Malware Analysis Report

2024-09-09 13:38

Sample ID 240604-dxm2fabe4z
Target 937d686eca77928a3b8ea974e2b3dd76_JaffaCakes118
SHA256 485959428ca353d404fdf264486ae95d0b48f92ff2a5870ec004103d332fbcc5
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

485959428ca353d404fdf264486ae95d0b48f92ff2a5870ec004103d332fbcc5

Threat Level: Likely malicious

The file 937d686eca77928a3b8ea974e2b3dd76_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Checks CPU information

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about running processes on the device

Queries account information for other applications stored on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Checks if the internet connection is available

Reads information about phone network operator

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-04 03:23

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 03:23

Reported

2024-06-04 03:26

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

163s

Command Line

com.rojg.hanu.gsnx

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.rojg.hanu.gsnx

com.rojg.hanu.gsnx:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp

Files

/data/data/com.rojg.hanu.gsnx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.rojg.hanu.gsnx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 4827b9b04fd62298d34d5867bbead654
SHA1 f8febe186c1596fff924cc7ff5352d86b2d325cc
SHA256 290eca0d1b62f2f7dbf0bf9b5a7d4b527d7660830bd6dfbb51fbe137e5c7746d
SHA512 840a2aaea9a6c0240a979b7d3aac17347348b87f8b74abefe88d0afef20975da2c2b025552d6f40c940feb6a34324fd4238290f3fd6bc73f2f99b4d8d2bcf95d

/data/data/com.rojg.hanu.gsnx/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rojg.hanu.gsnx/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rojg.hanu.gsnx/databases/lezzd-wal

MD5 643645f0eb2243157007db59d6c40f4b
SHA1 777fc7cf252b24ecb3497c16dd876b0cb6fa7cfe
SHA256 84a94a5791cb6e3b33f8a9193c22f5008e6a3113a70a560e45be5456690e6842
SHA512 3ab9f34a1a1f0fa5f29583a404a8c26bc24b4136512fa4625e5a562af7bbf85f4e37c4ed8f72766c9110027c3874ebf45af5a676423087ed011f3429ad91380d

/data/data/com.rojg.hanu.gsnx/app_mjf/oat/dz.jar.cur.prof

MD5 ecce3b24c6e93da58e4e07e5ae895215
SHA1 637c97abaedf0aa1b12a780d23b1ad5091832815
SHA256 b312f368af7f8d44feeb62c98ef6d45babf92ca8117c96d8b54eddf07d3ff293
SHA512 64228697f056f9d8ecc7feba5583a90a8f815876d646757848ff5c06f813388b8db65126e76b570909b92f1ea72891cd59879179fa715029f8247a6193cbf6ec

/data/data/com.rojg.hanu.gsnx/files/umeng_it.cache

MD5 1a3b35be910c31f27fa5dce0bd6d04cd
SHA1 286407e0b1ecaf6881eb6c70aaabc30f13d50411
SHA256 fde1609d6c1537d012af87aacc783f63b51f9caa550f2078b020f97d6b0a66ec
SHA512 a945ab3bdab30bbbe8947c94926c9fe2a9d2fdcc43ea45bd494abdc6c544e041467a5d534e912971bf34a854286eda2c18f789c5cfe83439dea87057acb260f9

/data/data/com.rojg.hanu.gsnx/files/.umeng/exchangeIdentity.json

MD5 8a68233cdfa6696f8ba7d19ff0cd1df9
SHA1 907f1e2a7af5bc18b3516caec20a2fc52bfb948c
SHA256 f4286b50daf629e6fdad001a3ae21aeb2217c519a3f08381f953ca5263f39841
SHA512 af6662ec89f6202df34c90a5e5b9ede9992d645819a1b969531ad0a08efcc7fbea46b0fdcb63f4d5fdab8fa754eebad177250b892d1ce573fd38c2c9550b53a1

/data/data/com.rojg.hanu.gsnx/files/.um/um_cache_1717471525929.env

MD5 f34b8a83e6c286b2190c9a0ba1859109
SHA1 e6bca0a09d6f4cc45761e87c7f7025fd1e9e0095
SHA256 c9944c480071235d5dcc4f8f19ffc6831d78dae71507b2bb8306644751c75e4f
SHA512 967a245bc2819f858222ea8b58f55598d417d8997281ad6ce3dcfcf7a95f0bf739fc87f146a1b3dbb61dc72b1cd5512b2c459adafb39409dcffc05384a4375a3

/data/data/com.rojg.hanu.gsnx/files/.imprint

MD5 969192b220bceea059a75f4ac6a171c7
SHA1 ba35fd2e9af069b0d02da85692eaa294d0361a73
SHA256 a78faa150e4ce2cca0009e5ff6c1ccdd2c11dfd6ca777c5f862654f28026f1d9
SHA512 65c20cab325e155fd95747da4cac82cf6eb77d874cfc9a222bc6cbcf6c8dbd9c10c25996f0ae9f7249fee3b5498baa918883f1c4d9fba2bbf278eba5417de09f

/data/data/com.rojg.hanu.gsnx/files/mobclick_agent_cached_com.rojg.hanu.gsnx1

MD5 3d9d6c800084032196c730ee9ca2eb8e
SHA1 f8b9e66eec082a3baf386540e24f6a74bd67038b
SHA256 2ae66125df29e04efc2090bebb6048152c751bbd33869ae4aaf7bd64b118a38e
SHA512 772f4e8f2c354e4a061d4852319553afd5bca9babb3215f30d9fa22b6d3c3028209978a24d7be38311d68ceff8ce2307a360aee695d214519d1bc2769b9929bc

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 03:23

Reported

2024-06-04 03:26

Platform

android-x64-20240603-en

Max time kernel

178s

Max time network

180s

Command Line

com.rojg.hanu.gsnx

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Processes

com.rojg.hanu.gsnx

com.rojg.hanu.gsnx:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.165:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.165:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
CN | 59.82.122.165:80 | ip.taobao.com | tcp
CN | 59.82.122.165:80 | ip.taobao.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.187.226:443 | | tcp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.121.73:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.8:80 | ip.taobao.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 59.82.122.8:80 | ip.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp

Files

/data/data/com.rojg.hanu.gsnx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.rojg.hanu.gsnx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 7837e0f9bd9cb8369b35cff95f8a234d
SHA1 a968e57b6af46d4bf79672d33b5d95d1e6b368ca
SHA256 386db8895b1ca02c84524ed5c5ffb03df4b971443ffca7a554d1fcb3ec7f2779
SHA512 356cde0349be13f4cb9b55c51f4ff037b7720f3ba9ba4f7e6168bea3f4787f671ceddedfff566620e8f7b8b6312084913a049baa22e5eb21c161de62eebfbec5

/data/data/com.rojg.hanu.gsnx/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 e047f9e254b61b24c38e7e26b6300b80
SHA1 993a48a417dead729ed2692bc81cb974b02d44dc
SHA256 7991d6a22f03a0df05e2fe9aa6e7a7a4b3aab9fb7d63423f8d23531dde7935e1
SHA512 d29348fdd24e5f3d891a744f71ef1ada980de0afbb8e3f9379a6c750c22246e647f2d2bc81ddd4b2a7bad516388e85befef71a350668f025385b4882619907fc

/data/data/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 48264c281b91387e499372e624a23e91
SHA1 166b72a6cf05c82bba3311811cd0bab83fd57e33
SHA256 e5b1ab47f831a58f83335c8d6ebb6c2568c4255bf80542707fcaacb649592d76
SHA512 35363b36709073eb8902b08843250a67728c498441fc7828491b11dae1119c1a461ed462dd39ba2aa13e50493fa9e707423aaab846923df319c75590de5c3213

/data/data/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 7a6f8535ba39dce5c1e54250963a7a17
SHA1 fb9a440a7c5eb74a042fedabe89987b15cc72384
SHA256 c6350ca65636870fdde4f1b41f77eeccf60da1d525c39e0ad76785f23f87a011
SHA512 ee3d6e1cfb36feaa4676c1c3f728b77753adfbebad7261b78b7339383304e18837a78d5d4d252de5f9abec80ef0c0af805dc1a56413b6d1c299743f4e83ab9e7

/data/data/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 0c6e6ed68c5129435cf01d48851bfe06
SHA1 81a37d580636a94dea6fdc8436e0a658f22e6016
SHA256 05f834870c41fa310c7b86f5143466378f619a12caf6c508837ed561793213c8
SHA512 7756221624532cf929b8db11133fcc3fbc9325362bc03c30b7846d6319ff8e34d3cad360475862ec3e8e878316d534b9bf6ce85bc7709604343d1d9ec13abebd

/data/data/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 65494dc16b834f7d200d97c75a7d004e
SHA1 50ccb0e1d4773802e1b2a7d868a7bfcda9dfa866
SHA256 749c9e350a05289f6f4a7c3234f086763b6310e7694dfdb33ab563c64a3925ac
SHA512 e56889d2639cdc199dd8dd937dacdd581038021f3970fb3e17addcb02e34d040dd4644b9cebc7d49bba456891fe6795da478b22c9de2f8512b78c0c89f178348

/data/data/com.rojg.hanu.gsnx/files/umeng_it.cache

MD5 c68f828f07ad5b49c44dc171331dd3ef
SHA1 5675923b61993d636680fde5d503cdfc901ee6e2
SHA256 6b8a9751abd8fd8192c818681745b4fbaa38dbfa2e0a75e5739a9d08680255cb
SHA512 6c1f05f3562c4c041091f8735778aeeb155bb7813372ed62b04ac367450515a433284fcbbfea0474432431d8336d0382483ceb66aaec6dc1e3ed02eabb8cb6ef

/data/data/com.rojg.hanu.gsnx/files/.umeng/exchangeIdentity.json

MD5 4aa6389e733e2f9d7fc16142e36e3979
SHA1 9e44a00a2f4b5f07fd3c19d987d7b4e24b8e2d9f
SHA256 5e33e31fe2fb75f5fe81a7a78020bc3a39f599e716f2f61684448d53c0a2a1e6
SHA512 1b9603731257f01ea858f0db39093e633ced8bd4215d9875f4e4b279f8198eeb8bf29ad4517ab84514ffb4bf8a26118afe3d862a65c92ebe1a9d87de47271aa8

/data/data/com.rojg.hanu.gsnx/files/.um/um_cache_1717471524190.env

MD5 771b77aae6c57fd8a079696ce4396f29
SHA1 4223836d0c18a06163751a6541ba7f7a2068ffad
SHA256 533c8c77197e5c6935e8bf32153bfdfa958b57aa4338b7f71be3be9f73364131
SHA512 f9b5a3f401d949e90b986b5cf293605cf5e9fbb16e39974dbd89d05a2ded323ac6fd96df125bfbdd5c6101e3d3c2ed079e602acbbb46f9cb83d8b291093623a3

/data/data/com.rojg.hanu.gsnx/files/mobclick_agent_cached_com.rojg.hanu.gsnx1

MD5 942f87521b8c12eb0d7a92eab4e8df77
SHA1 9fbe2758effa432d95194f9c191c1cb4d3527a37
SHA256 9f1af1b019c1bae89474b23ab20e19686c56b500ccb952d32e7e05ac70d1dbfd
SHA512 fa979f2ed4e1963a34f620d933136681595da880622ef6c6cc491b709b212889730f5f7786828fb6b9a4b6183858fb0b743f132c4d25917344cb067bb962d883

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 03:23

Reported

2024-06-04 03:26

Platform

android-x64-arm64-20240603-en

Max time kernel

179s

Max time network

164s

Command Line

com.rojg.hanu.gsnx

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.rojg.hanu.gsnx

com.rojg.hanu.gsnx:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.121.73:80 | ip.taobao.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.121.73:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.145:80 | ip.taobao.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 59.82.122.145:80 | ip.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp

Files

/data/user/0/com.rojg.hanu.gsnx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.rojg.hanu.gsnx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 54eccf3de08410de80efc3825906e6ee
SHA1 0dd452b0b9268a147f28c5235471c7480e4af317
SHA256 37b119c45febabbe8232617ba17addea91b876064bebc2cb083fe50c944148d3
SHA512 b0d332a25f34c2089a3d2c6fed357faa731cee8caa667c754e1d7341e7ffe91eb40eab9e2556ac4ca229d66ac70f97ec5898b11b833ee4031d2e09eddfd76452

/data/user/0/com.rojg.hanu.gsnx/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 18a781f4698801cd3b35ac57314ce438
SHA1 6a98c3be63508c1d2362b0560eb55ea640350027
SHA256 57508fea9daa3782fd4ed406f228dc5e27cbeec174f93537a6d1e43f19dea26d
SHA512 91a83553f2384d6e59f4100df8f3476b40f06c3b21020e49bc79f83969c3ac1c6a631b7e8ee01cb8a90bbe368ffc43a8644b0fdec2325860bf6d1526bda3a2cc

/data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 2d3550908705101ae30dfd5680625438
SHA1 55f0919b496e05ef46bd5e838e19048f00c751b1
SHA256 50b94ff25a4329625df150df67719ca71ac390bc5daa3c07fb010a18e07e39e0
SHA512 ec03ceab28903ba0741a2e20fd7c4bf9ec5e4fd73659ce425217cf83daf5edefcee33b38bb4193eb43225a3ae404fb868c4f187ec952efc9bef07f478109dd34

/data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 b176f4ecb16236a293688f23615ac406
SHA1 0e701343358e4f5e0ab44f2d6ee99ce691f94a43
SHA256 a5cd10cd5bf430d503cc1c8f4cf15deef300103ef9d94eec64cab7f3d95f80d6
SHA512 c244f5fce1a3c3e411def360c267b572e928c8e7193c1f3668f798e1bebd67a6bfe3a563323f33950bc6e1d6e95c2e8381674aef82794b5d821335e637b4d14b

/data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 0cfc2a6aa0a9b405cea8c1186594c7b1
SHA1 2fb25e4aec2a7f5c77849cecc5612fa4635dd2f7
SHA256 05d2620b4deb6c2a827f8a27be44c8866c8056204f9fbea6614e198b52c7df7f
SHA512 e926075077979cb66871df0021e1df9b66ff3775a40530a7d0f0ab3c00a181bcd92890d9177c1bf97e08bcd98c12f7e1eeb2854e354d8bc5029a9a30c83976e5

/data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal

MD5 4b02a38013990c66b7a79243132c7ed9
SHA1 2f4c3bd29036ddf64467a11a345917f2ed3b71c7
SHA256 2bab6f3fc29b66deda75dd2612f0411f936c07510e3d7f530db3ae477c2e11d1
SHA512 5c859613ca76eac19483e58840341dfba418017a354e0088824f240a66efb93686ef85f39b43a71347e2bc74db2fa28e48b4daebbd7ca55ffe2f8080eacd486e

/data/user/0/com.rojg.hanu.gsnx/files/umeng_it.cache

MD5 2faec314368e780d50ec8406fc4518d4
SHA1 afc75ea8520f680d73c03278b2c758890c636e6f
SHA256 dacad87442228b8a3a1ba95998022918abbbcf75d4b6949c2856ea309e6c763f
SHA512 47c4a9ac7d171401765bb3bf99b07f8a8750eb7508b92c3a615f767e3aece702a7b3dcb1705035ba13706b6d48e0b7f960c6b32f2a4d9bf42b47384a7b163930

/data/user/0/com.rojg.hanu.gsnx/files/.umeng/exchangeIdentity.json

MD5 de38fa43bf82bfeaf26bd2a18359af4d
SHA1 da92dc9bd24c319cf45d305b5acdf6269f2b1baf
SHA256 4351553d47264e75f9dd78df1ff795e5c8e47cfaf707987a504c3d2170de504a
SHA512 2db902b91824d68502cf6786cb87a86c434b7ff776cd63f36f944d8498c07ae842cd625b3a410836ae4cb43d9cfeea66cb503f5705af30795312c6133724b712

/data/user/0/com.rojg.hanu.gsnx/files/.um/um_cache_1717471525426.env

MD5 cca00ccea67ad16c75f6cf3764999809
SHA1 04a31ffb6da5580ee11fd180b0e01f166ecf0c70
SHA256 398ae274b7dc21e0a42addea491ca0a756f71cc183ffc22c1508d3b5538c213d
SHA512 a72edb71ce15d3a963976cfcaa3a4d683294b67d617679bf6663ec073658985f611174276d8a5e765d09a8f8613812071a79e0f3d72efffd18682e4e55d39809

/data/user/0/com.rojg.hanu.gsnx/files/.imprint

MD5 d511dec34b2fda97ac347ba181b01359
SHA1 7fd0a91953fa4d7a21ba860baf42874a4406b706
SHA256 3713b01f76dbc9f2af99c40ff28e23589c3c4ab8d68013c178263c917fca97fb
SHA512 238b63ce77c74fcf36414f495053d20a1f78dc4b48b4c97663a8363dbea9862c1804b65f18d0740c33472ce88dd8c7dd219ed6855a3e769680c0f207fa049e41

/data/user/0/com.rojg.hanu.gsnx/files/mobclick_agent_cached_com.rojg.hanu.gsnx1

MD5 91f85f396a90ef834991a3b9988c11a6
SHA1 de1c1c34e5ebf9e08c19a08564cb2c7dfa3bf857
SHA256 723a0e3fc21275f99fa76ffd7756bca5845cc0d627d78aae24ac2bea69dc1816
SHA512 1c0cfe65f28f4730ce811c8f5563047a91ccf76bb05ea00a5407520ce24ae4bde6ce9ade1505e7f7ef55582bba23d08b727479b89751d956c5df9bb8a955cb92