Malware Analysis Report

2025-01-19 05:05

Sample ID 240605-xvaswaga29
Target 98ff1a5536f7b534676402cbc43991e6_JaffaCakes118
SHA256 56df9f943763eb613598f43962dc00fdc91f4f17c862a1d7d37f23f050ad366d
Tags: collection discovery evasion impact persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 98ff1a5536f7b534676402cbc43991e6_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Requests cell location

Loads dropped Dex/Jar

Queries information about active data network

Reads information about phone network operator.

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-06-05 19:10

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 19:09

Reported

2024-06-05 19:25

Platform

android-x86-arm-20240603-en

Max time kernel

133s

Max time network

185s

Command Line

www.wantu.cn.hitour

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/www.wantu.cn.hitour/mix.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

www.wantu.cn.hitour

sh -c getprop ro.yunos.version

getprop ro.yunos.version

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 19:09

Reported

2024-06-05 19:25

Platform

android-x64-arm64-20240603-en

Max time kernel

14s

Max time network

131s

Command Line

www.wantu.cn.hitour

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/www.wantu.cn.hitour/mix.dex N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

www.wantu.cn.hitour

Network


Files
