Malware Analysis Report

2024-10-19 12:06

Sample ID 240521-x3vs1sfh4z
Target 6478d00b69e5c2561bd38d29f2813fa2_JaffaCakes118
SHA256 43c9703326164f014bb317e79cd79585245259e18e6d4af32b7735b6da5dd2d6
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

43c9703326164f014bb317e79cd79585245259e18e6d4af32b7735b6da5dd2d6

Threat Level: Likely malicious

The file 6478d00b69e5c2561bd38d29f2813fa2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Checks CPU information

Queries account information for other applications stored on the device

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Reads information about phone network operator

Requests dangerous framework permissions

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 19:23

Signatures

Requests dangerous framework permissions

Indicator (permission)                        Description
android.permission.WRITE_EXTERNAL_STORAGE     Allows an application to write to external storage.
android.permission.GET_ACCOUNTS               Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE           Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW        Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                     Required to be able to access the camera device.
android.permission.RECORD_AUDIO               Allows an application to record audio.
android.permission.WRITE_EXTERNAL_STORAGE     Allows an application to write to external storage. (second listing, as in the report)
android.permission.READ_EXTERNAL_STORAGE      Allows an application to read from external storage.
android.permission.WRITE_CONTACTS             Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS             Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION     Allows an app to access approximate location.
Process and Target: N/A for every row (static analysis, no process context).
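The permission list above is the static evidence behind the banker tag: SYSTEM_ALERT_WINDOW (windows drawn over other apps) together with GET_ACCOUNTS and READ_PHONE_STATE is the request set overlay bankers rely on, and two of the listed permissions (SYSTEM_ALERT_WINDOW, WRITE_SETTINGS) are special-access grants made through a Settings toggle rather than a runtime prompt. The script below is an added illustration, not part of the sandbox report or the sample: it reads a decoded AndroidManifest.xml in the form apktool emits, extracts the declared permissions, flags the runtime-dangerous and special-access ones, reports duplicate declarations such as the doubled WRITE_EXTERNAL_STORAGE, checks for the overlay-banker combination, and lists the launcher activity, which is the component to look for among the disabled components in `adb shell dumpsys package <pkg>` after a run, given that the report says the app removes itself from the launcher. The embedded manifest is constructed from the static1 list; its package, activity and service names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml in the form apktool emits,
# declaring exactly the permissions listed in static1 (WRITE_EXTERNAL_STORAGE
# twice, as reported). Package, activity and service names are assumptions.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.tbus.dlqa.exsn">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".DaemonService" android:process=":daemon"/>
  </application>
</manifest>
"""

# Runtime-prompted ("dangerous") permissions; not an exhaustive list.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
}
# Special-access permissions granted through a Settings toggle, not a runtime prompt.
SPECIAL_ACCESS = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.WRITE_SETTINGS"}
# Overlay window plus account and device-identity access: the overlay-banker request set.
BANKER_SET = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.GET_ACCOUNTS",
              "android.permission.READ_PHONE_STATE"}


def parse_manifest(xml_text):
    """Return package name, declared permissions (in manifest order) and launcher activities."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    launchers = []
    for act in root.iter("activity"):
        for filt in act.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            cats = {c.get(ANDROID_NS + "name") for c in filt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launchers.append(act.get(ANDROID_NS + "name"))
    return {"package": root.get("package"), "permissions": perms, "launcher_activities": launchers}


def assess(info):
    """Summarise the permission surface and flag the overlay-banker combination."""
    seen, duplicates = set(), []
    for p in info["permissions"]:
        if p in seen and p not in duplicates:
            duplicates.append(p)
        seen.add(p)
    return {
        "dangerous": sorted(seen & DANGEROUS),
        "special_access": sorted(seen & SPECIAL_ACCESS),
        "duplicates": duplicates,
        "banker_pattern": BANKER_SET <= seen,
        # Component to check after detonation: a hidden launcher entry shows up as a
        # disabled component in `adb shell dumpsys package <pkg>`.
        "launcher_activities": info["launcher_activities"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(parse_manifest(SAMPLE_MANIFEST)), indent=2))
```

A duplicate uses-permission entry is harmless to the platform, which deduplicates on install, but it is a cheap fingerprint: it usually means the manifest was merged from an SDK or a packer template rather than written by hand, which is worth carrying into clustering.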

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 19:23

Reported

2024-05-21 19:26

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

178s

Command Line

com.tbus.dlqa.exsn

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
No indicator details recorded (Description, Indicator, Process and Target all N/A).

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Processes

com.tbus.dlqa.exsn

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.tbus.dlqa.exsn/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.tbus.dlqa.exsn:daemon
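The dex2oat line above is ART compiling the dropped dz.jar when the app first loaded it: --dex-file names the payload, --oat-location the compiled output under app_mjf/oat/x86/, and the --output-vdex-fd/--oat-fd arguments show the app process opened those files itself before spawning the compiler, so the "Loads dropped Dex/Jar" signature and this child process are the same event seen from two sides. The helper below is an added example, not code from the report or from the sample: it walks a pulled app data directory, classifies files by magic bytes rather than extension (a .jar that is really a raw DEX, or a DEX under a cache-looking name, is common), skips the derived oat/ output, hashes what it finds, and pulls the payload-related arguments out of a dex2oat command line. The directory it scans is constructed in a temporary folder and the dex2oat line is an abridged copy of the one above.

```python
import hashlib
import os
import shlex
import tempfile
import zipfile

DEX_MAGIC = b"dex\n"        # classes.dex starts with "dex\n" + a 3-digit version + NUL
ZIP_MAGIC = b"PK\x03\x04"   # JARs and APKs are ZIP containers

# Abridged copy of the dex2oat command line recorded in this run (arguments
# unrelated to the payload dropped).
DEX2OAT_LINE = ("/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
                "--dex-file=/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar "
                "--output-vdex-fd=48 --oat-fd=49 "
                "--oat-location=/data/user/0/com.tbus.dlqa.exsn/app_mjf/oat/x86/dz.odex "
                "--compiler-filter=quicken")


def classify_code_file(path):
    """Classify by content, not extension: 'dex', 'jar-with-dex', 'zip' or None."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == DEX_MAGIC:
        return "dex"
    if head == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(path) as z:
                has_dex = any(name.endswith(".dex") for name in z.namelist())
        except zipfile.BadZipFile:
            return None
        return "jar-with-dex" if has_dex else "zip"
    return None


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_loadable_code(data_dir):
    """List every DEX or DEX-carrying archive under a pulled app data directory.
    oat/ directories hold ART's compiled output derived from the payload and are skipped."""
    hits = []
    for root, dirs, files in os.walk(data_dir):
        dirs[:] = [d for d in dirs if d != "oat"]
        for name in files:
            full = os.path.join(root, name)
            kind = classify_code_file(full)
            if kind:
                rel = os.path.relpath(full, data_dir).replace(os.sep, "/")
                hits.append({"path": rel, "kind": kind, "sha256": sha256_file(full)})
    return sorted(hits, key=lambda h: h["path"])


def parse_dex2oat(cmdline):
    """Pull out the arguments that tie a dex2oat process to the payload it compiled."""
    wanted = {"--dex-file", "--oat-location", "--compiler-filter", "--instruction-set"}
    out = {}
    for tok in shlex.split(cmdline):
        key, sep, val = tok.partition("=")
        if sep and key in wanted:
            out[key.lstrip("-").replace("-", "_")] = val
    return out


def build_sample_data_dir():
    """Constructed stand-in for /data/user/0/<pkg>: a JAR carrying classes.dex,
    a raw DEX under an innocuous name, ART's oat/ output and a non-code cache file."""
    base = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(base, "app_mjf", "oat", "x86"))
    os.makedirs(os.path.join(base, "files"))
    fake_dex = b"dex\n035\x00" + b"\x00" * 64          # header magic only, not a valid DEX
    with zipfile.ZipFile(os.path.join(base, "app_mjf", "dz.jar"), "w") as z:
        z.writestr("classes.dex", fake_dex)
    with open(os.path.join(base, "app_mjf", "cache.bin"), "wb") as f:
        f.write(fake_dex)
    with open(os.path.join(base, "app_mjf", "oat", "x86", "dz.odex"), "wb") as f:
        f.write(b"oat\n" + b"\x00" * 16)
    with open(os.path.join(base, "files", "umeng_it.cache"), "wb") as f:
        f.write(b'{"note": "not code"}')
    return base


if __name__ == "__main__":
    for hit in find_loadable_code(build_sample_data_dir()):
        print(hit)
    print(parse_dex2oat(DEX2OAT_LINE))
```

Run it against `adb pull /data/user/0/com.tbus.dlqa.exsn` output from an instrumented device; on a stock build the directory is only readable as root or via a debuggable repack. Anything it lists that is not shipped in the APK is the second stage to decompile.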

Network

Country Destination Domain Proto
GB 216.58.213.3:443 tcp
GB 142.250.200.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
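The table mixes three kinds of rows: DNS lookups to 1.1.1.1, connections the sandbox tied to a resolved name, and bare IP connections (here Google ranges on 443, which the emulator image generates on its own). Reading it by hand across three runs is error-prone, so the script below, added here and not part of the report, parses rows in this layout, filters out platform-owned domains, and reports what matters for triage: names contacted over cleartext HTTP, names that were resolved but never connected to, lookalike pairs such as alog.umeng.co next to alog.umeng.com, and bare TCP endpoints. The embedded rows are a constructed subset of this run's table; the platform-noise suffix list is an assumption.

```python
from collections import defaultdict

# Constructed subset of this run's Network table, one row per line in the
# report's "Country Destination Domain Proto" layout; Domain is blank where
# the sandbox could not tie a connection to a DNS answer.
SAMPLE_ROWS = """\
GB 216.58.213.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

# Platform-owned suffixes: the emulator's own background traffic (assumed list).
PLATFORM_NOISE = ("google.com", "googleapis.com", "google-analytics.com")


def is_platform_noise(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_NOISE)


def parse_rows(text):
    """Parse the whitespace-delimited table; 3 tokens means the Domain column is empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # header or blank line
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    queried = set()                 # names looked up over DNS
    connected = defaultdict(set)    # name -> {(ip, port, proto)} actually contacted
    unlabeled = set()               # TCP endpoints with no name attached
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp" and r["domain"]:
            queried.add(r["domain"])
        elif r["domain"]:
            connected[r["domain"]].add((r["ip"], r["port"], r["proto"]))
        elif r["proto"] == "tcp":
            unlabeled.add((r["ip"], r["port"]))
    names = {d for d in queried | set(connected) if not is_platform_noise(d)}
    return {
        # contacted on port 80: device IDs, SDK telemetry and any payload are readable on the wire
        "cleartext_http": sorted(d for d in names if any(p == 80 for _, p, _ in connected.get(d, ()))),
        # resolved but never connected to: NXDOMAIN, dead host, or not correlated by the sandbox
        "dns_only": sorted(d for d in names if d not in connected),
        # one name is a prefix of another: truncated hostname in the SDK or a lookalike domain
        "lookalike_pairs": sorted((a, b) for a in names for b in names if a != b and b.startswith(a)),
        "unlabeled_tcp": sorted(unlabeled),
        "endpoints": {d: sorted(v) for d, v in connected.items() if d in names},
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(key, value)
```

dns_only is ambiguous on its own: an NXDOMAIN, a dead or sinkholed host, and a sandbox that did not correlate a later connection all look the same, so treat it as a list to resolve by hand. ip.taobao.com is Alibaba's public IP-geolocation endpoint and alog.umeng.com belongs to the Umeng analytics SDK (the umeng_it.cache and mobclick_agent files below are that SDK's state), both routine in Chinese-market apps; o.pmuro.com and c.ioate.com have no such explanation on this page and are the two names to pivot on.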

Files

/data/data/com.tbus.dlqa.exsn/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.tbus.dlqa.exsn/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 e68bc21b729ed4dc1a69a2a3ebd8eef5
SHA1 fc98fce8884d91d7bad06657a8d08f73eb220f8d
SHA256 8f7417cf866d38b6bd86a6b1c257a87213fc34cd61543756cb626da7a924e575
SHA512 c0b3d2a2cc6357dc65c597b6840c5f12a394f88389285887cb941c48cc9c30f4603540526d7315c5429e2d15fb7afa83652143b1275a457971447055f47d5fa4

/data/data/com.tbus.dlqa.exsn/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tbus.dlqa.exsn/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tbus.dlqa.exsn/databases/lezzd-wal

MD5 0b67fddf89d2a147e0724c6a43959832
SHA1 0da68c045a166127c5c09856b69824e57bb321d7
SHA256 3ab8c4236125d2d04657bcd915e80ebe0d8e17a451fb8c4857b13a712227906d
SHA512 9e51933a8e0a59f75bb32084709aa3e3778d5cae917e946dc95a76c69d690407dcfb5ba7eca250d952748fefe5027de85778ac52d624dadeb70a94d4959b1503

/data/data/com.tbus.dlqa.exsn/files/umeng_it.cache

MD5 5eacb1e83cc6c48d12b78620c9ab3bc8
SHA1 2695cbf42872d81f2f6df5c0208f0ce1fd904c11
SHA256 57ce6b52c331af2590686fac6bc85b44e4d5ec7caf6c95b05b673004f62bf2ba
SHA512 edc51b92eeeb180318005ed9c92401eac6563f31ed521ee02d6948c1f28e670688cdb54c42a0279f0edf276e1fac40ba8a7108f5491867ec5d2619efb4d5dbcc

/data/data/com.tbus.dlqa.exsn/files/.umeng/exchangeIdentity.json

MD5 dc413751349c663fc3af720fee259c76
SHA1 d8227fc717f8572783c8f98e2f17b6c4ba87f27f
SHA256 712a88bb6b9837ce114e3e3b8a6aa566b9194957a8fef88849a27b52242f55a7
SHA512 6650801c901c6b6a39d0de60d3d0837fe0deb501be68c6ef161b27f5649736124cbcf29edc0fbf4489cf8f71a6518984b73bb52c1084b4d837d2247289872c2b

/data/data/com.tbus.dlqa.exsn/app_mjf/oat/dz.jar.cur.prof

MD5 c746170de0dc9abcc72465e2f5085b89
SHA1 8615d386a7e3eb166b35464aff5b8222560b1f2d
SHA256 7a3cdcbe83cfc75f33557bc763ccc66e5803483c42e2b6b7bec0c278aa65ab9c
SHA512 07c209566b875690987b21f097a1fa287e55995bd2d2215373c54f1eed44bd8014f3e63dd17129ab18a592a33fdc02a970d38699dab63dacfabcf415a6dcfac9

/data/data/com.tbus.dlqa.exsn/files/.um/um_cache_1716319513371.env

MD5 f1e22ec24dbe7a64c8e42277a408ad42
SHA1 0343a06e0cb9877d7297f2e9e91aa3a1b8bcfbbb
SHA256 31e96aaf958d16a3275970b98694fd731f5cfc67319b0fbe0d923d71bb7ec487
SHA512 7013bda79dcef0bdfb5d01a3b9dcd89b82d53f93f8864cbaecb837e8c71690877f00ba68d1e83fc9ae1f9557cb34523f6d222b629fe09da819942665833608d3

/data/data/com.tbus.dlqa.exsn/files/mobclick_agent_cached_com.tbus.dlqa.exsn1

MD5 20bb9cd16a85a3bb6f3e38b575085e97
SHA1 de50f5fdf2877b950783e391fd92e0044c67ddbe
SHA256 76cf46ee32c4b1b59c625b96409a1e1634c3af4f70b5cbf7c8aa629c460b78b6
SHA512 77544680d498c7fd2debafa2cd12bf161434bcb5e9c3566cdfd9433425f215ac2603c60b3f7fa0ccae68bbcd9c23144f247783059840b4fd5270dcc31a06be65

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 19:23

Reported

2024-05-21 19:26

Platform

android-x64-20240514-en

Max time kernel

178s

Max time network

182s

Command Line

com.tbus.dlqa.exsn

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
No indicator details recorded (Description, Indicator, Process and Target all N/A).

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Processes

com.tbus.dlqa.exsn

com.tbus.dlqa.exsn:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
GB 172.217.169.14:443 tcp
GB 172.217.16.226:443 tcp
CN 59.82.121.73:80 ip.taobao.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.tbus.dlqa.exsn/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.tbus.dlqa.exsn/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 b02f5d998229f5b0e76f94f271ee1cdc
SHA1 c988f2f08e950e1e6cd6870584d2d45f5e223916
SHA256 26cf0056ce63553b86daacbc86427b9572687f4bfc012b39f8124938fc6523ad
SHA512 d1dd72b1d30516f649241d4acb31f77d34ac589239457a15eeb2330da687b5bb0c5a30e472ad1a0366b528d541f425554881812a5b82567c0ec68e78215ac0d5

/data/data/com.tbus.dlqa.exsn/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 75d451bcc1fe33199c20be4d90984d42
SHA1 a0e18d94f9e365ec38e6d54723bd49d2d700fc68
SHA256 a6bae04ff8e70ecb1655558edb4eade22d772429088d25934d6041b9178b233c
SHA512 8ff02fe60153dd3a011ddaf22d58891053c7ead5a3026e0f03c82e343a818c8296bb1eb96f9bdc027f20013f6e77fd44d3f7ad9cd09bed6010af3e16e6634e92

/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 e117758b77a69b369096d05d36cc33dd
SHA1 6839f5312e9b143da1f342b6eb5520e02ec0a853
SHA256 a12e9534eebc9cdda3f29032c270497a48de9ab08f13b258eda1d32afe80f237
SHA512 0105cb83a81124cb4afac328a9f3f138680f31c38757b2d5a5d7d4efc64456ec090258ed85b06501f6ecc0b2333c6833e9a3697881ca394b0256e79d9c2b5d87

/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 63b706b5f8208919258941f854a355ba
SHA1 ecd722eb17fe5d0c20a08415e02ef62474f6814b
SHA256 770697cf02ca34e914c412162c8e86a74fc236401981622d6e9a47a6edb56a1d
SHA512 586440244e848d9c0e3dff8e61fd5c59afba7d642c2697adae8ca6efdec0bd60ddd9dd54d5969f8f92933ce54a082a99006fb383e1f627b93ed74273e3a6f17a

/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 1752279dbf86c144e0bacd0c3f217d0b
SHA1 510b615465308aeb933f09a776f33d7bd6cc21c7
SHA256 589738bd365f4e3f06408f4d5b1d88d8b7355463b96e48fe7300e08ff001b3e1
SHA512 446ce70c51cb6075e6dccfbd0b8c718a26a7b4a8a659a89275afa3638908c791373d65b71e409aa394f5e5bb87d689ad162a54c52e531506d4a295ef6ba49570

/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 ea3899f9b4526cd0c3f1616ff6726ff1
SHA1 3136ce626f1ddea6851aa02840cbae8243367615
SHA256 e358925a30dec6743dbe177e2d02bd76729e2ea6cf61ac01c407614d3d13ea4e
SHA512 cb40df53689f41c599d0c2f4d495ef44b11a498cd7a72895107f10f397c3f8c780971dc2079bdd8933b083d53f995b83935df0c610826c762a23a3984aaa1e35

/data/data/com.tbus.dlqa.exsn/files/umeng_it.cache

MD5 099dfeb47289057bac679bbed1a0b745
SHA1 4372c7845e7406939f2a6c622230e0670882e150
SHA256 73b5f6274bb3ed4afc0b21370d23cad4e87b789bd50bdcfc6d5d9c16d634915e
SHA512 70e0401f1860d3b5074f380cd165c3dc8809e2979e940fb64675b23bde8d086fa3040ac51446fcd16e45b7d2b340a696b990e22c5eb94291bec43c28e2fe6a12

/data/data/com.tbus.dlqa.exsn/files/.umeng/exchangeIdentity.json

MD5 1cf2bbfe71e5c931b4943a505a9e238d
SHA1 83fa1938dad562dfb4e3d86df26ddc4ba2f58350
SHA256 693095c210b1077becb9c89d5b8ed7c6289864fc60aad90de4951dea4d5fa39b
SHA512 336c34b1d1b3bfe6175999bae3a01bd8bf662ab9215ad051f22e4878f20beff3fb875c117281046679e138c92b0422bf65681928481131396f6689dfddf01215

/data/data/com.tbus.dlqa.exsn/files/.imprint

MD5 3997c523ca234c08afda9d988fa167fd
SHA1 de2d384bbfe5af4ba818e7c0a25a682f1d8dcb25
SHA256 eb550e922b9ba26be125df82286e8735759c088b61ca55179b1fc8b0215c42af
SHA512 01990b1a787d09c3730ed6ecbc50903bb07f3cfbda4bd2e6735200ecf7c780e97c7cb75a66d1a3564ebb19037286481c09f6802fa5c5fb8b195621577b22ef77

/data/data/com.tbus.dlqa.exsn/files/umeng_it.cache

MD5 87658b08d9c74fc08f52fdff46ae6795
SHA1 ef035bb9cc69ac4c630816c511b09e33199d6999
SHA256 a5b5b5d0702874710172a330fd3b56735da49976e54dbe7bc5faee9cd6e9b67c
SHA512 7075a7e1ca209b5597ea34d61181d0864d92688af1d76a19bdccf91c70e3d37f121a457624315f0d9ed103645a0c7cc1ad8571cf86659d3497959e2c178ffad1

/data/data/com.tbus.dlqa.exsn/files/.umeng/exchangeIdentity.json

MD5 ffd1dbca7e45305fd6c94b80cbde9b95
SHA1 d4a4916d065add034e812b67882b3b012579ebf3
SHA256 74ea0cb6935bf78fa4a82c87e61adf085028d6f2818fe4ddca5c796441696f1b
SHA512 15507ef06e73443119f1b6779da2b6ba42c020770252740e44c8bf22c481cdab28b8f4c57c1daea45fe457c394ba6221db952b4c26c630678482f1144884a4ab

/data/data/com.tbus.dlqa.exsn/app_mjf/oat/dz.jar.cur.prof

MD5 a87dc1222e6546c25bd22b812f178fe6
SHA1 a7ff038b70956810393286e7548b0520db8b0fec
SHA256 6c57fb585b9619a0b77b41356f48ffe452d24bc8824eb273facb7952e208997f
SHA512 4fd4fc5fb5cad953ac9e1240526c3ad3f864d197b08bf98713b70992ba1d5def64aa3d104786fd16828cb5e064cd931893c11189b4f8d82bc701d01a62bb4d1d

/data/data/com.tbus.dlqa.exsn/files/.um/um_cache_1716319573074.env

MD5 396a8d64129ba41f25a60be21faa2367
SHA1 13f7bc4e8996ba765ede26c7e5cea47e1f763c1f
SHA256 a52c53a92c9a7cdfd2e9725378a5be79f459377acdc55ee5f99d90b3487326d8
SHA512 f2cd873d49e3d1ec7182822a01d157e062a01f03b76ec64cd56d928759cecc7dcfe65c4a56b98035a6ac1b632d90621252ed4e2baca273372adcb7d798f324c4

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 19:23

Reported

2024-05-21 19:26

Platform

android-x64-arm64-20240514-en

Max time kernel

178s

Max time network

133s

Command Line

com.tbus.dlqa.exsn

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
No indicator details recorded (Description, Indicator, Process and Target all N/A).

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Processes

com.tbus.dlqa.exsn

com.tbus.dlqa.exsn:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.140:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.140:80 ip.taobao.com tcp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 59.82.122.140:80 ip.taobao.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
CN 59.82.122.140:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.140:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.140:80 ip.taobao.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp

Files

/data/user/0/com.tbus.dlqa.exsn/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.tbus.dlqa.exsn/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 c19d3c9232b33a48c8d9fbbe812ad31e
SHA1 cfd7124aa353971e1523736f8361e44d57613c9c
SHA256 a44ddd12f68fb163bfe7a3b13790b1d3020207e95af279067302669c7819e5a6
SHA512 d801f6085284b9f7a48891b95d39f793d3a4adb48252b35b71b4fe538097bb3e49f759fe796da3ed2899486417a9a78f6624ee5c0b82c87d88669943f5785c76

/data/user/0/com.tbus.dlqa.exsn/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 1868c343ae72df78328d650d938fb84c
SHA1 e739a036ff0a476d4b12ddd6bf4f4200f521571d
SHA256 89de1c874bd7c7ae70bf739b7a21160885394b4c0283b82d321ca919cbed933e
SHA512 b53757a46bd09b110640c2e5df9621a560f89203fc74f69983def998c022fcd582b5f62b0fccd8d80638b415e9ac9409b55390f6689a4e97c442042737410394

/data/user/0/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 bf9db24c89a30159977787e09b91ee09
SHA1 734e7e223741fad82078c2b3182cca2ee20247e8
SHA256 7ed4e38e6c6644f0d6abfa3e5758a2d57a5ce5a8f08d9859bd239b9c6feef2cc
SHA512 3130fdaf09e48bf56469cfd86a87fab4237bb9164c520ffe8bd33d1cf6d779d1aead33258b1bd3d2ca730efc318f861c4e9e7551063d495bb4ef2f0028a213d9

/data/user/0/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 417dc019e3c623c50b9b6a6347f005d9
SHA1 0bfdf650ae20bf3cbf491d99dc2f7534349f29dc
SHA256 18b6951a6199271dd48ae0ed11a002999629b385a7f506272bdc7278dad4fd24
SHA512 97d3548ff6ad33ef5543fdde62afebe70bcc57f156be31dcad611a4e9cf36363e9d856678f88c47976dd38904c4466d118a2da35ad6f69123d327ea76913b886

/data/user/0/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 23182f7f62217a0bf4f76e247b27321d
SHA1 742346a721b105e0a920ac8d4935e4b6b3a76084
SHA256 a67cdbdcecd046a15210d1bf632c5890d134e8d8851aed9b37f7701edd3a56b1
SHA512 bb4eb56fa62b39257eb25da566c6eb994ade132f0562ff83a715ef18cf85c70855b5defb6eb19651572869a28aa86d4e4332801b1ffffe8a2f6fbdd78f8d9bc4

/data/user/0/com.tbus.dlqa.exsn/databases/lezzd-journal

MD5 ee30640f3cfb36a1beff24484eb5ced8
SHA1 7272ef075c16c45b5d2acbfbb8aa7db1aa7d3d4c
SHA256 8205ab75f5628e7b4498da675d4b938e046b9fe9bc2ab834f727e558fc715551
SHA512 8333996593764743a6c81624c728d139d60be85d2ef7fd91c600647c86e7cdc4214cf23b48e8de6506c26f7c9a4bee0771bcc70d8833ed9bbbfe1fc1e4b8e248

/data/user/0/com.tbus.dlqa.exsn/files/umeng_it.cache

MD5 4e4da0a3dd785f4b412f1ec2b33a694e
SHA1 0c9c1abe01c88501b2fe3c94a9c3d08802c2b43f
SHA256 a3f1203598acb84369280a26910015524b243d74f850ae0b04df95e665ab98b9
SHA512 a698b234fcda91d0d5d3df99614561933f4e7afc5410a1733d26e1cf75e62aa6d9468c29c003fdf8540232410e9518b4a2b8e36d0e05f182819de6d47ad52b2b

/data/user/0/com.tbus.dlqa.exsn/files/.umeng/exchangeIdentity.json

MD5 741f9ae45557b049e300ca022c8483fe
SHA1 27f538c8645a23674163b79fe1ebfe585e2e9576
SHA256 f9da773e7f109db1bb387990a231acfb439209be6148d7d64893e2749b99cb70
SHA512 744ff479243ef770e4d2b247007ca1474e498ee8b03337832dae91990a494d854caabf164176c74f9524fdd93f4e1afe17065a190eb88ca733388f6dab20c6b8

/data/user/0/com.tbus.dlqa.exsn/files/.um/um_cache_1716319513428.env

MD5 1907967357fb792452d9f26b1a2e801e
SHA1 ad53c188a47fe336736652bed0c47882a29698bf
SHA256 e71cff27c50dff7ec8ddd60258cf458bbd60991504a758da6030e6d763c0caba
SHA512 36093ac3e0cf82466a03b28b1d3d13d4914266702540542382f0605785b36629ff5eb56a33100ad8de7c43320ae5dd2c6fac432cfa8315e23dfb7a19df781492

/data/user/0/com.tbus.dlqa.exsn/files/.imprint

MD5 55f850c92ba44256686f8c9af7c94a39
SHA1 79a40db01b84f2558af64ec1e427172095cd79bc
SHA256 42f8b7088ef3089c5e6f75e5a34ca6ad822d3ff90611555b6a5270ef25e9622b
SHA512 0473e966a8ae37399f31ca61fb37c877b776a1bdd96ed19a8987f402b766912ed8eda8d0f188105f4c95ed63d654b3410eb5f26a55ae82263917f9680945207b

/data/user/0/com.tbus.dlqa.exsn/files/mobclick_agent_cached_com.tbus.dlqa.exsn1

MD5 ffdc39fd132f4272fd84a046c1623577
SHA1 153777e8e30f2081e06a3d3dfb6150b28f137e47
SHA256 f83cbd35c4a490c8189b44c7489a5ce9f79f4cd4240bbb426076dfef63ff0e66
SHA512 d3f9c2130af0b32509122ebfd4cf5a423ad4b599d90bbf980a7c7b7c3e0a986bcfb53dd4e794e4466761d333da626f2cb36dba0e87dc4f4dd3dd43b0954af2b0
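Across the three runs the same three payload files (tdz.jar, ddz.jar, dz.jar) carry identical hashes, while the SQLite journals, the Umeng caches and the .imprint files differ every time, and behavioral1 records dz.jar twice with two different SHA256 values, so the file was rewritten during that run. Comparing file lists across runs is the quickest way to separate dropped code from runtime state. The script below is an added example, not report content: it parses Files sections in the layout used above (a path line followed by hash lines), treats /data/data/<pkg>/ and /data/user/0/<pkg>/ as the same directory (the former is a symlink to the latter), and sorts every path into stable, volatile or partial. The embedded sections are abridged copies of the three above.

```python
import re
from collections import defaultdict

# /data/data/<pkg>/ is a symlink to /data/user/0/<pkg>/; both prefixes name the
# same package-private directory, so strip either to get a package-relative path.
APP_DIR_RE = re.compile(r"^/data/(?:data|user/0)/[^/]+/")

# Abridged copies of the three Files sections above in the report's own layout
# (path line, then hash lines). Only the SHA256 lines are kept; the parser ignores
# MD5/SHA1/SHA512 and blank lines, so the full sections parse the same way.
RUN1 = """\
/data/data/com.tbus.dlqa.exsn/app_mjf/tdz.jar
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal
SHA256 8f7417cf866d38b6bd86a6b1c257a87213fc34cd61543756cb626da7a924e575
"""
RUN2 = """\
/data/data/com.tbus.dlqa.exsn/app_mjf/tdz.jar
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
/data/data/com.tbus.dlqa.exsn/databases/lezzd-journal
SHA256 26cf0056ce63553b86daacbc86427b9572687f4bfc012b39f8124938fc6523ad
/data/data/com.tbus.dlqa.exsn/files/.imprint
SHA256 eb550e922b9ba26be125df82286e8735759c088b61ca55179b1fc8b0215c42af
"""
RUN3 = """\
/data/user/0/com.tbus.dlqa.exsn/app_mjf/tdz.jar
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
/data/user/0/com.tbus.dlqa.exsn/app_mjf/dz.jar
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
/data/user/0/com.tbus.dlqa.exsn/databases/lezzd-journal
SHA256 a44ddd12f68fb163bfe7a3b13790b1d3020207e95af279067302669c7819e5a6
/data/user/0/com.tbus.dlqa.exsn/files/.imprint
SHA256 42f8b7088ef3089c5e6f75e5a34ca6ad822d3ff90611555b6a5270ef25e9622b
"""


def parse_files_section(text):
    """Return (package-relative path, sha256) pairs from a report Files section."""
    pairs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/data/"):
            current = APP_DIR_RE.sub("", line, count=1)
        elif line.startswith("SHA256 ") and current:
            pairs.append((current, line.split()[1].lower()))
    return pairs


def classify_across_runs(runs):
    """runs: {run_name: files_section_text}.
    stable   -> seen in every run with one SHA256 common to all of them (dropped code)
    volatile -> seen in every run but with no hash in common (runtime state)
    partial  -> seen in some runs only"""
    table = defaultdict(lambda: defaultdict(set))
    for run, text in runs.items():
        for path, digest in parse_files_section(text):
            table[path][run].add(digest)      # a set: a path may be rewritten within one run
    stable, volatile, partial = {}, [], []
    for path in sorted(table):
        per_run = table[path]
        if set(per_run) != set(runs):
            partial.append(path)
            continue
        common = set.intersection(*per_run.values())
        if common:
            stable[path] = min(common)
        else:
            volatile.append(path)
    return stable, volatile, partial


if __name__ == "__main__":
    stable, volatile, partial = classify_across_runs(
        {"behavioral1": RUN1, "behavioral2": RUN2, "behavioral3": RUN3})
    print("stable:", stable)
    print("volatile:", volatile)
    print("partial:", partial)
```

The stable set is what to hash-hunt for on other samples and to feed into the detonation of the second stage; the volatile set is SQLite and SDK state and is noise for matching. The second dz.jar hash in behavioral1 stays visible in the per-run table if you need to ask why the payload was rewritten on that platform and not on the other two.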