Malware Analysis Report

2024-09-09 13:35

Sample ID 240612-1pljza1hrc
Target a28c89841d88c0a759ac1b022af073e8_JaffaCakes118
SHA256 c8037e71f38e39b55c81d71b62aca6b330e2b763e54eb3c0b50dd90b71257b0a
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10
SHA256: c8037e71f38e39b55c81d71b62aca6b330e2b763e54eb3c0b50dd90b71257b0a
Threat level: Likely malicious

The file a28c89841d88c0a759ac1b022af073e8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries account information for other applications stored on the device

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 21:49

Signatures

Requests dangerous framework permissions

Permissions declared in the manifest (the Process and Target columns are N/A for every row of a static pass and are omitted; the report lists WRITE_EXTERNAL_STORAGE twice, shown once here):

android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.GET_ACCOUNTS             Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE         Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                   Required to be able to access the camera device.
android.permission.RECORD_AUDIO             Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.WRITE_CONTACTS           Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.

A manifest declaration is a request, not a grant: on Android 6.0 and later the runtime permissions above are only granted by the user at runtime, and SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are special-access permissions that require a separate opt-in through Settings. Whether any of them were actually granted during detonation is not recorded in this report.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 21:49
Reported: 2024-06-12 21:52
Platform: android-x86-arm-20240611.1-en
Max time kernel: 178s
Max time network: 140s

Command Line

com.hyrc.gauv.erlb

Signatures

Removes its main activity from the application launcher
  tags: stealth, trojan, evasion
  indicator: none recorded

Loads dropped Dex/Jar
  tags: evasion
  indicator: /data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar (three identical rows)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  tags: banker, discovery
  indicator: none recorded

Queries account information for other applications stored on the device
  tags: collection
  indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
  tags: discovery
  indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software (indicator list from echap.eu.org)
  indicator: alog.umeng.com

Queries information about active data network
  tags: discovery
  indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
  tags: discovery
  indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator
  tags: discovery
  indicator: none recorded

Registers a broadcast receiver at runtime (usually for listening for system events)
  tags: persistence
  indicator: framework service call android.app.IActivityManager.registerReceiver

Checks CPU information
  indicator: file opened for read: /proc/cpuinfo

Processes

com.hyrc.gauv.erlb

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.hyrc.gauv.erlb/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.hyrc.gauv.erlb:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.8:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.8:80 ip.taobao.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
CN 59.82.122.8:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.122.8:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.122.8:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.8:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.242:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
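The Network table above mixes three kinds of traffic: emulator noise (mDNS, the sandbox's resolver), Google/GMS endpoints that any Android image contacts on boot, and hosts the sample itself reached. The Python below is added here as a worked example and is not part of the sandbox report; it parses an excerpt of the table, separates the three, and pulls out two details that are easy to miss when reading the raw rows: c.ioate.com is resolved but never connected to, and every host attributed to the sample is reached over cleartext port 80. The noise and platform lists are analyst assumptions about the sandbox, not something the report states.

```python
"""Triage a Triage-style Android network table into noise, platform and sample IOCs.
Added example, not part of the sandbox report."""
from collections import defaultdict

# Excerpt of the behavioral1 Network table above: country, destination, [domain], proto.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.8:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.242:80 ip.taobao.com tcp
"""

# Assumptions about the sandbox environment, not facts taken from the report.
SANDBOX_NOISE_IPS = {"224.0.0.251"}   # mDNS on the emulator's LAN
RESOLVER_IPS = {"1.1.1.1"}            # the sandbox's upstream DNS resolver
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com")  # GMS / emulator


def parse_rows(text):
    """Split each row into country, ip, port, optional domain and protocol."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) not in (3, 4) or ":" not in tok[1]:
            continue  # header line or junk
        ip, port = tok[1].rsplit(":", 1)
        rows.append({"country": tok[0], "ip": ip, "port": int(port),
                     "domain": tok[2] if len(tok) == 4 else None, "proto": tok[-1]})
    return rows


def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def classify(row):
    if row["ip"] in SANDBOX_NOISE_IPS:
        return "sandbox-noise"
    if row["ip"] in RESOLVER_IPS and row["port"] == 53:
        return "dns-query"
    if row["domain"] is None:
        return "unresolved"  # the report attached no name to this connection
    return "platform" if is_platform(row["domain"]) else "sample"


def triage(text):
    """Group sample traffic by domain; keep names that were resolved but never contacted."""
    contacted = defaultdict(lambda: {"ips": set(), "ports": set(), "countries": set(),
                                     "cleartext": False})
    queried, unresolved = set(), []
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "dns-query":
            if row["domain"] and not is_platform(row["domain"]):
                queried.add(row["domain"])
        elif kind == "unresolved":
            unresolved.append(f"{row['ip']}:{row['port']}")
        elif kind == "sample":
            e = contacted[row["domain"]]
            e["ips"].add(row["ip"])
            e["ports"].add(row["port"])
            e["countries"].add(row["country"])
            e["cleartext"] = e["cleartext"] or row["port"] == 80
    return {"contacted": dict(contacted),
            "queried_only": sorted(queried - set(contacted)),  # resolved, never connected
            "unresolved": unresolved}


def ioc_lines(text):
    """Flat domain,ip,port,note lines, ready for a blocklist or a hunt query."""
    t = triage(text)
    lines = []
    for domain, e in sorted(t["contacted"].items()):
        note = "cleartext-http" if e["cleartext"] else ""
        ports = "/".join(str(p) for p in sorted(e["ports"]))
        for ip in sorted(e["ips"]):
            lines.append(f"{domain},{ip},{ports},{note}")
    for domain in t["queried_only"]:
        lines.append(f"{domain},,,resolved-only")
    return lines


if __name__ == "__main__":
    for line in ioc_lines(NETWORK_ROWS):
        print(line)
```

Everything not on the allow-list lands in the "sample" bucket, so third-party SDK traffic is in there too and still has to be attributed by hand: alog.umeng.com is the log endpoint of the Umeng analytics SDK (which also accounts for the umeng_it.cache and .umeng/ files in the Files list below), and the report flags it only because the echap.eu.org list includes it; the SDK is embedded in a great many legitimate Chinese apps, so that hit alone is weak evidence. ip.taobao.com is commonly used as a geo-IP lookup. o.pmuro.com and c.ioate.com have no such explanation anywhere in the report, and the resolved-only status of c.ioate.com (queried, never connected) is worth re-checking in a longer run.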

Files

/data/data/com.hyrc.gauv.erlb/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.hyrc.gauv.erlb/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 4b984f54a88966c9da72824ea9353f3c
SHA1 380cb7b673129abb0f2ea0ab57965763d83d0d00
SHA256 07bc58b86dc214e74127c0fb0b029c2ae521724e94f79b6a7e6720ef0ace4919
SHA512 e583280e2fae071517bf13149c3aa56f3b3c2cbb830bf4e0ae1bf563fb6ad37a9ba232f0db9fdf6cd2e80d427fcada0eb789b2651b8be5a978e941b7a9ab6fda

/data/data/com.hyrc.gauv.erlb/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.hyrc.gauv.erlb/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.hyrc.gauv.erlb/databases/lezzd-wal

MD5 5dfae0d2c6ca26ffc125572a0e82fdfb
SHA1 25526b93f98e0535f2b87d1675676e8fbc210baf
SHA256 28efbec3437b62028ce8d6bf0e58657aa0bcb52b05037a053afcad690ae4311a
SHA512 98d24b632d426a3f024c1b02ba2fe1c4692e897aff52243c279361a923e61b25f2a1a527a0018703c6d98e71e3fb0630191b8e8786791af2032e341aa8aaf817

/data/data/com.hyrc.gauv.erlb/files/umeng_it.cache

MD5 9bc3f4cfabea40952967374024ffb28c
SHA1 1e92ee535268fb14501aac1a7406e67db57c97d8
SHA256 ab95eac3820a4d7327ffb5040da29c49e3c2a59bbaf6fe69fa4ec63ea1d64482
SHA512 60fd0ce3ed1d8092c61f0208d4d65758d4ac6e3506a5def2dceb5a70891f7e1172fc62a3c8316fab88e9ced752a99ccb43c7b34bc82cf8aa151867fdfde8ccde

/data/data/com.hyrc.gauv.erlb/files/.umeng/exchangeIdentity.json

MD5 624c38460864c7d59efa3b0612e60799
SHA1 e35788397d12a3c6402d79f357787101f1233e64
SHA256 71b517959a7756a18a3dda99bc2dd736c949593afb7f37b1acaa21571e8a3df4
SHA512 99269b42f489ee1b3ab40c1330d796a2d43c7cb770f2196ae497055ffef423646e1a5225d0b501ee90bc143eb296a229dd14636bcaa6bad1ef7d3e3021b54874

/data/data/com.hyrc.gauv.erlb/files/.imprint

MD5 506029eafedb62e33d65c136424ffccb
SHA1 9551b51e4f128998f8f72e9c88aeb7d8b2bb9099
SHA256 e71b22e5efbdcb501d788e1db36d47ca8fc985fda7dfb043f7f3ff5b9f204c8c
SHA512 7751706421545fc154cfa6613e45a5ca04fdec8efa08f48a300fb34f85393f664fb83beda9c9ddc7753b6e3570c77485d818d32f7e06c04f46523e5ba2910c09

/data/data/com.hyrc.gauv.erlb/files/umeng_it.cache

MD5 8b030f1fdb86c3ee2ad54ddd5036c319
SHA1 64d30cf8d95cea7fab6481f2aa6cbd0e5398bccf
SHA256 dced28be6ec11503d2ccd40f7fcbfcdd3ab2f220962bb0bb273bb8021e708925
SHA512 ac5401bf7e169e1ab42f43e3da4a30e28f2b451a45de99d58d6ebdba0a79e4d51dd0a042eb179a46c6517e4020c12241c1210b0bee74879616f3785d40752f1d

/data/data/com.hyrc.gauv.erlb/files/.umeng/exchangeIdentity.json

MD5 4edb9d4032e9eac6c4babbb7c5c16f3e
SHA1 9ae594443364c0d070d4ef903b478e9cd45941e1
SHA256 09197bddc2ba584d3398fa6dec304d3e15693c1c3b3a995a9cd4d71d557d5019
SHA512 02131b78112775f5364548fcdda3ed29d91e9bb3452abb02a977d041987097229573f1a6f23c08c4c2b30ec76031da4616dfde78e839996c550b775e06756898

/data/data/com.hyrc.gauv.erlb/files/.imprint

MD5 03edc5eab83a46f2430229b2cb0af2a7
SHA1 af4bb67c66263cfef6b5ca97f37b19bee0f67bd0
SHA256 68689060fa0171312d4834db7d9ba383933d7b3b496615e5d431a56b6bd2a282
SHA512 173ecbaa10340cf34c7611d824e27ea0cac763a1482dce98126c0f94fc0407590fbc1637f0225ead0455566c1510ef17037bb39eae06f8a7666e26d7119029ca
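The Processes section shows the ART runtime invoking dex2oat on /data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar, which is what the "Loads dropped Dex/Jar" signature is reacting to, and the Files list shows that same path with two different SHA256 values in one run, next to tdz.jar and ddz.jar, which were written but never compiled. The Python below, added here as an example and not part of the report, correlates the two sources: it parses an excerpt of the file list (only the SHA256 line of each entry is kept), extracts every --dex-file= target from the dex2oat command line (copied verbatim, including the truncation after --class-loader-context=), folds /data/data/<pkg> and /data/user/0/<pkg> together (the former is a symlink to the latter on current Android), and flags code-like files in app-private storage, files the runtime actually compiled, and paths whose content changed during the run.

```python
"""Correlate a sandbox Files list with the dex2oat invocation from the Processes section.
Added example, not part of the sandbox report."""
import re

PKG = "com.hyrc.gauv.erlb"
APP_DIR = f"/data/user/0/{PKG}/"
CODE_SUFFIXES = (".jar", ".dex", ".apk", ".zip")  # containers DexClassLoader will accept

# Excerpt of the behavioral1 Files list above, SHA256 lines only.
FILES = """\
/data/data/com.hyrc.gauv.erlb/app_mjf/tdz.jar
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

/data/data/com.hyrc.gauv.erlb/app_mjf/ddz.jar
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae

/data/data/com.hyrc.gauv.erlb/files/umeng_it.cache
SHA256 ab95eac3820a4d7327ffb5040da29c49e3c2a59bbaf6fe69fa4ec63ea1d64482

/data/data/com.hyrc.gauv.erlb/files/umeng_it.cache
SHA256 dced28be6ec11503d2ccd40f7fcbfcdd3ab2f220962bb0bb273bb8021e708925
"""

# Copied from the behavioral1 Processes section; the report cuts it off after
# --class-loader-context= and that truncation is kept as-is.
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar "
    "--output-vdex-fd=47 --oat-fd=48 "
    "--oat-location=/data/user/0/com.hyrc.gauv.erlb/app_mjf/oat/x86/dz.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)


def normalize(path):
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg>; fold both spellings."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def parse_files(text):
    """Map each normalized path to the set of SHA256 values recorded for it."""
    hashes, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = normalize(line)
            hashes.setdefault(path, set())
        elif line.startswith("SHA256 ") and path is not None:
            hashes[path].add(line.split(maxsplit=1)[1])
    return hashes


def dex2oat_inputs(cmd):
    """Every --dex-file= the runtime was asked to compile, normalized."""
    return {normalize(p) for p in re.findall(r"--dex-file=(\S+)", cmd)}


def correlate(files_text, cmd):
    compiled = dex2oat_inputs(cmd)
    out = {}
    for path, shas in parse_files(files_text).items():
        out[path] = {
            "app_private": path.startswith(APP_DIR),
            "looks_like_code": path.endswith(CODE_SUFFIXES),
            "compiled_by_dex2oat": path in compiled,
            "rewritten": len(shas) > 1,  # same path, different content within one run
            "sha256": sorted(shas),
        }
    return out


def findings(files_text, cmd):
    """Paths worth a second look, each with its reasons, most reasons first."""
    rows = []
    for path, f in correlate(files_text, cmd).items():
        reasons = []
        if f["compiled_by_dex2oat"]:
            reasons.append("compiled by dex2oat, i.e. loaded as code")
        elif f["app_private"] and f["looks_like_code"]:
            reasons.append("code-like file in app-private storage, not compiled in this run")
        if f["rewritten"]:
            reasons.append(f"{len(f['sha256'])} different hashes for one path")
        if reasons:
            rows.append((path, reasons))
    rows.sort(key=lambda r: -len(r[1]))
    return rows


if __name__ == "__main__":
    for path, reasons in findings(FILES, DEX2OAT_CMD):
        print(path, "->", "; ".join(reasons))
```

Two hashes for dz.jar in a single run means the sample wrote that file twice; whether the first copy was a staging artifact or a second-stage update is not something the report can tell you, so both SHA256 values belong on the IOC list. tdz.jar and ddz.jar were dropped into the same app_mjf directory but never handed to dex2oat here, so they are the first thing to pull from the sandbox and inspect by hand.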

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 21:49
Reported: 2024-06-12 21:52
Platform: android-x64-20240611.1-en
Max time kernel: 178s
Max time network: 181s

Command Line

com.hyrc.gauv.erlb

Signatures

Removes its main activity from the application launcher
  tags: stealth, trojan, evasion
  indicator: none recorded

Loads dropped Dex/Jar
  tags: evasion
  indicator: /data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar (two identical rows)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  tags: banker, discovery
  indicator: none recorded

Queries account information for other applications stored on the device
  tags: collection
  indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
  tags: discovery
  indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software (indicator list from echap.eu.org)
  indicator: alog.umeng.com

Queries information about active data network
  tags: discovery
  indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
  tags: discovery
  indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Queries the unique device ID (IMEI, MEID, IMSI)
  tags: discovery
  indicator: none recorded

Reads information about phone network operator
  tags: discovery
  indicator: none recorded

Registers a broadcast receiver at runtime (usually for listening for system events)
  tags: persistence
  indicator: framework service call android.app.IActivityManager.registerReceiver

Checks CPU information
  indicator: file opened for read: /proc/cpuinfo

Processes

com.hyrc.gauv.erlb

com.hyrc.gauv.erlb:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
GB 172.217.169.42:443 tcp
CN 59.82.121.55:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.55:80 ip.taobao.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.42:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.169.42:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.194:443 tcp
GB 172.217.169.42:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.hyrc.gauv.erlb/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.hyrc.gauv.erlb/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 3f88aaf61879c995c2933886181f3dc2
SHA1 291e235abd76dc9a4d2d2bac9cb0d30ec550cd04
SHA256 fad25ae00943e0ec94008669d96f10f1231030b622eabf61188e3472b5a1dbfe
SHA512 003b02fa194a3fb229e5545de22b940054d87121e0264802381e70ebe5db7d35bf504d95dcf5327c6b008419937dca183be0cc02e1f1cfabbf10a3bfcdbc6168

/data/data/com.hyrc.gauv.erlb/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 cc1943ce1232739f2089014a3634864c
SHA1 b3b9c8bf34af2139e87877aba9f5bba3b9754606
SHA256 baf29d4929f1cab9b26a6280fb2131a3df4e8edae0a644a8a0e1f0e723c74a49
SHA512 dbabccc472de5969a1909e7067419474c4df47485f7933873e603021929e5f15530b8d9f9e1e8e4683a51b87d7b7f8fbf15cb527123816ac8839d2e048f21520

/data/data/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 fc60dfba5507d4ae4f52618bce2b7b79
SHA1 0b74d0097f8c8a06f0851288a0facdad6769dbab
SHA256 7c5cd83ad29f5aefe3dd6f92512857451d6fc1832e3322241550f63b8737ec23
SHA512 8e2eba8b2b4dd61adb74711e5b51727b8a59d211d3c5006a9133cf549d90e40aa03ea67ab54ca256371c422e5f7ffdfef9a8c6d9bf81d3ea65e8bfd3b3d04e58

/data/data/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 63944d8a5a9ae6618dd524ef7761616d
SHA1 9eab1a88ec4e93087bf8cd84c89dca00b8987cb9
SHA256 91d393b3974d14624b98f9be8e0991d8611732fe53e603aa3a08cf4337138026
SHA512 00146c0ff78cad2cdfd2add5a2442ca7424efb5d88c4d57fda432739b6fccf63c7a269a77ac57a5aa1ac2ee2545df878e46018d52fa9e3e3d305076de692a0a9

/data/data/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 b2b0659a826371aabfdbb027500f07f5
SHA1 5510feae32a6a2b09830a7acb2d478fe1dccdcae
SHA256 0f046ca6e9a08be7ac9ce1b545fd388b59e88b1b78dae5e453ed53c78867e08c
SHA512 9ac14d04248a0b3d1ec004dde8b7528438c6da3aa5bf438ae4e0cf48d5a19b343292cdbaeb4cdef2369dcd380aa9c5587fecbebf6a8a0392c12087eeb612f131

/data/data/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 c8e8248b384c1b97dac0fef48c0e7597
SHA1 b8ac64cc8900c7bfa57694300510a3dae01a140b
SHA256 fa2cb09e22f3048b6348bb34d2d1cbdfd4a9f7ec9a030f2e875bee0a94c90926
SHA512 e36ccab0550afc29400fae764c57ba749f749d21ff703079cd90b6fbaf4587c8fe64e3eb13f0035c9eacf9893a857edef3a1f0ff4d21838c4d3cd84d7885768e

/data/data/com.hyrc.gauv.erlb/files/umeng_it.cache

MD5 b3dd0229d7148cbd6728ca2f465d9318
SHA1 1ddc8fb492897d1677af637e42667065ccb02ab0
SHA256 321621c84ba2739e10603a2c628901f71dac00e710484b13bf49d25ab315c1ad
SHA512 c88bcd2a454b051ae5367a7b7ad2ffa2662f4d91fd593f96503609dafd77501a2599f3f4452b4e8a96ef60da39ca31bc6363f927391739bba86f18218708fe3b

/data/data/com.hyrc.gauv.erlb/files/.umeng/exchangeIdentity.json

MD5 6a41e8d4b82dd443cf81c69587fc7792
SHA1 877d4e12beaa66e6cac86a1aebebc26038aba5f0
SHA256 8e13c378666393a5182e18070d315a1365cee1daa10ea2d720cab1b0b83bdbcb
SHA512 4cb9a3f9dbbf54591abc4b3420f8734a708328a93150c5e240e56b49d94a3a49fe689ed45eb4514cb5738b82b526b9f0c1c4fcc0aaecafe07bc1590f9acfe56c

/data/data/com.hyrc.gauv.erlb/files/.imprint

MD5 d173c9bdd74a8556edb9852ff0d01ba0
SHA1 e9d5d9490e98b5dbe8f5db2fea05a3359d62be7c
SHA256 0dadc8576eb6d8b6a9d34784827f8ea5ca2beeb30a97b1f8fef3f94c88d9ab87
SHA512 a8d3935cd43beb8192bc9aa11c5954516c81da4cf8b86796a0f78799d9e96e99339715f50ef0f62212083c97811f99b2208b7024c042c7470c4c1ff49bed48a0

/data/data/com.hyrc.gauv.erlb/files/umeng_it.cache

MD5 23e79a6c0fe1641e960017b9c9909cac
SHA1 e46bcef4dbd4fcc46f6b3d0eb18465995d6a27e6
SHA256 22e4ca6d496e8f6ad43fbaf3107390accb32da67e41bf096896682a0718b8627
SHA512 06589546ae59c8ca9ae71f4cb8de0e5ebb6ce6f5c490084ec08ffc8b5ac81e8e4e1aec421124d7170c576e7adac8483beef545eef046f8c52f9f9456226f31ec

/data/data/com.hyrc.gauv.erlb/files/.umeng/exchangeIdentity.json

MD5 e02f2f73bb0648ccc99d83f6035c9e1c
SHA1 88756371c536c15ecc434e2050a16419ac4222dc
SHA256 eab02c6091c3f33257dd11ac4ebcdbfa6cb8731e0db75b66d1f2c902ae76730b
SHA512 697725ed83ccccc2585d7802bba4ca7c991114f3f90fcce3a7cdd5d19d013f6aef91d22dfc31f70f36b2e6e31941b3662788bd0b779f9ff893724b93df8d0bc4

/data/data/com.hyrc.gauv.erlb/app_mjf/oat/dz.jar.cur.prof

MD5 a87dc1222e6546c25bd22b812f178fe6
SHA1 a7ff038b70956810393286e7548b0520db8b0fec
SHA256 6c57fb585b9619a0b77b41356f48ffe452d24bc8824eb273facb7952e208997f
SHA512 4fd4fc5fb5cad953ac9e1240526c3ad3f864d197b08bf98713b70992ba1d5def64aa3d104786fd16828cb5e064cd931893c11189b4f8d82bc701d01a62bb4d1d

/data/data/com.hyrc.gauv.erlb/files/.um/um_cache_1718229155010.env

MD5 f4f822ac81520a56600a73f480e6c0ec
SHA1 954de7e7fe0625cbd00c555b3e91bb03bdd651ba
SHA256 1ce3ab20748fa9ae15d59c518481f200f272d2af1aed2c251fe6db15bfd5a14d
SHA512 05c5dba45c80332eb77e3adffebc9096d4b7783c10cf169e81285fe25c8872eca78ad7d8fa324af0025c136ae70ba5f0dff564cc17ddb6b16d8a54c28f0c25d9

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-12 21:49
Reported: 2024-06-12 21:52
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 178s
Max time network: 132s

Command Line

com.hyrc.gauv.erlb

Signatures

Removes its main activity from the application launcher
  tags: stealth, trojan, evasion
  indicator: none recorded

Loads dropped Dex/Jar
  tags: evasion
  indicator: /data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar (two identical rows)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  tags: banker, discovery
  indicator: none recorded

Queries account information for other applications stored on the device
  tags: collection
  indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
  tags: discovery
  indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software (indicator list from echap.eu.org)
  indicator: alog.umeng.com

Queries information about active data network
  tags: discovery
  indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
  tags: discovery
  indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator
  tags: discovery
  indicator: none recorded

Checks CPU information
  indicator: file opened for read: /proc/cpuinfo

Processes

com.hyrc.gauv.erlb

com.hyrc.gauv.erlb:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.37:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.120.37:80 ip.taobao.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 59.82.120.37:80 ip.taobao.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.55:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
SG 47.246.109.108:80 alog.umeng.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
SG 47.246.109.108:80 alog.umeng.com tcp

Files

/data/user/0/com.hyrc.gauv.erlb/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.hyrc.gauv.erlb/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 8bcb22ca2d957bf53be4dcc5c6d3f6cf
SHA1 2eea679c905b7aa928fcaf106ad56c4f6424090f
SHA256 3e4489f324c1add9a39c252f6ef270f267e9508f7c9cac89a62ad08544c0f389
SHA512 b39b611e66dd6a0451cbdd6f7733e799ea7b367692149f8af9a2ec5f477b99318a3e86432f3524bde45956c5f2bc8ed41514aa174d52117c0643725f51e9425e

/data/user/0/com.hyrc.gauv.erlb/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 81d58bd3870d56e9b0bdf40122b478f9
SHA1 8dca51eccb090c8a3d22eade9046c1bb0d590da9
SHA256 a3448bc868c9da72f8395f9387bf7520d9e4c25a923564f0fc270c2bc6ba7f5b
SHA512 e9679b31797506d8149b5047fb843195ffb378a9ac18f67e9eb4db46c8b8b7786cad2d7e0fac8a8c39a5c7ae7c7a9b03020fef2baaba0347f0c050809b3c79ea

/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 18688b640126f206b203fe79ab9ea3cd
SHA1 43344106d575071c4df3d7d7d0cf0c1281311d5b
SHA256 5e5dd5d95dbd22d97b47daee65ffb599665af0fba4976aaa9f61b84a7d6f236b
SHA512 1e15067572804fa58cf31d609be4db5262de1e76c53dc430908d0d5df8caefe9d31106c7cd09eb3fabf9a1e86b54881a396e8ae3114c97882b181658349fae3a

/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 a6efd6eced146ee030aa73eae7cb244b
SHA1 5396a8a5e2141c253cc4cecbbcd2a69c44d9b73b
SHA256 d4ea922a48c762b02c3d6038a9e8efc5e5e6cda6f548a029f8e139bb9e8f0806
SHA512 6e230b88cb4e1cb5673a3315198dfeca802f7ceeeb41f6bbf4c0dd68ef91faffa4a68398edd9fa48f394d72e873f099237a9245f3aac5760d5c699fdc785684a

/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 7ae8a0496e85017f728d6bf9b7261082
SHA1 a6a5e9ece69be0d75c07e680501100f374429261
SHA256 e9028470bba36e26ca3fcaaaae0ac17fcb358d950920580c09ff8d6c5904867a
SHA512 4c95091c77af1463b4ba13d84375f6ddbcc0e96f6243e8cb4e2770eae991f8e135cc8e46621cf870cb26f2030c6a10cf74637ee23e85326c207d3afaea52bb5a

/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal

MD5 e7ffed570f78e7cc06988c7cad8356ba
SHA1 ae1592bba395ebe003ddb43d270062d7905eefb7
SHA256 c6f4263a08bf4874f1d445de68a0371773ca5b764f27c6c5c1299d2c4ae3c76c
SHA512 01a7588efd51195110d0c794a8e09d530421812863faf7609da6b54114667d155837a9b5093e0f05cb80e38ea9fb768f06bda168c65f55c307a32911f3424049

/data/user/0/com.hyrc.gauv.erlb/files/umeng_it.cache

MD5 8cc44c3774568441e044ba8536ac9aff
SHA1 9090298ba3588d8a61eeb5dbaba591bce954a68c
SHA256 a074baef47b84ff2b2f80749c38422b6964f6cdaf5651701f3a8e6ac8cdcb29a
SHA512 8916580fe40079a540e8a2b7c699a76dc96636aa4a196daecb8f78b64cbbf97abd4644516457873e632467b9ce4c8cbc84d4b47fdfd1bb84d5cc3ebe25d025c6

/data/user/0/com.hyrc.gauv.erlb/files/.umeng/exchangeIdentity.json

MD5 3558befaba29a4d972b1e61b790f37dc
SHA1 5156a797d9d12bb1966cbd9e1d22846b55fa7e82
SHA256 f6eb7d021ca80671cd2a3b8a19727c3f7c8d65b4a831c7e59318a4a9d6b0c784
SHA512 edd39fc38540e868c42aabbe2f70fe6b1861075428ef98eaa37ac3fbf0cc743d20cc3ab96670d3040b9db439128fb48e8610ee4f3cff1a9b5bd1cd8cbb4d77a7

/data/user/0/com.hyrc.gauv.erlb/files/.imprint

MD5 b50da9490b030fe7c1aaf2dd9d1b3799
SHA1 23daf57268f4920b804daa5c321ae2ccc0ee4943
SHA256 7c8d18dc165c9c4f22b34bf6837000a364bad70a43eb5456c6353364f7852a0e
SHA512 ac9e4eaf9b700598d0b1ce700496fd1ad04e2683f63c6f6e653c65911cc9f4d801526203655a380e2942a153770ba4083f4fd3ca70063854dcf2633fde102d89

/data/user/0/com.hyrc.gauv.erlb/files/umeng_it.cache

MD5 50d0f7b70ccdfb1f47d018d101abd5fe
SHA1 45026ba4f907398f6cb39a1b066c2253a1c1ca3f
SHA256 f44055e5d8ec64e28ba1f668230828d18c5445d499b665adcc9382bd5d268cc7
SHA512 4ce685e17d72db5764e7a75f4f5b73a3e02c97f40d204b71bca6d4399a8716b0a670d1e71b837d8c2cccfb92a3c0f69a094e3b21b06e8ca3c18de132a52756c8

/data/user/0/com.hyrc.gauv.erlb/files/.umeng/exchangeIdentity.json

MD5 4885b1178b63d12142519c53594e11da
SHA1 2e2f89658badc57fad251c3e7d65c69398ec6b0f
SHA256 f52e48b1f2a7e5fc93e9e0dad7ccc0b3c0307964a910659a89fc2d3cdb84a94c
SHA512 99d8fd732e0e14994c71dffb23ad815e5a4c3fdc3a95d87cfc359b468a6cd2087575431572c1e4b1e8dd46a281a6051261d0460202d78d5b1ded6a7ec2dada30

/data/user/0/com.hyrc.gauv.erlb/files/.imprint

MD5 e1ffc1e8d97d716d825dca2ec882ae4b
SHA1 ecfb54a5e561347e8d22fa0c8677d21c331deb5d
SHA256 1b2fe1f270713276604ee72c1de98b2fe7142b124aeb5f16e0f0188ad0e034b0
SHA512 a176a1a34dd1efd16598d66e72d9fb002a65d84a7cc2fee72bbc62a16da66da6571da5b948d849587ff9792df4349a94e60e9ea78161f30c3e6337afc9a1cfc3