Malware Analysis Report

2024-09-09 13:37

Sample ID 240610-rmn3mszbkq
Target 9af4b4a1816ee8f9e39a217527637b6b_JaffaCakes118
SHA256 e2fc76d0382a2dec03454d425b5848e1111a554273757f207efedd5137a92d62
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: e2fc76d0382a2dec03454d425b5848e1111a554273757f207efedd5137a92d62

Threat Level: Likely malicious

The file 9af4b4a1816ee8f9e39a217527637b6b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-10 14:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 14:18

Reported: 2024-06-10 14:21

Platform: android-x86-arm-20240603-en

Max time kernel: 178s

Max time network: 177s

Command Line

com.uypu.ybev.rvvx

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.uypu.ybev.rvvx

com.uypu.ybev.rvvx:daemon

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uypu.ybev.rvvx/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp

Files

/data/data/com.uypu.ybev.rvvx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.uypu.ybev.rvvx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 3752556f9416e9de42cac556081fa698
SHA1 e10ad6574914d3ae677ad123ebf669f37a0b1920
SHA256 059e309b3631bcf274ea957dc822bc901cd348bb70836d3c63cf4c774a9f7238
SHA512 6b41be79be099a2e7968a32860e82747854e2e5a503c1ec35424b7746ac814e462929a6ad50893a4e107e395d27184b7a87acf6e2e182c27aef762cbdd1e71c5

/data/data/com.uypu.ybev.rvvx/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.uypu.ybev.rvvx/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.uypu.ybev.rvvx/databases/lezzd-wal

MD5 4006728a013119d003eaaa6f879af7a2
SHA1 3fd25cda27d62dfa19c77b6cf54af6802bbc1615
SHA256 d59d335e74cbe92b2fd397deedc832ce96a2bc70805def1ee50b796206b20b3d
SHA512 f377104c78e843c9f676ba19c6bc7ae97667d8ecbc9b6435a1973d79c84fbd2ade641b00528e12f2dbce8738bc8f7352154a23860e594ef34aa709d63fa3b982

/data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.uypu.ybev.rvvx/files/umeng_it.cache

MD5 cac6911aecacd30e53f4aa8e95b7b483
SHA1 6fb95b38522da3df32a2db3969e105f54ede290e
SHA256 f63e87c9d7889f67989ce7816a57cc889bebf6bd873ebe9e5bb87b784f85f191
SHA512 453d4f5ecc344e8bf814de835d305fe257e7df272cf83df12fc21ca7a5ff9bd56bcc24e798fe00103c9b711c5a268c96c168b8b5c3843b5f516beb391c4eae2c

/data/data/com.uypu.ybev.rvvx/files/.umeng/exchangeIdentity.json

MD5 7025ecf6cfd2131400a6cf7cd1c75b3d
SHA1 0d829a5445ad3a000eafa4b9fca47d03ad89c4f5
SHA256 dd3d3e10d87e1e12eb9bd4113a4b18eff0bd1c66fa165d66d8e48b72a2be0801
SHA512 1c9c0eade6c2eee92ac52678129c9d5db2b2d7b66ebe841254f91ee2031c9260574db310e12b21279f1c126d9fb0238e19a3b60daf3d94f1cfb81ebcdd45ce52

/data/data/com.uypu.ybev.rvvx/files/.um/um_cache_1718029248793.env

MD5 1a90dedb0a999fe7537725746a7da933
SHA1 e8d8d138487015f026bcf9ba06de3b5c019d85ba
SHA256 61477cac6f1645d264f28abc843dc735e2bdc940a9dc8fb5000333dc1eeb0bd4
SHA512 eb7c1f94af58c4a1f0bca20f269274d72ac5b1b7d5becba529dde9035dfb4a9b18a8ba3338012466db56cec22d1c1ede48f45c7af20624d60f095f1d003c79e8

/data/data/com.uypu.ybev.rvvx/app_mjf/oat/dz.jar.cur.prof

MD5 28e6cde4c968faf7a4d8471d0e9d2f41
SHA1 56eb247acbcac474e032f54ebd529e1a5eed5a54
SHA256 8bebdffbdc4da2e121f310b145fc83928db5e8aa87f4d7ba985452e01e4c1fae
SHA512 9a70ba6933630b780fa0f0a1286594b3c58a98fa943b93ea88900f8dcc083162609d2f7f21565293a9d91d09e82d963a4cf7d2ab5c48ee00eac50b49dff3f2e9

/data/data/com.uypu.ybev.rvvx/files/mobclick_agent_cached_com.uypu.ybev.rvvx1

MD5 0f2ef27d6940062136e0d8b616c71076
SHA1 67ed4e544637eb535fa93665f17ab9b4a490565f
SHA256 b76c094e3c9cf7794ad007bfa8467df6692a28b52d673b0fcbfdc73307d23eff
SHA512 93a82649976d250dc4d0e1374b7620604b81f855e020b75a357206a155f6592a8ca4cc0dda57f2c0a4b47cea0fe2dfdc74e4a60e128e03966f9301913016f4f3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 14:18

Reported: 2024-06-10 14:22

Platform: android-x64-20240603-en

Max time kernel: 178s

Max time network: 150s

Command Line

com.uypu.ybev.rvvx

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.uypu.ybev.rvvx

com.uypu.ybev.rvvx:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.187.234:443 tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.42:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 172.217.169.14:443 tcp
GB 142.250.187.226:443 tcp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.212.196:443 www.google.com tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
SG 47.246.109.109:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
SG 47.246.109.109:80 alog.umeng.com tcp

Files

/data/data/com.uypu.ybev.rvvx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.uypu.ybev.rvvx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 5889de026a470ad48eaa0bfb29bc444f
SHA1 6ab89ab99259699e683e2b765b4f3f5c1cd70c2a
SHA256 58101c5332286cf07aa81bd691ad4b554e3070e7517b91e10d9e2c7b165b87a3
SHA512 5dd1b4393f8f9021974dd2e787ccf86f9da0e2305268d7d5a884482ca49cfb6c54294e960a5f444a7241bc74c4452a17941d2299b1a5820a5909aa52e4ea9ac5

/data/data/com.uypu.ybev.rvvx/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 b5584d93925ca49fcb3615aed8258344
SHA1 9b368a1a5dbdb7ac0d859797c69d73835d067927
SHA256 6f1f827827be210f5f1bdc7c8907d35af17b46da53af42f80352416e25d05669
SHA512 86ea93b62cc9d16ac60e14fd6799fe48e1d33965a751bac141083087559d2912178f644b77502e1cb12fa5ecb1915341027231b971130647f8075ceef5972487

/data/data/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 5ea0c390d6c00b295a75f4aeffdc351d
SHA1 a12f786ff1a6f4a99b570d4a1305375564f090d1
SHA256 d9dae19bc5be026cf0b67bcbf78c969da8cec6e1c32b136ae29abf2555bdfc4b
SHA512 9b50f7146ef8f04fe868d650b7fe1a7d33f0c79ff74206c6bbdcbaf803823bdc83bcf6781be83f1eddc2a2c3e7effdb1b3fee6f31e2a18a7c3f8d92d65c28f40

/data/data/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 ca8723901de466567f034597b4109835
SHA1 f3787a6591bae493699785444044da7d5fe7577f
SHA256 e322c2e09dd18b16d29d6504f5fbb721ae3b1801c4a65c2ca2812ef66b387fe6
SHA512 f058e23974add90ffa679ca81d1c1e6a2f52fa431c0334ec1a533d5a42ceea9958096b28f4fc14563f9ccaaa4943bdd83840160a649c362774cee07155349395

/data/data/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 cc682a7e9e4d7385b8452a3d1692f828
SHA1 d79287ae30ef1f5164f17d212f475ec10a2fc0ad
SHA256 0f1539cf3a0d5c1072bdf54402c3f79c9cb0322e90363719b465492e2b38cbc9
SHA512 67fc9b0fa83e85da1372f4e8e96e21331afcff4c42119aa997015ec3306c9721c3415a7185a67e08ab4a4a636e0736be975a9964883b481ca2b8cadaac77a215

/data/data/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 dfa2d433e7cd91064426b481e8ba6479
SHA1 53a4df289a45e73f9d9dbd300c4b8a4f73f2edca
SHA256 c978f0c78ef061fcade43a1354f93dfd2cc06d4bf5d888d616a4643295cec473
SHA512 cb21ba5ab0944ca5acb7d458e15cd337af18ab2f7e863e285f5e9806417c9fc42a1cb3ed34dc7d6937e9aa68d54d25e703f12e9d88ded0819ac628c5b30834ab

/data/data/com.uypu.ybev.rvvx/files/umeng_it.cache

MD5 a233b67041c5dcc9a920da3c47ec5f27
SHA1 664fc282cf1281e72aaf63a3f47bb621ce6fbfab
SHA256 da063604a524968f88b24b984bfe82c9130e58a2409d7f3c403cd7e2d405d158
SHA512 4e8d1a43d9a9499a9d8487c4ad21550d07def70e1ead1a39945fff5027467c6ccbb2a9ff9aae9bee11b8a98f3dfa18f898c7d5e75219cb70f5efb4136f219f23

/data/data/com.uypu.ybev.rvvx/files/.umeng/exchangeIdentity.json

MD5 9b631b8e87ab60f282c7bc36b58a6352
SHA1 d25eed4aa3c5d94481be41a0e986433d6686f411
SHA256 3039c39d22e19deedcdc4147616baf82051eb20e040db7efa82e6768495c44e4
SHA512 fc39f6cfc8cf0383ee6af48bc11609f73c7a8d5b1005b721f3d88abc6f85014e10a4073e7b06d1e15e0da6faab0ba191dbbad0eb10dc4565a0548f8442a0d0f3

/data/data/com.uypu.ybev.rvvx/files/.imprint

MD5 e4db0e61717cc0435b247034094825d0
SHA1 8b7fb73a355bbdc380b89276fbd18ebad7cc59bf
SHA256 8e4aaf96d0b01b064a7703f2548eed58ad0483a0b2d3bf950702f6b73c16f496
SHA512 aab84fb37c607fab627548714519e69a9c8e42c3bd57508465713406a754c8bea21bd91d8910cb6be489a2fc34b03e3c9d6884615246f4e1a18c27791e905358

/data/data/com.uypu.ybev.rvvx/files/umeng_it.cache

MD5 14fa1aa384ab2184bf471119f2dffaaa
SHA1 fd0f0fed1069257bd59f6226f05dc51fa7acda12
SHA256 9c67178bb8994a75ec62fe71cf84bfcd4f37b168c04647e28b74dc3ad4be5bb9
SHA512 d04bf458641b0ddf1fe55f7d7e7af781899dfc378f2e8745fdf99c3e095802e574836323e82c373d27513698ef66dca561b687d9079e6730af94a7d723401364

/data/data/com.uypu.ybev.rvvx/app_mjf/oat/dz.jar.cur.prof

MD5 f18763f046eb486c5ea4a6a19ed83648
SHA1 0803f6238c12566ddca7e2a6e9e487e4ab4b2557
SHA256 8bdedbf9276d95021bbfdd95b1d479de6964006c4a40c276a082730b61d29556
SHA512 70e071c03968533fe581a35455ca9a6ccc487dfbdfa8bcfbc6f98d26300a313e37b23c4618c797f6fb302b22ffff8b6c44abfbe332d5fcf72a6f506e70912c3e

/data/data/com.uypu.ybev.rvvx/files/.umeng/exchangeIdentity.json

MD5 dff71acadb82b0163c7ef8c97e0cba05
SHA1 65cd8a5134afb4bd0913ab4a6e6941a88587dfde
SHA256 57098c1bfb2af881e1bb6754bbb0f2c363a5690fbd4bdb388727d2508e44c748
SHA512 434b061be3c430f62343d621ec59eac4d6f5265effcecdfecb7258bb988850fc23c7a0159a70b603e9516b6a843738a4506e1f23a0444e867c9a20e64794f791

/data/data/com.uypu.ybev.rvvx/files/.imprint

MD5 350ddfdf1b043c3575456f4cd2211935
SHA1 e3eabc4c342e7f11dfaa59cb4e3e924852b329d6
SHA256 2aa89e17695d9b4c3aac5f45754499323f03dba3fa0451d3a243ea38e36a6ed4
SHA512 1783790567d3d8bd0b2de35367225531b6daf2ab55cd34e6c21998fad517bfab90bce6a1762529252efca7afe76d90f539aa10a5455205d6e8789a11fc1793d8

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-10 14:18

Reported: 2024-06-10 14:22

Platform: android-x64-arm64-20240603-en

Max time kernel: 177s

Max time network: 182s

Command Line

com.uypu.ybev.rvvx

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.uypu.ybev.rvvx

com.uypu.ybev.rvvx:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
GB 216.58.212.196:443 tcp
GB 216.58.212.196:443 tcp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.172:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.172:80 ip.taobao.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/user/0/com.uypu.ybev.rvvx/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.uypu.ybev.rvvx/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.uypu.ybev.rvvx/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 5c563d9fef58878da7e90397a6eb3c4b
SHA1 9d9f94244c16b3a1ef5c079b45e5a5d4756c33ad
SHA256 c438742195e9234687a34c60ff90cf95893aa191571b5b3ff3cd4831b3ce8df2
SHA512 4bc321927b30cd0e22c4fd4f2eab737010e2e77c8caf5b610cf4f8a4070fc583f587c6024c9add5f9126333d5c32a549970db81982b609b7823e89bc2413f8a5

/data/user/0/com.uypu.ybev.rvvx/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 d3c8a8148c63c5c1199976a499974a8f
SHA1 457652eb0214d92144bce6f712f63f2fa4a6e9c8
SHA256 c1660cda1b1f730b21257a96f70e8fa2df6e6e823af670144e2585911b5ed2a9
SHA512 a3adcb3bbf4dff18ebbe8882bff87bfb8910e1c89f5144d0a52b90c5ef0c7a8aeb7416c8804b460c9c3cabc99233da9acfdd6419a532bfec216e4ee2fa7e8f18

/data/user/0/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 27a1f2b28b95ad1d95bcbb6c1d437730
SHA1 6c49320154ed475446f8c8d328694fd5b96b19f2
SHA256 073bc1f24ad1b4989971e4eeb073c1174cf399039a125bb47ccca5c89f2d5638
SHA512 c2b4459c947497da5c97fd3d69ea2f65346c67125cf14d872bc4025d3f59d4503013246671866492cb8532aae9fdfa3ca1a613a5c745f87d167577a46f3939b0

/data/user/0/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 c481313cf84b6625f7d7f0b7a2b741bc
SHA1 a03190bb697692016111401515a1aea66466c02a
SHA256 07b0712b7f8aeab8b6f0b3b15a74393e6ab0336590563c3112bd9af7421cd316
SHA512 4dfa0e082ef8b407a628d89b2ea339490acd4d2d7acd3db7e649f6676e50b343cd7550c1fefe1d5fbaf1753c681616a9def5cfcd1f7d93d27d265fe3245e33af

/data/user/0/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 5f5da75b22692e4b7f2acff296db7583
SHA1 9d5125e9c68c756925d15f46e357cfed37e4dfba
SHA256 36137b34b2884adb135b98c8e800cab5e1f2bbe739a890bf78ab5b2b9041301b
SHA512 52696821631692814b8830568b974b2e68ff95219eea86055ed16ba12dedc2b983ddb722077a3ca12f33a5341707d0b9db9e7e0aa6644138659c28e514d758b5

/data/user/0/com.uypu.ybev.rvvx/databases/lezzd-journal

MD5 690748e0f51552b7fa6668d622367ef0
SHA1 88cce55a11294278f261d7f7460ffec656c4137d
SHA256 50876b6100e76f15d55d83028b9a12eac5d4f267930874857aa70cab51ecef37
SHA512 5cbe6960e82b3095f091704bf7c1afc16681e53042b8df8fbea7201a649891899a5e84de69a9bdc53e93cf7e5539b486527644eedcee3d4bcf84c1b005c5489c

/data/user/0/com.uypu.ybev.rvvx/files/umeng_it.cache

MD5 5d53a8ca7775739df809b674310e5c17
SHA1 f75b0e70c238074ecede3ff547d0b0ccae4b9593
SHA256 e278c657c609ed2c72d8281b5a1739cc47831ef36f5703dd1892baa3a611223b
SHA512 191cfc69b58b694e0d0797e9b9ee2f3a71b93d7c9c86c791025c09dcced31873888bd24ed5141b80c895be3f9a8fe0ce85faf18f2252b9174d0ad98d503c8bea

/data/user/0/com.uypu.ybev.rvvx/files/.umeng/exchangeIdentity.json

MD5 a62ddd6b4d4494c83b83cfcdf25d9cf2
SHA1 9fbb3b3816bfe5d30266bb3c51a119b179a5f8cb
SHA256 a520ae4be2043d3c8250a6246e20bb88fe5446cc1c41faf9687a90f55e6907b8
SHA512 edd2d8d28b58e8c5fae2d7f2e1a521a26fed2f41f935e13855bf83f465afeeff5216466307980d9724e94b35fd39ea9d1ce21278bbf7c28cf6307837b31899c5

/data/user/0/com.uypu.ybev.rvvx/files/.imprint

MD5 fcdd5445383661deb593b56bc202665a
SHA1 cff20119b2445730eaf0e103ffe2985f098d09b6
SHA256 65d74577d940d929ed35be6c8a71a67b08f8c6fba3d1f47ae4983892a644f75e
SHA512 0f97711d46a494dec286c2fcb774b6280b4de7dc26e20652a061018f9be223a39efb7375b41bd99dee3bb72e7aeba8b2b3d33bfb32c3593d926b77e840569d46

/data/user/0/com.uypu.ybev.rvvx/files/umeng_it.cache

MD5 0b35c210170859e915807b25a92d372d
SHA1 8e1a9c0c50c0be00252cc7619d946f9038130b8e
SHA256 0e17f965d2aaf8a82aec865c7ac0f926f8b2706e6955c9b816b034951228b110
SHA512 583ac07ac1ee6a4404160ae7b47c065fb68b98e8ffab4ad22117c802adedabb764b041cb834d27bb9a3c62ae2955537090216b1da9f902259a17bd971fa5baf8

/data/user/0/com.uypu.ybev.rvvx/files/.umeng/exchangeIdentity.json

MD5 b88bc61d45d9a59ad7684c4ef0998f85
SHA1 f8116b377a731b6dd0fb1ac79e191c724630d176
SHA256 ad79a367857025e923e2421f7178c3b5fe92408f41eb9054210d0e1803f33de1
SHA512 717c4c59fdfdd01838f431d7b698ba9b0d792d73fe3d48f90197b857802f7ab9257d6badcbd7f6d913dbd18900f4b64efc8b6a69c064159dddf881defdb749dc

/data/user/0/com.uypu.ybev.rvvx/files/.um/um_cache_1718029309860.env

MD5 c5b78462a3e15085f4183cd050be2616
SHA1 156ec2d64e2404bb5de4509364e23c36e113ea2c
SHA256 b10b05d6b63915e01b79cccb8a285304860910905c5683671baf2386d025c7aa
SHA512 f90d6c3c066377166bc96d658630e3fc8adc2722e20617b193f9a35655e3e305c5560ea6ba9f187e29341b399933a8447bcc3171e02f0c916c6475420df6925a