Malware Analysis Report

2024-10-19 12:06

Sample ID: 240520-2bls9ahf54
Target: 611cce73a21b3ef5079548fc40be1179_JaffaCakes118
SHA256: 9fb9892ce36cdb74bacbed245a29771e3195894e37672f21176435ca001e4e97
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10


Analysis Overview


Threat Level: Likely malicious

The file 611cce73a21b3ef5079548fc40be1179_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Queries information about running processes on the device

Checks CPU information

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Reads information about phone network operator

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)


Analysis: static1

Detonation Overview

Reported: 2024-05-20 22:24

Signatures

Requests dangerous framework permissions

android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage. (listed twice)
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.

Process and Target: N/A for every entry.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 22:24
Reported: 2024-05-20 22:27
Platform: android-x64-20240514-en
Max time kernel: 179s
Max time network: 179s

Command Line

com.jkop.cmdn.fqgz

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Checks CPU information
Tags: evasion discovery
Indicator: /proc/cpuinfo (file opened for read)

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.jkop.cmdn.fqgz/app_mjf/dz.jar (two entries)

Queries account information for other applications stored on the device
Tags: collection
Indicator: android.accounts.IAccountManager.getAccountsAsUser (framework service call)

Queries information about running processes on the device
Tags: discovery
Indicator: android.app.IActivityManager.getRunningAppProcesses (framework service call)

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: android.net.wifi.IWifiManager.getConnectionInfo (framework service call)

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: android.app.IActivityManager.registerReceiver (framework service call)

Checks if the internet connection is available
Tags: discovery
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo (framework service call)

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about phone network operator
Tags: discovery

Process and Target: N/A for every indicator.

Processes

com.jkop.cmdn.fqgz

com.jkop.cmdn.fqgz:daemon

Network


Files

/data/data/com.jkop.cmdn.fqgz/app_mjf/tdz.jar
/data/data/com.jkop.cmdn.fqgz/app_mjf/ddz.jar
/data/user/0/com.jkop.cmdn.fqgz/app_mjf/dz.jar
/data/data/com.jkop.cmdn.fqgz/databases/lezzd-journal (6 versions recorded)
/data/data/com.jkop.cmdn.fqgz/databases/lezzd
/data/data/com.jkop.cmdn.fqgz/files/umeng_it.cache
/data/data/com.jkop.cmdn.fqgz/files/.umeng/exchangeIdentity.json
/data/data/com.jkop.cmdn.fqgz/files/.um/um_cache_1716243994520.env
/data/data/com.jkop.cmdn.fqgz/files/mobclick_agent_cached_com.jkop.cmdn.fqgz1

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-20 22:24
Reported: 2024-05-20 22:27
Platform: android-x64-arm64-20240514-en
Max time kernel: 179s
Max time network: 179s

Command Line

com.jkop.cmdn.fqgz

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Checks CPU information
Tags: evasion discovery
Indicator: /proc/cpuinfo (file opened for read)

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.jkop.cmdn.fqgz/app_mjf/dz.jar (two entries)

Queries account information for other applications stored on the device
Tags: collection
Indicator: android.accounts.IAccountManager.getAccountsAsUser (framework service call)

Queries information about running processes on the device
Tags: discovery
Indicator: android.app.IActivityManager.getRunningAppProcesses (framework service call)

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: android.net.wifi.IWifiManager.getConnectionInfo (framework service call)

Checks if the internet connection is available
Tags: discovery
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo (framework service call)

Reads information about phone network operator
Tags: discovery

Process and Target: N/A for every indicator.

Processes

com.jkop.cmdn.fqgz

com.jkop.cmdn.fqgz:daemon

Network


Files

/data/user/0/com.jkop.cmdn.fqgz/app_mjf/tdz.jar
/data/user/0/com.jkop.cmdn.fqgz/app_mjf/ddz.jar
/data/user/0/com.jkop.cmdn.fqgz/app_mjf/dz.jar
/data/user/0/com.jkop.cmdn.fqgz/databases/lezzd-journal (6 versions recorded)
/data/user/0/com.jkop.cmdn.fqgz/databases/lezzd
/data/user/0/com.jkop.cmdn.fqgz/files/umeng_it.cache
/data/user/0/com.jkop.cmdn.fqgz/files/.umeng/exchangeIdentity.json
/data/user/0/com.jkop.cmdn.fqgz/files/.um/um_cache_1716243993902.env
/data/user/0/com.jkop.cmdn.fqgz/files/mobclick_agent_cached_com.jkop.cmdn.fqgz1

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 22:24
Reported: 2024-05-20 22:27
Platform: android-x86-arm-20240514-en
Max time kernel: 179s
Max time network: 181s

Command Line

com.jkop.cmdn.fqgz

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Checks CPU information
Tags: evasion discovery
Indicator: /proc/cpuinfo (file opened for read)

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.jkop.cmdn.fqgz/app_mjf/dz.jar (three entries)

Queries account information for other applications stored on the device
Tags: collection
Indicator: android.accounts.IAccountManager.getAccountsAsUser (framework service call)

Queries information about running processes on the device
Tags: discovery
Indicator: android.app.IActivityManager.getRunningAppProcesses (framework service call)

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: android.net.wifi.IWifiManager.getConnectionInfo (framework service call)

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: android.app.IActivityManager.registerReceiver (framework service call)

Checks if the internet connection is available
Tags: discovery
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo (framework service call)

Reads information about phone network operator
Tags: discovery

Process and Target: N/A for every indicator.

Processes

com.jkop.cmdn.fqgz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jkop.cmdn.fqgz/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.jkop.cmdn.fqgz/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.jkop.cmdn.fqgz:daemon

Network


Files

/data/data/com.jkop.cmdn.fqgz/app_mjf/tdz.jar
/data/data/com.jkop.cmdn.fqgz/app_mjf/ddz.jar
/data/user/0/com.jkop.cmdn.fqgz/app_mjf/dz.jar (2 versions recorded)
/data/data/com.jkop.cmdn.fqgz/databases/lezzd-journal
/data/data/com.jkop.cmdn.fqgz/databases/lezzd
/data/data/com.jkop.cmdn.fqgz/databases/lezzd-shm
/data/data/com.jkop.cmdn.fqgz/databases/lezzd-wal
/data/data/com.jkop.cmdn.fqgz/files/umeng_it.cache (2 versions recorded)
/data/data/com.jkop.cmdn.fqgz/files/.umeng/exchangeIdentity.json (2 versions recorded)
/data/data/com.jkop.cmdn.fqgz/files/.imprint
/data/data/com.jkop.cmdn.fqgz/app_mjf/oat/dz.jar.cur.prof
/data/data/com.jkop.cmdn.fqgz/files/.um/um_cache_1716244054556.env