Malware Analysis Report

2024-10-19 12:07

Sample ID 240521-s3x6xsag4z
Target 63d1c4eed6af4f5df798744775aea2ab_JaffaCakes118
SHA256 36050438869a840764b4dde7481bdd75899763ee2e5aef89b29bcabf115e2fe0
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

36050438869a840764b4dde7481bdd75899763ee2e5aef89b29bcabf115e2fe0

Threat Level: Likely malicious

The file 63d1c4eed6af4f5df798744775aea2ab_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Reads information about phone network operator

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-21 15:39

Signatures

Requests dangerous framework permissions

Permission: description (no process or target is recorded for static analysis)
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECORD_AUDIO: Allows an application to record audio.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 15:39

Reported

2024-05-21 15:42

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

185s

Command Line

com.ajdr.epbs.blkv

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks CPU information

evasion discovery
File opened for read: /proc/cpuinfo

Loads dropped Dex/Jar

evasion
Loaded file: /data/user/0/com.ajdr.epbs.blkv/app_mjf/dz.jar (recorded three times)

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks if the internet connection is available

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Processes

com.ajdr.epbs.blkv

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ajdr.epbs.blkv/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.ajdr.epbs.blkv/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.ajdr.epbs.blkv:daemon

Network

Files

/data/data/com.ajdr.epbs.blkv/app_mjf/tdz.jar
/data/data/com.ajdr.epbs.blkv/app_mjf/ddz.jar
/data/user/0/com.ajdr.epbs.blkv/app_mjf/dz.jar (captured twice, with differing hashes)
/data/data/com.ajdr.epbs.blkv/files/umeng_it.cache
/data/data/com.ajdr.epbs.blkv/files/.umeng/exchangeIdentity.json
/data/data/com.ajdr.epbs.blkv/databases/lezzd-journal
/data/data/com.ajdr.epbs.blkv/databases/lezzd
/data/data/com.ajdr.epbs.blkv/databases/lezzd-shm
/data/data/com.ajdr.epbs.blkv/databases/lezzd-wal
/data/data/com.ajdr.epbs.blkv/files/.um/um_cache_1716306049748.env
/data/data/com.ajdr.epbs.blkv/files/mobclick_agent_cached_com.ajdr.epbs.blkv1

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 15:39

Reported

2024-05-21 15:42

Platform

android-x64-20240514-en

Max time kernel

178s

Max time network

186s

Command Line

com.ajdr.epbs.blkv

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks CPU information

evasion discovery
File opened for read: /proc/cpuinfo

Loads dropped Dex/Jar

evasion
Loaded file: /data/user/0/com.ajdr.epbs.blkv/app_mjf/dz.jar (recorded twice)

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks if the internet connection is available

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Processes

com.ajdr.epbs.blkv

com.ajdr.epbs.blkv:daemon

Network

Files

/data/data/com.ajdr.epbs.blkv/app_mjf/tdz.jar
/data/data/com.ajdr.epbs.blkv/app_mjf/ddz.jar
/data/user/0/com.ajdr.epbs.blkv/app_mjf/dz.jar
/data/data/com.ajdr.epbs.blkv/files/umeng_it.cache
/data/data/com.ajdr.epbs.blkv/files/.umeng/exchangeIdentity.json
/data/data/com.ajdr.epbs.blkv/databases/lezzd-journal (captured six times, with differing hashes)
/data/data/com.ajdr.epbs.blkv/databases/lezzd
/data/data/com.ajdr.epbs.blkv/files/.um/um_cache_1716306048952.env
/data/data/com.ajdr.epbs.blkv/app_mjf/oat/dz.jar.cur.prof
/data/data/com.ajdr.epbs.blkv/files/mobclick_agent_cached_com.ajdr.epbs.blkv1

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 15:39

Reported

2024-05-21 15:42

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

186s

Command Line

com.ajdr.epbs.blkv

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks CPU information

evasion discovery
File opened for read: /proc/cpuinfo

Loads dropped Dex/Jar

evasion
Loaded file: /data/user/0/com.ajdr.epbs.blkv/app_mjf/dz.jar (recorded twice)

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Checks if the internet connection is available

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Reads information about phone network operator

discovery

Processes

com.ajdr.epbs.blkv

com.ajdr.epbs.blkv:daemon

Network

Files

/data/user/0/com.ajdr.epbs.blkv/app_mjf/tdz.jar
/data/user/0/com.ajdr.epbs.blkv/app_mjf/ddz.jar
/data/user/0/com.ajdr.epbs.blkv/app_mjf/dz.jar
/data/user/0/com.ajdr.epbs.blkv/files/umeng_it.cache
/data/user/0/com.ajdr.epbs.blkv/files/.umeng/exchangeIdentity.json
/data/user/0/com.ajdr.epbs.blkv/databases/lezzd-journal (captured six times, with differing hashes)
/data/user/0/com.ajdr.epbs.blkv/databases/lezzd
/data/user/0/com.ajdr.epbs.blkv/files/.um/um_cache_1716306050005.env
/data/user/0/com.ajdr.epbs.blkv/files/mobclick_agent_cached_com.ajdr.epbs.blkv1