Malware Analysis Report

2024-09-09 17:17

Sample ID 240613-3kf5ssyhmp
Target a7200c9973ac128c05d02743b1b746c9_JaffaCakes118
SHA256 795ba55fbbb2f656e20bba8def0822a9279c4704d4ec9075cc15f87fd1cd5a3f
Tags: discovery, persistence
Score: 6/10

Analysis Overview

Score: 6/10

SHA256: 795ba55fbbb2f656e20bba8def0822a9279c4704d4ec9075cc15f87fd1cd5a3f

Threat Level: Shows suspicious behavior

The file a7200c9973ac128c05d02743b1b746c9_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 23:34

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 23:34
Reported: 2024-06-13 23:37
Platform: android-x86-arm-20240611.1-en
Max time kernel: 150s
Max time network: 174s

Command Line

com.lzapkol

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

Tag: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.lzapkol

Network


Files

/data/data/com.lzapkol/files/f627596d/rawso
/data/data/com.lzapkol/files/f627596d/armeabi/libtea15.so
/data/data/com.lzapkol/files/f627596d/armeabi/libtea16.so
/data/data/com.lzapkol/files/f627596d/armeabi/libtea18.so
/data/data/com.lzapkol/files/f627596d/armeabi/libtea19.so
/data/data/com.lzapkol/files/f627596d/armeabi/libtea9.so
/data/data/com.lzapkol/files/f627596d/armeabi/libteanb.so
/data/data/com.lzapkol/files/f627596d/arm64-v8a/libteanb.so
/data/data/com.lzapkol/files/f627596d/armeabi/libtea_codecs.so
/data/data/com.lzapkol/files/f627596d/arm64-v8a/libtea_codecs.so
/data/data/com.lzapkol/files/sbf_version
/storage/emulated/0/Android/data/com.lzapkol/cache/uil-images/journal.tmp
/data/data/com.lzapkol/databases/mzmonitor-journal
/data/data/com.lzapkol/databases/mzmonitor
/data/data/com.lzapkol/databases/mzmonitor-shm
/data/data/com.lzapkol/databases/mzmonitor-wal
/data/data/com.lzapkol/files/databases/sohutv.db-journal
/data/data/com.lzapkol/files/databases/sohutv.db
/data/data/com.lzapkol/files/databases/sohutv.db-wal
/data/data/com.lzapkol/databases/cinema.db-journal
/data/data/com.lzapkol/databases/cinema.db-wal
/data/data/com.lzapkol/files/umeng_it.cache
/storage/emulated/0/data/.push_deviceid
/data/data/com.lzapkol/files/jpush_stat_cache_history.json
/data/data/com.lzapkol/databases/rep.db-journal
/data/data/com.lzapkol/databases/rep.db-wal
/data/data/com.lzapkol/files/mobclick_agent_sealed_com.lzapkol