Analysis Overview
SHA256
052f6523fd87e0b889b50d16390bac3c322d816494566dda077c640a66fe1067
Threat Level: Likely malicious
The file 98cae89ec80bddb72d245fd330ee539c_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Checks known Qemu files.
Loads dropped Dex/Jar
Queries information about the current Wi-Fi connection
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Queries information about active data network
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 17:38
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 17:38
Reported
2024-06-05 17:41
Platform
android-x86-arm-20240603-en
Max time kernel
156s
Max time network
153s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
Checks known Qemu files.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /sys/qemu_trace | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/data/com.qmdk.fqgj/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.qmdk.fqgj/.jiagu/classes.dex!classes2.dex | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | s.appjiagu.com | N/A | N/A |
| N/A | b.appjiagu.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.qmdk.fqgj
chmod 755 /data/user/0/com.qmdk.fqgj/.jiagu/libjiagu.so
/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.qmdk.fqgj/.jiagu/classes.dex --dex-file=/data/data/com.qmdk.fqgj/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.qmdk.fqgj/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed
sh -c ps
ps
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 142.250.187.234:443 | N/A | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | app-router.leancloud.cn | udp |
| US | 1.1.1.1:53 | api.leancloud.cn | udp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| US | 1.1.1.1:53 | www.zhonglongit.com | udp |
| US | 1.1.1.1:53 | api.map.baidu.com | udp |
| HK | 103.235.46.245:80 | api.map.baidu.com | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| GB | 142.250.200.46:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| US | 1.1.1.1:53 | s.appjiagu.com | udp |
| US | 104.192.110.60:80 | s.appjiagu.com | tcp |
| GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| US | 1.1.1.1:53 | b.appjiagu.com | udp |
| CN | 180.163.249.208:80 | b.appjiagu.com | tcp |
| CN | 106.63.25.33:80 | b.appjiagu.com | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| US | 1.1.1.1:53 | api.leancloud.cn | udp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
| CN | 106.75.100.17:443 | api.leancloud.cn | tcp |
Files
/data/data/com.qmdk.fqgj/.jiagu/libjiagu.so
| MD5 | f7f5e960db0c8a6f3b5b8d1a0427a042 |
| SHA1 | a8b623f9f87a6e785508befe07314da2fa903bfa |
| SHA256 | 17ac5b03f2a51ebdf2cce66314bc8e3e1547bfa0dde61357fcc07768aaaecb3c |
| SHA512 | ec889d1d9428cdbac082d0b5ab81cf33ac417874a416daf27b02af3d207b1b02ed794fc0b3f0ea266c8edaf3bfeb8f3cef7c631af689405fa629fee948ae8cba |
/data/data/com.qmdk.fqgj/.jiagu/classes.dex
| MD5 | 884d4a76c074f77baa27307dfff82392 |
| SHA1 | ff03cc10ab162c3b1850d3841382919778c407b4 |
| SHA256 | a9cda39251842b275e24898a13c5f073ce0705e424b8a927ef7bc4057db808c6 |
| SHA512 | af62c6dc4c668e04f1733badc17d3abb88eef0f5a3feb86b53fdac8f7f7eca526191765dd22adab4a13adc0aa584347deeb64636a2e3d7d63737d05df6f6a838 |
/data/data/com.qmdk.fqgj/.jiagu/classes.dex
| MD5 | 756fdecbbcb8b33a8632e16ded65c18c |
| SHA1 | 24239d58376911e4dcedfa22b16ed7b837d6c1ca |
| SHA256 | 14d530c01cab67093973c73d99d858f0f1fea3e2164a88fdca9aaf0cad2274af |
| SHA512 | 3a6491f04fdd8be2cd46b86dfcaa6485a54fcae477b93c6b2329a7481ff3be81ef743a255d5973f8c5fb706146a593917fc0b27bbdc49e700b3cab8f8c6c401e |
/data/data/com.qmdk.fqgj/.jiagu/classes.dex!classes2.dex
| MD5 | c4111cfaca162b46042310b11ea9a8cd |
| SHA1 | 1ec963a64a2561f02811fd8ec18f4503b0ae4dfa |
| SHA256 | 247553a455dd3464a4620badddd20cf62de48c52fa59b4902a45b84a92ddff80 |
| SHA512 | 07ed4d5b2f05e9dbcb9035d2406053aa8aa8521d9e159afcbda94f1a6418d8ef665603e9f40e4fb71b86bc26e149b5a8760b344be79386fff63ae280b14fcd07 |
/data/data/com.qmdk.fqgj/files/.jglogs/.jg.ri
| MD5 | ad3921efd9896f24065fc7484f8b8384 |
| SHA1 | aae1b3fb8efaf388a2c763cd2ca195850c25848e |
| SHA256 | 837516a98c7cf44d10d4a5c76c30aac87f4a8b32822419e63bc8a0adbf305d8e |
| SHA512 | 0ca1156135f6ee6951001d3fec7f5534c1e3103e6722c90391699dbb17f8c64ab0f558a064646392e9a870c81d78722d9bdb8b2d08ef9153711d8d7647b2ba56 |
/data/data/com.qmdk.fqgj/files/.jiagu.lock
| MD5 | 893d6e8aa45bd6b51caf9ff08362ba50 |
| SHA1 | abcf47953ab79de69ca2ccee46145ff73f94a6df |
| SHA256 | 7361c28fa45b7ff5f96ea109fc3b566228dead44e96ebc2f637382e45c454350 |
| SHA512 | 495f59f611926c203493cb68b727774940c5672a8d3b47b9c983d45d65f40ca9ccebaa7319d89eb00c8066209d7187599a613f2c3323ff8365d49250e99d6bad |
/data/data/com.qmdk.fqgj/files/.jglogs/.jg.ac
| MD5 | fb646c85c9abb88a289cfa977a9e9aa3 |
| SHA1 | f7600d7204adf7ce2a996034bebcda0550242b0c |
| SHA256 | d673e78ef450a1cea44667118b9d7e9a93d82a232cca78c20caf7fca1c8d552c |
| SHA512 | ca4e7059a8201b9dbceb50e3d346c2f46064a0cdb45bc2ae0ffdc35a816ad06c9a06caea7298801fa2391f80dac3636aa26ce967ef87d7f4a50b46cad2a9fbe5 |
/data/data/com.qmdk.fqgj/files/.jglogs/.jg.ic
| MD5 | 71a1ccd95c88ff3da04a927b7cf15ca4 |
| SHA1 | daa7780ca9237a05d4a5011c8cf659e672bf5458 |
| SHA256 | 3114a87d80b7c6dc5edbdb91332c3d4e9d02352c8a0d726aed07b009b147d93b |
| SHA512 | 9e16f36f6d3972e4078e8eae05f79c0b4d5de370709a509589f8050d9b72ace01669d93a9f09e6c4fbc38c76c2de70f194d650dda77fab83ab782decd8607ad7 |
/data/data/com.qmdk.fqgj/files/.jglogs/.jg.di
| MD5 | 8c2b4780ce928355457d1d5a67e1ae96 |
| SHA1 | 21b13ecac11b1990139a1a2e3d47241efb303494 |
| SHA256 | 2b14497707352a5e72f96752bc7f17dad13995d9e0b5568d967b5d8c6e5e7b44 |
| SHA512 | f4693a12474f11fbdef8aa1d3565038a1bdf3c18df99f5e59850078f0c1481cfb816db695666dbb078a499e114376e952f1f25a63b9848b41ba5540233dc84cc |
/storage/emulated/0/360/.iddata
| MD5 | 73f9fceeb41eaaca4c93a2db7eade5d0 |
| SHA1 | 555b794a6a082c11d76df76b09826325a6196cee |
| SHA256 | b4af43264b96d5dc103a0c4712d31bb44bc226865e1cfd0bca7dab9943d19fe9 |
| SHA512 | 56625ba4dca96bfd4082ab9b245d55566e9736ccbe6250fcc9d48f4de7525e1538628c9bf2fdfde3405139c92bbaaaf8d872ac4697b06da71f5fa79dbc2c295e |
/storage/emulated/0/360/.deviceId
| MD5 | 1d8d16c4e3b19ebf18988530d9b9a757 |
| SHA1 | bc94c1cce05cd848a53271ecb9c5311e27ffebf5 |
| SHA256 | abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7 |
| SHA512 | 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82 |
/data/data/com.qmdk.fqgj/lib-main/dso_state
| MD5 | 93b885adfe0da089cdf634904fd59f71 |
| SHA1 | 5ba93c9db0cff93f52b521d7420e43f6eda2784f |
| SHA256 | 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d |
| SHA512 | b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee |
/data/data/com.qmdk.fqgj/lib-main/dso_deps
| MD5 | 63507b65b722048bdd68dcf0af03fde8 |
| SHA1 | d072108896d4c3c8b35ee32646b52141c5bfa164 |
| SHA256 | 60efce0a2b0acc96c04fdf2778b1ec553d9bb29286cf8e39036b0101fe89323c |
| SHA512 | 8c1c9f98c3f602685f65dcd57ff2fb300ffc329723716174e1bab778279de2ebba967206fb3d3c90c5b65f16023b4029a02b5017ee1e97d0a85610ef1b6668eb |
/data/data/com.qmdk.fqgj/lib-main/dso_manifest
| MD5 | c06857e9ea338f3f3a24bb78f8fbdf6f |
| SHA1 | c5a0a2529d2deb60fec041b4fbd722a2ebe31702 |
| SHA256 | 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027 |
| SHA512 | 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1 |
/data/data/com.qmdk.fqgj/lib-main/dso_state
| MD5 | 55a54008ad1ba589aa210d2629c1df41 |
| SHA1 | bf8b4530d8d246dd74ac53a13471bba17941dff7 |
| SHA256 | 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a |
| SHA512 | 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339 |
/storage/emulated/0/Android/data/com.qmdk.fqgj/files/tbslog/tbslog.txt
| MD5 | 992080ab6049850de20261fc95d43a40 |
| SHA1 | e348ab6536cad2fdf01e58b68b0531f12ad906dc |
| SHA256 | 342de70b9642715786f1b2735064771192c8663d8896f277f73459278801efa0 |
| SHA512 | 9eb2f97b82a5ff9cafb35ad67e2d2ec5f8c0461a484c4e60bb6b9619f755cb98c86365f0638add48e8c888a3eb75354123828c21a6f779fc80adc60ada9dee75 |
/data/data/com.qmdk.fqgj/cache/CommandCache/a221f94dfbaeeeebd4aeae0c3d6ab347
| MD5 | 545fb8bbed93d214b6a61a03245936b4 |
| SHA1 | d85ca31c6021ec6b2bd0de5794c057b9f7684b84 |
| SHA256 | 38f6b23d35ee2358210d7061a48c91867cad603e81d49ee3e55a77e4c0d59c6e |
| SHA512 | 9617ff71328bdf9fe846812817bb789e0829a0ab5a46a64c86bbcea2a76449c93549a9f8af88891af8ed7ee66e98984e69197dcd46ff735d7ee72f09be49dd44 |
/data/data/com.qmdk.fqgj/cache/Analysis/avoscloud-analysis
| MD5 | 71466861646b617eacafde345141f770 |
| SHA1 | ad1d03571b3578ca7ab9096e09204a54670a4f28 |
| SHA256 | 5a2c87ec66b464a71bbd52828d55172954ed47d6be703a88c8af1f133fbb0657 |
| SHA512 | 214bf8bf8fb101e2e613047598addcee0e1b3faf41f520800444815795585895b24704c6501240e6fdd3983c05f52427e00ac825493b5373d31325a982c13988 |
/data/data/com.qmdk.fqgj/databases/RKStorage-journal
| MD5 | 80797c667f4b3470835284680f85b787 |
| SHA1 | c7d0c67accc4d97fc185dca410cee05e7d51a66a |
| SHA256 | 43dfa776b262d34a5f79357c8e4764c5d9d639935e162c268065586a9613f062 |
| SHA512 | c98a19ac9f371e7f1572453f506f9a822f3d2ad64094868f8914f21115657feeddecf80f68f4811c486772ed31bf97b1aff056c444daffda3f06cd18d4a298c6 |
/data/data/com.qmdk.fqgj/databases/RKStorage
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.qmdk.fqgj/databases/RKStorage-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.qmdk.fqgj/databases/RKStorage-wal
| MD5 | 1bf733e7d3f77cc913923cd15dafcfaf |
| SHA1 | a797030f1c77f9681de915c6918406f050b9de10 |
| SHA256 | 0e71c67a27e525a2ee27e3fd6f05788c9207694d8cbf3025e8f3fc9fbae301c4 |
| SHA512 | 17d1a2f5612a9dad0011f2935d63d8e7d946ad88349fa39ba1c72370b8fa56257b4c337922cf471cb3aed7d2adb3973ff55aa5e938e9f166eddec95393019074 |
/data/data/com.qmdk.fqgj/cache/CommandCache/feaebe3233781579d301893b1f207885
| MD5 | a1e2da023f1d37b77153e9422091359d |
| SHA1 | c3eb961fd7d7f79ce832d547a75a311cc2d5cf51 |
| SHA256 | 1180f5af2d1967f20235f7167f7341f9da8e2633c1c3fc6c5bf2d6627e8b4b88 |
| SHA512 | b6947cd41855fd271c57023edb9f38945776281b35610c32f52cfb1d29a9cf1a5b24411b8f4f8bc4628e34465e3c3e1fd8d5b378e3bb1e0048cdce7dcab3f5ea |
/data/data/com.qmdk.fqgj/files/.jglogs/.jg.di
| MD5 | 8dd87529e7eb81879ee2a896bfd29600 |
| SHA1 | 4e71012af9fd33391ec1962c6c7165847f075413 |
| SHA256 | ec95733e466fc56528c4d611fade67ec81bd89a15ed24c82ea8f2294564b83a8 |
| SHA512 | 37a972df58f2edd8d600a5ffa413a4f5d56441e62ba92f69f94d443c02328e75dca06e1210dfb107347c83d3f0d1a4645b13dc5c5c7f8cf9b764afb8f232ea5f |
/data/data/com.qmdk.fqgj/files/.jglogs/.jg.ac
| MD5 | 002a38d2bbf96a643aaecc21a2a4e347 |
| SHA1 | 7edcf11771f999ec4d3d4707f8b4654c1b29418f |
| SHA256 | bd8c80511e6c9bcea670c66042e0b4f0878b833e04328e9545387199d51bc885 |
| SHA512 | e0c11a118b734d302af74f1073cac1fdd4438deec7f83d8015ecc0a9ae14bd2d18a303bbbd0a7c43916eae383f6d216d02e137833c2000b921a2f445821496dd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 17:38
Reported
2024-06-05 17:38
Platform
android-33-x64-arm64-20240603-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.200.36:443 | N/A | udp |
| GB | 142.250.200.36:443 | N/A | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |