Malware Analysis Report

2024-09-09 13:19

Sample ID 240612-3yzjaszcnr
Target a30759feac44f4b571dd3ae82f7aeb8b_JaffaCakes118
SHA256 f022bfbccbc5cec1a00ff5b459753efaf13927ef68794b314b5e2d870e32f041
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f022bfbccbc5cec1a00ff5b459753efaf13927ef68794b314b5e2d870e32f041

Threat Level: Likely malicious

The file a30759feac44f4b571dd3ae82f7aeb8b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about the current nearby Wi-Fi networks

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Checks Qemu related system properties.

Requests cell location

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Queries information about active data network

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 23:56

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 23:56

Reported

2024-06-12 23:59

Platform

android-x86-arm-20240611.1-en

Max time kernel

87s

Max time network

131s

Command Line

com.yghys.doctor

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Note: the ps daemonsu and ps | grep su commands in the Processes section are the same root check done through the process table (daemonsu is the SuperSU daemon), so hiding the su binaries alone does not satisfy this sample.

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A
Accessed system property key: ro.product.name N/A N/A
Accessed system property key: ro.serialno N/A N/A
Accessed system property key: ro.bootloader N/A N/A
Accessed system property key: ro.bootmode N/A N/A
Accessed system property key: ro.hardware N/A N/A
Accessed system property key: ro.product.device N/A N/A

Checks Qemu related system properties.

evasion
Description Indicator Process Target
Accessed system property key: qemu.hw.mainkeys N/A N/A
Accessed system property key: qemu.sf.fake_camera N/A N/A
Accessed system property key: ro.kernel.android.qemud N/A N/A
Accessed system property key: ro.kernel.qemu.gles N/A N/A
Accessed system property key: ro.kernel.qemu N/A N/A
Accessed system property key: init.svc.qemud N/A N/A
Accessed system property key: init.svc.qemu-props N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.yghys.doctor/.jiagu/classes.dex N/A N/A
N/A /data/data/com.yghys.doctor/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.yghys.doctor/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.yghys.doctor/.jiagu/tmp.dex N/A N/A
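
The report records classes.dex under two different digests and tmp.dex loaded three times, so a dump of these files taken from the sandbox at the wrong moment may be a partial write, and a memory dump may carry a patched header. Before feeding such a file to a decompiler it is worth checking the fields the DEX header format defines. The validator below is an added example, not code from the report or from the sandbox; its input is a constructed minimal DEX image (header plus filler bytes), not one of the files listed above, and build_dex exists only to produce that test input.

```python
import hashlib
import struct
import zlib

# DEX header layout: magic[8] @0x00, checksum u32 @0x08, signature[20] @0x0C,
# file_size u32 @0x20, header_size u32 @0x24, endian_tag u32 @0x28.
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
KNOWN_VERSIONS = (b"035", b"037", b"038", b"039")


def dex_checksum(data: bytes) -> int:
    """adler32 over everything after the checksum field (offset 12 to EOF)."""
    return zlib.adler32(data[12:]) & 0xFFFFFFFF


def dex_signature(data: bytes) -> bytes:
    """SHA-1 over everything after the signature field (offset 32 to EOF)."""
    return hashlib.sha1(data[32:]).digest()


def validate_dex(data: bytes) -> dict:
    """Return version, sha256 and a list of header problems; an empty list means the dump is intact."""
    if len(data) < DEX_HEADER_SIZE:
        return {"valid": False, "version": None, "problems": ["shorter than a DEX header"]}
    problems = []
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[4:7] not in KNOWN_VERSIONS or magic[7:8] != b"\0":
        problems.append("bad magic %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    if checksum != dex_checksum(data):
        problems.append("adler32 checksum mismatch")
    if data[12:32] != dex_signature(data):
        problems.append("SHA-1 signature mismatch")
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if file_size != len(data):
        problems.append("file_size %d but %d bytes on disk" % (file_size, len(data)))
    if header_size != DEX_HEADER_SIZE:
        problems.append("header_size %#x" % header_size)
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("endian_tag %#x" % endian_tag)
    return {
        "valid": not problems,
        "version": magic[4:7].decode("ascii", "replace"),
        "sha256": hashlib.sha256(data).hexdigest(),
        "problems": problems,
    }


def build_dex(payload: bytes, version: bytes = b"035") -> bytes:
    """Construct a minimal well-formed DEX image for testing the validator.
    The payload is filler, not bytecode: a constructed sample, not a file from the report."""
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<III", header, 32, DEX_HEADER_SIZE + len(payload), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    data = bytes(header) + payload
    # The signature covers offset 32..EOF, so write it before the checksum (which covers 12..EOF).
    header[12:32] = dex_signature(data)
    data = bytes(header) + payload
    struct.pack_into("<I", header, 8, dex_checksum(data))
    return bytes(header) + payload


if __name__ == "__main__":
    good = build_dex(b"\x00" * 64)
    print(validate_dex(good))
    print(validate_dex(good[:-8]))                 # truncated dump: file_size, checksum and signature all fail
    print(validate_dex(b"PK\x03\x04" + good[4:]))  # a zip/jar was dumped instead of a dex
```

A truncated file fails file_size, checksum and signature at once; a header that was patched in memory typically fails only the checksum and signature, and a file that starts with PK is a jar, which a DexClassLoader accepts just as readily.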

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A
N/A b.appjiagu.com N/A N/A

Note: appjiagu.com belongs to the 360 Jiagu (Qihoo 360) commercial APK packer, and the .jiagu directory, libjiagu.so, the dropped classes.dex/tmp.dex and the /storage/emulated/0/360/ identity files in this run are that packer's runtime. Any app protected with 360 Jiagu contacts these hosts, so on its own this match attributes the sample to a packer that the echap.eu.org list associates with stalkerware, not to a stalkerware family; weigh it together with the location, camera and microphone permissions and the cell-location and Wi-Fi scan calls recorded above.

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yghys.doctor

chmod 755 /data/data/com.yghys.doctor/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.yghys.doctor/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.yghys.doctor/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

sh -c ps

ps

ps daemonsu

ps | grep su

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
US 1.1.1.1:53 www.yghys.com udp
US 1.1.1.1:53 restapi.amap.com udp
CN 59.82.132.217:443 restapi.amap.com tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 106.63.25.33:80 b.appjiagu.com tcp
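
The table above mixes three kinds of rows: mDNS chatter from the emulator (224.0.0.251:5353), DNS lookups sent to the sandbox resolver (1.1.1.1:53, where only the queried name is meaningful) and real connections, some of which carry no resolved name. The script below is an added example and not the sandbox's own tooling; it parses the rows exactly as printed above and separates sample-specific indicators from image noise and from flows that cannot be attributed. The platform allow-list (PLATFORM_SUFFIXES) is an assumption made for the example and should be tuned to the sandbox image in use.

```python
import ipaddress

# Rows copied from the behavioral1 Network table above: country, destination, optional domain, protocol.
BEHAVIORAL1_NETWORK = """
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
US 1.1.1.1:53 www.yghys.com udp
US 1.1.1.1:53 restapi.amap.com udp
CN 59.82.132.217:443 restapi.amap.com tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 106.63.25.33:80 b.appjiagu.com tcp
"""

# Analyst allow-list for traffic the stock Android image generates on its own.
# Assumption for this example; tune it to the sandbox image you run.
PLATFORM_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com")


def parse_row(line: str) -> dict:
    """Split one table row; the domain column is present only when the sandbox resolved a name."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError("unexpected row: %r" % line)
    host, _, port = dest.rpartition(":")
    return {"country": country, "ip": ipaddress.ip_address(host), "port": int(port),
            "domain": domain, "proto": proto}


def is_platform_noise(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def extract_iocs(table: str) -> dict:
    """Bucket the table into sample-specific IOCs, image noise and flows that cannot be attributed."""
    domains, endpoints, unattributed, noise = set(), set(), set(), set()
    for line in table.strip().splitlines():
        row = parse_row(line)
        if row["ip"].is_multicast or row["ip"].is_link_local:
            continue  # mDNS/SSDP chatter from the emulator, never a C2 indicator
        if row["port"] == 53 and row["proto"] == "udp":
            # DNS row: the destination is the sandbox resolver, only the queried name matters.
            if row["domain"] is None:
                continue
            (noise if is_platform_noise(row["domain"]) else domains).add(row["domain"])
            continue
        if row["domain"] is None:
            # No name for this flow (e.g. TLS to a CDN edge): report it, do not attribute it.
            unattributed.add((str(row["ip"]), row["port"]))
            continue
        if is_platform_noise(row["domain"]):
            noise.add(row["domain"])
            continue
        domains.add(row["domain"])
        endpoints.add((str(row["ip"]), row["port"], row["domain"]))
    return {"domains": domains, "endpoints": endpoints,
            "unattributed": unattributed, "platform_noise": noise}


def format_iocs(iocs: dict) -> str:
    lines = ["domain:%s" % d for d in sorted(iocs["domains"])]
    lines += ["endpoint:%s:%d (%s)" % e for e in sorted(iocs["endpoints"])]
    lines += ["unattributed:%s:%d" % e for e in sorted(iocs["unattributed"])]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_iocs(extract_iocs(BEHAVIORAL1_NETWORK)))
```

On this table the sample-specific names reduce to the amap.com location SDK hosts, the two appjiagu.com packer hosts and www.yghys.com, which was only resolved and never connected to within the 131 s capture. The two 142.250.x.x:443 flows without a name stay in the unattributed bucket: the report gives no SNI for them, so they should not be promoted to indicators on the strength of the destination address alone.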

Files

/data/data/com.yghys.doctor/.jiagu/libjiagu.so

MD5 7e7125a1193cfa8a696c1b8a6d2a103e
SHA1 af193df6127a47f455ebb7d5b792d2e982f4e004
SHA256 707cbb7d210699b111f050a382224f04ba2dbf72ecb4ee8f420d5759b6a23681
SHA512 91a62f00c2a9dc3c28348ef512ca56ab44d999e11dd806d565109159e79f25833c9141023ad639c7f5132acb8038ca0d7cc049ca2118534570d3ef1b36798b03

/data/data/com.yghys.doctor/.jiagu/classes.dex

MD5 8fa88efa13f592e38a4904c4fb3248c3
SHA1 a10b7a7b0fe18450bf8217a7cbe256762ef1be75
SHA256 d114c5dd531cbbdcef50763c51bdd3c9f972ccaea9b89d409f27cafad6b836d4
SHA512 2ae90c4d007c2d6427a7b81d2e728c6386504ce9a9882a54d8b31f27dca290fb84a1da5d88c201c06a3d439f9a7fe8dd79b1e1dfe7ea6e2c87718d8c1b1cee58

/data/data/com.yghys.doctor/.jiagu/classes.dex

MD5 5ce8c72a6acb4dea0b907f31c71f1638
SHA1 c32fd2d1f50b23e2504fbefd282e255ef7694dca
SHA256 3d0d1b7969ea11bf1cb8edd2fcf315556a3fd989cb09f5d31c5f4c755b2a404b
SHA512 d84494057ae4f337aab1f315e84e1e4bbf5cfd6cf3585f19b12151c3181d71bdd12c4866abc5ff9172b00de6497ca4a55268bf54f9ac90fef05c96b42a892c3f

/data/data/com.yghys.doctor/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.yghys.doctor/files/.jglogs/.jg.ri

MD5 a2e9c91c9b51e7437c07e770eac40e9e
SHA1 33d4aa344566bf6af4cd4971d075348f32d46f29
SHA256 dfe6e5dc33d0c9052eee7d05633c78b8e798404f994e949adfc1bf9b9430b5a3
SHA512 3c7df32da81e09c7e97d8e6ddba473b806d58d9148c2caa72bdb2a9c10e9f4c455870c2e65cfac3d49e7d688ffeed4614775da057bfe577ef560d5d85da5102b

/data/data/com.yghys.doctor/files/.jiagu.lock

MD5 d0f3dd39fcad68f5cd9d8329b9d38c51
SHA1 32360e72962ba4775e27871bdb9c7fefe18c9de3
SHA256 4b4f290c82ed0a483ae497fc3c48812a25050be44919be5fb89df4f265ca466d
SHA512 065154fa0f3762ce729e7eda1498076999c89ff8f82088825b97adb492017a9717e82cd710c90c686b104c59e077c0e8d00f4f885ae3899227e916700969ea37

/data/data/com.yghys.doctor/files/.jglogs/.jg.ac

MD5 1e97807150d46ebb5a26e479b98d1d27
SHA1 517ccac0293bacdce708717a9bd8c72ad6fd844e
SHA256 638a8e25da2400fb2ffbe5c63bc2325ad9d307b56054a26d6264fb61187b5576
SHA512 24038807a1b0d4f3ea2515a56f5a7784e722b4dd32fb734369ff05f49cee66a3257fd71c5a3092f7a9aac1099838c1ed1f1f1b2ebb9d2ff71b870b692672a6ab

/data/data/com.yghys.doctor/files/.jglogs/.jg.ic

MD5 aae085fd882690f574e23d72b498fc45
SHA1 36acae4729cb4a9412a21768ac2fb32a439e2026
SHA256 08c0aa0943c5f35a70c8557c7729b3894192cbeab658b67e3fe981f605549249
SHA512 29740a1e5827b6a72c7d1cfbe1ce9b917369aba96cbdef351dc10b258d8f0798f071ae192e3bdb58afc51227252060f48ea099a4975725933ace178d0f00fe67

/data/data/com.yghys.doctor/files/.jglogs/.jg.di

MD5 1b2de5ea119556cb256073f642608b2b
SHA1 fe29b38904488f5de63a1f6131e2c05d9dd040a1
SHA256 e375a867939af21cd2c3600a352bfcc1872ca102745cb43a26f8fc535b240335
SHA512 0c447d7daa3dbedabce3d74b696c7b578064a43b6ebb9e48954d66c9c8b8e450de0dd0ce6be5f5390ab21320c4f8ac0ce642e6c958ee9fab559fb064ea2a2bf3

/storage/emulated/0/360/.iddata

MD5 6f0772a051314af5a711ec1b6e72f5ec
SHA1 a3c7d02a96f92e29d037a4e56c1ee7ecf89dbda6
SHA256 e10089131de56ed9426e2233e3af340b180b3a909e73a0f0271da402cffcf0d3
SHA512 d19eb6b4e2d8519d4fdac500e151e52bc4cbcb835ad3f64e55917065fc1fb0c691aba277f7e5a8efa72b4e7aba920466fd2aecc8c37cda545c6f8004b86b21ab

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.yghys.doctor/databases/logdb.db-journal

MD5 28b8aef0984eda8509b0af424e1e995c
SHA1 1520163a9fa335fb2b421a79ca81f6c924eae1ee
SHA256 d7fb27f511e44c0faa99e778c53aea33c15b56db183f8395021f8d068586d3a9
SHA512 f0a348fe19ada44f7ac0ba584d1dd3751a3fc47988273dafb92c1e92c1062b6f268e49a8fbda55a14487b634080b7abdaf73d298ed718795b84a6848c23cd809

/data/data/com.yghys.doctor/databases/logdb.db

MD5 a7b5debf648af8527d38065f285c6754
SHA1 ad8513c878ca1483a2472c7f8dfc8a416418517e
SHA256 0d8f1987d41b042ee7aa1ae97d1950a40884ff4ed620fd02371017160e50eaf5
SHA512 c879b912d723e9c382e547f605dea4d77830d9300c3cdb1a14c2758cf4e895000c7ba2afe37584ed2fb94a9893e8ff47bdfda4dfbf2dc47aca75efc5d28984e4

/data/data/com.yghys.doctor/databases/logdb.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yghys.doctor/databases/logdb.db-wal

MD5 6b76b007a39a0dfe74357a9d6b7e472e
SHA1 6e0a5ade61891e051278f7f3aba75bc45e0ee74e
SHA256 483bb23c95417c6bf9cc219046b7689684e729ffb1be3844131880be71489b19
SHA512 7f4a992f95cf918e072afd8f6a6b8fe34c690a71cfa49020781947b591f12a5a1143f56cc4b2c3cdd6d1246c55731460b1f8ebabca4181536abe3c16d07e9ba7

/data/data/com.yghys.doctor/databases/hmdb-journal

MD5 568e6fc42ab583c4cd3205e2b67c1046
SHA1 d2e84c319944efc82d3e6c67b53a319c368a81c0
SHA256 f69687c980c430c398bea03e7c93241fa573b5b1fa12cf7c3bf0065d53b84cbe
SHA512 8a3619ed83922f5f25a1cca3ca1f8fefafe04b934ce7e60321d6d673d31715c68c957e3f03cdb0c648af5b5c5389dbd8835154c30b3181e4c7f3d0ebb16073b4

/data/data/com.yghys.doctor/databases/hmdb

MD5 3fe30614d7e0d11db870b4624f6c50e0
SHA1 053ff0fc621ab40f2afeddb3e7b4a73ee41ec533
SHA256 67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d
SHA512 c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

/data/data/com.yghys.doctor/databases/logdb.db-wal

MD5 dc41680d9e089209c84318339a20ae25
SHA1 29279d44916911118d65a91be49962aa6278ef88
SHA256 6db6c29cdb33666bf4dfe2ba52c8cdb8aa02e2329d61783e60c12e0d0780e83f
SHA512 9ff4686191fb9ce98b72834d32fe006af3af112ef32803c0833aea1389043ddeabc90f2342b90036a15e0dddb0576a969606110f5d29e3c70e5c8228141baad0

/data/data/com.yghys.doctor/databases/hmdb-wal

MD5 1efe779e355b3d1f22e268fe16598cb4
SHA1 51414f90a2e829db44f0178eeb6fe647e0e4ec7b
SHA256 61cff3692173cc769acdc68113dc80da9ed9d0eeed81bc7f78afd9e84ab0f672
SHA512 849f94ef8a48150d3cfdfe14b81744415c846d616df34c374154ba0c0dbb0943a253a5e3c0f955b157abac413ff1ae8ef5ca8561a74d36fb86dacc77785e9ed3

/data/data/com.yghys.doctor/databases/logdb.db

MD5 46b79f26c9230f98561376eefc08fc7e
SHA1 54c2c21e59375190c602180acf41fca8e3d1320a
SHA256 a555ac6ce81ba7ce41d5f83177848bf15fac43ac0ae4d0d24c554e259eb5499f
SHA512 49b9575368ef9b0fc29b730bb6e3be3d03f8f9604566c2383dbb0ce0cb50d4063278c8f79343b2c1b384ee0cc03214576c126962b3847376faefeacdfcc6278b

/data/data/com.yghys.doctor/files/a/k.store

MD5 21b24d3cea3aae90c2466a189a6cdbdb
SHA1 7357cef0927fe48bbb0af40a7bc42acc50e652a4
SHA256 5c95b879c50a971d168a9347075eda8093b65ed50c47354a2ada45ebab60ffed
SHA512 e0e28c6eba12feb8b973d632ec0d2125c8656c45d4374c9418a0e1a238b0cded865f4ea12ae3f7a5f52b095f7131cef4402185d913bc55366feaf4b122592ecb

/data/data/com.yghys.doctor/files/.jglogs/.jg.di

MD5 04b472287d2fe36da545cfc2bb28ca52
SHA1 09e37ed6e9d8dd153da39daa222f7544d579a384
SHA256 408e0f903041f868f7a920c9962ee20a0aa935e0be4f05f37396cc65f8804b6a
SHA512 93977085f442052d8b99ebc3086da73cd2c534fdc0080727926f53c59f732c73441a5a1a1b40cfe70bd7ffcc9512febf1ba78ae7cda809f1a2d1fc993760472c

/data/data/com.yghys.doctor/files/a/b/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/com.yghys.doctor/files/a/b/journal

MD5 0cf77f36c527abcba3e91da23011c1bf
SHA1 3bd240ceb6e24c9ceb3e2ac8cbaab6cec10cdfdf
SHA256 a6bb2d97757402adee9ec84cd2497f9e23a9408d3ac4f09f2d8fd23066cad0b6
SHA512 6e6e40d6ff7a2e539b81246e9176b4ee18937c9f7884592a91b7613f4eaa754c54c97dde39c6c7c81fbb6901231c3136a288c801bd3c654e58bf24a29112cca4

/data/data/com.yghys.doctor/files/a/b/4c984fe24161907e5b5b9423ecec3163.0.tmp

MD5 60930797c9b80f505e1619737ad9befa
SHA1 cb1a2cb2704e9c4ff99b67583f177215b9aa6ae7
SHA256 572b3312207b2a69e2b4e03d7485223a4a1e2871fec0c1944cfce131b668b9ba
SHA512 33a8f0f1baf8cf79a568d1c1dd34e996ca246d428dcf82a9f7e9dd460734ec629f300a0407dfd13919db29eaf1272192f04723c290e99e72c403eadbc38a8984

/storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db-journal

MD5 5e9a7d4d18916dd9b6b599f4cb4c17dd
SHA1 ff23ba75bac3bab6c3350988e467880cb004a5a3
SHA256 73fe831f2b51d99e5cb1f4282a9481d318aec92b4fe19b3189fa01a69a9b011a
SHA512 afc5a2cb6b3e87981f92edd380832119526f4aee01d46daadffe094ccc21317bed053638c033dd1861e90e41cc5dad178201b1e79ce4fd087659cde396205225

/storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db

MD5 731fba9d21f23915576ea5dc2ea3ffb8
SHA1 d1fdbc209db8b71d1b4e5341e75b8cc88647146a
SHA256 87510194f38897a04cd1f80bd6fffc3344fa8ef21baa61de020a2e790a7268ab
SHA512 b643177cf3a30543342d3a521a2dcfce70df4ec450b040e2b61d8692bbed4b3cde2f9f304cbf496869b89455e3cc6a501e8ff720edbdf0f6898e6a5f31fec25d

/storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db-wal

MD5 25bc3eb6fc349c19d637073dd7b1ffcb
SHA1 ed3b24f696b94c8bafefbd2e5c4a8c1f2646c300
SHA256 f192632e3c1f225c2e1d96625680ed13a5442861c5e702221c42f61ba4e210ec
SHA512 cac84b0ecd9d5fc5914f84525e85fd347b4911207167a00066d21ba70b733749cf6224a5ccdd2df0dbdba996321cc54768567485fd985fa7423ccc626f27303f

/data/data/com.yghys.doctor/files/.jglogs/.jg.ac

MD5 25228da03bce961c6a26c65c3b67d1e4
SHA1 91a013dd07e27dbdb408be0cedefb79659f2402a
SHA256 9e30a17ba8afecb3e3f0bbb0fe102356bca9d9ebdb68ed026c9aa9a99f3588be
SHA512 6e6c34b71c38df4446d67b7a78a88a4fcb4be0ba5134c440815ece90fdbd6ad6af9326a0f2ce9250b1db504bf4c5e4f713b201b997f3bdf8d74d9451d8935f35

/data/data/com.yghys.doctor/files/a/b/journal

MD5 71f6d92ab0c026c080b146fd16205b3e
SHA1 860ef123417c3005d31e8ec22e7e3ec70e07e132
SHA256 a8eb1409fac1aa8351b7b137f30d664099b47db7318f65cec4c9793bdedbc304
SHA512 5685625ceda7a46a35859bcc863fea11687d586dd197dd70cfacafbc9f898a2d50822056ca40e43f8a4063e028f8ea2a6455fb62bd9d3d834bff06c81ff5f3d4

/data/data/com.yghys.doctor/files/a/b/302ba74a656c04e34a61632854136ab2.0.tmp

MD5 f61b010134c90d8e98f43113de4e2905
SHA1 412836948526497ee0720586644b775b1e76c590
SHA256 4b3589abde03155ee128fe212225a8ca29caf2078997d1176d47d8ad5d3093c5
SHA512 a052ddb40da3b9e49c111dd8e6c01e33a40b7b00f44893dbd227f05fe34074fb3180ca7117fafaff1c8aa0a36f32aabb862b6553f0b9de60682da82af91d0df0

/data/data/com.yghys.doctor/files/a/b/journal

MD5 a31fa9a297e892a3cc42f29907d78dd4
SHA1 748071d2117fbbe331810c89823211c099a981de
SHA256 67866ae64faa6c1696fc4710a8771d6ded9acce66f2f32292495a8d7ba192a73
SHA512 2feea36281e462ee7609acb59499819ea339d0b050391e7b6563b14b516b3f9e66d0171da87c106db761d5f7c4b1d3ca4e0df61979a550ffb9f694e174118d99

/data/data/com.yghys.doctor/files/a/b/5ad6cdbb45b4a14283563bba26a5e0b7.0.tmp

MD5 59f8d3561572d950886482bf834128cf
SHA1 f92e3ba1297d5b78eeff0e7fbfadb96ea166814f
SHA256 8affe5879b68d61a3b5606adfab4d7bb15e87f55c71099ee56c6a824125ba682
SHA512 41bd3624e362248dfbdbb20b7d95b69c0323d3d53f94fbae925ac926c2f0ba4e800dc7b7bf3068c1b863c6f5367952ebbeeb53d15197551064864b6199cf8802

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 23:56

Reported

2024-06-12 23:59

Platform

android-x64-20240611.1-en

Max time kernel

8s

Max time network

135s

Command Line

com.yghys.doctor

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.yghys.doctor/[email protected] N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.yghys.doctor

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.200.46:443 tcp
GB 216.58.212.238:443 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/com.yghys.doctor/.jiagu/libjiagu.so

MD5 7e7125a1193cfa8a696c1b8a6d2a103e
SHA1 af193df6127a47f455ebb7d5b792d2e982f4e004
SHA256 707cbb7d210699b111f050a382224f04ba2dbf72ecb4ee8f420d5759b6a23681
SHA512 91a62f00c2a9dc3c28348ef512ca56ab44d999e11dd806d565109159e79f25833c9141023ad639c7f5132acb8038ca0d7cc049ca2118534570d3ef1b36798b03

/data/data/com.yghys.doctor/.jiagu/classes.dex

MD5 8fa88efa13f592e38a4904c4fb3248c3
SHA1 a10b7a7b0fe18450bf8217a7cbe256762ef1be75
SHA256 d114c5dd531cbbdcef50763c51bdd3c9f972ccaea9b89d409f27cafad6b836d4
SHA512 2ae90c4d007c2d6427a7b81d2e728c6386504ce9a9882a54d8b31f27dca290fb84a1da5d88c201c06a3d439f9a7fe8dd79b1e1dfe7ea6e2c87718d8c1b1cee58

/data/user/0/com.yghys.doctor/[email protected]

MD5 5ce8c72a6acb4dea0b907f31c71f1638
SHA1 c32fd2d1f50b23e2504fbefd282e255ef7694dca
SHA256 3d0d1b7969ea11bf1cb8edd2fcf315556a3fd989cb09f5d31c5f4c755b2a404b
SHA512 d84494057ae4f337aab1f315e84e1e4bbf5cfd6cf3585f19b12151c3181d71bdd12c4866abc5ff9172b00de6497ca4a55268bf54f9ac90fef05c96b42a892c3f

/data/data/com.yghys.doctor/files/.jglogs/.jg.ri

MD5 3d8f52ea7a7e075d0869aea3fcfe0006
SHA1 7fd7788c189bdaf58c9e9dea06f4c8e61954029a
SHA256 2be34e39f6d67977b19d018c54d31753fe940c667c5d9936ad2fc82a9d9cc54e
SHA512 dd4d1da28dd12a89850ba96d8e155e6922c07995cf8aa7bb00e189e94fd24b23007412418fdacb219863d2a4cc8303f6e89663075483055973d488ca094ba817

/data/data/com.yghys.doctor/files/.jiagu.lock

MD5 866640d6904c9f92644669d44d990541
SHA1 2701acd8b091541efa1450f72de11111ddac2b97
SHA256 b69c77eead2179ac94200bbd2f9a0ccc97683dd0ada5a01b2aa1989b0a46262b
SHA512 ce6b2139ba275daa3a1798a8f935f2345504c84ffb58a369fa0c9de4454e9ff211db4b94821046c0e7fcae2c18569425f190fb0820e71d670f778930b870bd17

/data/data/com.yghys.doctor/files/.jglogs/.jg.ac

MD5 38d891dbe6cb77063cf764f287e6de32
SHA1 ac7f548f7020ca02072130358c2621a686eaec8d
SHA256 b471d7092c334e8d5153da23e3cc0bc57a7c68dd20426f074a367aaad20964ee
SHA512 b95de7a26daa85f13ea8915dc277619bf81653e2b391fb79ce311e8eaa8ad0e935259fabc9b237bea30042e63b5797ac4576307aa0ad8052b7a02dab2f5815ce

/data/data/com.yghys.doctor/files/.jglogs/.jg.ic

MD5 cf0fa17aaf0a8a682fc32aed1b0460e0
SHA1 f4f9ef86a604ebc591ff5af85ca6d90a75158f9d
SHA256 1d2f6053688f4164291a24c45b4a7076db22a4020ad7f726767f606bf00a5ae7
SHA512 c15e55d8472bef6572be38001fe167c02676aa0347e29c22483086c51f39376c8442b94b1f9b814340316e5bedf60ca82b5c3ef7d9b9a3e66dfd4986a43b2f88

/data/data/com.yghys.doctor/files/.jglogs/.jg.di

MD5 94f4b4dfd108dbcd64a4855eeefb18b3
SHA1 ece001b995fb877bc0e481453247ca013031cb3b
SHA256 d6b1f198f2b85a4b8afc92086992b2f87e75af253ecdbe40ab5cfeb2bca04e5b
SHA512 dd261a2b2f30c84d23a7cfb051c9c4c16a3c3de501cc910fa4d975d1b3f897c5485cebad59523766552b32694e2278f2b9f892114dd0967abb463ac6a9e40fce

/storage/emulated/0/360/.iddata

MD5 175990baa143138d5cb4a712e172c3f3
SHA1 fac3640580ef9443529023878fa50795431b5ab1
SHA256 598adf3b09f46774a6cd40b947903d2aa2544a8948b3ffdf188117f7dd9b802e
SHA512 5611281fb2a9d0a9cd1287108b032bb33eb06817e2f6d86edbf34ff9df8f3993429dc15685090e70fc95b7730d66b66073c84af14d2517b3c672a40184bbd8f2

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399
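
Both behavioural runs record files under the same paths, and several paths appear more than once within a run with different digests. Differencing the two Files tables separates the packer's fixed stub from per-run and per-device artifacts. The script below is an added example, not part of the report; its input is reduced from the Files tables of behavioral1 and behavioral2 above to the path and SHA256 line of a few records (the parser accepts the MD5/SHA1/SHA512 lines as well, they are simply omitted here).

```python
import re

# Records reduced from the behavioral1 Files table above: path line, then its SHA256 line.
BEHAVIORAL1_FILES = """
/data/data/com.yghys.doctor/.jiagu/libjiagu.so
SHA256 707cbb7d210699b111f050a382224f04ba2dbf72ecb4ee8f420d5759b6a23681
/data/data/com.yghys.doctor/.jiagu/classes.dex
SHA256 d114c5dd531cbbdcef50763c51bdd3c9f972ccaea9b89d409f27cafad6b836d4
/data/data/com.yghys.doctor/.jiagu/classes.dex
SHA256 3d0d1b7969ea11bf1cb8edd2fcf315556a3fd989cb09f5d31c5f4c755b2a404b
/data/data/com.yghys.doctor/.jiagu/tmp.dex
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
/data/data/com.yghys.doctor/files/.jglogs/.jg.ri
SHA256 dfe6e5dc33d0c9052eee7d05633c78b8e798404f994e949adfc1bf9b9430b5a3
/storage/emulated/0/360/.deviceId
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
/data/data/com.yghys.doctor/databases/logdb.db
SHA256 0d8f1987d41b042ee7aa1ae97d1950a40884ff4ed620fd02371017160e50eaf5
/data/data/com.yghys.doctor/databases/logdb.db
SHA256 a555ac6ce81ba7ce41d5f83177848bf15fac43ac0ae4d0d24c554e259eb5499f
"""

# Records reduced from the behavioral2 Files table above.
BEHAVIORAL2_FILES = """
/data/data/com.yghys.doctor/.jiagu/libjiagu.so
SHA256 707cbb7d210699b111f050a382224f04ba2dbf72ecb4ee8f420d5759b6a23681
/data/data/com.yghys.doctor/.jiagu/classes.dex
SHA256 d114c5dd531cbbdcef50763c51bdd3c9f972ccaea9b89d409f27cafad6b836d4
/data/data/com.yghys.doctor/files/.jglogs/.jg.ri
SHA256 2be34e39f6d67977b19d018c54d31753fe940c667c5d9936ad2fc82a9d9cc54e
/storage/emulated/0/360/.deviceId
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_files(table: str) -> dict:
    """path -> SHA256 digests in the order the sandbox recorded them (a path repeats when rewritten)."""
    records = {}
    current = None
    for raw in table.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            current = line
            records.setdefault(current, [])
        elif m.group(1) == "SHA256":
            if current is None:
                raise ValueError("hash line before any path: %r" % line)
            records[current].append(m.group(2))
    return records


def compare_runs(table_a: str, table_b: str) -> dict:
    """Diff two runs: rewritten paths, paths sharing a digest across runs, paths that differ, one-sided paths."""
    a, b = parse_files(table_a), parse_files(table_b)
    out = {
        "rewritten_in_a": {p: d for p, d in a.items() if len(set(d)) > 1},
        "rewritten_in_b": {p: d for p, d in b.items() if len(set(d)) > 1},
        "shared_digest": [], "differ_across_runs": [], "only_in_a": [], "only_in_b": [],
    }
    for path in sorted(a.keys() | b.keys()):
        if path in a and path in b:
            bucket = "shared_digest" if set(a[path]) & set(b[path]) else "differ_across_runs"
        else:
            bucket = "only_in_a" if path in a else "only_in_b"
        out[bucket].append(path)
    # Same content under a different name is as telling as the same name with different content.
    by_digest = {}
    for run, recs in (("behavioral1", a), ("behavioral2", b)):
        for path, digests in recs.items():
            for d in digests:
                by_digest.setdefault(d, set()).add((run, path))
    out["digest_reuse"] = {d: sorted(v) for d, v in by_digest.items() if len(v) > 1}
    return out


if __name__ == "__main__":
    for key, value in compare_runs(BEHAVIORAL1_FILES, BEHAVIORAL2_FILES).items():
        print(key, value)
```

On this data libjiagu.so and the first classes.dex (707c… and d114…) are byte-identical in both runs, which is the behaviour expected of a packer stub, while .jg.ri and /storage/emulated/0/360/.deviceId differ per run because they hold per-device identifiers. The second classes.dex digest (3d0d…) and tmp.dex are recorded only in behavioral1 here; behavioral2's Files table does list the same 3d0d… digest under /data/user/0/com.yghys.doctor/ (its file name is not legible in the table above), and with that record included the digest_reuse index is what ties the two paths together.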