Malware Analysis Report

2024-09-09 13:38

Sample ID 240605-ak31caha49
Target 96bc915d76ea99ec620669e6110d69c4_JaffaCakes118
SHA256 88a7e7a00810df1b5364458c66ccaf38cda9c6bc7494dbe0354c6fd25b7412b9
Tags banker, collection, discovery, evasion, persistence, stealth, trojan
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 8/10

SHA256 88a7e7a00810df1b5364458c66ccaf38cda9c6bc7494dbe0354c6fd25b7412b9

Threat Level: Likely malicious

The file 96bc915d76ea99ec620669e6110d69c4_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, collection, discovery, evasion, persistence, stealth, trojan

Removes its main activity from the application launcher (icon hiding; typically done by disabling the launcher activity component with PackageManager.setComponentEnabledSetting() after first run)

Queries account information for other applications stored on the device

Loads dropped Dex/Jar (app_mjf/dz.jar, written into the app's private data directory at runtime and loaded through a class loader)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Domain associated with commercial stalkerware software (indicator list from echap.eu.org). The matching domain is alog.umeng.com, the telemetry endpoint of the Umeng analytics SDK; the SDK's own cache files (umeng_it.cache, .umeng/exchangeIdentity.json, mobclick_agent_cached_*) appear in the Files list of every run. Umeng is embedded in many legitimate apps, so this hit is weak on its own. The names worth pivoting on are c.ioate.com and o.pmuro.com, which are contacted in every run and are not attributable to any SDK artefact in the report; ip.taobao.com (a public IP-geolocation API) is also hit repeatedly.

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-05 00:17

Signatures

Requests dangerous framework permissions

Permission                                   Description
android.permission.WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage.
android.permission.GET_ACCOUNTS              Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE          Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW       Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                    Required to be able to access the camera device.
android.permission.RECORD_AUDIO              Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE     Allows an application to read from external storage.
android.permission.WRITE_CONTACTS            Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS            Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION    Allows an app to access approximate location.

Process and Target were N/A for every row. SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are not runtime-dialog permissions but special app-op permissions the user grants from Settings; SYSTEM_ALERT_WINDOW is the one that makes the installed-app enumeration below relevant to overlay attacks on banking apps.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 00:17

Reported

2024-06-05 00:21

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

180s

Command Line

com.lwqv.qkqh.epde

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.lwqv.qkqh.epde

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.lwqv.qkqh.epde/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
(child of the app process: dex2oat compiling the dropped app_mjf/dz.jar, which ART spawns on this image when the jar is opened through a class loader; the command line is truncated in the report, and the x64 and arm64 runs below list no dex2oat child)

com.lwqv.qkqh.epde:daemon
(second process of the same package, declared with android:process=":daemon")

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 59.82.122.127:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.127:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.127:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.122.127:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp

Files

/data/data/com.lwqv.qkqh.epde/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.lwqv.qkqh.epde/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar (same path as the previous record with different content: the jar was rewritten during the run, which matches the repeated load events under Loads dropped Dex/Jar; both hashes are indicators)

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 e1b4788a988b4522dc22966de2294afc
SHA1 d2075c90af44ae361112687a02ab9ee37755030e
SHA256 9fe57ee0f414a3d5b803c49ac25440702cd4a0684fa191e680e44ec107c8cc70
SHA512 bba5b9015fc5ed72020571b4ac7e9753056daae330719b0f30e6b4ef008d5ded4fcf52fc745d1cf29fc01bdd479970f2ba3fc016595ef8fcc6f907e8718a7f30

/data/data/com.lwqv.qkqh.epde/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lwqv.qkqh.epde/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lwqv.qkqh.epde/databases/lezzd-wal

MD5 11fb75ddcad257690636d2e27e62762d
SHA1 f5d4106a5bae92a2335e1be531ce2c88ac5c3267
SHA256 b9fc5a94761a97ca716a42d58f6a4866f26557f05d8c7d57501a716227d27cc3
SHA512 e0e6f8a6eb66e33cec74f6c0d6fa9e55c77c0f895fb567987dde753876ac4135de4b2e64aab5cf79eb7edf72d74e05607eab9ed81ece7d20e170c5eb134e15e6

/data/data/com.lwqv.qkqh.epde/files/umeng_it.cache

MD5 bf72c77fa45e72e3524fe80b95905689
SHA1 e50eb2ae7c982e6974970f3fc90425922b40cb8a
SHA256 dae2dd141f94c25f5b787416215b4f13ab25b7b01093e48631633f518bcad49c
SHA512 a30698885eced5a9045bb09d55949c42d69fc90411c36f78c1025a4592c468cdfedd7df57ac789c09a5101bcf9405b7d0447045f3ee169e64127abd327c87377

/data/data/com.lwqv.qkqh.epde/files/.umeng/exchangeIdentity.json

MD5 fd8928dc971100de156d19ee16703c7f
SHA1 88d2d07bc73fbae52f4c126ca7180166bc674a9c
SHA256 02b81682099183d5bb0247b0acd9c2b069d6e37536dd31579e1c20264722c37a
SHA512 7e3f8454ae31ff3cda40c294c8c633b68f1da64a01d8cf99b53cfc0e4151044470851c81a52d94e0cc7d1bf7cd39e915d9dc75734a9d38a406b1324a4f75f30f

/data/data/com.lwqv.qkqh.epde/files/.um/um_cache_1717546803566.env

MD5 70af9046f53ef4c92fbfca740291581a
SHA1 2093009d2cedada77ca353ef04d502f20f7419e1
SHA256 a87c3c96142b35913ceafe0c317a5b614140f7fa8a62885b79563784bf13f2de
SHA512 c034e2b67cd31ec2a41557067f893e5e1bf020b2848985ee9f6e7979569eeba8350859a60cb05b4b93cebe772d91e12184f4e4f4355cf37c8753523eb3f70b67

/data/data/com.lwqv.qkqh.epde/app_mjf/oat/dz.jar.cur.prof

MD5 cdf150fd20075a308e49536a35db1a2d
SHA1 822c784da7b75d89c49fb60719a96158aa0f4d21
SHA256 e04a6917ca40149e48d32e16e30c428906e8e57ad42304d054a545bfba868801
SHA512 fa6f08444384cf1fc6c229b6db07196fa29da0c9ebc615707616ae5c254febfdfca89a590a4d9f668518559682a7db28ae470c2230f987f6e009161dafdc27df

/data/data/com.lwqv.qkqh.epde/files/mobclick_agent_cached_com.lwqv.qkqh.epde1

MD5 5536ebf2cb162db4f05e4cb4ce205f45
SHA1 ba6a6a7be4ef0c4f80ddcb47d9d658ed284cb90a
SHA256 f12d77cc8a834bcbbfd0c4cea1e69c387d62f8b100da94d7e74a7fba77632929
SHA512 e0fce26f7a3e725379a2858e572f0f8a233c9d05617e6fd75fa7ba540894a19a8f9003aed3ced839506758172b8c178f9adff8a25b10f0514efb238e928c4ae2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 00:17

Reported

2024-06-05 00:21

Platform

android-x64-20240603-en

Max time kernel

178s

Max time network

177s

Command Line

com.lwqv.qkqh.epde

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.lwqv.qkqh.epde

com.lwqv.qkqh.epde:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.55:80 ip.taobao.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.172:80 ip.taobao.com tcp
GB 142.250.200.2:443 tcp
GB 172.217.169.78:443 tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.172:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.122.172:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp

Files

/data/data/com.lwqv.qkqh.epde/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.lwqv.qkqh.epde/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.lwqv.qkqh.epde/databases/lezzd-journal (this and the following lezzd-journal records are successive snapshots of the SQLite rollback journal, rewritten on each transaction; their hashes are run-specific and not useful as indicators)

MD5 18fa2a8d748156f9de28c1fa573d0a0a
SHA1 b2291a640320cbbd0c2d77aaa27d6884f0476144
SHA256 2662e6fcec33039e0d541697df6bbcdeaf517a479fe388c57ee453d9c277c84a
SHA512 180f7e39b3d007cdd58d285e099e72b569a3bca835c8513158067ef112a0656d087e1b2d273c98086425d45efe4b61b3600b05a49d2269e3903bde9a7e801f11

/data/data/com.lwqv.qkqh.epde/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 4159d37766a36a70aa2531f0812dd32e
SHA1 8f4d86f7fdd0255014eb1914c11f7ebff152ecf3
SHA256 272a8957977c5856da8956e6a0bb6392d2cf16152ff485e7c4e4790a82e5d530
SHA512 7e0f89c2aab202d1020e30151a8567b92876db5e2f9dfc047de4406fadca3faa6e56788f202e0ca50c20ee96547bdd7834242fe85429073e5ef2102297439912

/data/data/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 edd0afab28c35615c66595f695ec4c6b
SHA1 f77edb1be04f45c84b909afb82fc68fb068e55e0
SHA256 ae2eab4cfae5d295771e5d6515b0932245d5580ccd7e32f629fa56a928ae5733
SHA512 1f46bc9f7653ad1ddc86c3ab336c04acec017e413968aa2ec9e6bc0260e1bbe9f2b55bb5aad7eed0c1ef768508bec8866f79f1791fabe645168db3aa8c9d1c4f

/data/data/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 f8a671c2eca5a2df81e7ebcd35122a1d
SHA1 6628f5a0351b5f8bfe3aea3f584c9d4642ccd6f2
SHA256 a14ce65640e512b1cdeb4d1494a1abf2db9319ee828a7f07d950a626cbab65ac
SHA512 f9351b7d9da8547ecb7bed6b3f6d4719c7d5914fbbdfb8dc22ee65a0f12ec8f2c9ddac25c77b0f070dbdc2e9ec194d43f894ef501f3a5618c3336f23bae2ebac

/data/data/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 4f15519e973103423831c8b5d682150f
SHA1 6b252bdcc0cbaee19cc586292112f1618338a2a1
SHA256 92e5e3a17326812bebb9315bff27f017c96aae10dc9d95cafb19853263304a83
SHA512 3ee33c2b8cc7ed7a5601a03359317221e25a24a563e04ba4e3ff9c6c324b652348ac81512d8e654010cb385e73301f630a0cb1d1874e5ff8715052d2cc828898

/data/data/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 1a208a5d8a841f9eaa5165bd4739252d
SHA1 25bb4c99f34aeab9b2b5d598a6987caa72434f09
SHA256 bd3813a55a88d1f58b452be3ed3fba065ecd732cfb3af60c040c970aecc6fa27
SHA512 459c094eaa1588f65359f72120327a752beb67ded7279e7cbb203fac45b188bc45f547b094c594e3b276a0e2956695f8303451d0bb295aeeab6d27ccba192cc3

/data/data/com.lwqv.qkqh.epde/files/umeng_it.cache

MD5 7cd4cf095f0949971d9d612b6fd92206
SHA1 0d53c217ae6d622df8bfb8fa136e9e1545e18768
SHA256 af790667700dbcd53d735a6a0c10bef91d32642d0c3ae98064bf6818a034fdcf
SHA512 19677499b55924755e1753c08a61ba5cfb03e7fd63e1c0e58fb680ba9cc6826fc7124a81539a3fd9d750b8ee5e5bae51fb0f73fc1758c393b3f6876390634761

/data/data/com.lwqv.qkqh.epde/files/.umeng/exchangeIdentity.json

MD5 6fa8a7cae195c3749a565c313db32069
SHA1 cfe2d6361815e0128a574906a56514008e1fb35d
SHA256 8fc07963101a31912e1eba4e72c90465e4fb75013d3d1032680c3a5cc0d7c433
SHA512 0adaf3e3075eda8dd7aea9d9d3a2bdbfd004401e208696d4c826b11e2730614ed1525f5cbcf12982e075778d4fe31f2cf8ec374883fe539b4366ef36e533a7db

/data/data/com.lwqv.qkqh.epde/app_mjf/oat/dz.jar.cur.prof

MD5 df1ff980a354417d0c471130c49de84a
SHA1 ec6f5a0c8501b74abb9b35ee5e72cc245be59a6f
SHA256 8628b7439382f5cf1d2ffc743a19cfb34ab6444186c21755c919b23586967cad
SHA512 4b1761a91eb352dcafad7e33405e9416028ad859e975a16d8a72cda68e9f6a10ba09de0e77e9a6d7518dc747d33546d31f9aa63803b319676bf0fa092e19e889

/data/data/com.lwqv.qkqh.epde/files/.um/um_cache_1717546802684.env

MD5 17cb096a252274df9f2dcfe2f0ebe25b
SHA1 43970098b238269aa359e3c17b01d810b56c749f
SHA256 b17ef272c97070c6ab15eceb80aaf01a2e47df96988e555e60bb507df664108c
SHA512 fdd334ec482281f2a22f9a3dbcb92094e6514ca528dc76711a367074656c627b6aec237e42747e025d0f36faddc2d3e3e8925ba6262c88a1c9b40a746228f5cc

/data/data/com.lwqv.qkqh.epde/files/.imprint

MD5 6619d7311147c70c517aa9277694800a
SHA1 9bc006868ac22430e80acf82c64574cda1a17f28
SHA256 ae9a5eaa0b59ffd429ea6619853e09622c2a8f0ad0c9b2eb61d7722fbe65b9f2
SHA512 fa52968d5004f0bd5fffacc948e5cb23a97f2161091df6a2934e9c1be1bbe7198deed1a77582ea770a133fbcdbf552f706bced6ad377d6921abb770dfdde5ea2

/data/data/com.lwqv.qkqh.epde/files/mobclick_agent_cached_com.lwqv.qkqh.epde1

MD5 69240a3b2040d3a95f39dd179d51e1bd
SHA1 7659221ec8776d7717eed63501d6983f801b278b
SHA256 0813e663bd016da20efd4f4ace00b27cf4740c7e5dd1a46c4837d3ea934d304c
SHA512 935d5f293332b422cf2390c08a19dff460b82f2250d6681674eca6ea18fcdb6d242e69ee6e346f1e1f0c9ef94ccce56c467a557c93cb0f4f1a70e92f31416289

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 00:17

Reported

2024-06-05 00:21

Platform

android-x64-arm64-20240603-en

Max time kernel

178s

Max time network

181s

Command Line

com.lwqv.qkqh.epde

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.lwqv.qkqh.epde

com.lwqv.qkqh.epde:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
CN 59.82.122.10:80 ip.taobao.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
CN 59.82.122.10:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.122.10:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.10:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.10:80 ip.taobao.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
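The three Network tables mix sandbox background traffic (mDNS, resolver queries, Google Play services) with the sample's own endpoints. The script below is an added example (editor's code, not part of the sandbox report) that parses rows of the form "Country Destination Domain Proto", pairs each resolved name with the TCP connections it served, and reports names that were queried but never connected to. The embedded rows are an excerpt of the behavioral1 table; the PLATFORM_NOISE allowlist of Google endpoints is the editor's assumption, not a finding of the report.

```python
"""Network-table triage for a sandbox report (editor's added example)."""
import re
from collections import defaultdict

# Constructed excerpt: rows copied from the behavioral1 Network table above.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

# Assumption (editor's allowlist): endpoints the emulator's Google Play services
# contact on their own; they are not evidence about the sample.
PLATFORM_NOISE = {
    "android.apis.google.com",
    "semanticlocation-pa.googleapis.com",
    "ssl.google-analytics.com",
}

# Country, ip:port, optional domain, proto. Domain is absent for mDNS and for
# TCP connections the sandbox could not tie to a DNS answer.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse report rows into dicts; skips the header line and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def triage(rows):
    """Split traffic into resolved-only names, sample endpoints, unnamed
    connections and platform noise."""
    queried = set()
    connected = defaultdict(set)  # domain -> {(ip, port)}
    unnamed = set()               # (ip, port) with no domain attached
    for r in rows:
        if r["ip"] == "224.0.0.251" and r["port"] == 5353:
            continue  # mDNS multicast from the emulator's network stack
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:
                queried.add(r["domain"])  # the name the sample resolved
            continue
        if r["domain"]:
            connected[r["domain"]].add((r["ip"], r["port"]))
        else:
            unnamed.add((r["ip"], r["port"]))
    sample = {d for d in connected if d not in PLATFORM_NOISE}
    return {
        # resolved but never connected to: failed lookups or dormant C2 names
        "queried_only": sorted(queried - set(connected)),
        "sample_endpoints": {d: sorted(connected[d]) for d in sorted(sample)},
        # connections without a name: pivot through passive DNS
        "unnamed": sorted(unnamed),
        "platform": sorted(set(connected) & PLATFORM_NOISE),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_rows(SAMPLE_ROWS)), indent=2))
```

Run against the full tables, the result is the same in all three runs: c.ioate.com and alog.umeng.co are resolved but never connected to, ip.taobao.com and o.pmuro.com are hit repeatedly over plain HTTP, and the 443 connections listed without a domain are the ones left to attribute.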

Files

/data/user/0/com.lwqv.qkqh.epde/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.lwqv.qkqh.epde/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 2b689ed0cd3362a660db41f3f66953bb
SHA1 e58bcae51f729b83eca622b6aaad188e2ad7c78f
SHA256 351e6c6866ad1ffd10a1674e27342bca46bc965198e766bd25c7c6f704c190cc
SHA512 c77ae2497990c7868cd62e7e09f86b62e12c366028fefb14dfc78d3d332168c1f9500911183dd571c1cbe011c622a8bfb00b191113966641028dd329ae151a84

/data/user/0/com.lwqv.qkqh.epde/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 b184c872b7de0f9b6325cba6bbdc49c5
SHA1 932491433a6abc03134d5cb37465956306e8d193
SHA256 807f3294726ae735d88f3a76b7c2a593a1a5854f1d9aef8710f600364ffc39b8
SHA512 f126a887051d316211b4d0f3225ebfe4278063a3dfec8877552812f712bcc6c59a6d275a2ca96283d8cf95940a34e8385c6ce15dca78b8019e99b33259cfb51a

/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 699194eb35b52cd894b0c4a816245f22
SHA1 722a6ff08dd92b136b0cacc5dbf1dfef6fab4d95
SHA256 e28b3b4cb1654ef35bcdd943eee497aa6a9c1634726f028f518a12956bfa9ef2
SHA512 c442eb3128c64d42f9bd8a1b198ab09d44219b3234e68026a686b1ef0f52afdd6f19e656bb599d89937a3145e41499bfa6dcac1f0ab73f0108a6830ba447b2b8

/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 e3d7ad8f813d4991c6040e61baec5428
SHA1 792a94d954a8eb4c7ef16706985d5029faf80dbd
SHA256 e49b89e92d3ced806301f1153d97128301522ea1b4d6e946bc01b29f1e5e1b6d
SHA512 bdee8d941b78ca4ed54f3be11dd8c5e5ea38801873057f4ef97a9577b869a17f1a0bc03bda3aff3d8ed2b1c6d5b9b92b08e6cc65c6d11240c0f9cf08eeb6a95a

/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 337f5c25c60fb16b81a295969e76a944
SHA1 ed7bdf7866eb20cf953d3fac34c076c3bcb2f2c8
SHA256 b512165f52b953e4fdf8ad154919ece47c44d532445215c819a7392a9a73f5ff
SHA512 2e618973e37382803681b254f5ed00224e7755ee88fb65b9b1016322c4de99ef5ee59e68b3554f3de901951c7e7ba84d5b6f66c2d5db4fc290a5138e18e47c33

/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal

MD5 7a1389efb2adc46b5da69581030f3a59
SHA1 3b300c9ebf95ae337f83ba7253606e8106f1f081
SHA256 e3cd5045a9a96c53c7b0d98078f375be1088d18e8223f50dad3fb3e843642d86
SHA512 360748c7e537e9146656f855d6b73fab30c0d0b8d82881ac0f29dfd8c1bd27e9e438a5ab2df610439cc45e12a9cf349db5797da1a419cc38eef9462f0e38725a

/data/user/0/com.lwqv.qkqh.epde/files/umeng_it.cache

MD5 bf488c989feb7d6b4227c8f57faba9a1
SHA1 12f869d67c53f6fc375498349f6f98dae1d5f42f
SHA256 69ce2bfc181d22974f1933eb45ab6ecfbba977af882c250de453d8d10b1def71
SHA512 924368f48ecd1937b4810f26e7ff9e8a531a26a2d5b337547a494ef328468a19baf4b4461d92f86b3cdd5e56d2149e4d3e5e2b4caf4fad49edfa03d368dc687d

/data/user/0/com.lwqv.qkqh.epde/files/.umeng/exchangeIdentity.json

MD5 a53c14cc8e9428afa5f477e03ff6e6cd
SHA1 1ffcf4b110e538b68eef0d98dd4528493bd2c773
SHA256 9a30986229cdcf84926b01cc6703dc7aa60dd86bdf5034c4fa4eeb4c3642e26e
SHA512 3ef649ff1601b628c3e2f1d6f647554c13c2a3a63913f5190bfe42642f16ce86145ce64cd5f4309bb1cb532d8eb324a0ef3ffa09f2f261049be4da5308b20090

/data/user/0/com.lwqv.qkqh.epde/files/.um/um_cache_1717546801543.env

MD5 59ad9faf97ecf2d43b8c70bc48623d5c
SHA1 93cd6224861b1702e5198e54ee36aaf5ac79a531
SHA256 ce296044aa5320b7912b989e176b7f1936f41bb72dc3c2d9c744ac3aa82cab41
SHA512 3a1ebcafc3c4b167e0c49b4f22217558276c28cba026f137b5a5daecca7a6646571f94992f8579c0dd1621bac60dcc966513b20cf6b74407fdbf23673677d425

/data/user/0/com.lwqv.qkqh.epde/files/mobclick_agent_cached_com.lwqv.qkqh.epde1

MD5 2445599aeaf1b08ca1fd7bd230d23118
SHA1 b0b92c412b8e7f4877e75d8c995cb87ee4fd8ce0
SHA256 4f5ec4575776e7579448137eb1b556e96bebd6f59eec4f62831bf3a5b287e22f
SHA512 e7a61670b54214db42d7a4cf4243765e28246d28304d10f95798eb9b4183091b8f9b575be8bcf65e0a614e75a14a58906d3bbc83ce238c5406f5a706ae3b873a
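The Files sections of the three runs list the same dropped jars under two spellings of the package directory and mix them with SQLite journals and Umeng SDK caches whose hashes change every run. The script below is an added example (editor's code, not part of the sandbox report) that parses the "path / MD5 / SHA1 / SHA256 / SHA512" records, folds /data/data/<pkg> into /data/user/0/<pkg> (on Android the former is a symlink to the latter, which is why both spellings appear), labels each path, and returns the unique SHA256 of every dropped code file plus any path that was recorded with more than one content hash in a run. The embedded records are an excerpt of behavioral1 (SHA512 lines omitted); the class labels are the editor's.

```python
"""Files-table triage for a sandbox report (editor's added example)."""
import re
from collections import defaultdict

PKG = "com.lwqv.qkqh.epde"

# Constructed excerpt: records copied from the behavioral1 Files section above.
SAMPLE_FILES = f"""\
/data/data/{PKG}/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

/data/data/{PKG}/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

/data/user/0/{PKG}/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

/data/user/0/{PKG}/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae

/data/data/{PKG}/databases/lezzd-journal

MD5 e1b4788a988b4522dc22966de2294afc
SHA256 9fe57ee0f414a3d5b803c49ac25440702cd4a0684fa191e680e44ec107c8cc70

/data/data/{PKG}/files/umeng_it.cache

MD5 bf72c77fa45e72e3524fe80b95905689
SHA256 dae2dd141f94c25f5b787416215b4f13ab25b7b01093e48631633f518bcad49c

/data/data/{PKG}/app_mjf/oat/dz.jar.cur.prof

MD5 cdf150fd20075a308e49536a35db1a2d
SHA256 e04a6917ca40149e48d32e16e30c428906e8e57ad42304d054a545bfba868801
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def normalize(path):
    """/data/data/<pkg>/... is a symlink to /data/user/0/<pkg>/...: one directory."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def classify(path):
    """Editor's labels: only dropped-code hashes are stable indicators."""
    if "/app_mjf/oat/" in path:          # ART profile/odex produced by dex2oat
        return "art-profile"
    if path.endswith((".jar", ".dex")):  # payload loaded via a class loader
        return "dropped-code"
    if "/databases/" in path:            # SQLite db, journal, wal, shm
        return "sqlite"
    if any(s in path for s in ("umeng", ".um/", "mobclick", ".imprint")):
        return "umeng-sdk"               # Umeng analytics SDK caches
    return "other"


def parse_files(text):
    """Return a list of (normalized path, {algo: hexdigest}) records."""
    records, path, hashes = [], None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2)
        elif line.startswith("/"):
            if path is not None:
                records.append((normalize(path), hashes))
            path, hashes = line, {}
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if path is not None:
        records.append((normalize(path), hashes))
    return records


def triage(records):
    by_path = defaultdict(list)
    for path, hashes in records:
        by_path[path].append(hashes.get("SHA256"))
    iocs = sorted({h for p, hs in by_path.items()
                   if classify(p) == "dropped-code" for h in hs if h})
    # A path seen with two different contents was rewritten during the run.
    rewritten = {p: sorted(set(hs)) for p, hs in by_path.items() if len(set(hs)) > 1}
    return {"dropped_code_sha256": iocs,
            "rewritten_paths": rewritten,
            "classes": {p: classify(p) for p in sorted(by_path)}}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_files(SAMPLE_FILES)), indent=2))
```

On the full report the dropped-code set is the same four SHA256 values in every run (tdz.jar, ddz.jar and the two dz.jar contents), while every lezzd*, umeng and .prof hash differs per run and should be dropped from any shared indicator list.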