Malware Analysis Report

2025-01-19 08:10

Sample ID 240606-b3rwgadh9z
Target 99babc2465f09409fbbdf802b54f3a3b_JaffaCakes118
SHA256 3d54e9c23c02814e2ac13ca57ab4d42cc3677d45358cfca36dbb6797301b853f
Tags
discovery evasion impact persistence
Score
8/10

Analysis Overview

Score
8/10

SHA256

3d54e9c23c02814e2ac13ca57ab4d42cc3677d45358cfca36dbb6797301b853f

Threat Level: Likely malicious

The file 99babc2465f09409fbbdf802b54f3a3b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Checks known Qemu pipes.

Checks known Qemu files.

Queries information about running processes on the device

Queries information about active data network

Makes use of the framework's foreground persistence service

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Reads information about phone network operator.

Acquires the wake lock

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 01:40

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 01:40

Reported

2024-06-06 01:43

Platform

android-x86-arm-20240603-en

Max time kernel

178s

Max time network

185s

Command Line

com.nstyun

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.nstyun/.jiagu/classes.dex N/A N/A
N/A /data/data/com.nstyun/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.nstyun/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.nstyun/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.nstyun/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.nstyun/.jiagu/classes.dex N/A N/A
N/A /data/data/com.nstyun/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.nstyun/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.nstyun/.jiagu/tmp.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A
N/A b.appjiagu.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.nstyun

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.nstyun/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.nstyun/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

com.nstyun:pushcore

sh -c ps

ps

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 s.jpush.cn udp
CN 1.94.9.210:19000 s.jpush.cn udp
US 1.1.1.1:53 cs.zijingcloud.com udp
CN 123.59.170.73:443 cs.zijingcloud.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 update.sdk.jiguang.cn udp
CN 1.94.9.210:19000 s.jpush.cn udp
US 1.1.1.1:53 sis.jpush.io udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 123.60.31.166:19000 sis.jpush.io udp
CN 123.60.31.166:19000 sis.jpush.io udp
US 1.1.1.1:53 easytomessage.com udp
CN 110.41.53.90:19000 easytomessage.com udp
US 1.1.1.1:53 s.appjiagu.com udp
CN 110.41.53.90:19000 easytomessage.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
US 1.1.1.1:53 tcp
CN 120.46.141.4:19000 udp
US 1.1.1.1:53 _psis._udp.jpush.cn tcp
CN 121.36.15.222:19000 udp
CN 121.36.15.222:19000 udp
CN 124.70.159.59:19000 udp
CN 123.60.79.150:19000 udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 120.46.141.4:19000 udp
CN 124.70.159.59:19000 udp
CN 123.60.79.150:19000 udp
US 1.1.1.1:53 _im64._tcp.jpush.cn tcp
US 1.1.1.1:53 im64.jpush.cn udp
CN 139.9.138.15:7004 im64.jpush.cn tcp
US 1.1.1.1:53 tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 124.70.211.119:7000 im64.jpush.cn tcp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 124.70.211.119:7000 im64.jpush.cn tcp
CN 124.70.211.119:7002 im64.jpush.cn tcp
CN 106.63.25.33:80 b.appjiagu.com tcp
CN 124.70.211.119:7002 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 124.70.211.119:7003 im64.jpush.cn tcp
CN 124.70.211.119:7003 im64.jpush.cn tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
CN 123.59.170.73:443 cs.zijingcloud.com tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
CN 139.9.138.15:7004 im64.jpush.cn tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 124.70.211.119:7004 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
GB 142.250.187.206:443 tcp
GB 216.58.213.2:443 tcp
CN 124.70.211.119:7005 im64.jpush.cn tcp
CN 124.70.211.119:7004 im64.jpush.cn tcp
CN 124.70.211.119:7006 im64.jpush.cn tcp
CN 124.70.211.119:7005 im64.jpush.cn tcp
CN 124.70.211.119:7007 im64.jpush.cn tcp
CN 124.70.211.119:7006 im64.jpush.cn tcp
CN 124.70.211.119:7008 im64.jpush.cn tcp
CN 124.70.211.119:7007 im64.jpush.cn tcp
CN 124.70.211.119:7009 im64.jpush.cn tcp
CN 124.70.211.119:7008 im64.jpush.cn tcp
CN 124.70.211.119:7009 im64.jpush.cn tcp
CN 1.94.9.210:19000 easytomessage.com udp
CN 1.94.9.210:19000 easytomessage.com udp
CN 123.60.31.166:19000 easytomessage.com udp
CN 123.60.31.166:19000 easytomessage.com udp
CN 110.41.53.90:19000 easytomessage.com udp
CN 110.41.53.90:19000 easytomessage.com udp
US 1.1.1.1:53 _psis._udp.jpush.cn tcp
CN 120.46.141.4:19000 udp
US 1.1.1.1:53 _psis._udp.jpush.cn tcp
CN 120.46.141.4:19000 udp
CN 121.36.15.222:19000 udp
CN 121.36.15.222:19000 udp
CN 123.60.79.150:19000 udp
CN 123.60.79.150:19000 udp
CN 124.70.159.59:19000 udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 124.70.159.59:19000 udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 tcp
CN 139.9.138.15:7004 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
US 1.1.1.1:53 tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 124.70.211.119:7000 im64.jpush.cn tcp
CN 124.70.211.119:7000 im64.jpush.cn tcp
CN 124.70.211.119:7002 im64.jpush.cn tcp
CN 124.70.211.119:7002 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 124.70.211.119:7003 im64.jpush.cn tcp
CN 124.70.211.119:7003 im64.jpush.cn tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
CN 124.70.211.119:7004 im64.jpush.cn tcp
CN 139.9.138.15:7004 im64.jpush.cn tcp
CN 124.70.211.119:7005 im64.jpush.cn tcp
CN 124.70.211.119:7004 im64.jpush.cn tcp
CN 124.70.211.119:7006 im64.jpush.cn tcp
CN 124.70.211.119:7005 im64.jpush.cn tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 124.70.211.119:7007 im64.jpush.cn tcp
CN 124.70.211.119:7006 im64.jpush.cn tcp
CN 124.70.211.119:7008 im64.jpush.cn tcp
CN 124.70.211.119:7007 im64.jpush.cn tcp
CN 124.70.211.119:7009 im64.jpush.cn tcp
CN 124.70.211.119:7008 im64.jpush.cn tcp
CN 124.70.211.119:7009 im64.jpush.cn tcp

Files

/data/data/com.nstyun/.jiagu/libjiagu.so

MD5 e102893683a16d223c852ac584155d58
SHA1 5560d79d71fb1951d6ab0a464af87429a4933c2b
SHA256 41c76fbc6aabf843f22a1cf49a457bb99a7579b7260e46b2841c30afd82523c8
SHA512 3129498f917661361bc9a0eaba6b7b6490c2216e19dd7cc802b1f2f22fc16ae43b86a7ca97273cd2e2504a7e7e08a173daac34f5085a21ffd4ac1d84e76cb8ab

/data/data/com.nstyun/.jiagu/classes.dex

MD5 bf550e6e61a97e8a70dbe62936d7ca8d
SHA1 c1b18608885fb9922368fd97236285cab696b0d4
SHA256 c66867243f7e7871b2267b35e36e8a646b4de4a377d8879668f6008e4ff1494a
SHA512 a6529e5e6d9b456a6d3d4ec4ff5fc57c9f91304c536836e9a4126fd77189bfa0a7640e007e30b2d15ae8bdeb78ae164ef698f8ed85fb76d10cae0dc17a6bf3ac

/data/data/com.nstyun/.jiagu/classes.dex!classes2.dex

MD5 9ce46494faa37086efad3fafd889c016
SHA1 49ebb4d37dfbc595185d272133ac10b665f30a43
SHA256 50c5068027aa7fb94cfd18c04828d1bdecb373ad07bece882902bfcbd5d68d9f
SHA512 3e82dc3666a90d17021af4f32d29e9c3a10c02d935c0546936a13225f78bc0a194d108d82657320436eba986ed5189a48e688bf782554249a94e23117b026785

/data/data/com.nstyun/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.nstyun/files/.jglogs/.jg.ri

MD5 6013ca82345d9735ba4b51e760870b14
SHA1 1cc5cdccec53282efb5595242d15831000c97110
SHA256 79c55ade8728df02bccf86d1454eccb5bc294e33a003115348aa259473e9a738
SHA512 648a3727f1332635dc524ff7759aee5309fc8c4da27bb46b6286cd1f5b75cff3a9b2fd6722c799a594d3b5339127513fb7635684ac4a690b062ac0c730a4d78c

/data/data/com.nstyun/files/.jiagu.lock

MD5 64454854dc4ad106e585df964a58b2ba
SHA1 7c726e68e5695530fb0fc710c6c58aa5dc2f8349
SHA256 ce3d102afa26d00d8f571c47c7b4edda7122b53439472d45f1f42f7763b26970
SHA512 7db100d70af7277ded3d21cfeafaffddd07e82c4159c8f9887495dac17eb36b9bed49c1a259fe9a6abb76ff0ff6649cf96cbfc113a26469be83558f4a44fcd1b

/data/data/com.nstyun/files/.jglogs/.jg.rd

MD5 6407d916d0478137ac0e79c05109ce05
SHA1 d68053917905d540cd1b530bbc13fc01d2258734
SHA256 d1d6d814b5b4e98389d90774113e8c4f082dd6dc9059c200664c14f755dbe4df
SHA512 6dd62ce801178b2cf14caf3d80f54d820a55caf36a5efa493a702fa6a74174f7dcbf44a6894c611dcfad71eaff4c62900ab1f76057b416dc98ab3383344e6eef

/data/data/com.nstyun/files/.jglogs/.jg.ac

MD5 1fd2f7d3e8fcb96d4f00a0ce3478e3d5
SHA1 ce5bb0a89f254b2bc7ce869847a2bc081f71fe60
SHA256 6eb5332b9364bc93aac769c1e4dd4cdd8c070f6db43bf5e19df82fa87cad9a1b
SHA512 e3308b190ebf1ec4e02e0c6fdecd499bd2546bec1335e04ab72313df21b2144c8eb224f594c5bfac68579c54ff349c1d91d12840bb13b81f26ab800bf898ce53

/data/data/com.nstyun/files/.jglogs/.jg.ic

MD5 a405bce63b78757b7ae625105e6d18b4
SHA1 fd005bce887e97545c8eea56e0767972d63a9b76
SHA256 2cbc494bf062fd017c5e1bf151194b15f4729ced49542321ecffa150684552c0
SHA512 64afb423321bf2e49c32ec4563000f5261b82b5486cc1589296136d3767089a0b03e2dcb958fe5cdf99639cf83b26966b69ab3020b1cdfd2ccbaff2e66a7d0c2

/data/data/com.nstyun/files/.jglogs/.jg.di

MD5 d0b8ca3d616ca150c2f147125c1b26bf
SHA1 d43e7b66f7e33ec80e6142fb7f4ea32537f6128a
SHA256 bb54293e4988242d3044377befc1732be21bd77a2070ff677c439edcfb7b733b
SHA512 df0dce9899ee6e3dbea45a40f9c80c367bbb7622287505e8059e6c3bdc7f3788a969bab40a9befbf36c8ecfed7eac479f751d0026d327532ff4bedcbfc24862f

/storage/emulated/0/360/.iddata

MD5 5775659330b1911386e4766e7528f6af
SHA1 87cdb5a2f06485dc88c4aaaebed9e302381e5c8d
SHA256 48240a5cfab722c2b527ab87ee67d46d1e38d9ff3fb67a6afbf6336cb8897792
SHA512 e5da5199feb20a780af8afbedcabde8ef820556f7f48b300cd5047eec62bb49ae917ddb7ca2f3cc178f4305db889a325ee0c96cd4e5184664f4f007879133778

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.nstyun/app_crashrecord/1004

MD5 dcabc7ee424156433c42d24031f374f6
SHA1 6038c7315bfa181c41f78c5dd4bd0a42834b25bb
SHA256 835b3988202bb7c8391d0b0770c5baaa00456d770fad7a47de72e5b1b3e8f987
SHA512 aaecccb82eb71ba6dca9d522b7d6feb8b40127a5f07275cfedc71bd3c436e885d98dd7949e46ebe2cf390115b6e8c41866de1f03e868a967351907cca9a72f9a

/data/data/com.nstyun/databases/bugly_db_-journal

MD5 d4882c19d0d2a01c9adfc1c47f178fac
SHA1 b3d35d80bedcf9d442392dbff4a533522f540264
SHA256 f5d7a7ad40f64be0a1f555dff58b7a24d0e4f72d154ef13ae4bbf8cd45e4c0d3
SHA512 f219a82a9e42ad260ed72007f804afb8accbc8e6074b191a4941a79a8d248e992c437f40a39c2172ae0c5591c78a3791d43bdd52b72a659cc1583fa026d5a152

/data/data/com.nstyun/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nstyun/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.nstyun/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nstyun/databases/bugly_db_-wal

MD5 29a72311e654d297950b6e69828cd23d
SHA1 26720b3b88aa1d2269d7d1912e35c472e289ad79
SHA256 076a4bf715322344a0fbf4d074d6f169cf5dd4c2f2d34e1b5b76fbfda9fc2163
SHA512 11c822f4f08e125c1f60888d5f08a53242f94e3a8cf9f1477663d531ef9c3a82f43bfdec3ed8f6611de27b1f92b5e7d1d379473551eece22c89329965afc5754

/storage/emulated/0/data/.push_deviceid

MD5 55fda1d1f0a2ac87d7f7211ae50f15e5
SHA1 3cee0475dd3fbad67f4d77f04b446753379126f2
SHA256 3b97955d43d0decdfdd61bd4e69f626330f6a953cfe06df23c2b60da85d651cc
SHA512 2ec43e5ed02eda188ad684286c12b91923dc696713b6f9afdbd340e3d87b7122c320bdebc71e6d8180b74a876fa9a3e70d9aea005d31be39f0aa8fd4bf9b6d17

/data/data/com.nstyun/files/jpush_stat_cache.json

MD5 4b5307c2b447d6594398274121a5c8be
SHA1 f5db1375a722f0fb8fa017688260f70dfc68304e
SHA256 64b4b04a7254cc1184e216b112ff52e53ea33d6ae0aa0c8e9580d0b98ea632a4
SHA512 92dbd9f5085cdfb0820c7f769464b576a02abcbe5da346f2a171430c140862dfdf73bdae4f88e7f149ed1a20efb2d3603c46deffdaef8779f07276b434858a8b

/data/data/com.nstyun/databases/call-history.db-journal

MD5 c040ea0dde7c9a706f32185eea75e35b
SHA1 5b5ca8eec20de56a14509ce2fcf927c9e36be095
SHA256 77b46373fe8e245a958139bcbac7a59cd6bfcec50ef382ff579caf0bf99d14d5
SHA512 4c9a705e7dc807544617dc5a382b8118f0299cc4066a451dcf88a837e4b5f098319ccf14b6a3fae5980546b9548e120050ef86ae6328ab61aea657442dac6dd5

/data/data/com.nstyun/databases/call-history.db

MD5 000dc9f2bd2ec8c6b182cd0b392f0697
SHA1 b0afd3ff6b575e624eee675604517ae653dd7549
SHA256 6dac518c7e2a0bf607f6c2915f4d2e04501a2c0af4b4ce6956be88cd0543582e
SHA512 ee420f29fbee3ec40ca0a767dc98f9ae032e7a1117d13ee96e0100ce3f16eadde658de5ee94d2861c7ced53aad4ffc5be24115dabf02ef79dfca51a8d965d101

/data/data/com.nstyun/databases/call-history.db-wal

MD5 0753bb4ddc71839d4ccb056689eb586a
SHA1 92041a396b56465b4369420b634906f922764a17
SHA256 3ab186ec1b756c78b34efd99e4b71898387cb719beb5449afe10f0f1cda503da
SHA512 0763749fa338b18d1b88ccb148b4eef12c589d740ce5f536c365620d335139be13d9d09fa9fe75a509b348dc1d47377422f2226d331865dff3f5dcc09c1c1b18

/data/data/com.nstyun/files/.jglogs/.jg.di

MD5 cc9ffb7e31a1852343959ab9ee78f03e
SHA1 12ebee4bd40bbb185d3d26b94ffc78409e77bbd6
SHA256 e809ffe8dc3d20fa0ab7f0940fb839e3ca7e450fce8ff6e7ab01c735c3482df6
SHA512 fb96f1123ac8f188ac227d8844e41908debdd72b45ed157e178e06fa65013d228fb584a69bf21fbd7bfc661f57b54942ea2a0b4e6b630c8c430b0195dda91618

/data/data/com.nstyun/files/.jglogs/.jg.ac

MD5 2527523b2dadef28cb6eb6d9f16d97f5
SHA1 5e624d46163be448e63063883382cd7b13f1bf4f
SHA256 2828cf391a09208957af07927b2abe48bfb707f2e7498a87a4f6cfcc6b156cc3
SHA512 b866a47fc80cb2b8a4d042df31f2a7f41b045676e4bc3b17ca520079053f4f36c76f1959f8abf31383b191146f5d168e89f073a7b7b26f33ef5409597aa98b5e

/storage/emulated/0/log/log-2024-06-06 01.log

MD5 101cc165efdb06fcc54b65f400bc64b8
SHA1 b5746fe490010e4c942650742d93a27cccb5fadc
SHA256 bd9ef8e74a8430026dada9b45d104c3ad42072591663c32581881f19f0a9aa93
SHA512 fb97240d0ef8e956e7ee01273c7cb7762740762c8812e9bde0bac8d2caf36d51d0fafd6fd914c1ad7819dbab324f4b7093d69969749569bafa148dcfb17a32a3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 01:40

Reported

2024-06-06 01:40

Platform

android-33-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.204.74:443 udp
GB 216.58.204.74:443 tcp
GB 216.58.212.196:443 udp
GB 216.58.212.196:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A