Malware Analysis Report

2024-10-19 12:06

Sample ID 240520-v6p1tsbd7x
Target 6057c23c1a28a8e0111bc472b542b042_JaffaCakes118
SHA256 14e4e6112ade7224ac5fcf612a536601db5b24ea87c97a753175c44e9b8e9560
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10

Analysis Overview

Score: 8/10

SHA256 14e4e6112ade7224ac5fcf612a536601db5b24ea87c97a753175c44e9b8e9560

Threat Level: Likely malicious

The file 6057c23c1a28a8e0111bc472b542b042_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Checks if the internet connection is available

Requests dangerous framework permissions

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 17:36

Signatures

Requests dangerous framework permissions

Indicator: Description (Process and Target were N/A for every entry)
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECORD_AUDIO: Allows an application to record audio.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 17:36

Reported

2024-05-20 17:39

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

172s

Command Line

com.zpba.malp.slga

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks CPU information

evasion discovery
Indicator: file opened for read /proc/cpuinfo

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.zpba.malp.slga/app_mjf/dz.jar (three load events recorded)

Queries account information for other applications stored on the device

collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks if the internet connection is available

discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Reads information about phone network operator

discovery

Processes

com.zpba.malp.slga

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zpba.malp.slga/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.zpba.malp.slga/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.zpba.malp.slga:daemon

Network


Files

/data/data/com.zpba.malp.slga/app_mjf/tdz.jar
/data/data/com.zpba.malp.slga/app_mjf/ddz.jar
/data/user/0/com.zpba.malp.slga/app_mjf/dz.jar
/data/data/com.zpba.malp.slga/files/umeng_it.cache
/data/data/com.zpba.malp.slga/files/.umeng/exchangeIdentity.json
/data/data/com.zpba.malp.slga/databases/lezzd-journal
/data/data/com.zpba.malp.slga/databases/lezzd
/data/data/com.zpba.malp.slga/databases/lezzd-shm
/data/data/com.zpba.malp.slga/databases/lezzd-wal
/data/data/com.zpba.malp.slga/files/.um/um_cache_1716226651431.env
/data/data/com.zpba.malp.slga/app_mjf/oat/dz.jar.cur.prof
/data/data/com.zpba.malp.slga/files/mobclick_agent_cached_com.zpba.malp.slga1
/data/data/com.zpba.malp.slga/files/.imprint

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 17:36

Reported

2024-05-20 17:39

Platform

android-x64-20240514-en

Max time kernel

178s

Max time network

186s

Command Line

com.zpba.malp.slga

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks CPU information

evasion discovery
Indicator: file opened for read /proc/cpuinfo

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.zpba.malp.slga/app_mjf/dz.jar (two load events recorded)

Queries account information for other applications stored on the device

collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks if the internet connection is available

discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Processes

com.zpba.malp.slga

com.zpba.malp.slga:daemon

Network


Files

/data/data/com.zpba.malp.slga/app_mjf/tdz.jar
/data/data/com.zpba.malp.slga/app_mjf/ddz.jar
/data/user/0/com.zpba.malp.slga/app_mjf/dz.jar
/data/data/com.zpba.malp.slga/files/umeng_it.cache
/data/data/com.zpba.malp.slga/files/.umeng/exchangeIdentity.json
/data/data/com.zpba.malp.slga/databases/lezzd-journal
/data/data/com.zpba.malp.slga/databases/lezzd
/data/data/com.zpba.malp.slga/files/.um/um_cache_1716226651351.env
/data/data/com.zpba.malp.slga/app_mjf/oat/dz.jar.cur.prof
/data/data/com.zpba.malp.slga/files/mobclick_agent_cached_com.zpba.malp.slga1

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-20 17:36

Reported

2024-05-20 17:39

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

182s

Command Line

com.zpba.malp.slga

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks CPU information

evasion discovery
Indicator: file opened for read /proc/cpuinfo

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.zpba.malp.slga/app_mjf/dz.jar (two load events recorded)

Queries account information for other applications stored on the device

collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Checks if the internet connection is available

discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Reads information about phone network operator

discovery

Processes

com.zpba.malp.slga

com.zpba.malp.slga:daemon

Network


Files

/data/user/0/com.zpba.malp.slga/app_mjf/tdz.jar
/data/user/0/com.zpba.malp.slga/app_mjf/ddz.jar
/data/user/0/com.zpba.malp.slga/app_mjf/dz.jar
/data/user/0/com.zpba.malp.slga/files/umeng_it.cache
/data/user/0/com.zpba.malp.slga/files/.umeng/exchangeIdentity.json
/data/user/0/com.zpba.malp.slga/databases/lezzd-journal
/data/user/0/com.zpba.malp.slga/databases/lezzd
/data/user/0/com.zpba.malp.slga/files/.um/um_cache_1716226653172.env
/data/user/0/com.zpba.malp.slga/files/.imprint
/data/user/0/com.zpba.malp.slga/files/mobclick_agent_cached_com.zpba.malp.slga1
/data/user/0/com.zpba.malp.slga/files/.um/um_cache_1716226764778.env