Malware Analysis Report

2025-01-19 06:58

Sample ID 240522-cww3aahe7v
Target 65aef2f5f4dc2f9ef5715998349b97c6_JaffaCakes118
SHA256 850d1fb8e6a4bdfac25ad7201cd87387a6997cc92ddbfc5ebf926eb14a5dc2e9
Tags
banker discovery evasion impact persistence collection credential_access
score
8/10

Table of Contents

Analysis Overview
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral3, behavioral7, behavioral9, behavioral10, behavioral11, behavioral2, behavioral4, behavioral5, behavioral6, behavioral8 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

850d1fb8e6a4bdfac25ad7201cd87387a6997cc92ddbfc5ebf926eb14a5dc2e9

Threat Level: Likely malicious

The file 65aef2f5f4dc2f9ef5715998349b97c6_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Obtains sensitive information copied to the device clipboard

Checks known Qemu files.

Checks memory information

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks known Qemu pipes.

Reads information about phone network operator.

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-22 02:26

Signatures

Requests dangerous framework permissions

Indicator                                  Description
android.permission.READ_PHONE_STATE        Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. (listed three times in this report)
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE   Allows an application to read from external storage.
android.permission.ACCESS_FINE_LOCATION    Allows an app to access precise location.
android.permission.SYSTEM_ALERT_WINDOW     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.RECORD_AUDIO            Allows an application to record audio.
android.permission.SEND_SMS                Allows an application to send SMS messages.
android.permission.WRITE_SETTINGS          Allows an application to read or write the system settings.
android.permission.CALL_PHONE              Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
Process and Target: N/A for every entry (static analysis).

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:29

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

175s

Command Line

com.fyjx.qipa

Signatures

Checks if the Android device is rooted.

evasion
Description  Indicator        Process  Target  Count
N/A          /system/bin/su   N/A      N/A     2
N/A          /system/xbin/su  N/A      N/A     2

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description           Indicator      Process  Target  Count
File opened for read  /proc/cpuinfo  N/A      N/A     10

Checks known Qemu files.

evasion
Description  Indicator        Process  Target  Count
N/A          /sys/qemu_trace  N/A      N/A     2

Checks known Qemu pipes.

evasion
Description  Indicator          Process  Target  Count
N/A          /dev/socket/qemud  N/A      N/A     2

Checks memory information

evasion discovery
Description           Indicator      Process  Target  Count
File opened for read  /proc/meminfo  N/A      N/A     2

Loads dropped Dex/Jar

evasion
Description  Indicator                                       Process  Target  Count
N/A          /data/user/0/com.fyjx.qipa/app_libs/update.jar  N/A      N/A     2
N/A          /storage/emulated/0/Sonnenblume/res.apk         N/A      N/A     2
N/A          /data/user/0/com.fyjx.qipa/app_libs/core.jar    N/A      N/A     1

Queries information about the current Wi-Fi connection

discovery
Description             Indicator                                        Process  Target  Count
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A     2

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                      Process  Target  Count
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A     2

Checks if the internet connection is available

discovery
Description             Indicator                                             Process  Target  Count
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A     2

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
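The root checks (/system/bin/su, /system/xbin/su), the QEMU file and pipe checks, the /proc/cpuinfo and /proc/meminfo reads and the dropped update.jar/core.jar loads listed above all leave recognisable strings in the code that performs them. The script below is an added example written for this page, not part of the sandbox report and not code from the sample: it identifies a pulled artifact by its magic bytes, walks one level of JAR/APK nesting (the res.apk -> update.jar/core.jar chain seen in the Files section), and reports which of the report's signature categories the embedded strings would trigger. The indicator list, the category names and the in-memory sample built by build_sample() are assumptions made for the example; the real dropped files are not reproduced.

```python
"""Triage a dropped Android payload: identify it by magic bytes, pull out
every DEX it carries (one level of JAR/APK nesting, as in res.apk ->
update.jar / core.jar) and report which sandbox-style signature categories
its embedded strings would trigger."""
import io
import zipfile

DEX_MAGIC = b"dex\n"       # "dex\n035\0", "dex\n039\0", ...
ZIP_MAGIC = b"PK\x03\x04"  # APK / JAR container
ELF_MAGIC = b"\x7fELF"     # native library, e.g. libsubstrate.so

# Assumption: indicator strings per signature category. The paths are the ones
# the report lists plus a few common variants; extend from your own samples.
INDICATORS = {
    "root_check": [b"/system/bin/su", b"/system/xbin/su", b"/sbin/su"],
    "qemu_check": [b"/sys/qemu_trace", b"/dev/socket/qemud", b"/dev/qemu_pipe"],
    "hw_probe": [b"/proc/cpuinfo", b"/proc/meminfo", b"/sys/block/mmcblk0/device/cid"],
    "dynamic_loading": [b"dalvik/system/DexClassLoader",
                        b"dalvik/system/InMemoryDexClassLoader",
                        b"dalvik/system/PathClassLoader"],
    "clipboard": [b"addPrimaryClipChangedListener", b"OnPrimaryClipChangedListener"],
}


def identify(blob: bytes) -> str:
    """Classify a blob by its magic bytes: dex, zip (APK/JAR), elf or unknown."""
    if blob.startswith(DEX_MAGIC):
        return "dex"
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    if blob.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def dex_members(blob: bytes, depth: int = 0) -> list:
    """Return (name, bytes) for every DEX reachable from blob.

    A raw DEX is returned as-is; a ZIP yields its *.dex members and, at the
    top level only, opens members that are themselves ZIPs (a JAR/APK shipped
    as an asset) one level deeper. Anything else contributes nothing.
    """
    kind = identify(blob)
    if kind == "dex":
        return [("<raw>", blob)]
    if kind != "zip":
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if info.filename.endswith(".dex"):
                found.append((info.filename, data))
            elif depth == 0 and identify(data) == "zip":
                found.extend((info.filename + "!" + n, d) for n, d in dex_members(data, 1))
    return found


def scan(blob: bytes) -> dict:
    """Map a blob to the signature categories its DEX strings would fire.

    DEX string_data_items are MUTF-8 with a ULEB128 length prefix, so a plain
    substring search over the raw bytes finds path and descriptor strings.
    """
    members = dex_members(blob)
    hits = {}
    for _, data in members:
        for tag, needles in INDICATORS.items():
            for needle in needles:
                if needle in data:
                    hits.setdefault(tag, set()).add(needle.decode())
    return {
        "type": identify(blob),
        "dex_members": [name for name, _ in members],
        "indicators": {tag: sorted(found) for tag, found in sorted(hits.items())},
    }


def build_sample() -> bytes:
    """Constructed test input, not a real dropped file: an APK-shaped ZIP whose
    own classes.dex probes /proc/cpuinfo and which carries assets/update.jar,
    a JAR whose classes.dex holds the report's root/QEMU/clipboard strings."""
    def fake_dex(strings):
        # Only the magic is needed by identify(); the rest is filler + strings.
        return b"dex\n035\x00" + b"\x00" * 0x68 + b"\x00".join(strings) + b"\x00"

    def zip_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()

    inner_jar = zip_bytes({"classes.dex": fake_dex([
        b"/system/xbin/su", b"/dev/socket/qemud", b"/sys/qemu_trace",
        b"Ldalvik/system/DexClassLoader;", b"addPrimaryClipChangedListener"])})
    return zip_bytes({
        "AndroidManifest.xml": b"<binary xml placeholder>",
        "classes.dex": fake_dex([b"/proc/cpuinfo", b"Ldalvik/system/DexClassLoader;"]),
        "assets/update.jar": inner_jar,
    })


if __name__ == "__main__":
    import json
    print(json.dumps(scan(build_sample()), indent=2))
```

Run scan() over each file pulled from the detonation (res.apk, update.jar, core.jar) rather than over the original APK alone: in this report the emulator and root probes may live in the dropped stage rather than in the installer, and a string hit only tells you the check is present, not that it is reached.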

Processes

com.fyjx.qipa

cat /sys/block/mmcblk0/device/cid

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.fyjx.qipa/app_libs/update.jar --output-vdex-fd=93 --oat-fd=95 --oat-location=/data/user/0/com.fyjx.qipa/app_libs/oat/x86/update.odex --compiler-filter=quicken --class-loader-context=&

com.snowfish.a.a.bg

/system/bin/cat /proc/cpuinfo (spawned 8 times)

Network

Country  Destination          Domain                   Proto
GB       142.250.200.42:443   -                        tcp
N/A      224.0.0.251:5353     -                        udp
US       1.1.1.1:53           www.google.com           udp
GB       142.250.179.228:443  www.google.com           tcp
GB       142.250.187.206:443  -                        tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       142.250.187.238:443  android.apis.google.com  tcp
US       1.1.1.1:53           service.1sdk.cn          udp
CN       47.100.198.247:80    service.1sdk.cn          tcp
US       1.1.1.1:53           u.3733.com               udp
CN       101.133.195.68:80    u.3733.com               tcp
US       1.1.1.1:53           zll.7pa.com              udp
US       1.1.1.1:53           zll.7pa.com              udp
US       1.1.1.1:53           s3a.abusi.net            udp
US       1.1.1.1:53           log.tbs.qq.com           udp
HK       129.226.107.80:80    log.tbs.qq.com           tcp
US       1.1.1.1:53           sdk.gmbanshouyou.com     udp
CN       45.117.11.68:81      sdk.gmbanshouyou.com     tcp
US       1.1.1.1:53           s3a.gg51mm.com           udp
CN       39.108.76.150:80     service.1sdk.cn          tcp
CN       47.100.198.247:80    service.1sdk.cn          tcp
CN       39.108.76.150:80     service.1sdk.cn          tcp
CN       47.100.198.247:80    service.1sdk.cn          tcp
CN       39.108.76.150:80     service.1sdk.cn          tcp
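A Network table like the one above mixes three kinds of rows: the sandbox's own DNS resolver, the emulator's Google/Android check-ins, and connections the sample itself made. The script below is an added example for this page, not part of the report: it parses the rows, drops resolver, mDNS and platform traffic, and produces a per-domain IOC list plus the domains that were only ever looked up and never connected to. The rows are copied from the behavioral1 table (with the trailing repeats of service.1sdk.cn omitted); the resolver set and the platform-domain suffix list are assumptions about this sandbox environment and must be adjusted for yours.

```python
"""Turn a sandbox 'Network' table into an IOC list, separating traffic the
sample generated from resolver, mDNS and Android-platform noise."""
from collections import defaultdict

# Rows copied from the behavioral1 Network table (Country, Destination,
# optional Domain, Proto). A "-" in the Domain column is treated as empty.
REPORT_ROWS = """\
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 service.1sdk.cn udp
CN 47.100.198.247:80 service.1sdk.cn tcp
US 1.1.1.1:53 u.3733.com udp
CN 101.133.195.68:80 u.3733.com tcp
US 1.1.1.1:53 zll.7pa.com udp
US 1.1.1.1:53 zll.7pa.com udp
US 1.1.1.1:53 s3a.abusi.net udp
US 1.1.1.1:53 log.tbs.qq.com udp
HK 129.226.107.80:80 log.tbs.qq.com tcp
US 1.1.1.1:53 sdk.gmbanshouyou.com udp
CN 45.117.11.68:81 sdk.gmbanshouyou.com tcp
US 1.1.1.1:53 s3a.gg51mm.com udp
CN 39.108.76.150:80 service.1sdk.cn tcp
CN 47.100.198.247:80 service.1sdk.cn tcp
CN 39.108.76.150:80 service.1sdk.cn tcp
"""

# Assumption: the sandbox resolver and the emulator's Google/Android check-ins
# are environment noise, not sample behaviour. Tune for your own sandbox.
RESOLVERS = {"1.1.1.1"}
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com", "android.com")


def parse_rows(text: str) -> list:
    """Parse 'Country Destination [Domain] Proto' lines into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_platform(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def triage(text: str) -> dict:
    queried, connected = set(), defaultdict(set)
    noise, ip_only = [], set()
    for r in parse_rows(text):
        if r["ip"] in RESOLVERS and r["port"] == 53:   # DNS query: record the name only
            if r["domain"]:
                queried.add(r["domain"])
            continue
        if r["ip"].startswith("224.0.0."):               # link-local multicast (mDNS)
            noise.append(r)
            continue
        if r["domain"] is None:                          # no name in the row: cannot attribute
            ip_only.add(r["ip"])
            continue
        if is_platform(r["domain"]):
            noise.append(r)
            continue
        connected[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    sample_domains = {d for d in queried if not is_platform(d)}
    return {
        "connected": {d: sorted(v) for d, v in connected.items()},
        "dns_only": sorted(sample_domains - set(connected)),
        "ip_only": sorted(ip_only),
        "noise_rows": len(noise),
        "blocklist": sorted(sample_domains | set(connected)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_ROWS), indent=2))
```

The dns_only set (zll.7pa.com, s3a.abusi.net, s3a.gg51mm.com) is worth keeping: a name that is resolved but never contacted in a 175-second run may be a fallback or a stage that was gated behind one of the evasion checks. The blocklist still needs an analyst's pass; log.tbs.qq.com, for instance, is consistent with the Tencent TBS SDK that also writes the tbslog.txt file in the Files section and is SDK telemetry rather than a command-and-control host.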

Files

/storage/emulated/0/Android/data/com.fyjx.qipa/files/tbslog/tbslog.txt

MD5 cc8f14f0b48e6abdba1a912ea1eabaaf
SHA1 9fc400216a0ef1465937282c7ec01ab9ba6c86d6
SHA256 80ffcf6ae07aacdee133b6b2c254866cd7190b455727d5d78854857ec17ef895
SHA512 9ce66f567d6bc3ae8fe2f7e6407f14ad9b67834b98cbde1a844f32b46dd1007bb63356906518f3576e04b4dc8a230dbeabfe559320e3868b76aefff7715b56f6

/data/data/com.fyjx.qipa/app_libs/update.jar

MD5 3eea0fcda4a513b99cedf31c7452aaf8
SHA1 071da147eacf17f1c10fc6362ac43839ee96d5a2
SHA256 2a9b79160a4eae5fea2e7fbd3e0498eae8af9d0e8d784b18ac81c3468da6e0a6
SHA512 12a20677a8f36778ceeead1e35a9a20dce8ecc9999803db2e3e40312b74847ccc9efbc649b4949dae38520287b7a01bd50c81dbf9fe1db8fb7e9ecd070801880

/data/data/com.fyjx.qipa/app_libs/core.jar

MD5 8ffe69e9aeee7b0917c4990dfe3bb49f
SHA1 a058f735a46fd9a4424f4d96d31c2bf5d0fa6e9f
SHA256 a4f2010123d6cd77170de49c9a6a3d734f9352908a40087d59c888f8923b185e
SHA512 648d54f12a903fca0157665e7d50396577eafcff2f26024c44753c2bf3d32a2111c0ea908bab3cc7c0053afb748897b0abb4160a5ff07b4761b7e0ea9204ad34

/data/user/0/com.fyjx.qipa/app_libs/update.jar

MD5 a052cf31f70cab7dc772b4c59911d43e
SHA1 08a2a8dd43484ac2adf0eb2681d57c2173360d6f
SHA256 f5f594fcb6fe90cad0632fbf30f8fe7fbf9a87f06dca9e00208e6eb85c778747
SHA512 80fe152fe391ca50f026b6144b364bfa889d4e85801a836b8641ddfe7e9ffe435796dc40e6314a05da0a1e9df781c09c681a88d32a9b0541e93b4e67f2dbd8a2

/storage/emulated/0/Sonnenblume/res.apk.u

MD5 31427eb2b18460d88d0d5c2d779921af
SHA1 05cb1f41ceae9e4198a1d8651eb217b362524096
SHA256 34f49f8a001f371b34b052ccf5ebc3dcf564d5280d1cc156605345366bd14fe2
SHA512 0bbede990157ee68d33632da310ce1221a7c7dc587d888d84b1e67615bb2332723b4e39da982260540ee7f46f794d67e6e19848d6f8b5efb57abd5ff7988d54a

/storage/emulated/0/Sonnenblume/res.apk

MD5 2639a7fafd82266d6313f59ac1c927cd
SHA1 1a0d135ed060c236ec35aedf25ae2b481e0c226f
SHA256 e653eba8ee86ca07139b427c3366b10245abb9e694db6412a1811726381830f2
SHA512 e0578d5369a81710ee3ccb2b5dfe5633e830caba079f41761fff94480ff7b33fd965aaa75a17b839e377a640404a2aff2b4c503ebf06a8c78f428541ef60c00e

/data/data/com.fyjx.qipa/files/st_database.db-journal

MD5 362b257cde9ed1a6ce7c1cf10e27eb0b
SHA1 b7fd74cd0f704010f75371e34a2151d2a4e0e6d3
SHA256 8727958f31e934c305e33a54fcdc832ac51d2397ad7f008e946b8f00c20578dd
SHA512 57cf190eee620554e61249bd5c9580ad8bf8bb2025aa9a6998e82c037270bfcc929e7d1d594c964d463e3bcdf749b98443d0bc78711cdaff72321f97ecc04c31

/data/data/com.fyjx.qipa/files/st_database.db

MD5 01cda56c171e4a50420f742e9bbbd37a
SHA1 99eb1fed7ff140e7c285b8c4b14e5fdce8ead9da
SHA256 6d4918d2054c272120655f3b94351d2aa92063a4d22a3245201b329b3b31312b
SHA512 b1be2b1ca7072afa8b67930e8bb7a5d77b78d1455289f3df6dd9fc7a1c9412bb2e4c535218ae86c96abe4cdcd23cac3c75122ada4970c8303290f95039e9ad03

/data/data/com.fyjx.qipa/files/st_database.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.fyjx.qipa/files/st_database.db-wal

MD5 e82eb51b07f9cc554e19d626e492fbe7
SHA1 05f8f0fdec528241d76f16427d5d7ee91da471d4
SHA256 6b6d218d1a717cf503a46377f397123c222a890d4dbf83422815bc6281cd3c31
SHA512 5e3731071a88bbdca36d96b94f3dc277bd752d204aea8e13764854d14f071f995af8d0741b035a1403858dafe287b4fe72464c6b37779df9f310d57d88b62539

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 6d8fdbf51bb870a9b1b6b75e956f7cf4
SHA1 195c72b6719ca6607a411e467610962148c3d9e0
SHA256 e885c7748478c880ae1fb478f06c4b07834e2268e4154355b2f1666be442a4e7
SHA512 3dc0478eeaacdb41eed30ab49a7dd4ac18dd9e408cd5b92d77b6ca74350000d10bc963ffdae059eea81bf9470fc004865655a7eafbda95a9c108a71cf4ad1575

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 a900d2cfa6436bc49144b2a016ceed88
SHA1 f785a44aa9d4989f7929e5bc68d23acb7d752da4
SHA256 0f028f6772e0a79a57dd6551b7f6f42726860a7a5cec15db32960a1453cc1005
SHA512 e074f00d6a93c391376ffbc37166e32b1fed8c9ccd567f283b4f6b20907124b2bd7b57a3fa90fe248c974acd7b57e3ff3a2d6f3594edd059fdb83befbc07737e

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 e537b48adcfe268c8d8864449d5a65a4
SHA1 f271f2185e5fa10fde2e43e4cbaf8dadeee3bdaa
SHA256 24f8829dd2623fa6dfa049fc0dffffb3cbe5cbe926f5af6cf5785660c93e1354
SHA512 5a6cb7aecb4fc036363373b30f429d9a312cd44af41dbe3c932add292551e5defd65d6b8d661d2bca98010b26341c176ea1da8349f7a8c4120d1ce5b327be61c

/storage/emulated/0/Sonnenblume/C545C57380E94F57133C605FF10B5E66

MD5 89d03b9f2f25eb825e14dc7e3b6f0ac7
SHA1 17f9fd2d96b60f5a570668cce682ae7eaa0bacba
SHA256 3689cba0c649182f5e87948a1bc3fb014afdc83b60e3c2bb53e6363386e63771
SHA512 d7a6e411ea11a095841c4b686fb2d4c9cfc14db0f840f34691d96e387231dcbdbc5a231827d5b3ae50f18b5c4ec3ee7a359425d8f060ac19aad306aa3ac803b4

/data/data/com.fyjx.qipa/files/duration

MD5 74e1d34c64b9bad8732d774592007ef3
SHA1 4aea3b100e1675ecee524efc1352f55cd1322b49
SHA256 3d89c16e8c4416b3cb66a7cb4adf7d0ff6de03b217ff4c2b266c21c5cc7209da
SHA512 da37014da4ffcef7ab392fcd0c274eac0cdc3d9f994c13eeefca0dcd61ace4ed019d6b3c8b4eee334f56bff5805b28790e956533ad55177459f1f9788d37fd41

/storage/emulated/0/Sonnenblume/kb_sn.ini

MD5 cb3331349071e83991055cb329d2f241
SHA1 fd7752eb0c1e72ad91464292312759a62b276ca3
SHA256 232fae9742df1f7e75e1deb1987ba61d6eed1c232f50273476ac610110586cb1
SHA512 1b327bf4b5481b82fc8e715e96e667862a9cb03446fd47d1afc5720e46033e109f417637ae7653e373b3345a21a17522d111dd975f267ef61bd5af21bf5b3c7d

/data/data/com.fyjx.qipa/app_tbs/core_private/debug.conf

MD5 e3fc414dc6df13355a5bf46ac55ce6e6
SHA1 fd911238c6f41331502c6efdbcfdf6e807709ad6
SHA256 7127f44b21dff33ad32964f132d630d44b93ff2f3337034045fbc4543aaf36aa
SHA512 107af94a72bc64e202754f88469443a872e3e13de43710d4bd65cd92ea725f95038d9b2c395a6aa2b5617f07596002f026c5cefc36c4dfd7f99a219addbcde89

/data/user/0/com.fyjx.qipa/app_libs/core.jar

MD5 cd72ab90ef1a729ed243f71fa7c152ab
SHA1 71e2f42801bb01994c4141a2d18854c0074c57ba
SHA256 c7a7c0c4a03860aa847c5c9697e97d1b0c4d77d46d945946af6e87e1e8c16165
SHA512 2f41014833273ef7dce8a335179d42f7272f1d7511e85fe058f99d53e234ab9b08b520b6cc764e17d833aecb025a203499ecdb5e15f4eaf35d685cb463ef9bae

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 45842ee343fd899d5a5a04af34e1ec8b
SHA1 d4df3f8357b11a044d2c2b8cfc36b51beeac0656
SHA256 87301b7078e0b95e1156320480f35f44c66eed68af52e8f9a2eeac2d37c52b89
SHA512 edfe1337d18a5186ca54eda377c32bf905282d4d76d15752c957fab9468e253585c50076c1f36c3ea415f7383431aa0fc2f44956432f05926774e2739cdfd591

/data/data/com.fyjx.qipa/files/cc/libsubstrate.so

MD5 bdd066a27e56c3b2e852e709f33d8a21
SHA1 25c03dc837b5cac38ac360bc6538f1e42856e198
SHA256 d46bfb8cf6c9beded3a34acbe62ebc91c8dc0f806a366530efdbefd50e91d5df
SHA512 b95a831088d5a571a8c767c7ed03ebd8a77509b1021b73e6e0344a84b3d46430e9ae22ec9dd4467ad906597237880e8b7287e5b6b8d17a5247dde4b953f546dd

/data/data/com.fyjx.qipa/files/cc/libspeed.so

MD5 064b3bbb9928d353b389c3e7718f3bc2
SHA1 b12282b49a55a0135f11e1f210d93b5ac93ae654
SHA256 1ed41b1ce39554e23ed4af12b530a56a6f4ffb1594331c5e23a257666ff9ab9c
SHA512 29d775c3256243c9eb621a72a411a18a4b050f1c71c12e58456e16ad35263d8eb5e08c2a694e6fd0242520839c6c227b53ca8d56a7aa619ed5fe8a13965a3bdd

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 6091a1aa37b02211ddb93e1745b3f29e
SHA1 83d2fb669b01483061979219f97d6ea899ed664c
SHA256 b728b5addc6ff2d3d726af5da9bc81c7b2da6d112804c5efb265f23b9c29e9ac
SHA512 a122c695b899e05fba87c85903ed8378f8297c83eb931a023aaa6164d7492ba3ebb389ae87ed3274d66a5ef280e6babfb665f2b1c2ab3871a28ef2db7263792b

/data/data/com.fyjx.qipa/files/duration

MD5 15f3514f7af01e3ad622ffb12432dc29
SHA1 f29b7a5cebfea0c30a5ca8cfe943818a62fbf586
SHA256 0304530bf3b75c74126f9c07a7923f495edd66c3618cf2c7ec288c47ef91f6a4
SHA512 d893f206f6f3d36e90ff8da0f247e62402aba96c9647cd6d99e641a5dfeb23ce1abbc5d5e0ab639eb0e632ba85904699eb166ac501a2d7207be959fc2975d232

/data/data/com.fyjx.qipa/files/duration

MD5 f8f21d7d9d607f4a343adddeffea660c
SHA1 868156ede33d8ed403f229f735eab9b1ebba3b0b
SHA256 abaa11984bf373e370d7cc1f5176f1ae21bbd53cea21c5859d28f38935ceacbb
SHA512 b328da06c7374be26571e5e140b3e5c32eef58ea022c176d48b1e58e7a2cc1313d7acff670f6959f3db0e8359f1a68f5d6bfbad193c7d167e53b0ea106ff2e36

/data/data/com.fyjx.qipa/app_libs/oat/core.jar.cur.prof

MD5 65dbb537c2cdd301b9338cc79d6b0174
SHA1 e3ddd01d357ab2abc1430b84f0447d494299cb5c
SHA256 96057628e752bc92b0318126f94b5aa2609070c8c51116c83611e4b6a8aa3dca
SHA512 f16b2567ed336f8fe89aff91e72f6ca327de9b6694c30222c0369ddf57e7328490e6d6499aa80bba656c83f5b02acf6c145c70422ebdf703a857e8bf435f2e12

/data/data/com.fyjx.qipa/files/duration

MD5 c6377b7512efdec3632aed11b2fc3a4d
SHA1 a92e105a53f4d40b59f0dbd4a2e3c6f99ece8707
SHA256 e59c2530cdba07946c478854a04d18f25bfe4a1f4aaa4757ed3156f1ca8bda1a
SHA512 6b9387ed9979563472961952af7bf102b3e64c62c689c7c8fb3edf5464f793dfa18df4f210666de07303297472c746d7ea5c56bca3e349297d475bbf15d6c2b2

/data/data/com.fyjx.qipa/files/duration

MD5 0335931dc4ed3dc3c74cb129c49c14c6
SHA1 cf491fc23569a707bc11d1c76802f21268acd8c8
SHA256 39c2da5133363721b2173925a93d8647fce44d4fb6c435f50d03605dae4a5df2
SHA512 a168a6518440ce9d1a29dca7ddfa6e20d552d0fb14a1c2b56f697f798ec8a03946baf9800a1aae042be6a9c03652e70f1fafcacfd5f52462fb22432c98599e3b

/data/data/com.fyjx.qipa/files/duration

MD5 056fd4f790216e30d80b22a838616b52
SHA1 6022c5a485c44b94aa15c8db48e7a491ccddb2eb
SHA256 2fe425e3deb799da79be85f87dcf2b2bba50d007d6805a5251820f65ad7b8600
SHA512 cadb2ea299ef5cb4697d0b546dd8fec5605217dcda5b205e2eb8f3f8e40358908adc2333c27acad648ad67f9eafb6598c58cd48188ddc10c80a89b0999c74a09
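Several paths in the Files section above appear more than once with different hashes (duration, the Sonnenblume/EE53AF5B... file), and update.jar and core.jar are each listed under /data/data/com.fyjx.qipa and /data/user/0/com.fyjx.qipa, which on Android are the same directory (/data/data is a symlink to /data/user/0). The script below is an added example for this page, not part of the report: it normalises the two spellings, groups the entries by path so that files rewritten during the run stand out, classifies them by type, and checks a pulled file against a report hash. The embedded entries are a SHA256-only excerpt copied from the Files section, not the complete list; the type classification rules are an assumption.

```python
"""Group the dropped-file entries of a sandbox report by path, treating the two
spellings of the app's private data directory as one, so that files written
more than once during the run and native libraries stand out."""
import hashlib
from collections import defaultdict

# Excerpt copied from the behavioral1 Files section ("path sha256" per line;
# MD5/SHA1/SHA512 omitted). A subset of the report, not the full list.
FILES_EXCERPT = """\
/data/data/com.fyjx.qipa/app_libs/update.jar 2a9b79160a4eae5fea2e7fbd3e0498eae8af9d0e8d784b18ac81c3468da6e0a6
/data/data/com.fyjx.qipa/app_libs/core.jar a4f2010123d6cd77170de49c9a6a3d734f9352908a40087d59c888f8923b185e
/data/user/0/com.fyjx.qipa/app_libs/update.jar f5f594fcb6fe90cad0632fbf30f8fe7fbf9a87f06dca9e00208e6eb85c778747
/storage/emulated/0/Sonnenblume/res.apk.u 34f49f8a001f371b34b052ccf5ebc3dcf564d5280d1cc156605345366bd14fe2
/storage/emulated/0/Sonnenblume/res.apk e653eba8ee86ca07139b427c3366b10245abb9e694db6412a1811726381830f2
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2 e885c7748478c880ae1fb478f06c4b07834e2268e4154355b2f1666be442a4e7
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2 0f028f6772e0a79a57dd6551b7f6f42726860a7a5cec15db32960a1453cc1005
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2 24f8829dd2623fa6dfa049fc0dffffb3cbe5cbe926f5af6cf5785660c93e1354
/data/user/0/com.fyjx.qipa/app_libs/core.jar c7a7c0c4a03860aa847c5c9697e97d1b0c4d77d46d945946af6e87e1e8c16165
/data/data/com.fyjx.qipa/files/cc/libsubstrate.so d46bfb8cf6c9beded3a34acbe62ebc91c8dc0f806a366530efdbefd50e91d5df
/data/data/com.fyjx.qipa/files/cc/libspeed.so 1ed41b1ce39554e23ed4af12b530a56a6f4ffb1594331c5e23a257666ff9ab9c
/data/data/com.fyjx.qipa/files/duration 3d89c16e8c4416b3cb66a7cb4adf7d0ff6de03b217ff4c2b266c21c5cc7209da
/data/data/com.fyjx.qipa/files/duration 0304530bf3b75c74126f9c07a7923f495edd66c3618cf2c7ec288c47ef91f6a4
"""


def normalise(path: str) -> str:
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android, so the
    report's two spellings name the same file; fold them into one."""
    prefix = "/data/data/"
    if path.startswith(prefix):
        return "/data/user/0/" + path[len(prefix):]
    return path


def parse_files(text: str) -> list:
    """Parse 'path sha256' lines into (normalised path, lower-case digest)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, digest = line.rsplit(" ", 1)
        entries.append((normalise(path), digest.lower()))
    return entries


def group_by_path(text: str) -> dict:
    """path -> distinct SHA256 values, in report order."""
    groups = defaultdict(list)
    for path, digest in parse_files(text):
        if digest not in groups[path]:
            groups[path].append(digest)
    return dict(groups)


def rewritten(text: str) -> dict:
    """Paths carrying more than one hash, i.e. modified during the run."""
    return {p: len(hs) for p, hs in group_by_path(text).items() if len(hs) > 1}


def classify(path: str) -> str:
    # Assumption: a coarse type split by file name, enough for triage ordering.
    name = path.rsplit("/", 1)[-1]
    if name.endswith(".so"):
        return "native"
    if name.endswith((".jar", ".dex", ".apk", ".odex", ".vdex")):
        return "code"
    if ".db" in name:
        return "sqlite"
    return "other"


def by_kind(text: str) -> dict:
    kinds = defaultdict(set)
    for path in group_by_path(text):
        kinds[classify(path)].add(path)
    return {k: sorted(v) for k, v in kinds.items()}


def sha256_matches(data: bytes, expected: str) -> bool:
    """Check a file pulled from the device against the hash in the report."""
    return hashlib.sha256(data).hexdigest() == expected.lower()


if __name__ == "__main__":
    for path, count in rewritten(FILES_EXCERPT).items():
        print(f"{count} versions: {path}")
    print(by_kind(FILES_EXCERPT))
```

Two things fall out once the paths are folded: update.jar and core.jar were each written twice in the app's private directory, so the code the dex2oat command line compiled is not necessarily the last version on disk, and the native drop in files/cc/ contains a file named libsubstrate.so, the name used by the Cydia Substrate hooking runtime. When pulling artifacts from a device or emulator for further analysis, run sha256_matches() against the report's value for the version you want and keep every version, since only one hash per path ends up in most IOC feeds.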

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x86-arm-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain  Proto
GB       142.250.200.34:443  -       tcp
N/A      224.0.0.251:5353    -       udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x64-20240514-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  -       udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x86-arm-20240514-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain  Proto
GB       142.250.200.34:443  -       tcp
N/A      224.0.0.251:5353    -       udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x64-20240514-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  -       udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  -       udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:29

Platform

android-33-x64-arm64-20240514-en

Max time kernel

8s

Max time network

133s

Command Line

com.fyjx.qipa

Signatures

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.fyjx.qipa/app_libs/update.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.fyjx.qipa

Network

Country  Destination          Domain                             Proto
GB       172.217.16.234:443   -                                  tcp
GB       142.250.179.228:443  -                                  udp
N/A      224.0.0.251:5353     -                                  udp
GB       142.250.179.228:443  -                                  udp
GB       172.217.16.238:443   -                                  udp
GB       172.217.16.238:443   -                                  tcp
GB       172.217.16.238:443   -                                  tcp
US       162.159.61.3:443     -                                  tcp
US       162.159.61.3:443     -                                  tcp
US       162.159.61.3:443     -                                  udp
GB       142.250.179.228:443  -                                  udp
GB       142.250.179.228:443  -                                  tcp
GB       142.250.179.228:443  -                                  tcp
GB       142.250.179.228:443  -                                  tcp
GB       142.250.187.196:443  -                                  udp
GB       142.250.187.196:443  -                                  tcp
GB       142.250.187.196:443  -                                  tcp
US       1.1.1.1:53           android.apis.google.com            udp
GB       172.217.169.46:443   android.apis.google.com            tcp
US       1.1.1.1:53           remoteprovisioning.googleapis.com  udp
GB       142.250.200.42:443   remoteprovisioning.googleapis.com  tcp
GB       172.217.16.234:443   remoteprovisioning.googleapis.com  tcp

Files

/storage/emulated/0/Android/data/com.fyjx.qipa/files/tbslog/tbslog.txt (deleted)

MD5 5cf1d5576636b3c6867668cc8ffb91fb
SHA1 51499a665fc7b94d2aaa29a2407775cdcc64c168
SHA256 daced66851f99ae059ace4eda0ec87b8c5415385bbe574b9093a82740a7b040b
SHA512 1d60fb0d44c9d99fd0c1b16656edaf052c344ecc03fec2db5c7e283f9edaca4d06fc0f89d7db75522a7eaae4ba443b299a8e410cc471339df729dfc2ad320a7f

/data/user/0/com.fyjx.qipa/app_libs/update.jar

MD5 3eea0fcda4a513b99cedf31c7452aaf8
SHA1 071da147eacf17f1c10fc6362ac43839ee96d5a2
SHA256 2a9b79160a4eae5fea2e7fbd3e0498eae8af9d0e8d784b18ac81c3468da6e0a6
SHA512 12a20677a8f36778ceeead1e35a9a20dce8ecc9999803db2e3e40312b74847ccc9efbc649b4949dae38520287b7a01bd50c81dbf9fe1db8fb7e9ecd070801880

/data/user/0/com.fyjx.qipa/app_libs/core.jar

MD5 f84ba6f0daba937e6d435442c99e8387
SHA1 038c9ca9c9ed1c3321bf7fa641975be25fd2241c
SHA256 428827b1d99667c2608ac1c8708b9e3c87018134c1e640b1990cd73adbb77088
SHA512 9a8091c2cd339187341868c4f7ac473852c9cff788d53e6148f99e3093ff6129155cdf985be556dfee4d58b1eb9ca39093fe82bc04d3fab147534dd47781a50f

/data/user/0/com.fyjx.qipa/app_libs/update.jar

MD5 a052cf31f70cab7dc772b4c59911d43e
SHA1 08a2a8dd43484ac2adf0eb2681d57c2173360d6f
SHA256 f5f594fcb6fe90cad0632fbf30f8fe7fbf9a87f06dca9e00208e6eb85c778747
SHA512 80fe152fe391ca50f026b6144b364bfa889d4e85801a836b8641ddfe7e9ffe435796dc40e6314a05da0a1e9df781c09c681a88d32a9b0541e93b4e67f2dbd8a2

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x64-20240514-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain  Proto
GB       142.250.179.234:443  -       tcp
N/A      224.0.0.251:5353     -       udp
GB       142.250.200.42:443   -       tcp
GB       142.250.200.42:443   -       tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x64-arm64-20240514-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  -       udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x86-arm-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain  Proto
GB       172.217.169.42:443  -       tcp
N/A      224.0.0.251:5353    -       udp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 02:26

Reported

2024-05-22 02:26

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  -       udp

Files

N/A