Malware Analysis Report

2024-09-09 13:39

Sample ID 240602-28w1gsaf5s
Target 8fc642358c5aeb7ec649b35d938d847d_JaffaCakes118
SHA256 aefa3f59d16797388f909c9e278f8d36d33f5363f978fe2eff640a22797726b7
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: aefa3f59d16797388f909c9e278f8d36d33f5363f978fe2eff640a22797726b7

Threat Level: Likely malicious

The file 8fc642358c5aeb7ec649b35d938d847d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker collection discovery evasion persistence stealth trojan

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Queries information about the current Wi-Fi connection

Loads dropped Dex/Jar

Queries information about running processes on the device

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries account information for other applications stored on the device

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Checks if the internet connection is available

Reads information about phone network operator

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-02 23:15

Signatures

Requests dangerous framework permissions

Indicator (permission) - Description (Process and Target: N/A for every row)
android.permission.WRITE_EXTERNAL_STORAGE - Allows an application to write to external storage.
android.permission.GET_ACCOUNTS - Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE - Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW - Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA - Required to be able to access the camera device.
android.permission.RECORD_AUDIO - Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE - Allows an application to read from external storage.
android.permission.WRITE_CONTACTS - Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS - Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION - Allows an app to access approximate location.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 23:15
Reported: 2024-06-02 23:18
Platform: android-x86-arm-20240514-en
Max time kernel: 178s
Max time network: 177s

Command Line

com.mckt.dtlp.iexh

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker, discovery

Removes its main activity from the application launcher
Tags: stealth, trojan, evasion
Indicator: N/A

Checks CPU information
Tags: evasion, discovery
Indicator: file opened for read: /proc/cpuinfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar

Queries account information for other applications stored on the device
Tags: collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
Tags: discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks if the internet connection is available
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Indicator: alog.umeng.com

Reads information about phone network operator
Tags: discovery

Processes

com.mckt.dtlp.iexh

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.mckt.dtlp.iexh/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.mckt.dtlp.iexh:daemon

Network


Files

/data/data/com.mckt.dtlp.iexh/app_mjf/tdz.jar
/data/data/com.mckt.dtlp.iexh/app_mjf/ddz.jar
/data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar
/data/data/com.mckt.dtlp.iexh/databases/lezzd-journal
/data/data/com.mckt.dtlp.iexh/databases/lezzd
/data/data/com.mckt.dtlp.iexh/databases/lezzd-shm
/data/data/com.mckt.dtlp.iexh/databases/lezzd-wal
/data/data/com.mckt.dtlp.iexh/files/umeng_it.cache
/data/data/com.mckt.dtlp.iexh/files/.umeng/exchangeIdentity.json
/data/data/com.mckt.dtlp.iexh/files/.um/um_cache_1717370262054.env
/data/data/com.mckt.dtlp.iexh/files/mobclick_agent_cached_com.mckt.dtlp.iexh1

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 23:15
Reported: 2024-06-02 23:18
Platform: android-x64-20240514-en
Max time kernel: 179s
Max time network: 184s

Command Line

com.mckt.dtlp.iexh

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker, discovery

Removes its main activity from the application launcher
Tags: stealth, trojan, evasion
Indicator: N/A

Checks CPU information
Tags: evasion, discovery
Indicator: file opened for read: /proc/cpuinfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar

Queries account information for other applications stored on the device
Tags: collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
Tags: discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks if the internet connection is available
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Indicator: alog.umeng.com

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about phone network operator
Tags: discovery

Processes

com.mckt.dtlp.iexh

com.mckt.dtlp.iexh:daemon

Network


Files

/data/data/com.mckt.dtlp.iexh/app_mjf/tdz.jar
/data/data/com.mckt.dtlp.iexh/app_mjf/ddz.jar
/data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar
/data/data/com.mckt.dtlp.iexh/databases/lezzd-journal
/data/data/com.mckt.dtlp.iexh/databases/lezzd
/data/data/com.mckt.dtlp.iexh/files/umeng_it.cache
/data/data/com.mckt.dtlp.iexh/files/.umeng/exchangeIdentity.json
/data/data/com.mckt.dtlp.iexh/app_mjf/oat/dz.jar.cur.prof
/data/data/com.mckt.dtlp.iexh/files/.um/um_cache_1717370263040.env
/data/data/com.mckt.dtlp.iexh/files/mobclick_agent_cached_com.mckt.dtlp.iexh1

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-02 23:15
Reported: 2024-06-02 23:18
Platform: android-x64-arm64-20240514-en
Max time kernel: 179s
Max time network: 181s

Command Line

com.mckt.dtlp.iexh

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker, discovery

Removes its main activity from the application launcher
Tags: stealth, trojan, evasion
Indicator: N/A

Checks CPU information
Tags: evasion, discovery
Indicator: file opened for read: /proc/cpuinfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar

Queries account information for other applications stored on the device
Tags: collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
Tags: discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Checks if the internet connection is available
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Indicator: alog.umeng.com

Reads information about phone network operator
Tags: discovery

Processes

com.mckt.dtlp.iexh

com.mckt.dtlp.iexh:daemon

Network


Files

/data/user/0/com.mckt.dtlp.iexh/app_mjf/tdz.jar
/data/user/0/com.mckt.dtlp.iexh/app_mjf/ddz.jar
/data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar
/data/user/0/com.mckt.dtlp.iexh/databases/lezzd-journal
/data/user/0/com.mckt.dtlp.iexh/databases/lezzd
/data/user/0/com.mckt.dtlp.iexh/files/umeng_it.cache
/data/user/0/com.mckt.dtlp.iexh/files/.umeng/exchangeIdentity.json
/data/user/0/com.mckt.dtlp.iexh/files/.imprint
/data/user/0/com.mckt.dtlp.iexh/files/.um/um_cache_1717370322287.env