Malware Analysis Report

2025-01-19 06:54

Sample ID 240523-qek6cacb7s
Target yzxj-V3.0.8.apk
SHA256 a520b2fb06448ed7dadc7d1b122af67b3bd97c0e984f6f4a454ec42037a9b340
Tags
discovery evasion impact persistence collection credential_access
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

a520b2fb06448ed7dadc7d1b122af67b3bd97c0e984f6f4a454ec42037a9b340

Threat Level: Likely malicious

The file yzxj-V3.0.8.apk was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Checks known Qemu files.

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks known Qemu pipes.

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 13:10

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 13:10

Reported

2024-05-23 14:10

Platform

android-x86-arm-20240514-en

Max time kernel

126s

Max time network

178s

Command Line

com.jsch.inspection

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Checks known Qemu files.

evasion
Description | Indicator | Process | Target
N/A | /system/lib/libc_malloc_debug_qemu.so | N/A | N/A
N/A | /sys/qemu_trace | N/A | N/A
N/A | /system/bin/qemu-props | N/A | N/A

Checks known Qemu pipes.

evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.jsch.inspection

/system/bin/sh -c getprop

getprop

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp

Files

/data/data/com.jsch.inspection/app_crashrecord/1004

MD5 6d05dfde8fbfe4977e66cd1198523636
SHA1 104219cb9364fb9054ac83b16477b480eb155801
SHA256 d8c4e6d159c04de1a76a67219f169ff90bd81d0f56e5a464b5c48d88f81c587f
SHA512 db72b42ab1fcd7c4a53d93e7c0243bda02e19d9f57f83352f88588d732d363d4bb5f49af074c3a0fb4f15078e887be940b473d34699ad12b28cf0e6e1dc1b380

/data/data/com.jsch.inspection/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.jsch.inspection/databases/bugly_db_-journal

MD5 9134a58e45d5e8be802e1a81581fdebf
SHA1 5addb4eaf7012f02d96db86b66ef55cd55a725ce
SHA256 10f4c6dbbbcf7acfc7daca46c2bb6364d4c01364fda91249ddb98470de5896e4
SHA512 2b6eebbd457bac22a168621184b7b263e8dd26fafacf763c8ce5fa343ebb98458534d585c07feab986b1b62ce79ef0d962f516bad0150cd7fe05e7ba98e27f08

/data/data/com.jsch.inspection/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.jsch.inspection/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jsch.inspection/databases/bugly_db_-wal

MD5 5b401e5cc7cd3118b833e49b5c093532
SHA1 f77844b07f56360db505f7dda9be701980ecbbe8
SHA256 012a83dee78aa4a6ea191da41f42231448c4e4a55c5786ef7aac9b6ef2bf51b7
SHA512 dd9f3405d0a9faa16e632eed9c5805be829f178572c1a6dfe3396e831615f4870f8ea870eb37dfe90fe85c245917444572d900b98d6bfadbe72d8bc29dd42986

/data/data/com.jsch.inspection/lib-main/dso_state

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

/data/data/com.jsch.inspection/lib-main/dso_deps

MD5 0aba781f304e48a23b987045a6bab0b6
SHA1 5b7dcd660232e31b2b2487e12c2d302d94f70acc
SHA256 ad561ad4bb6a31cab8a8dbd2e012245ab2037a5bfc967f900747f4c8fb2d9d93
SHA512 66dabb3d7e4fa44b2f0fd593bb91d8153b6bf4791a6e3b69c31bd8e6d5f2abe24c04fb3182c2d5dc8aa5521763de4191796bc6d21cb473bebeda7197dea22993

/data/data/com.jsch.inspection/lib-main/dso_manifest

MD5 c06857e9ea338f3f3a24bb78f8fbdf6f
SHA1 c5a0a2529d2deb60fec041b4fbd722a2ebe31702
SHA256 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027
SHA512 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

/data/data/com.jsch.inspection/lib-main/dso_state

MD5 55a54008ad1ba589aa210d2629c1df41
SHA1 bf8b4530d8d246dd74ac53a13471bba17941dff7
SHA256 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
SHA512 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

/data/data/com.jsch.inspection/files/inspection.realm.lock

MD5 ef9bcb7f9debe6ce187ffbfe8c893642
SHA1 157220dc43adf5b4f21ccb0374a95b6a83b63f6a
SHA256 9f01c0871b49c1ebd3630da22bedd3975fb8106724528e21308f6aaab77bc89d
SHA512 1e8885f365b3b9f7b3f2b7778b2d4308f7130df178334490a130be569bbd5e6db04652df0d93a4291216feefee512ccd446829e7b4059a3ecddca9dca1fbd292

/data/data/com.jsch.inspection/files/inspection.realm

MD5 a6574431b943e0bf47642c666f3fbbe7
SHA1 79191cabd86accd903f27c523c95ef19933c64d1
SHA256 60692d3a39b5fa2c7ea60c7be7014c2069f7c0a3fedafa269addd8143ec15f6d
SHA512 c438e1cda3bce0de04a34e3f53f17f7cdd235e80c656c31e43a21b37e77dfd90de14c17a5c6719b84a14899ff41107a75790b35306c7ecb1674d6f60de9bbbef

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 13:10

Reported

2024-05-23 13:44

Platform

android-x64-arm64-20240514-en

Max time kernel

128s

Max time network

183s

Command Line

com.jsch.inspection

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /data/local/xbin/su | N/A | N/A
N/A | /data/local/bin/su | N/A | N/A
N/A | /data/local/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Checks known Qemu files.

evasion
Description | Indicator | Process | Target
N/A | /system/lib/libc_malloc_debug_qemu.so | N/A | N/A
N/A | /sys/qemu_trace | N/A | N/A
N/A | /system/bin/qemu-props | N/A | N/A

Checks known Qemu pipes.

evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.jsch.inspection

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp

Files

/data/user/0/com.jsch.inspection/app_crashrecord/1004

MD5 9618353aad4203804e27d696644a58ed
SHA1 96effa7371fafae104950487d3e6b4410bbbf80a
SHA256 00dfe51405c27055b8ac32be63a7db99f552ed914a087cb7e161304eddc9ba7f
SHA512 4fd42c38b8f0ef44cba09f53bee7737620b6124426c24d7f2b33036ecaa0c097125f339fff851fb4c7ac8573e1167377d3551032e31f68d251576543702f53bc

/data/user/0/com.jsch.inspection/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/user/0/com.jsch.inspection/databases/bugly_db_-journal

MD5 bd96449281979a22ba5cdcfe97be94f6
SHA1 3bc2cbf718eeb439c1d1d431f8211155e7cd0967
SHA256 b741a13dde3619cfa799f28d95b9a198037b3083f47962588d1286070f705ed3
SHA512 10893a2f75cf8c1040750e0ca6a554feff4798bd6828927c76941e1e41084b7094d79d52dee018c6319ea13e0cdd88622adbc192426e5dd83f86ccbbf78112db

/data/user/0/com.jsch.inspection/databases/bugly_db_

MD5 5b3e9388ba96cda501607e8a98def143
SHA1 389d5dcab12ba6ee488693813474c6f2178d9a93
SHA256 b5d696c201e5f90978dd4be7290a0d8ca202529426914d081e26fb24aa0a0cff
SHA512 5194cd05b21429293bc53000469f483580fd3c9e1c031ea147c3916fad158378ea91c858367dbaa8d3a90b81e5ed7a8854c5be6a7b4dc816f46059cd8e2d55fa

/data/user/0/com.jsch.inspection/databases/bugly_db_-journal

MD5 d4de646e20293afabe096cd205530162
SHA1 6b6b81e9639675e3c46fea1a58c8dcb2b6b000ac
SHA256 19ac74e655913bdfcc8e7cc43387a478e5f5d57aa1e2c5cc06097d5241cc0cbd
SHA512 27dc4a80bfaef47f7d1b93af55cc087a37549e6872b4bd7c1cc5e8600f29e8a967e1b5413da5587ff9954fa1e77a6e1531203dfbd7b5ed40e8b603c17f1d9dee

/data/user/0/com.jsch.inspection/databases/bugly_db_-journal

MD5 1fdd5c47ad20783738c79ede26af3dc0
SHA1 cb1fc772f4a86d3193e177873168c9ea85afada6
SHA256 b96bed12e5ca8f4452c3aab86361ecfe1c4c8a8e339d04d479cefbba12a91163
SHA512 b5ce37dde9ef2c8a16c5b47b0f268b6af89c4630e2a0c13b77f96744bf245d480176de19d261dd7f977e6d0017f9694dbfb762ed80f281ee42156c16bdc35693

/data/user/0/com.jsch.inspection/lib-main/dso_state

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

/data/user/0/com.jsch.inspection/lib-main/dso_deps

MD5 2fab8380146af3fbc1f62fadc4ea2850
SHA1 33c64e71b73c53015de93976d7d9d44f2ce27998
SHA256 52f048f5bee561e4ff9399a64016dcfd57b97c42aa8569ad91a2be565203cc8e
SHA512 dc2800d2b5852e64ed5788a281532998ac5abd0ba9cd1b42b53b7a7f563298980551f4b25a7b4ec908bf1b4ba8149b5c0eed28e798d8932505c4bd841654b08a

/data/user/0/com.jsch.inspection/lib-main/dso_manifest

MD5 c06857e9ea338f3f3a24bb78f8fbdf6f
SHA1 c5a0a2529d2deb60fec041b4fbd722a2ebe31702
SHA256 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027
SHA512 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

/data/user/0/com.jsch.inspection/lib-main/dso_state

MD5 55a54008ad1ba589aa210d2629c1df41
SHA1 bf8b4530d8d246dd74ac53a13471bba17941dff7
SHA256 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
SHA512 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

/data/user/0/com.jsch.inspection/databases/bugly_db_-journal

MD5 089b30f627db0d16b7f241f1e8271e11
SHA1 c6d08c69d01862f5c1e6853e6b13f65052338d5e
SHA256 dcc160648f9596749a190aabd8d9a74dbc538e2615aed8ba80afde2438d867e3
SHA512 52e8b439aabd4b66828b03c1821460c8a289a2234f7431c84c71a116cc6d761729ce3d3509223c2e066007b52636ef990c1ecf504d55dd99b08aeab27ad20554

/data/user/0/com.jsch.inspection/databases/bugly_db_-journal

MD5 9fa00f3e66e22f7d1e2f1b974758b102
SHA1 a2e6ac737aca6576d6236c26fe1c2ddabdb412ce
SHA256 1949644532ed10a056d3ecc108d5f304595167af04a3a2e57036afe0d40b0a82
SHA512 60630184bdd92b9a627b1308c95530d09a26ebf440ffc61c730e2d5dd4a35a5b78d4a03b7d6266376a1abafe559d116f0627865aad961db2754a83ba9bc15dcd

/data/user/0/com.jsch.inspection/files/inspection.realm.lock

MD5 ef9bcb7f9debe6ce187ffbfe8c893642
SHA1 157220dc43adf5b4f21ccb0374a95b6a83b63f6a
SHA256 9f01c0871b49c1ebd3630da22bedd3975fb8106724528e21308f6aaab77bc89d
SHA512 1e8885f365b3b9f7b3f2b7778b2d4308f7130df178334490a130be569bbd5e6db04652df0d93a4291216feefee512ccd446829e7b4059a3ecddca9dca1fbd292

/data/user/0/com.jsch.inspection/files/inspection.realm

MD5 a6574431b943e0bf47642c666f3fbbe7
SHA1 79191cabd86accd903f27c523c95ef19933c64d1
SHA256 60692d3a39b5fa2c7ea60c7be7014c2069f7c0a3fedafa269addd8143ec15f6d
SHA512 c438e1cda3bce0de04a34e3f53f17f7cdd235e80c656c31e43a21b37e77dfd90de14c17a5c6719b84a14899ff41107a75790b35306c7ecb1674d6f60de9bbbef

/data/user/0/com.jsch.inspection/databases/bugly_db_-journal

MD5 2e958456c12863b9cbf46c23248a87d5
SHA1 68f47da78ddf422e8e33aff419bf64a0c089bc0e
SHA256 83df789748f9e1d249a1bbf6b796ef44133bc2abd9e7eab66aad7b1a5f264150
SHA512 e340d37356401772a177c2aa9ecf8a8a76afc14f9c6f6c2bf4c1b600fde9e72540b3da9a8755bbe0db928dc6a4015f57468aaece29beb2421af772c1aba412f1