Malware Analysis Report

2025-08-05 19:10

Sample ID 240518-w4hpeaha7w
Target 562ca4d88d0998259deb9466c5ec1783_JaffaCakes118
SHA256 911b1397b9b311ecc5b8c62c047a75da765ae2830b8d76e5ae5523a6311ccf54
Tags: upx banker collection discovery evasion execution impact persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 911b1397b9b311ecc5b8c62c047a75da765ae2830b8d76e5ae5523a6311ccf54

Threat Level: Likely malicious

The file 562ca4d88d0998259deb9466c5ec1783_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx banker collection discovery evasion execution impact persistence

Patched UPX-packed file

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Registers a broadcast receiver at runtime (usually for listening for system events)

UPX packed file

Queries information about running processes on the device

Checks CPU information

Queries information about the current Wi-Fi connection

Reads the content of photos stored on the user's device.

Schedules tasks to execute at a specified time

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 18:28

Signatures

Patched UPX-packed file

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 18:28

Reported

2024-05-18 18:31

Platform

android-x86-arm-20240514-en

Max time kernel

172s

Max time network

192s

Command Line

com.account.book.quanzi

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads the content of photos stored on the user's device.

collection
Description Indicator Process Target
URI accessed for read content://media/external/images/media N/A N/A
URI accessed for read content://media/external/images/media N/A N/A
URI accessed for read content://media/external/images/media N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.account.book.quanzi

com.account.book.quanzi:pushservice

getprop ro.product.cpu.abi

com.account.book.quanzi:remind

Network


Files

/data/data/com.account.book.quanzi/lib-main/dso_state
/data/data/com.account.book.quanzi/lib-main/dso_deps
/data/data/com.account.book.quanzi/lib-main/dso_manifest
/data/data/com.account.book.quanzi/lib-main/dso_state
/storage/emulated/0/Android/data/com.account.book.quanzi/files/tbslog/tbslog.txt
/data/data/com.account.book.quanzi/databases/id.db-journal
/data/data/com.account.book.quanzi/databases/id.db-shm
/data/data/com.account.book.quanzi/databases/id.db-wal
/storage/emulated/0/Android/data/com.account.book.quanzi/files/tbslog/tbslog.txt
/data/data/com.account.book.quanzi/files/init_c1.pid
/data/data/com.account.book.quanzi/databases/pushsdk.db-shm
/data/data/com.account.book.quanzi/databases/zhuge-journal
/data/data/com.account.book.quanzi/databases/zhuge
/data/data/com.account.book.quanzi/databases/zhuge-wal
/data/data/com.account.book.quanzi/databases/sensorsdata-journal
/data/data/com.account.book.quanzi/databases/sensorsdata-wal
/data/data/com.account.book.quanzi/databases/zhuge-wal
/data/data/com.account.book.quanzi/databases/zhuge
/data/data/com.account.book.quanzi/databases/zhuge-wal
/data/data/com.account.book.quanzi/databases/zhuge
/data/data/com.account.book.quanzi/databases/zhuge-wal
/data/data/com.account.book.quanzi/databases/zhuge
/data/data/com.account.book.quanzi/files/umeng_it.cache
/data/data/com.account.book.quanzi/files/.umeng/exchangeIdentity.json
/data/data/com.account.book.quanzi/files/.um/um_cache_1716056999516.env

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 18:28

Reported

2024-05-18 18:31

Platform

android-33-x64-arm64-20240514-en

Max time kernel

172s

Max time network

189s

Command Line

com.account.book.quanzi

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the content of photos stored on the user's device.

collection
Description Indicator Process Target
URI accessed for read content://media/external/images/media N/A N/A
URI accessed for read content://media/external/images/media N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.account.book.quanzi

com.account.book.quanzi:pushservice

Network


Files

/data/user/0/com.account.book.quanzi/lib-main/dso_state
/data/user/0/com.account.book.quanzi/lib-main/dso_deps
/data/user/0/com.account.book.quanzi/lib-main/dso_manifest
/data/user/0/com.account.book.quanzi/lib-main/dso_state
/storage/emulated/0/Android/data/com.account.book.quanzi/files/tbslog/tbslog.txt (deleted)
/storage/emulated/0/Android/data/com.account.book.quanzi/files/tbslog/tbslog.txt
/data/user/0/com.account.book.quanzi/files/init_c1.pid
/data/user/0/com.account.book.quanzi/databases/pushsdk.db-journal
/data/user/0/com.account.book.quanzi/databases/pushsdk.db-journal
/data/user/0/com.account.book.quanzi/databases/pushsdk.db-journal
/data/user/0/com.account.book.quanzi/databases/pushsdk.db-journal
/storage/emulated/0/libs/com.account.book.quanzi.bin
/storage/emulated/0/libs/com.account.book.quanzi.bin

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 18:28

Reported

2024-05-18 18:28

Platform

android-x86-arm-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A