Malware Analysis Report

2024-10-19 11:54

Sample ID 240612-n1j43axcrr
Target a0924f16aa348c15014966f35a23b590_JaffaCakes118
SHA256 455d9bc8b8a3dd753dddc6afe3e1d43b9a70232d469259c15da35282f9a7c3d6
Tags: banker collection discovery evasion impact persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file a0924f16aa348c15014966f35a23b590_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported: 2024-06-12 11:51

Signatures

Requests dangerous framework permissions

Indicator: Description (Process and Target were N/A for every row)
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 11:51
Reported: 2024-06-12 11:54
Platform: android-x86-arm-20240611.1-en
Max time kernel: 175s
Max time network: 181s

Command Line

cn.yiqi.photo

Signatures

Checks if the Android device is rooted.
Tags: evasion
Indicators:
/system/xbin/su
/system/bin/su

Loads dropped Dex/Jar
Tags: evasion
Indicators:
/data/user/0/cn.yiqi.photo/.jiagu/classes.dex
/data/user/0/cn.yiqi.photo/.jiagu/classes.dex!classes2.dex
/data/data/cn.yiqi.photo/.jiagu/tmp.dex

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries information about running processes on the device
Tags: discovery
Indicator: Framework service call android.app.IActivityManager.getRunningAppProcesses

Queries information about the current nearby Wi-Fi networks
Tags: discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getScanResults

Requests cell location
Tags: collection discovery evasion
Indicator: Framework service call com.android.internal.telephony.ITelephony.getCellLocation

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Indicators:
s.appjiagu.com
b.appjiagu.com

Queries information about active data network
Tags: discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator.
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Indicator: Framework API call javax.crypto.Cipher.doFinal

Checks CPU information
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Indicator: File opened for read /proc/meminfo

Processes

cn.yiqi.photo

chmod 755 /data/user/0/cn.yiqi.photo/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/cn.yiqi.photo/.jiagu/tmp.dex --output-vdex-fd=44 --oat-fd=46 --oat-location=/data/data/cn.yiqi.photo/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

sh -c ps

ps

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 11:51
Reported: 2024-06-12 11:52
Platform: android-33-x64-arm64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A