Malware Analysis Report

2025-01-06 09:59

Sample ID: 240601-eqd1maaa55
Target: 8951daf652772f6953e067d7ca815116_JaffaCakes118
SHA256: 4f32a98ae8727f66e649c243b938d4cbdabeb0789dd8ee505df8ee509aec1d89
Tags: discovery, evasion, impact, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 4f32a98ae8727f66e649c243b938d4cbdabeb0789dd8ee505df8ee509aec1d89

Threat Level: Likely malicious

The file 8951daf652772f6953e067d7ca815116_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, impact, persistence

Checks if the Android device is rooted.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks Android system properties for emulator presence.

Checks Qemu related system properties.

Checks CPU information

Checks memory information

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:08

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:08

Reported

2024-06-01 04:11

Platform

android-x86-arm-20240514-en

Max time kernel

149s

Max time network

155s

Command Line

com.aspirecn.xiaoxuntongParent.cq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.hardware N/A N/A
Accessed system property key: ro.product.device N/A N/A
Accessed system property key: ro.product.model N/A N/A
Accessed system property key: ro.product.name N/A N/A
Accessed system property key: ro.serialno N/A N/A
Accessed system property key: ro.bootloader N/A N/A
Accessed system property key: ro.bootmode N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks Qemu related system properties.

evasion
Description Indicator Process Target
Accessed system property key: init.svc.qemud N/A N/A
Accessed system property key: init.svc.qemu-props N/A N/A
Accessed system property key: qemu.hw.mainkeys N/A N/A
Accessed system property key: qemu.sf.fake_camera N/A N/A
Accessed system property key: ro.kernel.android.qemud N/A N/A
Accessed system property key: ro.kernel.qemu.gles N/A N/A
Accessed system property key: ro.kernel.qemu N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/classes.dex N/A N/A
N/A /data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/tmp.dex N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A b.appjiagu.com N/A N/A
N/A alog.umeng.com N/A N/A
N/A s.appjiagu.com N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.aspirecn.xiaoxuntongParent.cq

chmod 755 /data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/classes.dex --dex-file=/data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.aspirecn.xiaoxuntongParent.cq/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed

sh -c ps

ps

ps daemonsu

ps | grep su

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:08

Reported

2024-06-01 04:11

Platform

android-x64-20240514-en

Max time kernel

16s

Max time network

150s

Command Line

com.aspirecn.xiaoxuntongParent.cq

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.aspirecn.xiaoxuntongParent.cq/[email protected] N/A N/A
N/A /data/user/0/com.aspirecn.xiaoxuntongParent.cq/[email protected]!classes2.dex N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.aspirecn.xiaoxuntongParent.cq

Network


Files
