Malware Analysis Report

2025-01-06 10:33

Sample ID: 240601-d4t4bsha96
Target: 894015828ab74e0f16316bf2234c54f6_JaffaCakes118
SHA256: 31cc19df16995af1ab100caad371166002bbb79160507d06bc26f1b4cda53ee9
Tags: discovery evasion impact persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 31cc19df16995af1ab100caad371166002bbb79160507d06bc26f1b4cda53ee9

Threat Level: Likely malicious

The file 894015828ab74e0f16316bf2234c54f6_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks Android system properties for emulator presence.

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Checks Qemu related system properties.

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Checks if the internet connection is available

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-01 03:34

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 03:34
Reported: 2024-06-01 03:37
Platform: android-x86-arm-20240514-en
Max time kernel: 177s
Max time network: 182s

Command Line

com.zhihuielectric

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.bootmode N/A N/A
Accessed system property key: ro.hardware N/A N/A
Accessed system property key: ro.product.device N/A N/A
Accessed system property key: ro.product.model N/A N/A
Accessed system property key: ro.product.name N/A N/A
Accessed system property key: ro.serialno N/A N/A
Accessed system property key: ro.bootloader N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks Qemu related system properties.

evasion
Description Indicator Process Target
Accessed system property key: ro.kernel.android.qemud N/A N/A
Accessed system property key: ro.kernel.qemu.gles N/A N/A
Accessed system property key: ro.kernel.qemu N/A N/A
Accessed system property key: init.svc.qemud N/A N/A
Accessed system property key: init.svc.qemu-props N/A N/A
Accessed system property key: qemu.hw.mainkeys N/A N/A
Accessed system property key: qemu.sf.fake_camera N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.zhihuielectric/.jiagu/classes.dex N/A N/A
N/A /data/data/com.zhihuielectric/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.zhihuielectric/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.zhihuielectric/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.zhihuielectric/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.zhihuielectric/.jiagu/classes.dex N/A N/A
N/A /data/data/com.zhihuielectric/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.zhihuielectric/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.zhihuielectric/.jiagu/tmp.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A
N/A b.appjiagu.com N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zhihuielectric

chmod 755 /data/data/com.zhihuielectric/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zhihuielectric/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.zhihuielectric/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

com.zhihuielectric:mult

/system/bin/sh -c type su

sh -c ps

ps

ps daemonsu

ps | grep su

Network


Files

/data/data/com.zhihuielectric/.jiagu/libjiagu.so

/data/data/com.zhihuielectric/.jiagu/classes.dex

/data/data/com.zhihuielectric/.jiagu/classes.dex

/data/data/com.zhihuielectric/.jiagu/classes.dex!classes2.dex

/data/data/com.zhihuielectric/.jiagu/tmp.dex

/data/data/com.zhihuielectric/.jiagu/tmp.dex

/data/data/com.zhihuielectric/files/.jglogs/.jg.ri

/data/data/com.zhihuielectric/files/.jiagu.lock

/data/data/com.zhihuielectric/files/.jglogs/.jg.ac

/data/data/com.zhihuielectric/files/.jglogs/.jg.ic

/data/data/com.zhihuielectric/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId

/data/data/com.zhihuielectric/files/libcuid.so

/data/data/com.zhihuielectric/app_crashrecord/1004

/data/data/com.zhihuielectric/databases/bugly_db_-journal

/data/data/com.zhihuielectric/databases/bugly_db_

/data/data/com.zhihuielectric/databases/bugly_db_-shm

/data/data/com.zhihuielectric/databases/bugly_db_-wal

/data/data/com.zhihuielectric/app_crashrecord/1004

/storage/emulated/0/data/.push_deviceid

/data/data/com.zhihuielectric/app_crashrecord/1004

/data/data/com.zhihuielectric/files/.jglogs/.jg.di

/data/data/com.zhihuielectric/files/.jglogs/.jg.ac

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-01 03:34
Reported: 2024-06-01 03:37
Platform: android-x64-20240514-en
Max time kernel: 7s
Max time network: 130s

Command Line

com.zhihuielectric

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zhihuielectric/[email protected] N/A N/A
N/A /data/user/0/com.zhihuielectric/[email protected]!classes2.dex N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.zhihuielectric

Network


Files

/data/data/com.zhihuielectric/.jiagu/libjiagu.so

/data/data/com.zhihuielectric/.jiagu/libjiagu_64.so

/data/data/com.zhihuielectric/.jiagu/classes.dex

/data/user/0/com.zhihuielectric/[email protected]

/data/user/0/com.zhihuielectric/[email protected]!classes2.dex

/data/data/com.zhihuielectric/files/.jglogs/.jg.ri

/data/data/com.zhihuielectric/files/.jiagu.lock

/data/data/com.zhihuielectric/files/.jglogs/.jg.ac

/data/data/com.zhihuielectric/files/.jglogs/.jg.ic

/data/data/com.zhihuielectric/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId

/data/data/com.zhihuielectric/files/libs/libBaiduMapSDK_base_v5_0_0.so