Malware Analysis Report

2025-01-19 06:58

Sample ID: 240522-bjkm2sfe88
Target: 65788ec9c2255139f7b64d9e8630b6c8_JaffaCakes118
SHA256: 6f38da6bb5b0a7b0ef8996aa69f865dd49b7fc21d9e6f9b3c229ad088765fd1a
Tags: banker collection discovery evasion impact persistence credential_access
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 6f38da6bb5b0a7b0ef8996aa69f865dd49b7fc21d9e6f9b3c229ad088765fd1a

Threat Level: Likely malicious

The file 65788ec9c2255139f7b64d9e8630b6c8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence credential_access

Checks if the Android device is rooted

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Queries information about running processes on the device

Queries the mobile country code (MCC)

Obtains sensitive information copied to the device clipboard

Checks CPU information

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

Reads information about phone network operator

Declares services with permission to bind to the system

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-22 01:10

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-22 01:10

Reported: 2024-05-22 01:13

Platform: android-x86-arm-20240514-en

Max time kernel: 166s

Max time network: 181s

Command Line

com.gau.go.launcherex.gowidget.weatherwidget

Signatures

Checks if the Android device is rooted

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A (2 occurrences)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.gau.go.launcherex.gowidget.weatherwidget/cache/1582435991586.jar | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A (4 occurrences)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A (4 occurrences)

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A (2 occurrences)

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A (3 occurrences)

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A (2 occurrences)

Processes

com.gau.go.launcherex.gowidget.weatherwidget

com.gau.go.launcherex.gowidget.weatherwidget:pushservice

com.gau.go.launcherex.gowidget.weatherwidget:com.jiubang.commerce.service.I

com.gau.go.launcherex.gowidget.weatherwidget:AppWidgetService

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-22 01:10

Reported: 2024-05-22 01:13

Platform: android-x64-20240514-en

Max time kernel: 171s

Max time network: 186s

Command Line

com.gau.go.launcherex.gowidget.weatherwidget

Signatures

Checks if the Android device is rooted

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A (3 occurrences)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.gau.go.launcherex.gowidget.weatherwidget/cache/1582435991586.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A (2 occurrences)

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A (5 occurrences)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A (5 occurrences)

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A (3 occurrences)

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A (4 occurrences)

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A (3 occurrences)

Processes

com.gau.go.launcherex.gowidget.weatherwidget

com.gau.go.launcherex.gowidget.weatherwidget:pushservice

com.gau.go.launcherex.gowidget.weatherwidget:com.jiubang.commerce.service.IntelligentPreloadService

com.gau.go.launcherex.gowidget.weatherwidget:AppWidgetService

com.gau.go.launcherex.gowidget.weatherwidget:pushservice

Network


Files
