Malware Analysis Report

2024-10-19 12:07

Sample ID 240520-2mlydsaa75
Target 612bbfbfe1acc6b3a4c94bd322929c09_JaffaCakes118
SHA256 477d5262ee3a49ffcb3585602d188f7069f66dd8cf4a06e89e36c96482a53f33
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 612bbfbfe1acc6b3a4c94bd322929c09_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries account information for other applications stored on the device

Queries information about running processes on the device

Loads dropped Dex/Jar

Checks if the internet connection is available

Reads information about the phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-20 22:41

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 22:41
Reported: 2024-05-20 22:45
Platform: android-x86-arm-20240514-en
Max time kernel: 178s
Max time network: 162s

Command Line

com.cwut.bpbp.pvmx

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Checks CPU information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Loads dropped Dex/Jar
Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cwut.bpbp.pvmx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.cwut.bpbp.pvmx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.cwut.bpbp.pvmx/app_mjf/dz.jar | N/A | N/A

Queries account information for other applications stored on the device
Tags: collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about the phone network operator
Tags: discovery

Processes

com.cwut.bpbp.pvmx

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cwut.bpbp.pvmx/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.cwut.bpbp.pvmx/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.cwut.bpbp.pvmx:daemon

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 22:41
Reported: 2024-05-20 22:45
Platform: android-x64-20240514-en
Max time kernel: 179s
Max time network: 181s

Command Line

com.cwut.bpbp.pvmx

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Checks CPU information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Loads dropped Dex/Jar
Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cwut.bpbp.pvmx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.cwut.bpbp.pvmx/app_mjf/dz.jar | N/A | N/A

Queries account information for other applications stored on the device
Tags: collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about the phone network operator
Tags: discovery

Processes

com.cwut.bpbp.pvmx

com.cwut.bpbp.pvmx:daemon

Network

Files

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-20 22:41
Reported: 2024-05-20 22:45
Platform: android-x64-arm64-20240514-en
Max time kernel: 177s
Max time network: 162s

Command Line

com.cwut.bpbp.pvmx

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Checks CPU information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Loads dropped Dex/Jar
Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cwut.bpbp.pvmx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.cwut.bpbp.pvmx/app_mjf/dz.jar | N/A | N/A

Queries account information for other applications stored on the device
Tags: collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks if the internet connection is available
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about the phone network operator
Tags: discovery

Processes

com.cwut.bpbp.pvmx

com.cwut.bpbp.pvmx:daemon

Network

Files
