Malware Analysis Report

2024-09-09 13:38

Sample ID 240603-plfzjaec7s
Target 91c6032ef6b84a2e5fcc437d67a7a85b_JaffaCakes118
SHA256 3e2dbc15adfb5f8af2c294a75336670164b3a3fed1bb2b46f82fc418e0f7d2ac
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

3e2dbc15adfb5f8af2c294a75336670164b3a3fed1bb2b46f82fc418e0f7d2ac

Threat Level: Likely malicious

The file 91c6032ef6b84a2e5fcc437d67a7a85b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries account information for other applications stored on the device

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-03 12:24

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 12:24

Reported

2024-06-03 12:28

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

181s

Command Line

com.zone.piag.doon

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zone.piag.doon/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.zone.piag.doon/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.zone.piag.doon/app_mjf/dz.jar N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.zone.piag.doon

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zone.piag.doon/app_mjf/dz.jar --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.zone.piag.doon/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.zone.piag.doon:daemon

Network

Files

/data/data/com.zone.piag.doon/app_mjf/tdz.jar

/data/data/com.zone.piag.doon/app_mjf/ddz.jar

/data/user/0/com.zone.piag.doon/app_mjf/dz.jar

/data/user/0/com.zone.piag.doon/app_mjf/dz.jar

/data/data/com.zone.piag.doon/databases/lezzd-journal

/data/data/com.zone.piag.doon/databases/lezzd

/data/data/com.zone.piag.doon/databases/lezzd-shm

/data/data/com.zone.piag.doon/databases/lezzd-wal

/data/data/com.zone.piag.doon/files/umeng_it.cache

/data/data/com.zone.piag.doon/files/.umeng/exchangeIdentity.json

/data/data/com.zone.piag.doon/files/.imprint

/data/data/com.zone.piag.doon/files/umeng_it.cache

/data/data/com.zone.piag.doon/app_mjf/oat/dz.jar.cur.prof

/data/data/com.zone.piag.doon/files/.umeng/exchangeIdentity.json

/data/data/com.zone.piag.doon/files/.um/um_cache_1717417671666.env

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 12:24

Reported

2024-06-03 12:28

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

188s

Command Line

com.zone.piag.doon

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zone.piag.doon/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.zone.piag.doon/app_mjf/dz.jar N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Processes

com.zone.piag.doon

com.zone.piag.doon:daemon

Network

Files

/data/data/com.zone.piag.doon/app_mjf/tdz.jar

/data/data/com.zone.piag.doon/app_mjf/ddz.jar

/data/user/0/com.zone.piag.doon/app_mjf/dz.jar

/data/data/com.zone.piag.doon/databases/lezzd-journal

/data/data/com.zone.piag.doon/databases/lezzd

/data/data/com.zone.piag.doon/databases/lezzd-journal

/data/data/com.zone.piag.doon/databases/lezzd-journal

/data/data/com.zone.piag.doon/databases/lezzd-journal

/data/data/com.zone.piag.doon/databases/lezzd-journal

/data/data/com.zone.piag.doon/databases/lezzd-journal

/data/data/com.zone.piag.doon/files/umeng_it.cache

/data/data/com.zone.piag.doon/files/.umeng/exchangeIdentity.json

/data/data/com.zone.piag.doon/app_mjf/oat/dz.jar.cur.prof

/data/data/com.zone.piag.doon/files/.imprint

/data/data/com.zone.piag.doon/files/umeng_it.cache

/data/data/com.zone.piag.doon/files/.umeng/exchangeIdentity.json

/data/data/com.zone.piag.doon/files/.um/um_cache_1717417677492.env

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 12:24

Reported

2024-06-03 12:28

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

179s

Command Line

com.zone.piag.doon

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zone.piag.doon/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.zone.piag.doon/app_mjf/dz.jar N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.zone.piag.doon

com.zone.piag.doon:daemon

Network

Files

/data/user/0/com.zone.piag.doon/app_mjf/tdz.jar

/data/user/0/com.zone.piag.doon/app_mjf/ddz.jar

/data/user/0/com.zone.piag.doon/app_mjf/dz.jar

/data/user/0/com.zone.piag.doon/databases/lezzd-journal

/data/user/0/com.zone.piag.doon/databases/lezzd

/data/user/0/com.zone.piag.doon/databases/lezzd-journal

/data/user/0/com.zone.piag.doon/databases/lezzd-journal

/data/user/0/com.zone.piag.doon/databases/lezzd-journal

/data/user/0/com.zone.piag.doon/databases/lezzd-journal

/data/user/0/com.zone.piag.doon/databases/lezzd-journal

/data/user/0/com.zone.piag.doon/files/umeng_it.cache

/data/user/0/com.zone.piag.doon/files/.umeng/exchangeIdentity.json

/data/user/0/com.zone.piag.doon/files/.um/um_cache_1717417610873.env

/data/user/0/com.zone.piag.doon/files/mobclick_agent_cached_com.zone.piag.doon1
