Malware Analysis Report

2025-01-19 06:59

Sample ID 240522-gn6c7sed8t
Target 663ca6d8781be948124cfb87703bac76_JaffaCakes118
SHA256 372b3e7a948880fc74bf1ae14b95db94e5f49a54d6183fc88e73472a25387b72
Tags
discovery evasion persistence collection credential_access impact
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 663ca6d8781be948124cfb87703bac76_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Checks if the Android device is rooted

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's foreground persistence service

Queries information about running processes on the device

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Checks memory information

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Checks if the internet connection is available

Declares services with permission to bind to the system

Reads information about phone network operator

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-22 05:58

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. android.permission.BODY_SENSORS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to use SIP service. android.permission.USE_SIP N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to add voicemails into the system. com.android.voicemail.permission.ADD_VOICEMAIL N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 05:58

Reported

2024-05-22 06:01

Platform

android-x64-arm64-20240514-en

Max time kernel

8s

Max time network

152s

Command Line

com.exce.wv

Signatures

N/A

Processes

com.exce.wv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

/storage/emulated/0/.com.excean.gspace/extra/appeal.js

MD5 ab1e3c3e567afa354b391c771445115b
SHA1 2943163bfa9fb104959cdf8969ea1945dd2a03e5
SHA256 209c04a3a9990099650a683191e18ae7e3ac969b4df7485bb84d0744e2abfd9d
SHA512 792b8fdee21f2db46fb05dba3a435492785a1c84fd0fbd43ff351991d99fb29d36d7b566c3752d43851ec1aeae749140af2810c6a0b8a49cfa51a1a79c59ca8c

/storage/emulated/0/.com.excean.gspace/extra/hook.js

MD5 f85e6a9a9ffc4b27befeeab271163c90
SHA1 21163909018b798cffbba919e2ee56ba88f44e00
SHA256 1302d0d811871258891ff7bc38a49a7fd76ef62c40959b0263ba6d86d5f19cef
SHA512 087eb8110a7402ace6d6c862e967b6ca78af2cc6685ed96f0b1c238f65894e0af3a9e45254a5cc554f5807cbb124e9143425610370c30e1b165a6c267089d848

/storage/emulated/0/.com.excean.gspace/extra/login.js

MD5 8069a5fc01af56b924e42d1d4619209e
SHA1 252c63dccdb2f2920ddb125ad1caa4e7a86793f4
SHA256 eb738b475786d34094bf6697fbc74b6186829ddb3beea0eba2ce520dba6fc7d6
SHA512 882b277e899619c50eff23dcce4ce3f13fd3b6d17459f7e56539cb2e2954179c43f26aafe36ee32edf1e5d4ee8bf99e08acf04edc0f8b2795fea8cee640c26ad

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 05:58

Reported

2024-05-22 06:01

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

187s

Command Line

com.excean.android.vending

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.excean.android.vending

Network

Country Destination Domain Proto
GB 216.58.213.3:443 tcp
GB 142.250.200.10:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.234:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 play.google.com udp
GB 216.58.201.110:443 play.google.com tcp
US 1.1.1.1:53 play-lh.googleusercontent.com udp
GB 216.58.201.118:443 play-lh.googleusercontent.com tcp
GB 216.58.201.118:443 play-lh.googleusercontent.com tcp
GB 216.58.201.118:443 play-lh.googleusercontent.com tcp
GB 216.58.201.118:443 play-lh.googleusercontent.com tcp
GB 216.58.201.118:443 play-lh.googleusercontent.com tcp
GB 216.58.201.118:443 play-lh.googleusercontent.com tcp
US 1.1.1.1:53 ssl.gstatic.com udp
GB 172.217.16.227:443 ssl.gstatic.com tcp
US 1.1.1.1:53 stats.g.doubleclick.net udp
BE 66.102.1.156:443 stats.g.doubleclick.net tcp
US 1.1.1.1:53 www.google.co.uk udp
GB 142.250.178.3:443 www.google.co.uk tcp
US 1.1.1.1:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/storage/emulated/0/com.excean.android.vending/hook.js

MD5 f85e6a9a9ffc4b27befeeab271163c90
SHA1 21163909018b798cffbba919e2ee56ba88f44e00
SHA256 1302d0d811871258891ff7bc38a49a7fd76ef62c40959b0263ba6d86d5f19cef
SHA512 087eb8110a7402ace6d6c862e967b6ca78af2cc6685ed96f0b1c238f65894e0af3a9e45254a5cc554f5807cbb124e9143425610370c30e1b165a6c267089d848

/storage/emulated/0/com.excean.android.vending/tt.js

MD5 e92fe1f2a29f509878e61217a2563a99
SHA1 c57d5fea1e372ebd538fd3f97b7533bc2f7cd5c0
SHA256 dc9ba26e3eb711105170b59195d0fe19e18d39b1834544a25436e9557bb4f572
SHA512 26a7eee6bf621486fb76d925392c4f81eacbab21a860ea55687c721f61551539f4c8710d4d13d3510194e064cb5f29f698f16b38c7791d8f73f9343719f9cb8a

/storage/emulated/0/com.excean.android.vending/xx.js

MD5 a27daa00d9ddbdecb227e27cb3372e68
SHA1 79405ced9eb6768362253abc54fef3e9fb768209
SHA256 78f4f184c43f3757306297516127d511a773b0545535013fc68548f26f15f749
SHA512 6f4d904f2551a8a24a5f37763165f4bcdefd90a4fa40a4da1c9a7ad5e1bf608a1b8a1840de026a92a674033d7e0b683d9fe0aa88219ef9cee715297652c8170d

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 05:58

Reported

2024-05-22 06:01

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

155s

Command Line

com.excean.android.vending

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.excean.android.vending

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
US 1.1.1.1:53 play-lh.googleusercontent.com udp
GB 142.250.187.214:443 play-lh.googleusercontent.com tcp
GB 142.250.187.214:443 play-lh.googleusercontent.com tcp
GB 142.250.187.214:443 play-lh.googleusercontent.com tcp
GB 142.250.187.214:443 play-lh.googleusercontent.com tcp
GB 142.250.187.214:443 play-lh.googleusercontent.com tcp
GB 142.250.187.214:443 play-lh.googleusercontent.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 ssl.gstatic.com udp
GB 142.250.178.3:443 ssl.gstatic.com tcp
US 1.1.1.1:53 stats.g.doubleclick.net udp
BE 64.233.167.155:443 stats.g.doubleclick.net tcp
US 1.1.1.1:53 www.google.co.uk udp
GB 142.250.200.35:443 www.google.co.uk tcp
US 1.1.1.1:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.179.226:443 tcp
GB 142.250.178.4:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp

Files

/storage/emulated/0/com.excean.android.vending/hook.js

MD5 f85e6a9a9ffc4b27befeeab271163c90
SHA1 21163909018b798cffbba919e2ee56ba88f44e00
SHA256 1302d0d811871258891ff7bc38a49a7fd76ef62c40959b0263ba6d86d5f19cef
SHA512 087eb8110a7402ace6d6c862e967b6ca78af2cc6685ed96f0b1c238f65894e0af3a9e45254a5cc554f5807cbb124e9143425610370c30e1b165a6c267089d848

/storage/emulated/0/com.excean.android.vending/tt.js

MD5 e92fe1f2a29f509878e61217a2563a99
SHA1 c57d5fea1e372ebd538fd3f97b7533bc2f7cd5c0
SHA256 dc9ba26e3eb711105170b59195d0fe19e18d39b1834544a25436e9557bb4f572
SHA512 26a7eee6bf621486fb76d925392c4f81eacbab21a860ea55687c721f61551539f4c8710d4d13d3510194e064cb5f29f698f16b38c7791d8f73f9343719f9cb8a

/storage/emulated/0/com.excean.android.vending/xx.js

MD5 a27daa00d9ddbdecb227e27cb3372e68
SHA1 79405ced9eb6768362253abc54fef3e9fb768209
SHA256 78f4f184c43f3757306297516127d511a773b0545535013fc68548f26f15f749
SHA512 6f4d904f2551a8a24a5f37763165f4bcdefd90a4fa40a4da1c9a7ad5e1bf608a1b8a1840de026a92a674033d7e0b683d9fe0aa88219ef9cee715297652c8170d

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 05:58

Reported

2024-05-22 06:01

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

189s

Command Line

com.excean.android.vending

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.excean.android.vending

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 play.google.com udp
GB 216.58.201.110:443 play.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 play-lh.googleusercontent.com udp
GB 172.217.16.246:443 play-lh.googleusercontent.com tcp
GB 172.217.16.246:443 play-lh.googleusercontent.com tcp
GB 172.217.16.246:443 play-lh.googleusercontent.com tcp
GB 172.217.16.246:443 play-lh.googleusercontent.com tcp
GB 172.217.16.246:443 play-lh.googleusercontent.com tcp
GB 172.217.16.246:443 play-lh.googleusercontent.com tcp
US 1.1.1.1:53 ssl.gstatic.com udp
GB 142.250.178.3:443 ssl.gstatic.com tcp
US 1.1.1.1:53 stats.g.doubleclick.net udp
BE 64.233.167.154:443 stats.g.doubleclick.net tcp
US 1.1.1.1:53 www.google.co.uk udp
GB 142.250.187.195:443 www.google.co.uk tcp
US 1.1.1.1:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/storage/emulated/0/com.excean.android.vending/hook.js

MD5 f85e6a9a9ffc4b27befeeab271163c90
SHA1 21163909018b798cffbba919e2ee56ba88f44e00
SHA256 1302d0d811871258891ff7bc38a49a7fd76ef62c40959b0263ba6d86d5f19cef
SHA512 087eb8110a7402ace6d6c862e967b6ca78af2cc6685ed96f0b1c238f65894e0af3a9e45254a5cc554f5807cbb124e9143425610370c30e1b165a6c267089d848

/storage/emulated/0/com.excean.android.vending/tt.js

MD5 e92fe1f2a29f509878e61217a2563a99
SHA1 c57d5fea1e372ebd538fd3f97b7533bc2f7cd5c0
SHA256 dc9ba26e3eb711105170b59195d0fe19e18d39b1834544a25436e9557bb4f572
SHA512 26a7eee6bf621486fb76d925392c4f81eacbab21a860ea55687c721f61551539f4c8710d4d13d3510194e064cb5f29f698f16b38c7791d8f73f9343719f9cb8a

/storage/emulated/0/com.excean.android.vending/xx.js

MD5 a27daa00d9ddbdecb227e27cb3372e68
SHA1 79405ced9eb6768362253abc54fef3e9fb768209
SHA256 78f4f184c43f3757306297516127d511a773b0545535013fc68548f26f15f749
SHA512 6f4d904f2551a8a24a5f37763165f4bcdefd90a4fa40a4da1c9a7ad5e1bf608a1b8a1840de026a92a674033d7e0b683d9fe0aa88219ef9cee715297652c8170d

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 05:58

Reported

2024-05-22 06:01

Platform

android-x86-arm-20240514-en

Max time kernel

170s

Max time network

186s

Command Line

com.excean.gspace:olle

Signatures

Checks if the Android device is rooted

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar N/A N/A
N/A /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar N/A N/A
N/A /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar N/A N/A
N/A /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar N/A N/A
N/A /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar N/A N/A
N/A /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar N/A N/A
N/A /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.excean.gspace:olle

com.excean.gspace

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

chmod 755 /data/user/0/com.excean.gspace/.platformcache/main.jar

chmod 755 /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar --output-vdex-fd=51 --oat-fd=54 --oat-location=/data/user/0/com.excean.gspace/.platformcache/oat/x86/kxqpplatform2.odex --compiler-filter=quicken --class-loader-context=&

com.excean.gspace:lbcore

com.excean.gspace:smtcnt

/system/bin/sh -c ps

ps

com.excean.gspace:smtcnt

/system/bin/sh -c ps

ps

com.excean.gspace:smtcnt

/system/bin/sh -c ps

ps

com.excean.gspace:smtcnt

/system/bin/sh -c ps

ps

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.67:443 tcp
US 1.1.1.1:53 sdk.ourplay.net udp
US 148.153.44.138:443 sdk.ourplay.net tcp
US 148.153.44.138:443 sdk.ourplay.net tcp
US 1.1.1.1:53 statis.ourplay.net udp
CN 47.99.226.150:80 statis.ourplay.net tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 folder.appota.cn udp
US 148.153.44.138:443 sdk.ourplay.net tcp
CN 118.178.30.122:80 folder.appota.cn tcp
US 1.1.1.1:53 api.ourplay.net udp
US 148.153.44.138:443 api.ourplay.net tcp
US 1.1.1.1:53 statis.multiopen.cn udp
CN 114.55.203.49:80 statis.multiopen.cn tcp
CN 114.55.203.49:80 statis.multiopen.cn tcp
CN 47.99.226.150:80 statis.ourplay.net tcp
CN 47.99.226.150:80 statis.ourplay.net tcp
CN 47.99.226.150:80 statis.ourplay.net tcp
CN 47.99.226.150:80 statis.ourplay.net tcp
CN 47.99.226.150:80 statis.ourplay.net tcp
CN 47.99.226.150:80 statis.ourplay.net tcp
CN 47.99.226.150:80 statis.ourplay.net tcp

Files

/storage/emulated/0/.com.excean.gspace/game_res/info.data

MD5 90236d6288cae26330e04ee57fad9899
SHA1 22a73773ce1cbcc03cd518818b2b8f142efa59dd
SHA256 e3c535c608375477909d4fe65ddc3593c6414851f11f6537e23fae9a3f55976b
SHA512 626f7f6a8f29495b1b37c12c230ee676057b402f815b14ad02a7cf2671c43a69ade245998b081c76f0ac5244ce1de7455fba83246876e8e65f4e9780ab25910f

/storage/emulated/0/.com.excean.gspace/init_time.txt

MD5 2ec293706741d024fad54968202a1506
SHA1 af87ddb2266b289b64f91c0749b6ec13e614763d
SHA256 e23bd873e98e53c0ed8b4603e6b255e2fcc1690d25a7fc6c938a2335a38eebb9
SHA512 ae783d386f91a4ade7d169149fd3903e48c447558b6e0625afd8738283a5e3d41cc0edb5fde96364bbbb801736f2fa0e07c81a831aaa75510cb49871597636a7

/storage/emulated/0/.com.excean.gspace/game_res/compVersion

MD5 c1fd6a45075bd1da5a525d55a6e19fa0
SHA1 dbf9482346b8fbefe1a977e4c2458b8f699e149b
SHA256 537568e07888c925e384e0e5ab62ea4ecd6680cae3ffeea959a20057b2057992
SHA512 d946be291c4b32430367a65760367b12569e99a3ae95f86484c1b1ee7e2e8a504b24910a37ce05d2173b965d0cf7dfcd53b0c29a127925b774f805415ba819d3

/storage/emulated/0/.com.excean.gspace/game_res/verinfo.cfg

MD5 f244e3fcabcda1585c0a7efbfb611e0d
SHA1 2c070bb2152f0650b81bdc220720043c47c30d27
SHA256 bb5026f0ff0ea3919c2d996c6a774b976c2d3e858ba619bba68a11fbc5c52cf8
SHA512 09f1f781f413cd6a962a9ff0fa6b7e280e249ab3837096408859dc7ecf0fe5515345d68eee331b7c18d5bab54d88eaec5a46525c560f8cbf0f44bbb9ef7c531e

/storage/emulated/0/.android/.systems/.idcard

MD5 84cb26e38a0079ed253068d782b2526f
SHA1 1b981429f797358e0befd13ed832db54210e8f53
SHA256 c961882aa490875f9f323c259ef20b9910110da363c1e1090e36d3a8d79f14aa
SHA512 4a9f361b2d8f186ed2e3b49018d096c0e635d3356e376bf966e003b9b6435289bf62f13ff93104d4f8da5add81acc08013c6b00cc42e770750af1cecde4ab4d3

/storage/emulated/0/.com.excean.gspace/game_res/compVersion

MD5 f7fd7d0c50e35bd2fd02ddd47a95dbfb
SHA1 06f7650c5a4aaa6f060487addd910bac18add2c1
SHA256 c9a1bd1ebf889c78126f22d1df2367913469619625ef48e6baae38c7b838df59
SHA512 178d0d0b68844d5729f98ac19026f2390b6f8e5b7a61a8fd53e56af12cad7e46c7ce8bbee6328f17fba172b2870377b9a36460d4bd20ab334e8e7f02fefb1004

/data/data/com.excean.gspace/.platformcache/main.jar

MD5 03e198ddc87dd03d06c0d383ad81c905
SHA1 b7917dc00f032925ebe0e553a15bdef77420a856
SHA256 cf4fb2391c66df249a87e6e269c892cea9f3d2dae6222511ca1797c49a1d6bae
SHA512 6bf90832d4f12c6d772d874c7be7f3e5812b8a6bb73f4a13671f672cb271eba1086597038286895d48b74b4078ce9efe3a9f4562a7a433f1a2e6b33163068523

/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar

MD5 e90ba0f2b1783036dbf145ce6a7037cd
SHA1 5a55273866ee4605cf8a3373d147c033adacdb9c
SHA256 4c9c7e5d238a15693b4db78224ae6251ee275f903df4cb5dd460418b3a83f7a8
SHA512 d7b8e834f08dd193c7585089f48da12fbc7b6d50aea7099bf89bd2348b3ae8230c994716eb7bda0f321dbac338449aaa19be56bf22763345b0e6e5c2daf0f36f

/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar

MD5 af85f7f299ff59a3a522238744504392
SHA1 71b89015d03510d6150d50fbb402b4e68394b1f1
SHA256 4e02a09b4e46ca00843b00be97ac4af58530659d5e707b2bef0789da881d8efb
SHA512 b8a05cd2854c9d0997d426c1bd36d45db78621a44350e2fe232b314e15bdf19d65dc9365d968cd9034215848c12495f52ffe227b4e9fd0c4a147c9ce037cd88b

/data/data/com.excean.gspace/databases/lio_statistics.db-journal

MD5 229c9187050032ab6be33e07937d2f94
SHA1 831fed4b75c4342e5c5ab789decd3e9d11556568
SHA256 784fe0f1a3b63f06e59304af27320276f7cbf1b0603d75113216eb1766fd8887
SHA512 727e326777785309ad0ba6b50451611761bb4fa323d2fbe125b0846b71b3709df5d8f24cd1a55fb48393561bdd4a4245cceefa118a2c335bcfd09fbf86edfaef

/data/data/com.excean.gspace/databases/lio_statistics.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.excean.gspace/.platformcache/lib_kxqpplatform/tmp7602445146772381717tmp

MD5 0f52589f5b807ff4a58fa038c1aabec0
SHA1 0cfe1e582d58a530838342e7ba564de6ce3c2890
SHA256 fcc2e36047fe314f96caee1b2c6b734b1bf420ddfc7fb896ffbe6176028c0599
SHA512 849b9afef4487bbdc38b52f53d6e97ca91279357fe26258bce14dd915f3b61d06e77d6f909e046e0200b96b0b308fbb2f5550e23091a86b5b26d47518e069216

/data/data/com.excean.gspace/databases/lio_statistics.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.excean.gspace/databases/lio_statistics.db-wal

MD5 b14651681103fb426cb9de8bb2e8aef6
SHA1 60d4542c7e44b661e9cf9b4d218eee7be8ebf91f
SHA256 356e10d3b65f6b9f88425a37db3e42c56b013b2613854b20521956568e754fdb
SHA512 27a3c24cb6acdadf30bac3ef7a63169fe1684aaf1ef75fdc642c0da958654bf9196b2688ea3e909a025a27c77f784d06355a06c9e06b6d64092fe86651c55532

/data/data/com.excean.gspace/.platformcache/lib_kxqpplatform/libkxqpplatform.sinfo

MD5 f6dd326826104c177a0f916cb433419e
SHA1 875bee416e096960e9249a907d292661a2f4fce2
SHA256 8d5e5f1c7660a443fc7659b27e972e579d15cca2bbf269d8d329fd3af45ca2f9
SHA512 9ad60cd10cdfffe7c237163323c905dde70de9b4da3610806bf9a2e0be87d6eb1a4903b570113b81bd5bc8323a3697a6954b155dfd635cb81e4512490e700e1f

/data/data/com.excean.gspace/databases/airpushitemnew.db-journal

MD5 f1ca9ed8fa958745ff24b99457631bd1
SHA1 115a5cb588a50adda5dfd47ec627bafcb193a4bc
SHA256 967df474e18ebacbeb931abe793b49884ca026fb183cf318e0f833a061416433
SHA512 9e465c868dd3378fb220daf5cd47f7cb3a144e34255d76c58156338f365091d4efed171c498fc6404c33d3da8f05e4836b4c9221b499514e3f25a9fa50369eb9

/data/data/com.excean.gspace/databases/airpushitemnew.db-wal

MD5 35ea7dc7f56e31398d135328e1a96b0f
SHA1 293ba80a5c07ca6a975ac7ccd64bac502f3fc409
SHA256 8f8ec36ef1746af902512c259be01858287ac48587ffe3804987047c584f61a7
SHA512 8e909815849d3b1afbeffe8d7e090f746badd344cda6adad0134d01cb1d63f5ea50428b859293d8b95b541370a2ac4bc60a4529f2ed1d97bafefb0f770a9e8a1

/data/data/com.excean.gspace/gameplugins/lb_amcfg

MD5 fb43224c2ef7d4fc01a51357dad58b5a
SHA1 191713403ae1e3b1823b7fea401bff92e2648ba6
SHA256 84513f60951b5c62dd14d39fc040ef49983660f5632fa0bf0384298bb6235a24
SHA512 126e0f4eb7780682cf8163a5a5bd60c50880f04cea31ad5601da89a8cbeabc612959550a925347aabbba449629a81da1f822f103fa9bf61c9ac841adde58c946

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 05:58

Reported

2024-05-22 06:01

Platform

android-x86-arm-20240514-en

Max time kernel

8s

Max time network

133s

Command Line

com.exce.wv

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.exce.wv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.3:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp

Files

/storage/emulated/0/.com.excean.gspace/extra/appeal.js

MD5 ab1e3c3e567afa354b391c771445115b
SHA1 2943163bfa9fb104959cdf8969ea1945dd2a03e5
SHA256 209c04a3a9990099650a683191e18ae7e3ac969b4df7485bb84d0744e2abfd9d
SHA512 792b8fdee21f2db46fb05dba3a435492785a1c84fd0fbd43ff351991d99fb29d36d7b566c3752d43851ec1aeae749140af2810c6a0b8a49cfa51a1a79c59ca8c

/storage/emulated/0/.com.excean.gspace/extra/hook.js

MD5 f85e6a9a9ffc4b27befeeab271163c90
SHA1 21163909018b798cffbba919e2ee56ba88f44e00
SHA256 1302d0d811871258891ff7bc38a49a7fd76ef62c40959b0263ba6d86d5f19cef
SHA512 087eb8110a7402ace6d6c862e967b6ca78af2cc6685ed96f0b1c238f65894e0af3a9e45254a5cc554f5807cbb124e9143425610370c30e1b165a6c267089d848

/storage/emulated/0/.com.excean.gspace/extra/login.js

MD5 8069a5fc01af56b924e42d1d4619209e
SHA1 252c63dccdb2f2920ddb125ad1caa4e7a86793f4
SHA256 eb738b475786d34094bf6697fbc74b6186829ddb3beea0eba2ce520dba6fc7d6
SHA512 882b277e899619c50eff23dcce4ce3f13fd3b6d17459f7e56539cb2e2954179c43f26aafe36ee32edf1e5d4ee8bf99e08acf04edc0f8b2795fea8cee640c26ad

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 05:58

Reported

2024-05-22 06:01

Platform

android-x64-20240514-en

Max time kernel

8s

Max time network

154s

Command Line

com.exce.wv

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.exce.wv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.200.46:443 tcp
GB 142.250.187.194:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp

Files

/storage/emulated/0/.com.excean.gspace/extra/appeal.js

MD5 ab1e3c3e567afa354b391c771445115b
SHA1 2943163bfa9fb104959cdf8969ea1945dd2a03e5
SHA256 209c04a3a9990099650a683191e18ae7e3ac969b4df7485bb84d0744e2abfd9d
SHA512 792b8fdee21f2db46fb05dba3a435492785a1c84fd0fbd43ff351991d99fb29d36d7b566c3752d43851ec1aeae749140af2810c6a0b8a49cfa51a1a79c59ca8c

/storage/emulated/0/.com.excean.gspace/extra/hook.js

MD5 f85e6a9a9ffc4b27befeeab271163c90
SHA1 21163909018b798cffbba919e2ee56ba88f44e00
SHA256 1302d0d811871258891ff7bc38a49a7fd76ef62c40959b0263ba6d86d5f19cef
SHA512 087eb8110a7402ace6d6c862e967b6ca78af2cc6685ed96f0b1c238f65894e0af3a9e45254a5cc554f5807cbb124e9143425610370c30e1b165a6c267089d848

/storage/emulated/0/.com.excean.gspace/extra/login.js

MD5 8069a5fc01af56b924e42d1d4619209e
SHA1 252c63dccdb2f2920ddb125ad1caa4e7a86793f4
SHA256 eb738b475786d34094bf6697fbc74b6186829ddb3beea0eba2ce520dba6fc7d6
SHA512 882b277e899619c50eff23dcce4ce3f13fd3b6d17459f7e56539cb2e2954179c43f26aafe36ee32edf1e5d4ee8bf99e08acf04edc0f8b2795fea8cee640c26ad