732c7c668b94c68f9f206c6e600f0dc248cfd30579223869ce6bc0d7c4c1b23b9d4 |
/data/data/com.account.book.quanzi/databases/zhuge
| MD5 | b2ed867703bf640ac96dd430320ef3e0 |
| SHA1 | d67f5b73bbfacd5a7033e747b92afe5776ce19f6 |
| SHA256 | 3328199f2f19cae3142c07bb7eb47e8f3e85c78e33ad618d979c96685db2de3a |
| SHA512 | 17183be36dca11a1e5677178c33731da6035c42a58f09c805f7e8dcb1c867fd69c10cb57ecdecbdf3327d1e984ba58e0949c2298ed84e34b19021ebb352266d7 |
/data/data/com.account.book.quanzi/files/umeng_it.cache
| MD5 | 8a84908d2f2af5092fe1106d5da77ece |
| SHA1 | 28f8c307be63df83831eb7f9a3d1838519a4551a |
| SHA256 | 5533aa28752c9d780eac2759bcc9a34229039febcbcb041548525cf6a19691cc |
| SHA512 | 40cbadcbecd631533582bd3bc4e265981b01c364a88e71d554bf84a665f70e08767b87decfc3eb8599221b381ed877c32523578287693110a2fd3dc04e729bff |
/data/data/com.account.book.quanzi/files/.umeng/exchangeIdentity.json
| MD5 | 9b5d2e0e6e05b094cfd727021bcbaf02 |
| SHA1 | 41586bb0622cd24fe9439b5dd90a936b7b313d00 |
| SHA256 | c5ff04ccd56a569ded48e2cf0467a386db9ef679bb094b2a3442b78374417bae |
| SHA512 | 2e91b5129bba47d5aee8d4aa523a58e07c5219cfe59c27ac68d3aca126a6a8a53351d990c4654f0ba02e9a2ce7ab7f91d517dca39e9972c67876000b2824e647 |
/data/data/com.account.book.quanzi/files/.um/um_cache_1716056999516.env
| MD5 | c466a3e75f88d540d8c5396cd614caa2 |
| SHA1 | b46b5705e37faa3e5fe986e4034211141320f41a |
| SHA256 | 7a48fc8df02986649b06d0749c5415a69f0ff1ce7c99f6db9cdd3975f0d608aa |
| SHA512 | 06b43fe93d695d62078bc6a41ae5f7a45814ecc216764fdec32c7a21440144abd26bd5a8da6ad472954e3263366404f68453d44b40247801777cee66e0fa821b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 18:28
Reported
2024-05-18 18:31
Platform
android-33-x64-arm64-20240514-en
Max time kernel
172s
Max time network
189s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Reads the content of photos stored on the user's device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://media/external/images/media | N/A | N/A |
| URI accessed for read | content://media/external/images/media | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.account.book.quanzi
com.account.book.quanzi:pushservice
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.228:443 | | udp |
| GB | 142.250.187.228:443 | | tcp |
| US | 1.1.1.1:53 | gmscompliance-pa.googleapis.com | udp |
| GB | 172.217.169.42:443 | gmscompliance-pa.googleapis.com | tcp |
| GB | 216.58.204.67:443 | | tcp |
| US | 1.1.1.1:53 | logconf.iflytek.com | udp |
| US | 1.1.1.1:53 | log.iflytek.com | udp |
| CN | 103.8.33.178:80 | log.iflytek.com | tcp |
| CN | 103.8.33.178:80 | log.iflytek.com | tcp |
| US | 1.1.1.1:53 | quanzi.jizhangapp.com | udp |
| US | 1.1.1.1:53 | log.tbs.qq.com | udp |
| HK | 129.226.106.211:80 | log.tbs.qq.com | tcp |
| US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp |
| US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | udp |
| GB | 216.58.204.67:443 | | tcp |
| GB | 216.58.204.67:443 | | udp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| GB | 142.250.187.228:443 | | udp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.179.228:443 | | udp |
| GB | 142.250.179.228:443 | | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp |
Files
/data/user/0/com.account.book.quanzi/lib-main/dso_state
| MD5 | 93b885adfe0da089cdf634904fd59f71 |
| SHA1 | 5ba93c9db0cff93f52b521d7420e43f6eda2784f |
| SHA256 | 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d |
| SHA512 | b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee |
/data/user/0/com.account.book.quanzi/lib-main/dso_deps
| MD5 | 18d032b248117a026bda6053fa3c244d |
| SHA1 | 6b7ac3436a4bdf354467e504384e3a183cbcdeb9 |
| SHA256 | 5793486de98fc0af948b83f6d405f79bc4855fa7f158d69e0d2966ba7d487155 |
| SHA512 | d3b5e9649746c849bad698012ad5f047310466abe774dbc9cb9cf90c1e2eddde088e1f47b9abce9ea93a64b1fe736808797ff9634c3566f0a4699b2deeb54564 |
/data/user/0/com.account.book.quanzi/lib-main/dso_manifest
| MD5 | 147d18e634c558a2f8cbf9bc96cbc0c3 |
| SHA1 | 78930eff1d38a67e519b20204e060d855e70f226 |
| SHA256 | 6a939ab2f3229c83cb5f3c82d55347bd9032534a19ed3784f5e7f13bd1ffd430 |
| SHA512 | f0d098f1ee69649b15b6a1cf6adda43fdd42637f7ef7493120f6bbdbd49a4078f7e93bc46e460805218bf72bfa79183ca8fc9b48a6ff1a512c965c4f6d6ad892 |
/data/user/0/com.account.book.quanzi/lib-main/dso_state
| MD5 | 564c0be20907ab5b765d59521b910643 |
| SHA1 | c05f4e4281e7d234cf54ae8691ce043f424eb524 |
| SHA256 | 5bf9facbc241356997c000958b511e108cff33c8d96631555229597a8f69599e |
| SHA512 | 113bf09d57a0c65d32291c924ad4cef5d14cd655c5a1edbf99358aacd02f5fe6b6f2d60976dc20c5a6de2a0bd4a413b3e5628933667ce7b63a9a53ecbadc6c30 |
/storage/emulated/0/Android/data/com.account.book.quanzi/files/tbslog/tbslog.txt (deleted)
| MD5 | 20baf067a6bcf1492b9150572bcbb371 |
| SHA1 | 15f8c4dc9f01bbf03a67a3d8d9cf7acbcf36756a |
| SHA256 | 782516d5f087151198d5817d06df8389fbe3ddc157b9f92fbdec1a0c38ab450f |
| SHA512 | a16141e883049b47ebd4e18e7da5a10afd813e7998a70973b0143ec1a19df7f161c058dfa01a46ba0c5ed6e2c60f767b50e18d63041b9be5f1a0e3d8c481215d |
/storage/emulated/0/Android/data/com.account.book.quanzi/files/tbslog/tbslog.txt
| MD5 | d1849896e7d584d1a4f366df53589110 |
| SHA1 | 42651ec96eb34f94c7388d6334bfc3a0909111b1 |
| SHA256 | eecd8ff59f8a7f55b7f8c47c902a82382482b67cc212c1292c17e6a6bf2b4336 |
| SHA512 | 531576c01401671fbff4812110f5234cbfd4da6808f19e9f2a271ace005ff5310474661ca2aa4b8add5b8ee946068207b0ad718ac4c3600e29557957ea9df072 |
/data/user/0/com.account.book.quanzi/files/init_c1.pid
| MD5 | 6dc02d1ed992a4b0ecbe5bc6aaaef8f6 |
| SHA1 | 8c00f9ef24280116bb520ec80493d7f5a688225e |
| SHA256 | e4143e979d9f16a104ac34cb22b3efd362b4f20db85dde01ece06361c03e4927 |
| SHA512 | 00cfecfb69e632406a22b34450b4255d779f1bf843dc2a95d1a3ecfd69c357226a7a1daa6deda4b6f67b0056b1b0aa77bb2382134a74ada51708e1f8648bb306 |
/data/user/0/com.account.book.quanzi/databases/pushsdk.db-journal
| MD5 | 19019edb823039cd8401d312a0a05d6c |
| SHA1 | fa786a7f541f3bb49f6916ec4342e078bdd492da |
| SHA256 | 83e37e6fdafe8015426c91c9ff2dc6f3c4f3af38c09267867ead2e81e340f0fc |
| SHA512 | 9328f4d7960c1999443c339fa09cb0f9375c3c7d73ffe0b36aa9397ce61db9fdf973d259688cb0a00ccebe99d03d4e479a49bd632accd71e55221d763cc97eb4 |
/data/user/0/com.account.book.quanzi/databases/pushsdk.db-journal
| MD5 | 82eeae0b944eb2c3a2b7d7e2f6cd6f52 |
| SHA1 | 9e4deff47bcf2ac52d7bbf37b77a1d06f70e8549 |
| SHA256 | 7016233b880a7965985e7ac650a32e9fa159509b21374beefed0d87a05d07976 |
| SHA512 | 658154e7021a009ba743ed9fe3ae7c9a1a04602871396b337293e68e5954fc0a00787760d69a40817a9e9785965d69ff0365572c6344f40ec4236f64923c9111 |
/data/user/0/com.account.book.quanzi/databases/pushsdk.db-journal
| MD5 | 628e5f54207063854770c65c29dfbbf8 |
| SHA1 | 365a56bf4806c40d5827d229bded83ff6fd19222 |
| SHA256 | e94f734233cf511cbdbf99240ae97ac87982efc29ff3f103746e4a46480d9ba3 |
| SHA512 | 567c7af4f1d25fc2afa916042618b55712a2f20ab367f713ad8bf716713769f4c942b64b4d3680c9ddb15601619bdac3c4f79cd8253423ebfe50c047036af0b5 |
/data/user/0/com.account.book.quanzi/databases/pushsdk.db-journal
| MD5 | c62271a11d89cbe2d35f57d5c2c1566b |
| SHA1 | 98977bc047045f9a81ebd4b164bfd5cb8cc2789a |
| SHA256 | 555ed0e60c23fcf0f028ba5baf5046207a9e83a7ac2e89edb06c5b43edfce8c4 |
| SHA512 | ae743bba676e83d894c7191c09b454d7fbe2712daabaaba08156b6db4be03cafa3241df9d3b1832b6f0b50fb01bf1a08ebdf9f03f6102c3c05b8c1707bc8bce2 |
/storage/emulated/0/libs/com.account.book.quanzi.bin
| MD5 | ebbe8575d106537d8952fa0ee9cec14d |
| SHA1 | 8d70ff54fe5fd2462815f6ec59fcfa8aadaa656f |
| SHA256 | 5109200016a719db163fb51e91f730c6b76386a7a7263514af3ad3a4f8678a5a |
| SHA512 | 1d9a11829290a858e26957c9db956d6c2fadb277b9d0cc6d7f149b294dbb8561bb3c145f6124c53df089427f049f0c87cede2b7a36f5914e0a18366e3e44af1c |
/storage/emulated/0/libs/com.account.book.quanzi.bin
| MD5 | c70cf1bf23245424dd15b6a5301b255c |
| SHA1 | a0f202a399c5f44eee8c6be19081fe02cd08102a |
| SHA256 | a419e24d2815bb383ef5e53fed262357e8c8aa431934fcaa40f03c83654370e6 |
| SHA512 | 94d7e1f65ab9e30a7242f0bff080a3a4ece8f6891958f34e8c07ce8b8c99fc3bcdfb2dd64dbe4d82e394e145018e372f0e3458f7b250f65563bc00ac8451d730 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-18 18:28
Reported
2024-05-18 18:28
Platform
android-x86-arm-20240514-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |