Malware Analysis Report

2024-09-09 17:10

Sample ID: 240613-3rmk6awcjd
Target: a7290f583b7ad5a960f1da6e5d02796d_JaffaCakes118
SHA256: baa630bc3288cb1146c12af9e6016831f73570017ca6fe586810f22ae972f8c6
Tags: banker, discovery, evasion, persistence
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: baa630bc3288cb1146c12af9e6016831f73570017ca6fe586810f22ae972f8c6

Threat Level: Likely malicious

The file a7290f583b7ad5a960f1da6e5d02796d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, discovery, evasion, persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries information about active data network

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Acquires the wake lock

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 23:44

Signatures

Requests dangerous framework permissions

Indicator / Description (Process and Target: N/A for all entries)

android.permission.WRITE_EXTERNAL_STORAGE
  Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE
  Allows an application to read from external storage.
android.permission.READ_PHONE_STATE
  Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.REQUEST_INSTALL_PACKAGES
  Allows an application to request installing packages.
android.permission.ACCESS_FINE_LOCATION
  Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION
  Allows an app to access approximate location.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 23:44
Reported: 2024-06-13 23:48
Platform: android-x86-arm-20240611.1-en
Max time kernel: 174s
Max time network: 184s

Command Line

com.shwoww.bbfafa.jfrhy

Signatures

Checks if the Android device is rooted.

Tags: evasion
Indicators (Description, Process and Target: N/A):
  /system/app/Superuser.apk
  /system/xbin/su

Loads dropped Dex/Jar

Tags: evasion
Indicators (Description, Process and Target: N/A):
  /data/data/com.shwoww.bbfafa.jfrhy/.jiagu/classes.dex
  /data/data/com.shwoww.bbfafa.jfrhy/.jiagu/tmp.dex
  /data/data/com.shwoww.bbfafa.jfrhy/.jiagu/tmp.dex
  /data/data/com.shwoww.bbfafa.jfrhy/.jiagu/tmp.dex
  /data/user/0/com.shwoww.bbfafa.jfrhy/files/adbase.jar
  /data/user/0/com.shwoww.bbfafa.jfrhy/files/adbase.jar
  /data/user/0/com.shwoww.bbfafa.jfrhy/files/extend.jar
  /data/user/0/com.shwoww.bbfafa.jfrhy/files/extend.jar

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about running processes on the device

Tags: discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses (Process and Target: N/A)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (Process and Target: N/A)

Queries information about active data network

Tags: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process and Target: N/A)

Queries information about the current Wi-Fi connection

Tags: discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (Process and Target: N/A)

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process and Target: N/A)

Checks the presence of a debugger

Tags: evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver (Process and Target: N/A)

Checks CPU information

File opened for read: /proc/cpuinfo (Process and Target: N/A)

Checks memory information

File opened for read: /proc/meminfo (Process and Target: N/A)

Processes

com.shwoww.bbfafa.jfrhy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.shwoww.bbfafa.jfrhy/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.shwoww.bbfafa.jfrhy/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shwoww.bbfafa.jfrhy/files/adbase.jar --output-vdex-fd=52 --oat-fd=53 --oat-location=/data/user/0/com.shwoww.bbfafa.jfrhy/files/oat/x86/adbase.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shwoww.bbfafa.jfrhy/files/extend.jar --output-vdex-fd=52 --oat-fd=49 --oat-location=/data/user/0/com.shwoww.bbfafa.jfrhy/files/oat/x86/extend.odex --compiler-filter=quicken --class-loader-context=&

cat /sys/class/net/wlan0/address

sh -c ps -ef

ps -ef

Network

Country  Destination           Domain                               Proto
N/A      224.0.0.251:5353      -                                    udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com   udp
US       1.1.1.1:53            api.bwan001.com                      udp
US       1.1.1.1:53            api.windmillplay.com                 udp
GB       216.58.212.238:443    -                                    tcp
US       1.1.1.1:53            android.apis.google.com              udp
US       1.1.1.1:53            www.speedtest.net                    udp
US       104.17.148.22:443     www.speedtest.net                    tcp
US       1.1.1.1:53            riley.as48070.net                    udp
GB       94.126.239.4:8080     riley.as48070.net                    tcp
US       1.1.1.1:53            api.windmilljoy.com                  udp
US       156.224.173.101:80    api.windmilljoy.com                  tcp
US       1.1.1.1:53            ebjvu.cn                             udp
CN       112.65.70.244:80      ebjvu.cn                             tcp
US       1.1.1.1:53            api.iclknet.com                      udp
US       38.162.69.61:80       api.iclknet.com                      tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 23:44
Reported: 2024-06-13 23:48
Platform: android-x64-20240611.1-en
Max time kernel: 3s
Max time network: 146s

Command Line

com.shwoww.bbfafa.jfrhy

Signatures

N/A

Processes

com.shwoww.bbfafa.jfrhy

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.204.72:443     ssl.google-analytics.com  tcp
GB       142.250.178.10:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       172.217.16.238:443    android.apis.google.com   tcp
GB       142.250.179.228:443   -                         tcp
GB       142.250.179.228:443   -                         tcp
GB       216.58.213.14:443     -                         tcp
GB       142.250.178.14:443    -                         tcp
GB       216.58.201.98:443     -                         tcp

Files

/data/data/com.shwoww.bbfafa.jfrhy/.jiagu/libjiagu.so

MD5 39d77dcad8e2a44dd7226f442b3a6c92
SHA1 6560fa96c6b5a038abaeee5f139a16e46088d9d7
SHA256 99cba035cae818dbdef989e70e738463798528b8ca52dbf38d2b8a72152680c0
SHA512 7ddfc6c05839160813e58e8f8c50d2dcda7e7b5e7f1d27cffb802ee91de4bb664bc5c257137d39152ed6e8cad0d3c1b067bf8aeb7e53f884893887b54480a5e5

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-13 23:44
Reported: 2024-06-13 23:48
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 2s
Max time network: 131s

Command Line

com.shwoww.bbfafa.jfrhy

Signatures

N/A

Processes

com.shwoww.bbfafa.jfrhy

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
GB       142.250.178.10:443    -                         tcp
GB       142.250.178.10:443    -                         tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.204.72:443     ssl.google-analytics.com  tcp
GB       172.217.16.238:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.179.238:443   android.apis.google.com   tcp
GB       216.58.201.100:443    -                         tcp
GB       216.58.201.100:443    -                         tcp

Files

/data/user/0/com.shwoww.bbfafa.jfrhy/.jiagu/libjiagu.so

MD5 39d77dcad8e2a44dd7226f442b3a6c92
SHA1 6560fa96c6b5a038abaeee5f139a16e46088d9d7
SHA256 99cba035cae818dbdef989e70e738463798528b8ca52dbf38d2b8a72152680c0
SHA512 7ddfc6c05839160813e58e8f8c50d2dcda7e7b5e7f1d27cffb802ee91de4bb664bc5c257137d39152ed6e8cad0d3c1b067bf8aeb7e53f884893887b54480a5e5