Malware Analysis Report

2025-01-19 06:59

Sample ID 240522-q2z8sade71
Target 6777d1c63e11aeafacfb47a0bb505672_JaffaCakes118
SHA256 36f7fddcea9b92869a582e43772f86e17d996d73b9f172ff5be834c1f8649a18
Tags
banker discovery evasion impact persistence collection credential_access
Score

8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

8/10

SHA256

36f7fddcea9b92869a582e43772f86e17d996d73b9f172ff5be834c1f8649a18

Threat Level: Likely malicious

The file 6777d1c63e11aeafacfb47a0bb505672_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Checks Android system properties for emulator presence.

Queries information about running processes on the device

Queries the mobile country code (MCC)

Checks CPU information

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Reads information about phone network operator.

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 13:46

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 13:46

Reported

2024-05-22 13:53

Platform

android-x86-arm-20240514-en

Max time kernel

68s

Max time network

131s

Command Line

kx.app.notes.diary.memo

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.product.model | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

kx.app.notes.diary.memo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 172.217.169.14:443 |  | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | www.coocent.net | udp
SG | 150.109.95.214:80 | www.coocent.net | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.178.3:443 |  | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
GB | 142.250.200.46:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/kx.app.notes.diary.memo/databases/note.db-journal

MD5 4e2439dacc86243f8eb1c393a7b11289
SHA1 078a780621a86511b2fbb5b8221537ebe24ce940
SHA256 24db42b9c03a21275e97b0ab2a212b4a360714d710ee46a959f53db5d30e9939
SHA512 f10207bd9c2d5d2a7fa14180f1aab66e81154a8524d1dd20a0c73ab32ab19d320d0e4cd8e28f90abc7ef8e7957b011a5df6678f15e9666339777894d10ba722a

/data/data/kx.app.notes.diary.memo/databases/note.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/kx.app.notes.diary.memo/databases/note.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/kx.app.notes.diary.memo/databases/note.db-wal

MD5 58508500876c013a50afeebe18ca967e
SHA1 75a6a29a70a173dc71d825919f2798961c5a9987
SHA256 4cdce9d65f93ba9a7a2c92aabe10cd232c60481ab4a784b2fdf8dd450f05ce6a
SHA512 ede0494fd63e65be65f9e3938004d96638e5ced89c7fe2495f15d64a6a6a1fe75ab409bf0126a208b8e62366af6c505fc343678d91c6c77a988ddc34020ba1c1

/data/data/kx.app.notes.diary.memo/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/storage/emulated/0/gift/kx.photo.editor.effect.cc

MD5 08b17796b7ef0c74f4904125a25be59e
SHA1 fa0d48484ed34214623b5f3b9a7526fffe658257
SHA256 3744fa31d2406dfa2cda308e470ac605175385b669cbc3aa31d8ea8e76feb93b
SHA512 2d18ecf25494f5b4592647010f517cf02d7720b30f06b861ab915edbda838d06e1edde76182d0303f025444fb8e2948ed77543ed7afdb90f41e830e4622dafbb

/storage/emulated/0/gift/hd.camera.photo.gallery.editor.cc

MD5 91fa277ec9ca66a8f08dee6e7d3abc05
SHA1 474d7647bb06c15e7c01e8199316d0f01b45a891
SHA256 d5a82451822919a78c05871a9ba0b6d0032538619a2bd39481fdbdfede252812
SHA512 8dcfc2945eb0091d1f65438c104afe8d04f363394880fae29cd0b66a6fa8a20b42eba650acc36810e9a5f6879267da864fc19111996eb640507b072c6f7a40a4

/storage/emulated/0/gift/picture.image.photoeditor.photogallery.folder.cc

MD5 30d8054c9e94aad0811a4b4572c04655
SHA1 cae7dc46ec6cbe665b751877b426c145d5ae3607
SHA256 176aa5f662ecb6d6c16c2d5cd05241bb47aa5fc4c235ae9543c39c2a8d1a20cc
SHA512 b7eafa83425c4c3b4e8d946ab0fd20bb885b386ff6ef30b8e03b20752b7a99178893b0b4797a5a8095743250a46e82892c480a013fb71e1802c039c02af82686

/storage/emulated/0/gift/tools.weather.forecast.cc

MD5 e2f3f8e9cc9e06676544112970a98f67
SHA1 7aab947a8fe159e936fbfad5f1b3db7e8b859b5c
SHA256 2b7a57e33f30e9a8175ff66c25cc8bd71812cc56a4e76ada99daf20f0d237a44
SHA512 9832908b0b8b2c42dc73f0d071168d5581603fbc54ac05a07fd4e3aca02060e3f84985f6dce8737019d03d93d60278b3ea032900757ef7aef53a0fbe2fb187d4

/storage/emulated/0/gift/yong.app.notes.cc

MD5 f86173a753d3035eb606ae552def33c6
SHA1 d1d22b0973dc0a7a9546ba25f143405ba4878f14
SHA256 4d1156d9b55fc48ac14bfce72c260ea86640d5aef0fae65a6af715ab89ebbf0b
SHA512 d6a66bec9a5e5a4b21a71782f15ad49d90f18f0cfdfc92878454d3427d37d48dbb9d83ccd791c0e2dd99478e0c76a079b497abe1fcdb059cbe7b977699331682

/storage/emulated/0/gift/tools.scanner.barcodescan.cc

MD5 76da067927aec3ab9779da7d9d0d38a2
SHA1 50ce936df89d32ac8462aee1b77b45dc5ee437fd
SHA256 fbf3716610d8816d06530d296e84b200b5f0457a1dc8053487ab15c84d0678a8
SHA512 e72e9a8e1c54a1dbf03468a87ca612321210b7859bfae4db51267aecc11ac9f7e1f6d5993a395fa33dff9683d9ac658041ad95b561242999934d7f75bb248d9a

/data/data/kx.app.notes.diary.memo/files/mobclick_agent_cached_kx.app.notes.diary.memo

MD5 9dd64e77198123b51473b8d000de61b1
SHA1 2b1767c40f204ccc03115f5c56fd48a923a79c5e
SHA256 27af28a238bcf6497cffd20cf510cad3bf35d356071f03e61d8ad2a88d5bbc1d
SHA512 1f74a7ff2f3330d28c6b917fa21077493a6aaef33e3d81d5a27957f1a2e350e4327b6e76165f0e2d78dbd8bd94f0e80164332a540a598577739432a3fb8a5813

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 13:46

Reported

2024-05-22 13:49

Platform

android-x64-20240514-en

Max time kernel

69s

Max time network

142s

Command Line

kx.app.notes.diary.memo

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/kx.app.notes.diary.memo/cache/1582435991586.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

kx.app.notes.diary.memo

Network

Country | Destination | Domain | Proto
GB | 142.250.178.10:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.178.10:443 |  | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | www.coocent.net | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
GB | 172.217.169.14:443 |  | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
GB | 142.250.200.46:443 |  | tcp
GB | 172.217.16.226:443 |  | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
GB | 216.58.204.68:443 |  | tcp
GB | 216.58.204.68:443 |  | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/kx.app.notes.diary.memo/databases/note.db-journal

MD5 dd89bfc91cc1045a4f6a728667b37fab
SHA1 aa8277b0e0a8e40eda0cca4682b2b50ae0f60ca1
SHA256 140045fea2f18c267bc9b48ad0f083558f99588a4bdbdc7ea8fdbb29ded972b3
SHA512 1898b70d64bb7453f6da587bbf243b1e5fcb43fac1b940ebd6dff0df31f346032a2d52ef975a1070587d4bf311b0fefacf7bc00c4595d27464dbc1a7b3f48224

/data/data/kx.app.notes.diary.memo/databases/note.db

MD5 1bb88fdcdd191c3a638cd6dab200303b
SHA1 90652eceecf5190a54b9a38225ef9b65893d1ea9
SHA256 b21e9015d9ae4caa48aa809460dd1c286805002f80b9dbd0eb1b6c94bfb1c732
SHA512 4606e4dbbe1a59329b9aca7a915af8a62ab67abff57ccb59e33692a44ceb68ba9d0ff64145b4520dc6fd1586fc15244310c98b501f18f26465fb163b018ea057

/data/data/kx.app.notes.diary.memo/databases/note.db-journal

MD5 848949d39ec404608f8ddffc1402ce8f
SHA1 1e23980d9297424e6d8c32c2230c818a2a291521
SHA256 a1114637ecb5691f73f02bf7f37b5bce97cdae0cc9e6d926db20ee238cdd054a
SHA512 9266ffd882057ead31cdb212d82a5f9029e7e395301efe86a47b006a080b2476c254e1f8a48cdf361eccdca368573972a8b100cf537281536f17e20e1e333eb5

/data/data/kx.app.notes.diary.memo/databases/note.db-journal

MD5 ebca62ced08ef924203073b0b6dc38f1
SHA1 c0bc059bfb3c37d2de4ee07d3fb3d6fdb9652e6c
SHA256 f997583879b19785389162872766790f0e1e3c07ea6f2971412594cdb2b97e34
SHA512 505e5abf50ddd4f04824fe741fd57a8e8402a7dd081941d0f053b0a86d9127d046e8a2a21863db134e50d9c7707e61633488980d1a56b64d4d586d7dec9f412c

/data/data/kx.app.notes.diary.memo/databases/note.db-journal

MD5 425b2fb115ce76e7cb389f52d5c3fab2
SHA1 24a2be36a931146cba7e77697de9f5df80c540d4
SHA256 4c8f9d11a70fe241a11f4129e624f1741e306dbd7e1a5444bdc9e29d5ca12d8c
SHA512 bb9a5df065a812ccf9f120ecdf804531cd4f23237fde8b77310357c2cfbdef5c7a87fb04c0bd54bea21546a02ce9d81dd7c70b2de77aca6a8c209786795b47ee

/data/data/kx.app.notes.diary.memo/databases/note.db-journal

MD5 f8c1bb9e3a1d6fe46e7b24d934ddc83a
SHA1 9bb163671b2332320b48d33b10bb88075648e8db
SHA256 fcd0ac3bc14168581f2a79e3c801f22a7b225645b3d6eb1886a5da16482ca23f
SHA512 e1dd6209d7ca4848f4d21c409eea2a502ed40b00cf4b196fc2c4c3d4af39e46dea9faa1628176fdcda2bc50e7ffb85fec49b85ab2910858e69bde0912dcb2185

/data/data/kx.app.notes.diary.memo/databases/note.db-journal

MD5 a1dc199d7655e4eb76cc81e1c8809061
SHA1 6d62dba5260d7c77ce3169100b2a0c2a37d68f52
SHA256 00affe9b86c8a4ec166c1f31d97672f0a08924d27fa5452551dc7ff827472b6c
SHA512 4f9a022da57cbef52b729f098fa16103176c1531b9b59974ae1326b3a76aa133591a266c210569aaad0e97e5f8775cf5e4148b36ddf24a8854d3371d26f44f6f

/data/data/kx.app.notes.diary.memo/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/kx.app.notes.diary.memo/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/storage/emulated/0/gift/kx.photo.editor.effect.cc

MD5 b8096e8f6d3edeedf06e8547298cae3f
SHA1 5bb74aeaf80f6862419c2f329f81c94ee07cc9ed
SHA256 9dbc3d95191b8c68a7927bf55c1fd96d04c3b3901575126a700db26140904c4f
SHA512 1488d3525addfca6c6434fcb043d6b81753c32fe0d9b8b6d33476f24db8e2113cac887d31fbbedf24145a05e0b0816a433d7fbe3bb6b6adec20e03fd5ba18524

/storage/emulated/0/gift/hd.camera.photo.gallery.editor.cc

MD5 a1b1da22ed0adea0c34b1a81e082880b
SHA1 b1c4a343dee1038127055ef0a18b4fd564969144
SHA256 23dad30a05270483e0210a4a8baed816ef95b9c8e1a194fe829428f7385d3e97
SHA512 11baad8ca6e44d01d75d29debe7f8b833301fa565ee576a52ffb8b62b1b7978563302e82cb1f122150b8c105a6c1951f4f0ee8eadf5916b0b8cc4389a3a2b0cd

/storage/emulated/0/gift/picture.image.photoeditor.photogallery.folder.cc

MD5 b2250924c9665c73a4c79486d3caa18a
SHA1 5d4789e6996f9ad1dc44dacf1b6f88771fbd7ac9
SHA256 d6d5ec7a6fc36d919b37fbd3f8e8ccda1a90433a346af69238efe9b7aff4b59a
SHA512 09c992466c3e47482da9f6d72102b013759ea3516cd43ef62821796bb514178e3b964a390e7f3d4134020daae551fe90b2c61744eea0b12b9f9130e7f4fd428d

/storage/emulated/0/gift/tools.weather.forecast.cc

MD5 124277cc81b5e530a94337823341b4f0
SHA1 1d798fb5da3a5519fb7c16d77e4dd02891c8d3d7
SHA256 6012af15b7267a8d6a043eeadb62736c7527405e9369cd77054a8114b097308e
SHA512 19e98f6da29fdfb96396d2eedf06411ab95accc94f112d010201801c502c1c75cf2d907dcad257c090468cfdf4f6165071e3e4c3fe2fa6544953a03630ff0fd8

/storage/emulated/0/gift/yong.app.notes.cc

MD5 3cfe50823d6c654b15093abfe51650d8
SHA1 8da72ff53d93d94dae662661da31207cb9b41c5c
SHA256 53369701378744d74da2d55676c6156facb58ec7be09e3bb51b2c77483c26518
SHA512 0ee10ab2717b0423acc48c953265339194277d4df795768c14866ed14abf098426c8e73d75ef10cdfa6b3a3cc2997e21e2a0c6b1495dbd2c82dba56c62d43096

/storage/emulated/0/gift/tools.scanner.barcodescan.cc

MD5 5e976972ce82f1e658d82faa53d5b618
SHA1 1b045d168ab809d06c11b0913fb23aacca60f1d6
SHA256 8f83497e9b3872c9878b60e3f6ad6e1eb1a412c5901981e3f714c47bf7278636
SHA512 d6f3e0ef3c6681bff332e6dcffb5caa6c2b737d53dbc81bcdf1f5ba1a85ae7098e8f364531a839aab6036a8418051b11fb16df8cfd2ba41ce8054f5301691cae

/data/data/kx.app.notes.diary.memo/files/mobclick_agent_cached_kx.app.notes.diary.memo

MD5 8200a9ed15977dadfbe35bfcd5f37eb3
SHA1 74f890744ded7831353a7e323dd95b5eae49279c
SHA256 07f9b9a99a152fb9c2e916d126d5eeb4fb33a888b9c9f9882906cafd30cfcdad
SHA512 27bd33f83d91c804c68f001b06e783ed8a9781c975e24bdeb15d4352425b459effcf412a83d39b2607d9b9c1d5df8d2d8af69845a52639b3a5b060648e47fa77

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 13:46

Reported

2024-05-22 13:49

Platform

android-x64-arm64-20240514-en

Max time kernel

69s

Max time network

167s

Command Line

kx.app.notes.diary.memo

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/kx.app.notes.diary.memo/cache/1582435991586.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

kx.app.notes.diary.memo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.200.46:443 |  | tcp
GB | 142.250.200.46:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | www.coocent.net | udp
SG | 150.109.95.214:80 | www.coocent.net | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
SG | 150.109.95.214:80 | www.coocent.net | tcp
GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
SG | 150.109.95.214:80 | www.coocent.net | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
GB | 216.58.201.100:443 |  | tcp
GB | 216.58.201.100:443 |  | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
GB | 142.250.187.206:443 |  | tcp
GB | 216.58.201.98:443 |  | tcp

Files

/data/user/0/kx.app.notes.diary.memo/databases/note.db-journal

MD5 6ecd009d753813543787aa2ed48f9b6f
SHA1 74073b1e38d766a7115343aad5268467fa5bc5e4
SHA256 546869c80af2b32771ed4423d3c1d3ab9d22215cb61cbe6f708dd0c9005e1d16
SHA512 27438124b98f22e3d9bdd905e0cad3e7e5b9d1c61b8f4f4cd7492659ca4b8337a618954343d4cb5947750b866199cd9e70e184459eed8cd722b5b86e86e9151f

/data/user/0/kx.app.notes.diary.memo/databases/note.db

MD5 f2135f4c0f603d86cd3b961519aa816e
SHA1 db9ac1cad795a01cbeee6b1a9211d7c09a6a64c6
SHA256 10c1910344a3892b41748da29af4207d2c741654f3b4fab62e436f8b6213efcd
SHA512 6e7a5faaeee104f9b8f8dfcd520f277855b883a3392a4c969d96483915b8e30932e0cc88744076b594cd9003cb8d9a68ffc8944c7f425c7eb1f43a21a74c668f

/data/user/0/kx.app.notes.diary.memo/databases/note.db-journal

MD5 ae44b1de99d48928819e7d2d8d8f24bb
SHA1 5e2dbb979f087993b24f647d7aff9ee32bc2edf6
SHA256 bd2f8babf279a4b364e90511b258fbcb692c8c1fd233a426df6a3352c7dcc79c
SHA512 2a24be47e1c66f98bdc58449d01db441e22a8489c5c584e4ed24d114f05314690a25a5e54773e5ef70b3b68194bbdda7fd468f06ba52225b3e3a071a16bad410

/data/user/0/kx.app.notes.diary.memo/databases/note.db-journal

MD5 6bb6085694798d2cbb1b40bb15d9395e
SHA1 28609597a9de2ad5a01cc414ef0faa023746dc52
SHA256 f364e61e67e5302b5fed7351d5e94a197819f16dc031f4977c9e76cde96115ef
SHA512 175df50961e7463f3ddb240adb8a7e649fe1b88d7384f2dcd6e0ea7f65376bd7da760f2f4c455455116a70d0687d0457501f249c48b4711d89037aa562aa1072

/data/user/0/kx.app.notes.diary.memo/databases/note.db-journal

MD5 e2dd5eaa8b6745b866ee6364cfdaf00f
SHA1 6c92dfc39a8ceeb010c0057d7b85118982523a4b
SHA256 21780bf0538ea9b40a2a7eb96e4cd20a8f4c8d538e4b4b2f52f1a57a29ab02ed
SHA512 a4c69b8298b710429ea3d00c234d14925c50553e0073ecb0ed536358b9aa1fbe39357107cd562c5097a5f8c85746c7b79f562d3c4fea889552d3d59f4d67cf9c

/data/user/0/kx.app.notes.diary.memo/databases/note.db-journal

MD5 ceb655e85e1c5ca374dc5068147b2492
SHA1 80eb7c19bafeceffb38ee3feaafa2989ae12adb3
SHA256 d34aa036e11c8896a57a6535880a4b7b39c2bddbab60f66024f8f3c0e67f349b
SHA512 e6246a3577bce4df9655465111e2753fcc40ba69f8ada8f187c804898a4bc2cc2cb1c7bfb05cea69e108548b9177bf95a51b779c3e696a94f08e017929f27490

/data/user/0/kx.app.notes.diary.memo/databases/note.db-journal

MD5 9e5c30509bdc9147520707cfa9b21a65
SHA1 04d82c8f5bd79c600853d2b946009eabbf454218
SHA256 4967d7338b5582d79569d9fe93f978ef73f810ebc19d2594115fd0fb04f5c0b6
SHA512 07cc538d572420d147537743a03154d44949b96b89e1c07be286eed5bf9bfbc848a00f9045b410e273d44778eb8975e5a60bef31808c011219ac230c558f5abf

/data/user/0/kx.app.notes.diary.memo/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/kx.app.notes.diary.memo/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/storage/emulated/0/gift/kx.photo.editor.effect.cc

MD5 b8096e8f6d3edeedf06e8547298cae3f
SHA1 5bb74aeaf80f6862419c2f329f81c94ee07cc9ed
SHA256 9dbc3d95191b8c68a7927bf55c1fd96d04c3b3901575126a700db26140904c4f
SHA512 1488d3525addfca6c6434fcb043d6b81753c32fe0d9b8b6d33476f24db8e2113cac887d31fbbedf24145a05e0b0816a433d7fbe3bb6b6adec20e03fd5ba18524

/storage/emulated/0/gift/hd.camera.photo.gallery.editor.cc

MD5 a1b1da22ed0adea0c34b1a81e082880b
SHA1 b1c4a343dee1038127055ef0a18b4fd564969144
SHA256 23dad30a05270483e0210a4a8baed816ef95b9c8e1a194fe829428f7385d3e97
SHA512 11baad8ca6e44d01d75d29debe7f8b833301fa565ee576a52ffb8b62b1b7978563302e82cb1f122150b8c105a6c1951f4f0ee8eadf5916b0b8cc4389a3a2b0cd

/storage/emulated/0/gift/picture.image.photoeditor.photogallery.folder.cc

MD5 b2250924c9665c73a4c79486d3caa18a
SHA1 5d4789e6996f9ad1dc44dacf1b6f88771fbd7ac9
SHA256 d6d5ec7a6fc36d919b37fbd3f8e8ccda1a90433a346af69238efe9b7aff4b59a
SHA512 09c992466c3e47482da9f6d72102b013759ea3516cd43ef62821796bb514178e3b964a390e7f3d4134020daae551fe90b2c61744eea0b12b9f9130e7f4fd428d

/storage/emulated/0/gift/tools.weather.forecast.cc

MD5 124277cc81b5e530a94337823341b4f0
SHA1 1d798fb5da3a5519fb7c16d77e4dd02891c8d3d7
SHA256 6012af15b7267a8d6a043eeadb62736c7527405e9369cd77054a8114b097308e
SHA512 19e98f6da29fdfb96396d2eedf06411ab95accc94f112d010201801c502c1c75cf2d907dcad257c090468cfdf4f6165071e3e4c3fe2fa6544953a03630ff0fd8

/storage/emulated/0/gift/yong.app.notes.cc

MD5 3cfe50823d6c654b15093abfe51650d8
SHA1 8da72ff53d93d94dae662661da31207cb9b41c5c
SHA256 53369701378744d74da2d55676c6156facb58ec7be09e3bb51b2c77483c26518
SHA512 0ee10ab2717b0423acc48c953265339194277d4df795768c14866ed14abf098426c8e73d75ef10cdfa6b3a3cc2997e21e2a0c6b1495dbd2c82dba56c62d43096

/storage/emulated/0/gift/tools.scanner.barcodescan.cc

MD5 5e976972ce82f1e658d82faa53d5b618
SHA1 1b045d168ab809d06c11b0913fb23aacca60f1d6
SHA256 8f83497e9b3872c9878b60e3f6ad6e1eb1a412c5901981e3f714c47bf7278636
SHA512 d6f3e0ef3c6681bff332e6dcffb5caa6c2b737d53dbc81bcdf1f5ba1a85ae7098e8f364531a839aab6036a8418051b11fb16df8cfd2ba41ce8054f5301691cae

/data/user/0/kx.app.notes.diary.memo/files/mobclick_agent_cached_kx.app.notes.diary.memo

MD5 2b06178ef102980cb19812c901b57217
SHA1 1790fa0b15b16903983542ea3353ad431470fb70
SHA256 1d9decf198d100f1c0cd4cc8094643ddc2d32263ca920ca9d472d5c604894e2f
SHA512 5a8c30a1c40253227b213372db51d9253526227eb8a8b44308f5007694428d1fa746b89ef4b35f8b8993bdc469e09ae942d6943b6e6914f32863a771fe2e2702