Malware Analysis Report

2024-10-19 12:07

Sample ID 240519-wcrg8saa98
Target 5aa6fb7b8a0b68937e34b1a930a8e627_JaffaCakes118
SHA256 008f796efe5532aebe2f74e19ee3918a28d880a502e0d59b6dedb3edc14e0b18
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

008f796efe5532aebe2f74e19ee3918a28d880a502e0d59b6dedb3edc14e0b18

Threat Level: Likely malicious

The file 5aa6fb7b8a0b68937e34b1a930a8e627_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries account information for other applications stored on the device

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Reads information about phone network operator.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 17:46

Signatures

Requests dangerous framework permissions

Indicator                                  Process  Target  Description
android.permission.WRITE_EXTERNAL_STORAGE  N/A      N/A     Allows an application to write to external storage.
android.permission.GET_ACCOUNTS            N/A      N/A     Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE        N/A      N/A     Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW     N/A      N/A     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                  N/A      N/A     Required to be able to access the camera device.
android.permission.RECORD_AUDIO            N/A      N/A     Allows an application to record audio.
android.permission.WRITE_EXTERNAL_STORAGE  N/A      N/A     Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE   N/A      N/A     Allows an application to read from external storage.
android.permission.WRITE_CONTACTS          N/A      N/A     Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS          N/A      N/A     Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION  N/A      N/A     Allows an app to access approximate location.

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 17:46

Reported

2024-05-19 17:50

Platform

android-x64-20240514-en

Max time kernel

178s

Max time network

181s

Command Line

com.owtv.ffmq.xnbp

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Checks CPU information

evasion discovery
Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Loads dropped Dex/Jar

evasion
Description  Indicator                                       Process  Target
N/A          /data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar  N/A      N/A
N/A          /data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar  N/A      N/A

Queries account information for other applications stored on the device

collection
Description             Indicator                                           Process  Target
Framework service call  android.accounts.IAccountManager.getAccountsAsUser  N/A      N/A

Queries information about running processes on the device

discovery
Description             Indicator                                            Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Queries information about the current Wi-Fi connection

discovery
Description             Indicator                                        Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks if the internet connection is available

discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

com.owtv.ffmq.xnbp

com.owtv.ffmq.xnbp:daemon

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     N/A                                 udp
US       1.1.1.1:53           ip.taobao.com                       udp
CN       59.82.122.127:80     ip.taobao.com                       tcp
GB       216.58.204.74:443    N/A                                 tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       216.58.212.206:443   android.apis.google.com             tcp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       142.250.200.40:443   ssl.google-analytics.com            tcp
GB       172.217.169.14:443   N/A                                 tcp
US       1.1.1.1:53           c.ioate.com                         udp
CN       59.82.122.127:80     ip.taobao.com                       tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       142.250.187.202:443  semanticlocation-pa.googleapis.com  tcp
CN       59.82.122.127:80     ip.taobao.com                       tcp
GB       142.250.187.238:443  N/A                                 tcp
GB       142.250.200.2:443    N/A                                 tcp
GB       172.217.169.10:443   semanticlocation-pa.googleapis.com  tcp
US       1.1.1.1:53           ip.taobao.com                       udp
CN       59.82.121.73:80      ip.taobao.com                       tcp
GB       172.217.16.228:443   N/A                                 tcp
GB       172.217.16.228:443   N/A                                 tcp
US       1.1.1.1:53           o.pmuro.com                         udp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       1.1.1.1:53           alog.umeng.com                      udp
CN       223.109.148.177:80   alog.umeng.com                      tcp
CN       223.109.148.130:80   alog.umeng.com                      tcp
CN       59.82.121.73:80      ip.taobao.com                       tcp
CN       223.109.148.179:80   alog.umeng.com                      tcp
CN       59.82.121.73:80      ip.taobao.com                       tcp
CN       223.109.148.141:80   alog.umeng.com                      tcp
CN       223.109.148.178:80   alog.umeng.com                      tcp
CN       59.82.121.73:80      ip.taobao.com                       tcp
CN       223.109.148.176:80   alog.umeng.com                      tcp
US       1.1.1.1:53           alog.umeng.co                       udp
CN       223.109.148.177:80   alog.umeng.com                      tcp
CN       223.109.148.130:80   alog.umeng.com                      tcp
CN       223.109.148.179:80   alog.umeng.com                      tcp
CN       223.109.148.141:80   alog.umeng.com                      tcp
CN       223.109.148.178:80   alog.umeng.com                      tcp
CN       223.109.148.176:80   alog.umeng.com                      tcp

Files

/data/data/com.owtv.ffmq.xnbp/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.owtv.ffmq.xnbp/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 672783f749dbcd04cd13c5bd1cf3421b
SHA1 decbfc598e7b332d08a6d49fe10799efa0d5cef9
SHA256 a635e90f043cf8eb062a72a94e727e12f9addf51341b7ddbbfc1b24c8048e059
SHA512 3e9aec4139467423a05ab5522ca5471b8231168eb9b8af02d2fbc0d40e3de0e83c404cfbc66f516120c730fbb9105141d1899bca7f5881e1c6b83c99c680a7d3

/data/data/com.owtv.ffmq.xnbp/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 85166578832000a0827499fdc7701c92
SHA1 b7a154b23826bf2515f5911d0770b52e260c5cc4
SHA256 df1d2a414d03f0f3cf36341d989df828688b9a34b09865b25f817ba04bc19fbc
SHA512 0fbe97b00a85f71b10168c5c8b085bcb064c83cdb4e6a0ba19a5938d492a31e97c5503f1426423d94bb0525d81918b16cd138a5731dfbd8520bfeeea91a988e6

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 8e6314655be70f3701a793d7148a5ba3
SHA1 f4e02992f735f43bd1038f16baaa235c3897644c
SHA256 8c835d85d8e2a75e6c7f6e47afde883b9e18ad17ffdb26bfdd2e88ab0b6ed234
SHA512 839b1684f46f9e6effc4ec6e809dafaa75c7c833564b17a56d089b5fffcb17451ad9c2e1a1b5d5936b038d5d07a07af91b4df114d2a93f13224b5d38d3277048

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 5e2ef8fa229c3b3bbda9c656522bff4b
SHA1 dde6ff736d6d0305a1014ba194fda7b5c2492011
SHA256 afff6ae4da1175ffa4fdd8d624cf53b38ee459200dad457a85dccd12d09a9795
SHA512 db25a7ee6ac986ac92524fced9428d1329c30b9e3ecbd4af1e4e7372e8ff36d24adbc14955ea6ea5ca7b66de86386c4712f7bc63f23d36d2a2a3b5202563598f

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 1ea75ab568dfae15ba6c33aeb76156a4
SHA1 fa2d9f1a430843c928caa75359d7e4bb44dc5af6
SHA256 accf4c0a1b0798f0ebdf14fc6887b74c8b88a4d5576d1a54ca8a8a954e749f31
SHA512 57f8fc1d3615158852766fecd23ee83cbd5da9c73ff994ca3a7f41956540b8024abee136b3d0e86a80282f0bdeb15d814850e290d6e7cdf02de0cd077ec68683

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 377b3594684af3c49c6e01800cf54d9a
SHA1 a6f5abd2586f666bef42a0c0cca9d007f0c14fa4
SHA256 43e4098ae601910386c85d7c819dbd5782c08da750bf29fc975a0bbff78d4a04
SHA512 2fc65ca5ca29b95fa5245971dc29f85b620ea190fd3d526aa8d156242cd5ba477fa088312ee5efb27d845b3debac397c19a316187cd712db61004cc88921e789

/data/data/com.owtv.ffmq.xnbp/files/umeng_it.cache

MD5 94c204ac11f3b054418b261d11a738eb
SHA1 06866b715293208f9360c25117413b0a9b2411ec
SHA256 a4def8dbb7aadc92723e3c1fea9980e426055abfb1f79f2f39174ed84a46b045
SHA512 dbad2ef42125377bdec967f2997bfeaed4f7a86a6c07a896544aeb919151427ccb64b5fdcc8c9ff3dd22fbec8bcb6755ba2f0e4e1444abc5d3395526c8ab5c3c

/data/data/com.owtv.ffmq.xnbp/files/.umeng/exchangeIdentity.json

MD5 fe855238274b015ed21fd7eef6b7f0ac
SHA1 c13e2375bc76bb494a1ad99af19ce7ae202e3e71
SHA256 7835688988975cb4627447ac6aa7fd2c5913be95c02ea97d9bc6fa506e93aea8
SHA512 cab2cb89cee35556a6129f407335180e7461b6d65ded74b329b14f9fbec16609d3266a3020758f30f8abc257342f43d33aa3ebf14cca643381c9ba4dc2cb397b

/data/data/com.owtv.ffmq.xnbp/files/.um/um_cache_1716140952455.env

MD5 3b55b06686da943747a4eff67a5660e6
SHA1 383ce1d0a6ecfdc9eda0b353e062ad38845a96ff
SHA256 98f106bce533145d6835437a1bbedfa0b97b7e106aa873ed2b8ab7697c3a3eb0
SHA512 1f6784de0312ed16e871cfd55360ec668428fefd74d52bfaf12557860401e6dd2b8da03021850b8a1136f040dbbfc09272de7a25316f120d079c1bd48b3f0961

/data/data/com.owtv.ffmq.xnbp/files/mobclick_agent_cached_com.owtv.ffmq.xnbp1

MD5 a6e588faceb235c5690d1967823c2597
SHA1 66ac73c56a6d79b22f02ebaddd0b8bb974754a37
SHA256 ec341f862bbd399aa84bf5edfc7bc543fcaf4cc701d393349c9e2a44ea30adb0
SHA512 546ccc8c7676205e9ab607ce16cf6202fa580e8518662dc7cb19f11ec04bb3ec7089369fca03b2ad16c16a7970d729a4fa684734d395f9c6c4021dc042bdcb06

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 17:46

Reported

2024-05-19 17:50

Platform

android-x64-arm64-20240514-en

Max time kernel

178s

Max time network

184s

Command Line

com.owtv.ffmq.xnbp

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Checks CPU information

evasion discovery
Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Loads dropped Dex/Jar

evasion
Description  Indicator                                       Process  Target
N/A          /data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar  N/A      N/A
N/A          /data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar  N/A      N/A

Queries account information for other applications stored on the device

collection
Description             Indicator                                           Process  Target
Framework service call  android.accounts.IAccountManager.getAccountsAsUser  N/A      N/A

Queries information about running processes on the device

discovery
Description             Indicator                                            Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Queries information about the current Wi-Fi connection

discovery
Description             Indicator                                        Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Checks if the internet connection is available

discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Reads information about phone network operator.

discovery

Processes

com.owtv.ffmq.xnbp

com.owtv.ffmq.xnbp:daemon

Network

Country  Destination          Domain                              Proto
GB       142.250.180.14:443   N/A                                 tcp
GB       142.250.180.14:443   N/A                                 tcp
N/A      224.0.0.251:5353     N/A                                 udp
US       1.1.1.1:53           ip.taobao.com                       udp
CN       59.82.121.179:80     ip.taobao.com                       tcp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       142.250.180.8:443    ssl.google-analytics.com            tcp
US       1.1.1.1:53           c.ioate.com                         udp
CN       59.82.121.179:80     ip.taobao.com                       tcp
CN       59.82.121.179:80     ip.taobao.com                       tcp
GB       216.58.201.100:443   N/A                                 tcp
GB       216.58.201.100:443   N/A                                 tcp
CN       59.82.121.179:80     ip.taobao.com                       tcp
US       1.1.1.1:53           o.pmuro.com                         udp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       1.1.1.1:53           alog.umeng.com                      udp
CN       223.109.148.178:80   alog.umeng.com                      tcp
CN       223.109.148.141:80   alog.umeng.com                      tcp
US       1.1.1.1:53           ip.taobao.com                       udp
CN       59.82.121.179:80     ip.taobao.com                       tcp
CN       223.109.148.177:80   alog.umeng.com                      tcp
CN       223.109.148.130:80   alog.umeng.com                      tcp
CN       59.82.121.179:80     ip.taobao.com                       tcp
CN       223.109.148.179:80   alog.umeng.com                      tcp
CN       59.82.121.179:80     ip.taobao.com                       tcp
CN       223.109.148.176:80   alog.umeng.com                      tcp
US       1.1.1.1:53           alog.umeng.co                       udp
CN       223.109.148.178:80   alog.umeng.com                      tcp
CN       223.109.148.141:80   alog.umeng.com                      tcp
CN       223.109.148.177:80   alog.umeng.com                      tcp
CN       223.109.148.130:80   alog.umeng.com                      tcp
CN       223.109.148.179:80   alog.umeng.com                      tcp
CN       223.109.148.176:80   alog.umeng.com                      tcp

Files

/data/user/0/com.owtv.ffmq.xnbp/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.owtv.ffmq.xnbp/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 d1243451b65a2d162cd9a89462800b0d
SHA1 75234107ec76eb003d855e5d25854be37a98efe8
SHA256 6d87682997e8578170e6c591fa92e197f3c4de6686ed529f3471c459a6a4c30b
SHA512 f6cf3edec4e481b301f82d2f40a4ca8bd0029203c4c92230bc5e67b0cb21feff62cec5cafe584d93eaa49b953fb8aabe6796364681c95bc656a8455551ea549e

/data/user/0/com.owtv.ffmq.xnbp/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 a6cedfb00305f5c09efe529efdce1d8d
SHA1 8d673f0ddc1819480724afe995ac85d3ab253314
SHA256 adaced138ec677e20aee9143165f4949b2c4844afd4322e37db52b26085ea390
SHA512 83654f701d05da28bb6caaba1d7c358340515ac6b5b12b954c221c479123a5d758b16807025449945913d9c33b85c8ac8e10c8ae4667f38a05f83e0a613886d2

/data/user/0/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 82da917c96bd693218c562d5f11ac97d
SHA1 76c18d6f283196330dfb838466d49c2ae032573f
SHA256 4f48c5ef5bb2e7b8fbfc5be55753dcbd87a94ffeeb643e4686588e463c738639
SHA512 8cbb58ddd04fb3a4f65416a61824f14eb7a33f60e46b5c3e625fb195b9951f4edf42a78fca56ebcc43f8bb496f119d4019062543823fac4614bb2d0d95c4609b

/data/user/0/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 b1e4ef9ee9737bf4a721a19403e00582
SHA1 a76c3b87281904fe38649026a02e93bf8b7d5456
SHA256 725eaeff7eb9221537729670063f7efd58351b3b2f30fc3e1b7b0c243bbea5ca
SHA512 3f240ab92f2ba8e8830e55d216b2a2c4ac26c594c254fab4252e59a568a4d9210aa74ee28420542c6f7c2c7c74332a6c2d559b6e2ec8ec0d6efa386d6c2fa2e1

/data/user/0/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 2e113bddbc66323b1c32c14f67e3c2f7
SHA1 fbf0820cd355227d9c99f60a01afbde664722a26
SHA256 4d1f9235b9f63127e658041822fe45ba99eba88796efc450d068efb461313785
SHA512 309d9dad90b6a4e8deff669c4d15eeb77530acc02b1c3d650e217a544352a9c6d804325a1ae6ac3e1795f91efcfa98b0d440d24151baf090beeaf4d331a9c3fa

/data/user/0/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 d76de5739dfef87b8959941342df91ed
SHA1 273fd51dafe95b3f57b8240f56280dc5f0c57fa0
SHA256 cf4eded6231549c2a402890f4644644b52ba467804f0baf5f83fb558c88ad522
SHA512 dae457b526d0f6204670fcf99853fe8e6e545c0faf8930f8dd8f4aa4a08696df6523ccf344e8bca905f4f404bf1bf89c4554f7cd8d65260bb3a744edba0de2f1

/data/user/0/com.owtv.ffmq.xnbp/files/umeng_it.cache

MD5 e0a3cd0a3aa36821e5dffd535214811a
SHA1 6099e33c5ae26237a304eb49398ef2f2a0c2cf04
SHA256 54fbc487887860a92f25674de2a0459e8724ceac5292a9d087e2ac02aec21d14
SHA512 f5fc08f818a91ce775aa84a1a869faa3461c18161e9c5cb619b264cc9968596e5dfae3f2408dc79b796f47d78c5da7c06a19a113d0410b00ebdb553673708a6b

/data/user/0/com.owtv.ffmq.xnbp/files/.umeng/exchangeIdentity.json

MD5 3247e9ab19e5b9ef96c487151f46b1d5
SHA1 76438063c36dc8eed417c44586806e735bc6ad9a
SHA256 2ec3ab8f9dd96c71b9bbbd5b089c3130267550680bc28450be89ff5fa26b5e29
SHA512 a2c2f536e712a1c57ad1084c5b0567accf8fb6a0f3fc7e3d941bfb59b268408e7dbcf6d819812107b142b51a6398c6710dd5c06038cf64edb5df484fee01e990

/data/user/0/com.owtv.ffmq.xnbp/files/.um/um_cache_1716140955313.env

MD5 d44063cc5bf46ebfb40b9b78d3074d31
SHA1 3ac353c5e6a02e80ff2d91b9ce1f838dd9992357
SHA256 0f7f73c8e126fd403509426a33bff8a38fbd11f25dd3c9aa893a52334502c850
SHA512 54a50fce0d4dfeef372fef6760bccde5ad7ac836698343f0b2ba6a8cac5f2a2b769e80122fed208bb39c9dd38f6743d8e8f43f2940e1ed1439da0269592c6357

/data/user/0/com.owtv.ffmq.xnbp/files/mobclick_agent_cached_com.owtv.ffmq.xnbp1

MD5 064943f4eb66864440368ef528a7229b
SHA1 ee94b41c55ead547d3eaf8e5365aeb4c6935f640
SHA256 2cdbcae7b29e30e16f54106e9b0c490db40f0ac7f7862772b61a022b955da883
SHA512 2d47f6bf81c8348c8da25b6b77dc75cd6cb55c596cabe7b4064489a04e09bcbcf95acbc3d9d73b97dfdce1406dcfb5558b749c050ad6ad54a7e8a722cf3b6d8d

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 17:46

Reported

2024-05-19 17:50

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

178s

Command Line

com.owtv.ffmq.xnbp

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Checks CPU information

evasion discovery
Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Loads dropped Dex/Jar

evasion
Description  Indicator                                       Process  Target
N/A          /data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar  N/A      N/A
N/A          /data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar  N/A      N/A
N/A          /data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar  N/A      N/A

Queries account information for other applications stored on the device

collection
Description             Indicator                                           Process  Target
Framework service call  android.accounts.IAccountManager.getAccountsAsUser  N/A      N/A

Queries information about running processes on the device

discovery
Description             Indicator                                            Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Queries information about the current Wi-Fi connection

discovery
Description             Indicator                                        Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks if the internet connection is available

discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Processes

com.owtv.ffmq.xnbp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.owtv.ffmq.xnbp/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.owtv.ffmq.xnbp:daemon

Network

Country  Destination          Domain                              Proto
GB       142.250.187.195:443  N/A                                 tcp
N/A      224.0.0.251:5353     N/A                                 udp
US       1.1.1.1:53           ip.taobao.com                       udp
CN       59.82.122.172:80     ip.taobao.com                       tcp
GB       142.250.178.3:443    N/A                                 tcp
US       1.1.1.1:53           c.ioate.com                         udp
CN       59.82.122.172:80     ip.taobao.com                       tcp
GB       216.58.204.78:443    N/A                                 tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.187.206:443  android.apis.google.com             tcp
US       1.1.1.1:53           ip.taobao.com                       udp
CN       59.82.121.179:80     ip.taobao.com                       tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
CN       59.82.121.179:80     ip.taobao.com                       tcp
US       1.1.1.1:53           o.pmuro.com                         udp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       54.80.154.23:80      o.pmuro.com                         tcp
US       1.1.1.1:53           alog.umeng.com                      udp
CN       223.109.148.177:80   alog.umeng.com                      tcp
CN       223.109.148.176:80   alog.umeng.com                      tcp
US       1.1.1.1:53           ip.taobao.com                       udp
CN       59.82.121.163:80     ip.taobao.com                       tcp
CN       223.109.148.178:80   alog.umeng.com                      tcp
CN       59.82.121.163:80     ip.taobao.com                       tcp
CN       223.109.148.141:80   alog.umeng.com                      tcp
CN       223.109.148.130:80   alog.umeng.com                      tcp
CN       59.82.121.163:80     ip.taobao.com                       tcp
CN       223.109.148.179:80   alog.umeng.com                      tcp
US       1.1.1.1:53           alog.umeng.co                       udp
CN       223.109.148.177:80   alog.umeng.com                      tcp
CN       223.109.148.176:80   alog.umeng.com                      tcp
CN       223.109.148.178:80   alog.umeng.com                      tcp
CN       223.109.148.141:80   alog.umeng.com                      tcp
CN       223.109.148.130:80   alog.umeng.com                      tcp
CN       223.109.148.179:80   alog.umeng.com                      tcp

Files

/data/data/com.owtv.ffmq.xnbp/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.owtv.ffmq.xnbp/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.owtv.ffmq.xnbp/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-journal

MD5 7591af85b6685ecccf0ce78042a76cce
SHA1 c05bbe9dcb62d8100839c9c595d4cc61c69398c7
SHA256 08e85eaefabdaa92412ade300cf525e88e8ce50830058f223d0dbcfe039ebfeb
SHA512 c1e6300aff35322a417c849438f6ed9a3afa990ffa5b80795cdd876331ad98b109f20254f4417420fc200dda7bf59b7b020e533105898ec0ba78d95c1e708d24

/data/data/com.owtv.ffmq.xnbp/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.owtv.ffmq.xnbp/databases/lezzd-wal

MD5 f3bb9af4d73c1b70ffdfed467c4c7704
SHA1 d0fb1b03c446157f21ce53703066b571c07bf8bd
SHA256 94e1b0b714f46f523d8b398b4b31bd7722fd965d143efa8d16d7495f659ca823
SHA512 9ddc88c6978d046b6e1c38163937f440ad9d6cd48f71003df85da35528bbee263bc9e8ff925d42930e89d1b3e1fa04b62afcdf1618aee9796b6be2ab696dc160

/data/data/com.owtv.ffmq.xnbp/files/umeng_it.cache

MD5 cf3a1fe3c3ef1aa20040aef688d489e1
SHA1 faa61a9a241aa464bd544feb88af17f4d39d9cf1
SHA256 207f8bdb0392447832a57d61777d7594c55ddd68964acc7d2ad35e8744b86c15
SHA512 167033494342d1b9fcb0ea91ddf90dec57044a6b0790eea93a691ab567a9277efb150f751b3e926df8661677f5537dfa3c4d3ad627a78a9bc550e063ab58a199

/data/data/com.owtv.ffmq.xnbp/files/.umeng/exchangeIdentity.json

MD5 71372be36057c2e71f3b4dff8a196a34
SHA1 e997569284b3e80f751c2732865d92f718a856c1
SHA256 a2d3ebbca00ba1eb4ad8bf7f2177db4b912f36e69a7fbe6ddbc727b360f1b890
SHA512 245e0d221aebb5b5363d00e3e95440e8949c9e358b5da6c4eb152cd0516cf72a8a8562939d64c79d99761c2df7ff898dd7ce63d4f9ca7dec52197cf688d13cc8

/data/data/com.owtv.ffmq.xnbp/files/.um/um_cache_1716140954225.env

MD5 84ce52dd2dcf386366d0c6c6d1c6c35c
SHA1 1e042b634d598683a34660bf3bb0d93a43e7f2e6
SHA256 1346f45464159dd1e22a5a87dc62d9488277c74530aeb3aa7acef3c9a40540e1
SHA512 7a78b23f6cb27f9cfb7c8688e7862cf3b1d10505c3e9547481e301d9203f601949a601f86fe93802b56667dfa6676a4b1f2f66c42fe170eccc3c24584a72d8bd

/data/data/com.owtv.ffmq.xnbp/app_mjf/oat/dz.jar.cur.prof

MD5 e72d834a1215774e5d05c115e6286068
SHA1 16c5657a9ad0224f17741730fa440282bdea2702
SHA256 b3340f5e1031d168ae27e3120c749f0dd66d11297a8ee0c8c304a853df4c2ef2
SHA512 3071dffb0c2a64b3de872134133cbb21edf76ef75b03c238773420ff4a2d1e9097e8ea7381aea63f4817b810ef7c758ece3ae3944e3546bc890c5bd73eeb7db6

/data/data/com.owtv.ffmq.xnbp/files/mobclick_agent_cached_com.owtv.ffmq.xnbp1

MD5 b2afcbca455af12a16c2f8e668b954ae
SHA1 789e284e07c1d699611fb16c7aa70beb16d555d2
SHA256 aea361fbd204cf68bf71d6095a9860f4f2bae6c6e83a73f1c6c9947c309f58a2
SHA512 a65c275daea116d008d6911275fc4d3cde62952c06a9fc655b8774a49e051f135a66167b2e80406f81c6f98b85ca3875e1fadea189f8e02dcc7d426292ded4c8