Malware Analysis Report

2024-09-09 13:38

Sample ID 240605-pme4mafc9y
Target 9827db94c1e7747f2d8d5f1d6879be56_JaffaCakes118
SHA256 43c99b2c2cf886d561635ebe6e87b8fb7d166bdce2e569a42405b329af04a5ca
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 43c99b2c2cf886d561635ebe6e87b8fb7d166bdce2e569a42405b329af04a5ca

Threat Level: Likely malicious

The file 9827db94c1e7747f2d8d5f1d6879be56_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries information about running processes on the device

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-05 12:26

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 12:26

Reported

2024-06-05 12:29

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

179s

Command Line

com.afjc.onen.jfjx

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.afjc.onen.jfjx

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.afjc.onen.jfjx/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.afjc.onen.jfjx:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/com.afjc.onen.jfjx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.afjc.onen.jfjx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 419e7c4f7945b06caa187cae82f7c543
SHA1 c1bbdaf33cc0ca19930ec155da291f3eb1334ace
SHA256 458946a3f3c4a13ea5fd7827666b79a02bebdf11be4769a45ebf87547d344359
SHA512 43b7f105c4d5337aeac2d1b88e72bf242b0a5b57cf42c16e4c6e802d0ad0d4d291218cf6a80312042696112806d5faa165ac81b83e681b53b55f85a230cecc14

/data/data/com.afjc.onen.jfjx/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.afjc.onen.jfjx/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.afjc.onen.jfjx/databases/lezzd-wal

MD5 a9f06158247133ceb3e0c5a6000a519c
SHA1 e75f59fcc1bcd5d75ff2f38c2de8d565bdcf1221
SHA256 9c21076575b51bc06fee793982267bd9aa99237eee115df5bee99f2046241f4c
SHA512 b4da4fbcef26bda72883bd8fe3228d5b0486d7da94709861c79da97f849d02ebe0406e6b64681baf58effe9fc2df4d63cd2b3e67c14c25d8b5f61880ac2703ce

/data/data/com.afjc.onen.jfjx/files/umeng_it.cache

MD5 8b94effdf6a260ed42d71eab7b415055
SHA1 c33fe8bbf737431fb3cce0b02ee36c8e6366a6bc
SHA256 75d6c064571c2a751dc4b92531fe22f0a1e1a4a2e24da5eb67f542452515d50f
SHA512 febcaae35927a5411bd106d8417b3a77cd2aa795f726bb12aa35daba2ff534aa51b605a8b972d5ef7437fcc2f974acdbd29580d383c3df5e882bda6fda0a12ea

/data/data/com.afjc.onen.jfjx/files/.umeng/exchangeIdentity.json

MD5 847d37e4ff64f3b5ee4d849cc736ff0f
SHA1 2436382d11cb117fbedeffd82b3cefe03c66f8ff
SHA256 5c9bcdef77ac92323a8be09a6613bd63e78ea08f4ddaca2d8d31c3c309119426
SHA512 e6891eb29575fed1a58e1898586da29a90618c89607510f346774b124d81b47dcc53b3cc070993469ffc9178506b21b021188ce55fb61a21b241c17727426976

/data/data/com.afjc.onen.jfjx/files/.imprint

MD5 67577d67f86bcf1fbc1bf7a2b7cf30ac
SHA1 4d25fd53c988d1d9768d4d602df110b82e5c9169
SHA256 6ad946850efd20170e3633f2fcac04d8b313f3fdd257cad0ca17a0b8407e2933
SHA512 bdc13d00208115e532e9738b1179d1c09d1a51a52a1d5f0a70b255b26a6ff8d4cf1be6fe672f2d8b8333a31908b077cdad94c306a9adb5d2f69d180d3001d582

/data/data/com.afjc.onen.jfjx/files/umeng_it.cache

MD5 e58d7e7a94fdfe9747ac8e41897e1444
SHA1 c27ac5b9bf8ba32c05bf5138d098e0509e8c6f33
SHA256 eecb9b152f70606717403b028c6e8ebffa4188a7149f6357b883e2bb2c551643
SHA512 7d89080da951b2df2d16cadce5f4e9aaf1a07a01447b3bcaaef4fde88c83b306f47ba5f43d4715187dc0c668cb831304538f17851886790804620f9dd08b5a51

/data/data/com.afjc.onen.jfjx/app_mjf/oat/dz.jar.cur.prof

MD5 f6c33220368aa39ef6a083ad0cd045d4
SHA1 d3b9e0f63d782e79c51d51ad54d6293bbfebef17
SHA256 9352ad0026b6cedd504b6abeb4f99162618a395e07b82b991f2e2d422b03df01
SHA512 e545da93581ecf2c5f18555458d421ccd7e16b8611c680fe99d1c0efbd67aa3f4c88fd6814d7dde081559979626b1a09e0f500f3ede564d01dc9bdba2f17b572

/data/data/com.afjc.onen.jfjx/files/.umeng/exchangeIdentity.json

MD5 43198297dc5a4158f5ebd70cb336c77c
SHA1 23c585eb05d81a084eb0ec9b751040f58f39868d
SHA256 1e937ee55facdf1cd9104eedaad77bd71fa2ca03ae27daebb097b1876264d094
SHA512 7c6c9f6afabecc536d84bfbac2c62d16fe092f0e4c354e75bf31ea1cbb304e6bfe7d8df4f8146db693cf5594f7da9ac08f6a46280e2006a8ac4285f11c8dd3f0

/data/data/com.afjc.onen.jfjx/files/.um/um_cache_1717590570235.env

MD5 40532587978ef12dd2276b460039b1f7
SHA1 c602cc24533104fe30e55ab7478a4d44d2c4218f
SHA256 1ed884e5480ccf07481d8f7fc1a373dd483a68ac8d03f2baca0e30fe75174c6a
SHA512 cdffa2d5658da88073cf8e74469e742d928d539d727adaf5dffca47a3a89bb7b16681ed5f36b4b4527157df4df13ccf213e7886d7ec75c5ab547ac6d0b4ca7a3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 12:26

Reported

2024-06-05 12:29

Platform

android-x64-20240603-en

Max time kernel

178s

Max time network

178s

Command Line

com.afjc.onen.jfjx

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.afjc.onen.jfjx

com.afjc.onen.jfjx:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.121.73:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.121.73:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp
CN | 59.82.121.73:80 | ip.taobao.com | tcp
CN | 59.82.121.73:80 | ip.taobao.com | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.187.226:443 | | tcp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
GB | 216.58.212.206:443 | | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp

Files

/data/data/com.afjc.onen.jfjx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.afjc.onen.jfjx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 6f216d23773b47c5db495fcd4e413551
SHA1 2c8fc6b680cce8f8a3c30c2667549e2551109ec4
SHA256 481382e4c83c375735a48346ab263bdd6f8d63bb4ec281dcd58be649708422ee
SHA512 202c183b13db7dc9de5160f60dcdd30735f9e7a440de9d28505e060bd88abfc9175454b98f6fcef791515c83ceec685c40a0fe3900ca7fcf3f0758ade504d612

/data/data/com.afjc.onen.jfjx/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 c1e2217eec6c5bdf03479e6bc817f9b5
SHA1 fe3ee0f0898d7238cb75821721661b374cb2dbd0
SHA256 04e62b9f92be79fed5de7113ecf796eb3fa4f5a5e24dd1286b11544db184bf4d
SHA512 333c1709e7f1f7314b9ba00663f3e5afad061e63f2b6eab82d61beaec301f41e0f10dd8e528efa3df89b293f6e606205f14269a89f64db1d26d1bff631e332ba

/data/data/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 b53de3a54a790c8dc29e45d0276bc070
SHA1 29e26d08c18dbb1a26d71cc8d26099d14f6e9188
SHA256 4204d64a33460e991fa545226765fb89ea380035df6c0f88baa6571ac1b6e72c
SHA512 18144708901ed04b9384eaef9002abcd03bb95161e0f29785232474dd0d2e9c9a226fcb2159341ba24e14ee2d5230636f40367121838445e00d67a839276354c

/data/data/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 918013f93cb0265be4ed1fa660786fbc
SHA1 52bf450589fb883ca27d373a75f68d1bb1e5f878
SHA256 177305880e229ecde15f50a8d7263dab7bf76af181aa70830391de561fd1e16f
SHA512 0b65934d355a4dc970bbeb58bdea8e14c1f08659bca5af717e9cb73298b437009e13a49580eb04a066c76658ee4646dfb1a4f3e136d774af434b1b20d061cac4

/data/data/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 e37b1993294890eec7df040a6bfcbdc3
SHA1 bedb091a9571e4b0db3235a793eabd599e6a2743
SHA256 2cccb091dba423c3b4df3bd0ba783d3db913bff343da7af893e2c70f5605405d
SHA512 b77b41ebb03b2c2bfd7cbd567159df93fec63785fd02c769f924855bb036373f4ff4c41e898088766f25ae936694fd4f9c90726b3ec3748cb67daaa75b84be7b

/data/data/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 0a743aec13052aa1e061a3f695cdbcb5
SHA1 07cb83ebaa7a53bf687427ba1bedc594491b5150
SHA256 e5854662c45b738d4a51bb6aa2b52da9618fa7526d8e951c732aefd45baaf2ed
SHA512 a5790c6b31bf18480c3b4dceaa1c32d1a432a7bbe01f3f50e21ccd86c5ec333193f8bbe8bf66a6244031bd14212e37cfbf457f2e0c1ede701454aa5d3a0df82a

/data/data/com.afjc.onen.jfjx/files/umeng_it.cache

MD5 265693e0c96fb53c200c205948eb923f
SHA1 31a65d5548ef24fe12fc3d1ad677913491381309
SHA256 dea8b5cd9bb23ab9995e890cdeefbe2275bd75ad274f4725cf9f970f54171032
SHA512 fee5cf952eb63111cbf6bdc448041cb77acceaeef8de7afdb8cf2848cd33708db233039949550841ca2b6005842d28ab0482aaa8e0f7a130385dcf9ee0d907f0

/data/data/com.afjc.onen.jfjx/files/.umeng/exchangeIdentity.json

MD5 49a245437ec7eb57e3a72078c565d8aa
SHA1 141323abb594d440199f43a52208ea41d20ba147
SHA256 55cb1239ea259e9f28f5774e46ade0d45eef28777104c32f5295bf6600bed4dc
SHA512 1d8c881cfd377373f24e9e2b70f6116fd0b580fc35f3c7a77e1d59574b5bcc0c2d92d5a48b9ca0d889a68db75fa9a691c2098e133edad10273a8ad4505c1bd31

/data/data/com.afjc.onen.jfjx/files/.um/um_cache_1717590510460.env

MD5 ddc27b0305ad97c31cce59665d33caa6
SHA1 8cce3feffd8ce8b30458056d0337ef6df7ed92a1
SHA256 eb26ce56821f69a4ddeec757246ffbeaa12ae30a0ecd3c59c598fbb657bc1526
SHA512 8b1edaf9ed8d444f6902c0cb0e7e11b352db54899807b5b6dd9001d20ed79c6af02cc1e2b5c14ba63d98dff064a8a43182f7886241fc7eef85eb17c822ea71fb

/data/data/com.afjc.onen.jfjx/files/mobclick_agent_cached_com.afjc.onen.jfjx1

MD5 f689c43a7a963de5203e977f2f5e631c
SHA1 edb253a45f18c3a541b1abd8f8770ca8b2c1ea1d
SHA256 acb68e02f2bf7e5578867fd11e882efc2738e01b8d48a4e14b48cbbce671ffd0
SHA512 7555f3d0de787bb8b2cab27639351126daaa197cb1c224223dd4e3f9d452795d8fe7c3b5a690fc8c102733f7c4cad2eda117b24db78297b8ec638fbd26d95d13

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 12:26

Reported

2024-06-05 12:29

Platform

android-x64-arm64-20240603-en

Max time kernel

178s

Max time network

180s

Command Line

com.afjc.onen.jfjx

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.afjc.onen.jfjx

com.afjc.onen.jfjx:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.172:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.172:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
GB | 216.58.212.196:443 | | tcp
GB | 216.58.212.196:443 | | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
SG | 47.246.109.108:80 | alog.umeng.com | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/user/0/com.afjc.onen.jfjx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.afjc.onen.jfjx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.afjc.onen.jfjx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 aff5961e770efd36adc727d5516355f5
SHA1 3b13cdc22543ff8e835fafb6f8b71cf0aba0e54e
SHA256 9748d30b490b03b52fdb503009f95c52120a97368bb7fca3d9d7ac1daf3ff7e3
SHA512 24a35c71e5017b1f96f9117bf6ebdfee163cc27109113159c4d8ee9d752ef18760e8b381f88217aec973100cb7f396b71af64f8983b36c7e58ebb9e2de6a673e

/data/user/0/com.afjc.onen.jfjx/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 dcf8be1ae1670d14649982a6cfcd6f52
SHA1 3600c015ac03828117b1657f04c23ed9dd11c382
SHA256 37451b21652f6a181b6096c7b5fd7fe8ce271ddfa611f1a56ec422e91b2fe4f6
SHA512 17b2e34919ba21d093f01b94dbb349259bf6842adef984ee0f3aab8ca124097926841d34e73b1fe0adf11184d34ddc683bc37c5c3ef9804c52740be3ded93068

/data/user/0/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 1384c12e8e4c413c89777d811a7a7259
SHA1 0eb9d54ac71dc10a62efaa974bdcfe4644e3821e
SHA256 10d26cf123313be36e5417c6b405761608266fad28c3602e51c738b00c893a49
SHA512 b59c46d70112d514cddcbfd96ac90c58af832138fab2f157d6c9f108d21f35b58cd440f7725ef685cbcad719e10b1c002f00cf376cd0f172c9cc8416a7291b16

/data/user/0/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 003b097e4eef9385979b680f8ede30c4
SHA1 8200dc7c8092d0876c92b772a0935e72eaa33b6b
SHA256 ffaa2093e336e107b15a8e8677842c981a64d031dc7fb15759a154f281b64773
SHA512 53b71b843dd64fb08bacad2a84476796134f7f3a79c490c39f25943cee7ac15866d36cd1cf2bf5c287b0f44230afb6a9e4237b1265c940c701cd82a9fc90d571

/data/user/0/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 c81b689460f72cc5f3d6d0a4b363dfad
SHA1 4b48d2999e8f0c692f9e120fd6dac7f540bf90b8
SHA256 e0ed2e8bd255d5334edb9dbcce5e0290bc6e304d43da1585404013c519f9b49a
SHA512 dd841793cfede2a7426022018034bef16e9c906efb010aeb78a8bec75efc2b6c2b2d1f4584b95031491da997a6d2f9eb804fd6bb136353dc884856277d4b2b7e

/data/user/0/com.afjc.onen.jfjx/databases/lezzd-journal

MD5 c1451194eae8431a7bf407eb92525795
SHA1 ccf7ae67ec41d0ff4798e233d776de624c6520b2
SHA256 74e0f1f99af9fa44e7cff5b4c14cc5ccea49cd28862fb6e4510f0ee37f3fe176
SHA512 93c77eff520a7266eef0629d14d63cf6b45a27bde0e5926b69c343320e87005c11b962b25402e0c73b9599ccd71271c3964d4f7414499af3b7dbd35bb1ac3a20

/data/user/0/com.afjc.onen.jfjx/files/umeng_it.cache

MD5 190db91a019442515080745a87a6605a
SHA1 767410635d829511bcd618f0fdf4501d00041b6f
SHA256 b8c2334ea93d6606ef1666a5c1c9f4166f7f659bbc31cb5bb3422ad40aff2f76
SHA512 0727873016e3aa18f95af178b0c2f4db932c7906338267497ba4b9d8b9165efdd097f0ff091298eb396e017e2e621d80e7f15c50957be402a1f0e81d492b1472

/data/user/0/com.afjc.onen.jfjx/files/.umeng/exchangeIdentity.json

MD5 b43c5ffc90f02cb534e077bbebfe9378
SHA1 f3e3d65a0fcaf55d56e51a2310c0a07aa15e8e7d
SHA256 9747c37c5daecd8286a10da5bfd6373f5df74448a83d142e45fa2e208813cc37
SHA512 965f5644efbf44e0ea950bc92448be336bbc0bb3e865f9afb27d858f51232d84aa71b714ba115153b3d10185303be647eae00f32799f9421c1c0045e1ea1d3f6

/data/user/0/com.afjc.onen.jfjx/files/.imprint

MD5 01583ef8294ca77c8ce72032e3273df2
SHA1 493646dbee5f68d51557216baa351729c8122d10
SHA256 b132298254fdcf41089854d224a52b64f481b06491ec9e86804073d703f3c57b
SHA512 74c40c84a1ad27f8a6206a14dde1f353e65534ab4839203b9cea17d0522f2220b8eee749bc6c5f858721a1a33fc0c046faee1d82d081379fd98319eb96303219

/data/user/0/com.afjc.onen.jfjx/files/umeng_it.cache

MD5 eded87424ed5b3a76cd405bc9b20124f
SHA1 3038c475eac4b498e64be04c5c23bfbfc216ea89
SHA256 206a3e5f7f53afd45cf311638acb134e601289ba0f847a9e64bfe1a97caa93e1
SHA512 871fb6b08dd0195837b79d2fa564731ba71d0a85db0ff97e6061f2bdfaceda1718d65c08828cb5e870bfc9bc4cf0d0028d3a4e8fb9fbaa3950c6b139a4fd2f0a

/data/user/0/com.afjc.onen.jfjx/files/.umeng/exchangeIdentity.json

MD5 45fe42a85271947843b2b4e15cad8325
SHA1 1a074baf8069704655d3eed06b2a365720a8762c
SHA256 d57009741915d7d5cdd98bae6502c5789b09e1348b852da06b224b1417883115
SHA512 a87457dd14500ac48c49cca3f8f275791936b69390fafba7bdf20689661d0a68a822e2420cc889d2417d17a905a981ea5f29c858e0dfb8b710a0e5fc08af790b

/data/user/0/com.afjc.onen.jfjx/files/.um/um_cache_1717590569643.env

MD5 ff7cd7d08d2865d82abc8448ad230cb3
SHA1 bb670d9ec52dd5881ef03b53a7caf52674ef1f3c
SHA256 64c703246dbbb960cc18e599e23068d9147eb22916fc8fa118195086f33a5ac4
SHA512 98a719cea1a0563948fcceb987faee85465a71649f72604b4da91b8051864e1e07076460355c91e7a070071d60701ab5e6bd266da79c1ba4ba5e4c3695f17f99