Malware Analysis Report

2024-09-09 16:24

Sample ID 240610-2mk14atdjh
Target 9c2ef89a20d2962525ad9a4f7abbd2c8_JaffaCakes118
SHA256 22db042f25b777f50f53c952c714cf589895878524435e8bafe86f668b7bc986
Tags
banker discovery impact persistence collection credential_access
score
7/10


Analysis Overview

score
7/10

SHA256

22db042f25b777f50f53c952c714cf589895878524435e8bafe86f668b7bc986

Threat Level: Shows suspicious behavior

The file 9c2ef89a20d2962525ad9a4f7abbd2c8_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence collection credential_access

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries the mobile country code (MCC)

Reads information about phone network operator

Queries information about active data network

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 22:42

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-10 22:41

Reported

2024-06-10 22:42

Platform

android-x64-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-10 22:41

Reported

2024-06-10 22:42

Platform

android-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 22:41

Reported

2024-06-10 22:45

Platform

android-x86-arm-20240603-en

Max time kernel

154s

Max time network

131s

Command Line

com.zg.hyb

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zg.hyb

com.zg.hyb:pushservice

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stream.dcloud.net.cn udp
CN 43.142.150.110:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 service.dcloud.net.cn udp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 sdk.open.phone.igexin.com udp
CN 115.227.15.233:80 sdk.open.phone.igexin.com tcp
US 1.1.1.1:53 edu.megalight.cn udp
CN 119.3.57.40:80 edu.megalight.cn tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 119.3.57.40:80 edu.megalight.cn tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 43.142.166.20:80 stream.dcloud.net.cn tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
CN 49.234.42.40:80 stream.dcloud.net.cn tcp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 115.227.15.235:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
CN 49.234.44.193:80 stream.dcloud.net.cn tcp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
CN 115.159.41.92:80 stream.dcloud.net.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 115.227.15.237:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
CN 124.220.154.50:80 stream.dcloud.net.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 150.158.157.83:80 stream.dcloud.net.cn tcp
CN 115.227.15.239:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 43.142.22.58:80 stream.dcloud.net.cn tcp
CN 43.142.67.81:80 stream.dcloud.net.cn tcp
CN 115.227.15.229:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 stream.mobihtml5.com udp
CN 115.227.15.231:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 115.227.15.7:80 sdk.open.phone.igexin.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 115.227.15.225:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.227:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.6:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.241:80 sdk.open.phone.igexin.com tcp

Files

/storage/emulated/0/.imei.txt

MD5 3984836a530a853ec6beec425bd31b5f
SHA1 ff63cd1acb6e92d3e48a2621206d6876d3a7cf23
SHA256 c3de98ec5e5ad76a0f718aaff169ee83c369b71e456306964da32e18818e46c5
SHA512 306e0d51d587300e8808c70c41dde7b9c258f78397ff2f47f89d1521008d0f2c5798140cdfda89023e1b2b649879a6dccfc945f20b980e8390998d9e220083fb

/data/data/com.zg.hyb/files/.imei.txt

MD5 5d858cf8c188932f4b85363bd775593e
SHA1 e4b25cfb245d48e7a7fee801766fd218806075f7
SHA256 8beca4726668685b0468fa102489d4aceb7450f6cd02fa9b9215cf07ee0c48b3
SHA512 1f07f54324516767c81bd24f36821fdb6ce3b7706b99b1475c2b419c86ac1ecbf12a4cca1c3445237da6e49a3b74b5971f3d780ea740182d8b2c74273e067b36

/data/data/com.zg.hyb/shared_prefs_ext/test_app

MD5 e20996e3d4e627a393a969b6ce8d184c
SHA1 61588d0887c2887abb9caae22df4855698b2b2db
SHA256 2d99307322f6f911adeec621931e7f2a72f0bf68f967f71f795f2ceb9992e0ea
SHA512 1d86e22c487c2ce0f2a1ab3beb5160a701cf88e5aa27eb271df9f524996f3759f75c94f0e49aec245df3e00204e8e189a47b1877dfa8c02e16951dd6ce650796

/data/data/com.zg.hyb/databases/cc/cc.db-journal

MD5 3501d05b27955b9f3a5c6fb3f23c7ccc
SHA1 338099b59090a553d0935f9a5aab106495ee6fff
SHA256 9b43f9b11534bc2fc80621d1b805d0842a086580bb383d31c14246844255e54d
SHA512 fea8db3926b397721b79375caa2fe51c838a3e21474b5a6bdcfe3d9f0ed9ddcbf2938c6b124e13b881c80bc293b72d2a787b67b44350834196aa12eca736b120

/data/data/com.zg.hyb/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.zg.hyb/databases/cc/cc.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.zg.hyb/databases/cc/cc.db-wal

MD5 e045eb35d7d5a7752ad6192a0c8c011e
SHA1 3ccdd83a2a0a02998250d481e75e5a348c96f60a
SHA256 c7546ff988e7fdb173f2c9834cceb0b1179b7ec7c066838991adecb43cc64c53
SHA512 609c9c974545b4c3d90edf068a6a99da025059d64f577c157abc129b5a4b1ba4a888a8bf8ad7d06f9bf95141e92e336aa8fa62547b0a7c30e1a05ee95aa37673

/storage/emulated/0/Android/data/com.zg.hyb/apps/H53D5E97E/www/manifest.json

MD5 0de6eab12b91f3df50652e3f01b43c21
SHA1 6e9dbf2eef6a1ceea271c20651a853709d5cdc0f
SHA256 d6dd545ef358cceedc713fd8131811efc1b488712bd14ca1178e0d54afdd0c56
SHA512 1b848d2a62368df4c452d8f248d380afe0e23721699ee3ddb260049edbce52e8a512559ede0653274e6748ef38effc766aa1ea4cb019b02c4459ab1aaabf31dc

/data/data/com.zg.hyb/files/init_er.pid

MD5 6f494c7f3e0751e260e464676ee191d5
SHA1 2f5b5143a1b9f3aaf21f150c946a2e6338fb5e5f
SHA256 20c0446a8229bf39b7a4d92165d0fbea333559d2ac680be255e8737a377ec3fc
SHA512 9b4b86f18cae46b63e0c4e8e7ec8fefa2d2d1c58eec3b6bc47d064215fedefc2844e15161e364583a6e385b30adfd6c87bedac8f7335f71405bcef6bdf613689

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 4451bd303863d4beb2695b3b01ced8f3
SHA1 c23779e4309235ddf3a528f2c6a232630980326a
SHA256 5fb64fa6b997546cf1cb8f59637ecf8800348c0f905cf2899666bd06893d93a5
SHA512 df852e2734bdd1285d8d291673f5d0a6fcd10b9cabc348bb33173d74c234e706d629a79b057389a21284744bde7e32d24b342cc872a3e1410733652d93daf086

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 d21c2a187d53eb75d85e64bd559621e9
SHA1 879706fa5a40cdf23859fa3ee82d5928f9a5cdcd
SHA256 4c51273d7122a962bb0ac361772aadc8ee1496b4db0280c3b4fc116994021b79
SHA512 0c049f25ff06c1a376c64c8ed84b7bc47ec691611496bc5a95af73de0d3b5797c24c3393527019f9a1e5f873c957b2b86cd3c29cc23376a6ce2c1ae80b6d8b26

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 eb61d672edba4b13644ed881b30b3fd1
SHA1 b5502b2595712b4ecc241ccb437c3b6d95f9a850
SHA256 052a4cdbda3129b344fa473231bde3d7ac395eea3c66985ece2e5f60b279df5b
SHA512 51a5b079ae3a7413493703062ba30d958ee8363e4d98f37993ab25a544bc5b399e1083af05350cd6eb1bcc008b2aa1840c838f5c7b0281be604c4e5f6eff7c4c

/data/data/com.zg.hyb/files/umeng_it.cache

MD5 e721b5058914c6964404ecc5ff6f624a
SHA1 ac87ad7f24a53abc21261b1f3234d20b34d1900c
SHA256 1c748c40f434961829a17c1469de39aa82cc64412c771dbc53015410d476cdc6
SHA512 f4b46292d84ec7bd434b36851f8bcfe7ff2bf21996ae8c52d454b6dcb4c65061bf4eb4728a8469f3f290e5fffd326094397cb752ca73f088a82c76407a08f5d4

/data/data/com.zg.hyb/files/.umeng/exchangeIdentity.json

MD5 2b081a3e62ee7eddb36fb98728d95442
SHA1 78260ca1b3cd587b155f23372db990b9116aa321
SHA256 faca3f0af159d1cf494b1ad0e87292c1dcbb547361e052cd93bc8acf1e0baf03
SHA512 43228195931d8993190cf49541646174ed23114a1bb5ce7854cd48760d2dd5de7d9f06eef8d25205d8be4bafac10f8da7fd465d8214f217925a5001e5d6c0b36

/data/data/com.zg.hyb/databases/cc/cc.db-wal

MD5 d966a6b8164a2f38c958f2d86c847743
SHA1 ede94184718b7bc29d06f24a22ecf593476f318d
SHA256 8204df41d24d78762fc15e58a7a5cbb99431af82f429afa5a716cf227db7afab
SHA512 4a8cb6d38cd7eb7108edfe5bdc5e38459762a9cca7b6c43d9c901490d462ec2d47654f9a78fcc3d8831746f3e8a00681604ecc253b9d78bc6c5aceea345bb5ce

/data/data/com.zg.hyb/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/data/data/com.zg.hyb/files/.um/um_cache_1718059406119.env

MD5 c63800019e5db9315906229aef016bbd
SHA1 05fef15fe47c43f1936bd27dc684868d0f5bde82
SHA256 c16dce9c66699b0551f94d51281ec4a64f272f11f5f8e480ac23ffe29b203cee
SHA512 6eaac938ed66e15bb1bff29e7138d4de482432796d9577d704cd19f394a7c0df24df4ee6136f98b9bf9ddab7f71e9546c71909455f089db006bc66cbfbe34fa3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 22:41

Reported

2024-06-10 22:45

Platform

android-33-x64-arm64-20240603-en

Max time kernel

160s

Max time network

130s

Command Line

com.zg.hyb

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zg.hyb

com.zg.hyb:pushservice

Network

Country Destination Domain Proto
GB 216.58.213.4:443 udp
GB 216.58.213.4:443 udp
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 stream.dcloud.net.cn udp
CN 43.142.67.81:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 service.dcloud.net.cn udp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
CN 43.142.150.110:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 edu.megalight.cn udp
CN 119.3.57.40:80 edu.megalight.cn tcp
US 1.1.1.1:53 sdk.open.phone.igexin.com udp
CN 119.3.57.40:80 edu.megalight.cn tcp
GB 142.250.187.206:443 tcp
CN 115.227.15.237:80 sdk.open.phone.igexin.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
GB 216.58.204.67:443 tcp
CN 43.142.166.20:80 stream.dcloud.net.cn tcp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 49.234.42.40:80 stream.dcloud.net.cn tcp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
CN 115.227.15.239:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
CN 49.234.44.193:80 stream.dcloud.net.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
CN 115.159.41.92:80 stream.dcloud.net.cn tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
CN 115.227.15.241:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 142.250.180.3:443 tcp
US 172.64.41.3:443 udp
GB 142.250.180.3:443 udp
CN 124.220.154.50:80 stream.dcloud.net.cn tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
GB 216.58.213.4:443 udp
GB 142.250.179.228:443 udp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
CN 150.158.157.83:80 stream.dcloud.net.cn tcp
CN 115.227.15.6:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 43.142.22.58:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 stream.mobihtml5.com udp
CN 115.227.15.7:80 sdk.open.phone.igexin.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 115.227.15.233:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.235:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.229:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.231:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.225:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.227:80 sdk.open.phone.igexin.com tcp

Files

/storage/emulated/0/.imei.txt

MD5 43166b2a1678b6c65cdd1ca05d6f53c7
SHA1 3f76ac35d4ac7c0b41e264e15c46501baae21d5b
SHA256 15c7d3482f1541435fb9666f3ab60c2fc99c8504e2722e2e3b868fc5600087bd
SHA512 8d957d4e5c6388ca5d7aa0b0096569b005421d9c4c166213cc8ab75de19ab50c48aab94b98426593b7f031a23b957e3d5b53112fb4044ddddc4800a1c53a97f7

/data/user/0/com.zg.hyb/files/.imei.txt

MD5 cf75bdb15378271ef54be1b66a1d8f87
SHA1 6dcf7e57d11cbe1db5cabc17772d7139b803769a
SHA256 c8964ce1545407dcfeb6d8b71d7aba63f6ff5ea50147d575475b6b33c23a1161
SHA512 cd47fcde3341d63aa049862f7ecd387aca37cec88e17d017b49243c8e34d30977397bea918c33e52994333b4529a8a9431501f497b8420bc1084dea194d467d7

/data/data/com.zg.hyb/shared_prefs_ext/test_app

MD5 e20996e3d4e627a393a969b6ce8d184c
SHA1 61588d0887c2887abb9caae22df4855698b2b2db
SHA256 2d99307322f6f911adeec621931e7f2a72f0bf68f967f71f795f2ceb9992e0ea
SHA512 1d86e22c487c2ce0f2a1ab3beb5160a701cf88e5aa27eb271df9f524996f3759f75c94f0e49aec245df3e00204e8e189a47b1877dfa8c02e16951dd6ce650796

/storage/emulated/0/Android/data/com.zg.hyb/apps/H53D5E97E/www/manifest.json (deleted)

MD5 0de6eab12b91f3df50652e3f01b43c21
SHA1 6e9dbf2eef6a1ceea271c20651a853709d5cdc0f
SHA256 d6dd545ef358cceedc713fd8131811efc1b488712bd14ca1178e0d54afdd0c56
SHA512 1b848d2a62368df4c452d8f248d380afe0e23721699ee3ddb260049edbce52e8a512559ede0653274e6748ef38effc766aa1ea4cb019b02c4459ab1aaabf31dc

/data/data/com.zg.hyb/databases/cc/cc.db-journal

MD5 6817820d12892e6dfd9308d3b92846d6
SHA1 d48f92feb2e6c0df3f8de8ab27bafe8916d0f6b3
SHA256 c4175def3ba92c85190b9b3075da7e8340b76368cd901d96a1b61b2cb1d41a1c
SHA512 170e76a2fafa7dbdd889735aac6d1809639e0c19db9fefc0c541d38b13b0ab1a0bbd4467e9cccf210f399c920d43c2aa5d70630e7a5c8cc110c86576f4ed6cce

/data/data/com.zg.hyb/databases/cc/cc.db

MD5 b986a138e325f9ed31653e246087baa6
SHA1 1cda06c101efbf7c89305f44b552e38282225064
SHA256 6945d75275af161fa082eab8b348f4cdccbab03854963f5e861fde210447e058
SHA512 5894180006885af44962dcd92c6f33a640d6080060a51a38ee4e348ee2dafe9abdcf2a931cfad4c395ebe20e08b96f810ca54b5b1f584fa232cdabc76be0740d

/data/data/com.zg.hyb/databases/cc/cc.db-journal

MD5 1993096fb9888ec44f0ae999e60221ec
SHA1 b5ecc6e7b3245021e813eb1ac7d72fa770264963
SHA256 840d03d28f4498dfbd2a015a31b3a489dfff749e489bd040fbb0ca44fb53b91e
SHA512 aebb910edc0adb435d5961d25af3e218291556f700b07cb27a0423751c61140f9bb78eea3288c2025ae00bc25459d5afb2544a1d4258b42e28b54fee3b181a5e

/data/data/com.zg.hyb/databases/cc/cc.db-journal

MD5 55354449bbbc4fca63076f96e7ee5fd1
SHA1 6cba8b7272debfadfee34babf34577ffe122ad78
SHA256 4e47393e37c84ff7a12bcc88a8231ad85518fa7dfe30672c2da10201ba0d81c5
SHA512 e649ca3189032d7e5f2ff5f12cdcca92187519b9cd471f28ec19491d81437027bb773c762af5be577353f1617ffe0d22f9a91857a6a8e57e6c70dc70a0a6d496

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 a396e51318b9663726982330922fb5f5
SHA1 21879b43aeffa298a3c36dfaddebe0146977d11b
SHA256 c5cd05d72701caa309cf71e6ea3af2abc9ca64a76fab9297cb630d506b7edf6f
SHA512 9d4060c0ebb0c237147def751d6edf9140bf033e160d4e94cfc21e86417c8f552b37bf909443f79815de99d9d438c72cb73723fb915ac1e9a8b67ef8dfbcecc8

/data/user/0/com.zg.hyb/files/init_er.pid

MD5 cb1176b3b181373d5f34e7ab4d53186d
SHA1 2f6ad4370234f00ef708d82ef99b471226b1ce48
SHA256 0de5f8cd5f0a5d3bd869aa727db594fadc3c5ed618897ffe1b72c80748ed1a7e
SHA512 44a1da496901107115427a7c7f64d316bad9fbfc5038d43472df92a8058aad0979c5f2e93249c2607a45205d68ce1ea92141e8d9495e7bd9f5f6f0994f048dd6

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 2799392ea99771f56b64e69c4e59e72e
SHA1 2863ffa9134abbc1307ccad37769be6611912024
SHA256 03b0e350dbce8f941a9c6cca998db84190f4400989bc1a8de4d7b4936c2864a8
SHA512 a4b8c253261c45ed485ccd205abbbb90c9b2932064570ac4eb4bf5122ebff58f29b9b7ee0adad0267ffb89729ab7347e01f09b44a52348c95a87cf8dcea5a60a

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 3298cc32b3617dd0590db8631d8c3398
SHA1 1ad65626cb61394f4c7e69087f2e435e6f525d01
SHA256 b84ef46a77cc5ccb19d0e2065c16524e114f15da8b0803fd0e0cf2b7b28ac685
SHA512 c5a3240fbe148c7965f9796b6143b947e992086348d7de352e01898ec98dd89be4817d5fc6e0961828618dc82afabb5c0956000c656749b761d63e9c7ceb7dd2

/data/user/0/com.zg.hyb/files/umeng_it.cache

MD5 adc5691d26ca9feffae3d9bd534995b4
SHA1 88cfcc6c550d50fbc892920b09e1f9810dff9197
SHA256 85d8a0277ed9acefe5531845c71dea685e798bbe608f9ecad3e33afae4af5723
SHA512 214dbd3b5fafc738a34e5c125263950ccb752c6d4c5c072f5a8e5d9677a4a65c05695f22569a54699602f98213aa4d95c8a9bf02dd6db54eaa1cbf191054ccc5

/data/user/0/com.zg.hyb/files/.umeng/exchangeIdentity.json

MD5 0d0931e9a317cb19316fde078459b37d
SHA1 603c48a274471cd56682254588fc325f50777811
SHA256 49e48a8fddecdd900a9013bb9ea0bf514208fa04b69a0764f4ccf2b604636318
SHA512 b43ae2bacbd47a6adb429826b5d3438ba706181ef27d7c4bc326c6bc3c6bb8461ca5085ffdba91c55ca0f13f8e34fce377deca5b633afd48bcd905fee26f8dfb

/data/data/com.zg.hyb/databases/cc/cc.db-journal

MD5 a492b712af843739054ee7a2f1f5288b
SHA1 d51341f74458604f8cb8dcb19a4d7af69792c721
SHA256 f7608fceff4db9307811752997289ac78b4ac4c16d9cb3ae0cee596af02bea73
SHA512 1f8bc73bcf7c184ecbe585bf3b488d473386fadf2756b499a4f41612de8e46dd824dd2a05f42cc0c00825ca10c5491ccf8a297040d95c0a6eb98cfb2dc278aba

/data/data/com.zg.hyb/databases/cc/cc.db

MD5 1b77217d803a7c04af9466680b92d104
SHA1 0cb959f4773c6730e8aed5746706c0f3ecb35c1f
SHA256 66c83ae35e997c33eaffe9c0557d98ee31931c18b99585a64eb6cc8f63d303e3
SHA512 39ea189895ca93855bb71b4a5447815e9373ffd39b50611ac172ae321ee7716fd4af5f86c1fd0d17e12b771f4016a86184620a7c5d07f57b88f017c4ce8312ec

/data/data/com.zg.hyb/databases/cc/cc.db-journal

MD5 eaac2cb71da937ff42e1f7f8f03169e0
SHA1 5295752dbc9a219bf119eee25f2b6205e8f90a3c
SHA256 04c885eb2d7c7c0d146a39dad596cb22fa427f01bb103ce138c1c86b1d659aad
SHA512 59d0f719cacdd91ddbb94a518e24bb5775155a043c498b4b8509180d24d7513ca69587e2f32451b24c2980ec14adbed3793b20a82a374edf6878fca72d8fbc49

/data/data/com.zg.hyb/databases/cc/cc.db-journal

MD5 38d09b00175ec063ec2941b8bd350e7d
SHA1 2f2fa70946b77ac33886cf4bc3f943be87eeded5
SHA256 b29e468dfebb5fb29f74793637b19f63c2c6a69fb8b476b343cfb8e7075a5e35
SHA512 c679a9c4bdddcc70868b96c29c0e4d2f8cad1bbdd2bf7cf507ae916c22ffc2eab773a9eef7ccdeaec8f633ea445156cee9231975c3ebe755a4a8ee50f0af41c0

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 22:41

Reported

2024-06-10 22:42

Platform

android-x86-arm-20240603-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A