Malware Analysis Report

2024-10-19 13:18

Sample ID 240602-m3yjssbb5t
Target 8dd7c1bba6929f3a6d96d0b697748e04_JaffaCakes118
SHA256 73ce0801147f8ac19242d837e7d4f2f3331429005751723c0d1d06acf209a616
Tags banker collection credential_access discovery evasion impact persistence
Score 8/10

Analysis Overview

Score 8/10

SHA256 73ce0801147f8ac19242d837e7d4f2f3331429005751723c0d1d06acf209a616

Threat Level: Likely malicious

The file 8dd7c1bba6929f3a6d96d0b697748e04_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection credential_access discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Queries account information for other applications stored on the device

Queries information about running processes on the device

Checks memory information

Checks if the internet connection is available

Requests dangerous framework permissions

Reads information about phone network operator

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-02 11:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x86-arm-20240514-en
Max time kernel 4s
Max time network 131s

Command Line

com.alimama.mobile.sdk.handle

Signatures

N/A

Processes

com.alimama.mobile.sdk.handle

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:01
Platform android-x86-arm-20240514-en
Max time network 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:00
Platform android-x64-20240514-en
Max time network 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:05
Platform android-x64-arm64-20240514-en
Max time kernel 172s
Max time network 184s

Command Line

com.jiecao.news.jiecaonews

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.jiecao.news.jiecaonews

com.jiecao.news.jiecaonews:pushservice

Network

Files

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x86-arm-20240514-en
Max time kernel 4s
Max time network 153s

Command Line

com.taobao.munion.plugin.cm

Signatures

N/A

Processes

com.taobao.munion.plugin.cm

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:04
Platform android-x64-20240514-en
Max time kernel 3s
Max time network 153s

Command Line

com.taobao.munion.plugin.cm

Signatures

N/A

Processes

com.taobao.munion.plugin.cm

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x86-arm-20240514-en
Max time network 182s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:02
Platform android-x86-arm-20240514-en
Max time network 3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.42:443 tcp
GB 142.250.200.34:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x64-arm64-20240514-en
Max time network 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x64-arm64-20240514-en
Max time kernel 4s
Max time network 133s

Command Line

com.taobao.munion.plugin.cm

Signatures

N/A

Processes

com.taobao.munion.plugin.cm

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x64-arm64-20240514-en
Max time network 169s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x64-20240514-en
Max time kernel 4s
Max time network 141s

Command Line

com.alimama.mobile.sdk.handle

Signatures

N/A

Processes

com.alimama.mobile.sdk.handle

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:01
Platform android-x64-arm64-20240514-en
Max time network 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:02
Platform android-x64-20240514-en
Max time network 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x64-20240514-en
Max time network 184s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:03
Platform android-x64-arm64-20240514-en
Max time kernel 4s
Max time network 134s

Command Line

com.alimama.mobile.sdk.handle

Signatures

N/A

Processes

com.alimama.mobile.sdk.handle

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-02 11:00
Reported 2024-06-02 11:04
Platform android-x86-arm-20240514-en
Max time kernel 172s
Max time network 181s

Command Line

com.jiecao.news.jiecaonews

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.jiecao.news.jiecaonews

com.jiecao.news.jiecaonews:pushservice

Network

Files
