Malware Analysis Report

2024-09-09 13:19

Sample ID 240613-chldma1ajf
Target a37b4ad34f51957f3ecd532ab535e3ea_JaffaCakes118
SHA256 3d9db4de30932cb36bbc631f70ed516d93c90e51d481bd48b94bdfb83f8a66ec
Tags
collection discovery evasion execution impact persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

3d9db4de30932cb36bbc631f70ed516d93c90e51d481bd48b94bdfb83f8a66ec

Threat Level: Likely malicious

The file a37b4ad34f51957f3ecd532ab535e3ea_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion execution impact persistence

Checks if the Android device is rooted.

Reads the content of the SMS messages.

Queries information about the current nearby Wi-Fi networks

Queries information about running processes on the device

Checks Android system properties for emulator presence.

Checks Qemu related system properties.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests changing the default SMS application.

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Listens for changes in the sensor environment (might be used to detect emulation)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:04

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:04

Reported

2024-06-13 02:07

Platform

android-x86-arm-20240611.1-en

Max time kernel

169s

Max time network

183s

Command Line

com.mida.messagehelper

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A
Accessed system property key: ro.product.name N/A N/A
Accessed system property key: ro.serialno N/A N/A
Accessed system property key: ro.bootloader N/A N/A
Accessed system property key: ro.bootmode N/A N/A
Accessed system property key: ro.hardware N/A N/A
Accessed system property key: ro.product.device N/A N/A

Checks Qemu related system properties.

evasion
Description Indicator Process Target
Accessed system property key: ro.kernel.qemu N/A N/A
Accessed system property key: init.svc.qemud N/A N/A
Accessed system property key: init.svc.qemu-props N/A N/A
Accessed system property key: qemu.hw.mainkeys N/A N/A
Accessed system property key: qemu.sf.fake_camera N/A N/A
Accessed system property key: ro.kernel.android.qemud N/A N/A
Accessed system property key: ro.kernel.qemu.gles N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.mida.messagehelper/.jiagu/classes.dex N/A N/A
N/A /data/data/com.mida.messagehelper/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.mida.messagehelper/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.mida.messagehelper/.jiagu/classes.dex N/A N/A
N/A /data/data/com.mida.messagehelper/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.mida.messagehelper/.jiagu/tmp.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Reads the content of the SMS messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/ N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A
N/A b.appjiagu.com N/A N/A

Note: appjiagu.com is the service domain of the 360 Jiagu (Qihoo 360) commercial APK packer, which is consistent with the .jiagu/ directory, libjiagu.so and /storage/emulated/0/360/ paths in the Files section and with the dex2oat compile of the dropped classes.dex under Processes. The packer is used by benign and malicious apps alike, so this hit establishes that the sample is packed, not that it is stalkerware on its own; the SMS collection, the request to become the default SMS application and the root/emulator checks are the findings to weigh.

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mida.messagehelper

chmod 755 /data/data/com.mida.messagehelper/.jiagu/libjiagu.so

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

com.mida.messagehelper:channel

sh -c ps

ps

ps daemonsu

ps | grep su

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.mida.messagehelper/.jiagu/classes.dex --oat-file=/data/data/com.mida.messagehelper/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed
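The packer writes the real application code to .jiagu/classes.dex and .jiagu/tmp.dex at runtime and then hands classes.dex to dex2oat (see the command line above). When those files are pulled from the sandbox or a device, the first question is whether the dump is a complete, unmodified DEX or a truncated or in-memory patched one. The DEX header carries its own integrity fields (an Adler-32 checksum over everything after the checksum field and a SHA-1 signature over everything after the signature field), so this can be checked offline. The following Python is an added example written for this report, not sandbox or packer code; it parses the header fields defined in the AOSP DEX format and recomputes both digests. The header-only sample it builds is constructed for the test and is not one of the files listed below.

```python
import hashlib
import struct
import zlib

# DEX header layout (little-endian), from the AOSP dex format specification:
#   magic[8] | checksum u32 | signature[20] | file_size | header_size |
#   endian_tag | 17 further u32 section sizes/offsets            = 0x70 bytes
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
KNOWN_VERSIONS = {b"035", b"037", b"038", b"039", b"040"}  # versions defined in AOSP libdexfile


def parse_dex_header(blob: bytes) -> dict:
    """Pull the integrity-relevant fields out of a DEX header."""
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError(f"only {len(blob)} bytes, a DEX header needs {DEX_HEADER_SIZE}")
    magic = blob[0:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError(f"not a DEX file, magic={magic!r}")
    checksum, = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<3I", blob, 32)
    return {
        "version": magic[4:7],
        "checksum": checksum,
        "signature": signature,
        "file_size": file_size,
        "header_size": header_size,
        "endian_tag": endian_tag,
    }


def verify_dex(blob: bytes) -> list:
    """Return a list of integrity problems; an empty list means the dump is intact."""
    hdr = parse_dex_header(blob)
    problems = []
    if hdr["version"] not in KNOWN_VERSIONS:
        problems.append(f"unknown dex version {hdr['version']!r}")
    if hdr["header_size"] != DEX_HEADER_SIZE:
        problems.append(f"header_size {hdr['header_size']:#x} != {DEX_HEADER_SIZE:#x}")
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append(f"endian_tag {hdr['endian_tag']:#x} != {ENDIAN_CONSTANT:#x}")
    if hdr["file_size"] != len(blob):
        problems.append(f"file_size {hdr['file_size']} != actual {len(blob)} (truncated or padded dump)")
    # The checksum covers every byte after the checksum field itself.
    adler = zlib.adler32(blob[12:]) & 0xFFFFFFFF
    if adler != hdr["checksum"]:
        problems.append(f"adler32 checksum mismatch: header {hdr['checksum']:#010x}, computed {adler:#010x}")
    # The signature covers every byte after the signature field itself.
    sha1 = hashlib.sha1(blob[32:]).digest()
    if sha1 != hdr["signature"]:
        problems.append("sha1 signature mismatch (content modified after the header was written)")
    return problems


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed test input: a header-only DEX with every section empty and a
    correct checksum/signature. Not one of the files from the report."""
    body = struct.pack("<3I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    body += b"\x00" * (DEX_HEADER_SIZE - 32 - len(body))
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + body


def check_file(path: str) -> list:
    """Verify a DEX pulled from the device, e.g. an adb pull of .jiagu/classes.dex."""
    with open(path, "rb") as fh:
        return verify_dex(fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        problems = check_file(p)
        print(p, "OK" if not problems else "; ".join(problems))
```

Run it as `python3 dexcheck.py classes.dex tmp.dex`. A clean result means the file can be fed to a decompiler as-is; a checksum or signature mismatch with a matching file_size usually means the packer patched the loaded DEX in memory before the sandbox captured it, and a file_size mismatch means the capture is incomplete.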

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 umengacs.m.taobao.com udp
US 1.1.1.1:53 amdcopen.m.taobao.com udp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
US 1.1.1.1:53 api.midainc.com udp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 223.109.148.179:443 ulogs.umeng.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
CN 36.156.202.75:443 plbslog.umeng.com tcp
CN 61.160.192.102:80 api.midainc.com tcp
US 1.1.1.1:53 umengacs.m.taobao.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
CN 36.143.252.48:443 umengjmacs.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 223.109.148.176:443 ulogs.umeng.com tcp
CN 36.156.202.75:443 plbslog.umeng.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 106.11.61.135:80 tcp
CN 106.11.61.135:80 tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 106.11.61.135:80 tcp
CN 106.11.61.137:80 tcp
CN 106.63.25.33:80 b.appjiagu.com tcp
CN 36.143.252.48:80 umengjmacs.m.taobao.com tcp
CN 223.109.148.177:443 ulogs.umeng.com tcp
CN 223.109.148.178:443 ulogs.umeng.com tcp
CN 36.143.252.48:443 umengjmacs.m.taobao.com tcp
CN 223.109.148.141:443 ulogs.umeng.com tcp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
CN 223.109.148.130:443 ulogs.umeng.com tcp
US 1.1.1.1:53 amdcopen.m.taobao.com udp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 36.143.252.48:443 umengjmacs.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
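The table above mixes sandbox resolver traffic (1.1.1.1:53), mDNS, Android platform calls and the sample's own sessions, and it repeats the same endpoint many times. The Python below is an added triage helper written for this report, not sandbox output; it parses rows in the table's own format, separates DNS lookups from real sessions, reports names that were resolved but never contacted and sessions that carry no name at all, and labels contacted domains from an analyst-maintained table. The embedded rows are copied from the behavioral1 table; the noise sets and the attribution labels (360 Jiagu packer, Umeng analytics, Alibaba ACCS push) are the assumptions the example relies on, not statements from the report.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral1 Network table of this report (a subset;
# the full table repeats the same endpoints many times).
REPORT_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 umengacs.m.taobao.com udp
US 1.1.1.1:53 amdcopen.m.taobao.com udp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
US 1.1.1.1:53 api.midainc.com udp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 223.109.148.179:443 ulogs.umeng.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
CN 61.160.192.102:80 api.midainc.com tcp
US 1.1.1.1:53 umengacs.m.taobao.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 106.11.61.135:80 tcp
CN 106.63.25.33:80 b.appjiagu.com tcp
"""

# Sandbox resolver and mDNS: present in every detonation, never an IOC (assumption).
SANDBOX_NOISE = {"1.1.1.1:53", "224.0.0.251:5353"}
# Android platform traffic that the behavioral2 run also shows (assumption).
PLATFORM_DOMAINS = {"android.apis.google.com", "ssl.google-analytics.com"}
# Analyst-maintained attribution table; the labels are assumptions, not report content.
KNOWN_INFRA = {
    "appjiagu.com": "360 Jiagu packer (matches the .jiagu/libjiagu.so drop)",
    "umeng.com": "Umeng analytics SDK",
    "m.taobao.com": "Umeng/Alibaba ACCS push channel",
}

# country  ip:port  [domain]  proto  -- the domain column is empty for some sessions
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<dst>\S+:\d+)(?:\s+(?P<domain>[^\s:]+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def attribute(domain: str) -> str:
    for suffix, label in KNOWN_INFRA.items():
        if domain == suffix or domain.endswith("." + suffix):
            return label
    return "unattributed: candidate C2 or first-party backend"


def triage(text: str) -> dict:
    resolved, connections, bare_ips = set(), defaultdict(set), set()
    for r in parse_rows(text):
        if r["dst"] in SANDBOX_NOISE:
            if r["domain"]:            # DNS query row: remember what was looked up
                resolved.add(r["domain"])
            continue
        if r["domain"] in PLATFORM_DOMAINS:
            continue
        if r["domain"]:
            connections[r["domain"]].add((r["dst"], r["proto"]))
        else:                          # session with no name attached: pivot via passive DNS
            bare_ips.add(r["dst"])
    contacted = set(connections)
    return {
        "connections": dict(connections),
        "resolved_only": resolved - contacted - PLATFORM_DOMAINS,
        "bare_ips": bare_ips,
        "attribution": {d: attribute(d) for d in sorted(contacted)},
    }


if __name__ == "__main__":
    result = triage(REPORT_ROWS)
    for domain, label in result["attribution"].items():
        print(f"{domain:28} {label}")
    print("resolved but never contacted:", sorted(result["resolved_only"]))
    print("sessions without a name:", sorted(result["bare_ips"]))
```

On these rows the only contacted domain that the attribution table does not explain is api.midainc.com, which by its name lines up with the com.mida.messagehelper package and is the endpoint to watch for exfiltration of the SMS store; umengacs.m.taobao.com is looked up but never connected to, and the two unnamed sessions (216.58.212.238:443 and 106.11.61.135:80) are the ones that need a passive-DNS pivot before they go on a blocklist.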

Files

/data/data/com.mida.messagehelper/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.mida.messagehelper/.jiagu/classes.dex

MD5 a48506bd2578830c5df386e74aea63f4
SHA1 648910706f768e0cef01feeb805e4579c996eda5
SHA256 56cb5bcc778f899d96aa6ce005615e17f94a79d05998bd11ae70f64aaa457e79
SHA512 9be724646a8504ee031b8836e6d29b43b9e75f70e5af6f4c9fe933eb05af3e19e4b3537a7986d828c4e223de833f567d4c336d8cb0ffe0576a3bb5f0e51fe7cd

/data/data/com.mida.messagehelper/.jiagu/classes.dex

MD5 40c3f0229a49ec43ebe166338a4832ce
SHA1 f873387967223971c406c5b85928bb3f87c973ec
SHA256 cec0c50334c9a527d2dc2e1ba010850beaf2e63eeb914c0c333e54ba21d07b8f
SHA512 bc6efc3e3d76305333f6ecac782f59967adb7e19e997179806c170bd9080c5c7186b5ffd2ccc2568e5c15748f8612125765f06c8b0feba4e6444ec65eb8655a8

/data/data/com.mida.messagehelper/.jiagu/tmp.dex

MD5 0fff15d3b34a8550f60a9a3badcbfc03
SHA1 9c22373a6ab2f0de6d76711a590471bb6a9933f7
SHA256 cbc16c371064ea26f46ff80bbc4377c8b9d79aebfea7d9bf6efc302c7e5b36ed
SHA512 e696649c331d5b6a7f4ab42be2e9e527ca0d23801bd526290459ec952a33eda2f6453faa486c25f5baf0cd251f4f7145aa26e36b227bc2fefd3ee05ce7a39507

/data/data/com.mida.messagehelper/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.mida.messagehelper/files/.jglogs/.jg.ri

MD5 803f73f3b3ba59814ee8ce50f63d4a9b
SHA1 9281b463c8bd6e20cd5fc8d00b93f43bef5a74cf
SHA256 e69634d8a9ec165c2b72370b3ccb68d2a547c2ba70e527abd5527fe37f5f83a6
SHA512 e8193b96b11e3009d03e3cb2e548926f41528bd5ef677f5140fbf360304e494591aab54eb83099e02ff78456c72bb8c8dbc3a5925ba025e32e09d6de7d8e1277

/data/data/com.mida.messagehelper/files/.jiagu.lock

MD5 001699482f1ae3962ba7f5aeeeb1f225
SHA1 318671308a7db17f029ab779528cb7a02f17fa7c
SHA256 8435ce23744fddbf624d187c149e284ece5c33b137de32f7c73e18c6bdd993fc
SHA512 05fb5bc022c2f9210e93a63615e54d845dd0fe22d90e29d9882a899a696ccdb3c7a28664b5095b7a6b30eead9a77af41b0efbc2f10a1b858799e70464a33f383

/data/data/com.mida.messagehelper/files/.jglogs/.jg.ac

MD5 86fd528d8acdb461fb5b5a2cb7d2df86
SHA1 d4d076ac787307a5f1478d94bc90802831f534a5
SHA256 6d4294e850e9a002e9207056923e5854a21c37d56de5a55c7f83db1b1e3f4bb2
SHA512 33caa48e196966e3ed95499b3acc683594b7519df2df43d2439c334ff90e68caf90c2f78dbceb55f6e67b46637633c262dd06d1972e8d28f5b2e4a6f3f73a109

/data/data/com.mida.messagehelper/files/.jglogs/.jg.ic

MD5 11eb329c688b45b26fd452236415c88e
SHA1 ec4291410b54e899d5e8688243ffb2d60996665f
SHA256 e16eb10ff95957c4cc483031fb95de85b49723882e9a56ae0b5c34e745311de8
SHA512 6fccf616d9c601005b178ee5d2e2350143b3755d4a6f3e0be99e2e1e189e09bbe07e8ef42908bdd7f5ece49d602ab8d87c49176fcf66c4312356575f4dcd1443

/data/data/com.mida.messagehelper/databases/MessageStore.db-journal

MD5 486e2bac2b3e9e1cb411d2838a4854bd
SHA1 81dd0a7537f4af319b830ae834908986be85da8b
SHA256 5644a250fa6cef16c2c802b98275656a5fc39dcf89bcc22193742d85c7313f57
SHA512 c146789563dae163e373489b3df53f22efebd32b69643992969241eb5ad5eec668de67e7cd2aaf5c3a8af57b0842115d00183825734f57643d3fdb09835fe681

/data/data/com.mida.messagehelper/databases/MessageStore.db

MD5 09f9201985f13ab6b9e18bcbe7650dc3
SHA1 1d2570f41f93d21bfef268b1c62e64c27b2fe5c1
SHA256 e3f28ffe91bd2df5797a031cdf2266d4c992c3d7288667955b44141cb9ab484d
SHA512 0ba9d113ef15dcb69f1a45fa00cb1d564d9f86aa5c52edfcc315b87cd4c6234ef0b3494c8e3bcb12ad5571d28b304847083dc5b5d4a116a53b3767ccaf6d684b

/data/data/com.mida.messagehelper/databases/MessageStore.db-shm

MD5 c1f0a01780112d24f4ec3feff91912ef
SHA1 269836c3cbe93cd11e1069d6c240a5452176a48e
SHA256 1648f3c68c98502b99bce7f46baa8d91f99865243bcc1058877d190524e00b49
SHA512 41ceb0e41d1ed935ff7200cefad1d13b83bc7a53f3c581d59023a9c7ea88aed3469bfab43674d12f4ef714dd6bec82dd40a7b8da01795ebe6f35b01287928e29

/data/data/com.mida.messagehelper/files/.jglogs/.jg.di

MD5 b97e8906857874d0f8a3eff49eee620c
SHA1 d4036d1790e8f960f098391802b49371b4f3b230
SHA256 a727ed51e9645e98e0374a9dc01a2d347b1d941e97d4388ab303ed72e63876d4
SHA512 eb48693994dd9438ae7b9cb8ad27494c2fab0d012c6bb9ce7098b9fac64a96a44f655387edca4449728fe10f73b8edede22abe87515c71a946f3a05f590e9c3f

/data/data/com.mida.messagehelper/databases/MessageStore.db-wal

MD5 56db6031344f1c1e9394e9737fbf6052
SHA1 db58051bfa9c641ea6831377938097dffd18a6db
SHA256 7660b92bd4ba5bfcb3f5e32e79eef2d5f85347c00c1bb5abe48e970d9cd3fd1a
SHA512 5660393609744738ea1cde44035740ae0b4adbdb7ca7028f35933f7e8481620a32c0836826907ac043cc313ef615b948e5d089282d76b2cf6aa90147ef91ac9f

/storage/emulated/0/360/.iddata

MD5 87c79e5628af05167e8db387a6ae93e1
SHA1 5b8e3ef8d360f1f13db9aa19f30450298fd8e2ae
SHA256 9a1731820080d24981829f86c8da616bf2bc3b564e9000bd47b515494fd623fd
SHA512 254e5c9b9881777d7632ff5a13e17dd436d06e320ea797b9a53c0140a47752211fbd84d5e152fb7a091271443a175c8019120667ff20f61351730210ddeac42a

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.mida.messagehelper/databases/MsgLogStore.db-journal

MD5 5d3a56202883d7bdcc98227380f54582
SHA1 424ca4e0459005a76f00d02374345b421a435eb1
SHA256 9a74080aa4dc857356f89711453650818f2079e3ec5e5a2e9173effedd7888b8
SHA512 491c9f190d4eda4cafb2eadc9dd67d37562f7ff16cb2d0f39406c0664540f5004145a945e5589fde580649b85babe92e42b061f5f258873a0bb9a8d6ff6457ee

/data/data/com.mida.messagehelper/databases/MsgLogStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.mida.messagehelper/databases/MsgLogStore.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.mida.messagehelper/databases/MsgLogStore.db-wal

MD5 fc3d9968a662a013f5364b109c8ac16d
SHA1 c0494bcf6833bfac5ea2ab5802ac63adefac1424
SHA256 ccd373061dd0b037494070f8f4ccc2664c027fe869eb482e6f6dd40a97957b1f
SHA512 e9071a47654ed6672701ddf29310c3252fc2b72a8db352752da6725359661483ec28606c646917e782332d4a8feccd591be4b6ebbcbcab0aa6fea98dc07e054e

/data/data/com.mida.messagehelper/databases/accs.db-journal

MD5 ed77631f578b2f7706ae8451cb87385c
SHA1 3f83ab06db129b2c904c02c944ef7585fd8fe0fc
SHA256 bcef6f8326d4212581fe0683a03b8c3a1889847c34f44ccfc870ed279f0df5cb
SHA512 e98588976d9b342c2be7f8da31285c12167b72e72fdb1beefb2886a1b89d4d1da098a47456a42b4c7b9392684c9becfcce1ea4e653501ebc24bf626fa9895b84

/data/data/com.mida.messagehelper/databases/accs.db-wal

MD5 0e0414fa38135f5ed0467e16f51453b6
SHA1 b67052ed78456e4a330b15942036edf95b572fd7
SHA256 2275373666907ffdb7b10cc60fc6f86a671615812fc039cd7e87ef829518d33c
SHA512 3e4b70fb3b349f2949578be290316b9c1a4bb3af4bd597e1a9903ded23292a82c57b0e1253de0b0ef56446a54945309ec604e3e1198560ed100d2045c75aeb51

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 c6876f6c68cae6541ff15278c91324a6
SHA1 32bdad3980dd3c3321c92b8e4973fae5b962d8ca
SHA256 90ec026a087a06f72fb148deadc8f97e9fcf056c3eac6bf8409cd05ac74f70a8
SHA512 87b7487c7b9b6ab82bf5a08c0adf687d388e9353f07032403d98e50154c6ef3185dc2c0b284c188b40c7ffbe3f9bdc038888cf7d3aa93bf9bab96bf24fa71090

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 d22a2143a8c63395ce40e671c2bf89fe
SHA1 c33393efe3d27576bdc83007b732b0de257cccf7
SHA256 faf850edfd32f697cecccda2f0189f2a2caaf2672fe77b9840788edbc9ddf87e
SHA512 9f39221e6c8d1be2b4b177b7d5289e3142c741f7ad15e227d607e7ffa55f3dc49ade4136b794f3a60dc1af35d8eef2de92087961983516430b02598248b0336a

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 8ea822177e044b2c3ce0f19c81781056
SHA1 0ef643752014739ed5eadb287401ca7c98a205a5
SHA256 1b7b14db0af9e1a792d3be816a121983a44feb047fb77d5abf5c6f8c3a07f6dc
SHA512 c90feaa7e55510298409ab1d509ba3b838afb961a39b0d42c7ab8ded9fd7b36f724d5e0fb289eb3cf38e486490b919073217fbe98ac0ba5a9bc085eb3fdb460b

/data/data/com.mida.messagehelper/files/umeng_it.cache

MD5 a3a5a1221f09f1a9b2f97e58280d8212
SHA1 35cc9e69f9b92040db12615bb76b51ae5be66232
SHA256 7899cb7d660cdce7d4894fb2803ad52488e747ce16b59bcba0a57313c37b6355
SHA512 2b851a773133b9d20cb42a36d3688341f29d42648a7a1c464f27d17fdea7df99790f6e06359975e2f68a6bde4e23162627893878ba1804ca8e1038288b0b1ef6

/data/data/com.mida.messagehelper/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MjQ0Mjk4MDEx

MD5 e6bfd9575d112c086b41d667c4b531be
SHA1 f21123686c16eaf7386a8a747828c8826127aaad
SHA256 f9d321320685c37a357a31913eddfae392bb1df645adf7305a7cc01eb4b4b476
SHA512 b6a49778f12ba2d637655f2c97174edf586f45068f436814b4a956e8f3c8fabec54776f87898c9bcc3cffa1a8e3159d2f6b40affdabc2f71cdd85be713b94f00

/data/data/com.mida.messagehelper/files/.umeng/exchangeIdentity.json

MD5 f27d5904e9af317e49fee0bb8c7068d5
SHA1 1a838f89e9a3627baa6f6a3fb36c337d4efc7ffd
SHA256 bff0d7e3557acdb9dfb8bc0b2341a8f7492fc5c155dc12b77e3a7a50bd563363
SHA512 27052cf1f9d7c9bbf2eed4a5ea4b06ec532eebec0ef0dd40bbc18b8c997377e8ff1bd81b3cdf28eba8674f5b8ede785bcbadf29acd0b52f196fc028d998fc699

/data/data/com.mida.messagehelper/files/exid.dat

MD5 697af77aa5c818747c96dc973bec9591
SHA1 6cdd297ed45825fd6631ba58cd8a2b6176a72d53
SHA256 97ea09062fe2e20c9a3186a334ffa9891085687bdf0027ce6d858bdc725dcda0
SHA512 d9f39a82b05d03ac8308bf57456ce854ffb838809afcf75c71bad93a523cb5affeb7d9cb45db3d14251e45511deb503fb5da485895ba46658a9f11d0c4da47de

/data/data/com.mida.messagehelper/files/.envelope/i==1.2.0&&1.4.2_1718244302301_envelope.log

MD5 66a60d440ca0a44421299103a7269b85
SHA1 ddb9e9c843109a88db35cd416d6ae10682222c0d
SHA256 ad5ff25d6af1633c0456f22b42032878b39c8e75e354897afbd9e0a37a47853e
SHA512 ccba159db9831b7025cce89dd0fcf5a3389e65a9368d155dedace4a61e56afcb16fdeb93c5ebd10c7f98eca696280dbf082c221f890cd2fe1243a528bbff1743

/data/data/com.mida.messagehelper/databases/ua.db-journal

MD5 d4ccdcb706b67d4a2aca0d6c76094ce3
SHA1 c816ebb171530ed10bfceaedeba467716b4fc675
SHA256 e6dc66b5bb50fc2968bdf0cc60a0b8a9c808187837598bd361573cdefe6289d7
SHA512 6f6b0d466dc2ad536b2f25da9bd13cc11188d3749cb0c21386205bd948d43e9b25c0e5ae53c8f45c013db216376010c5c3db8e6b001d86ea32b44221d6554f06

/data/data/com.mida.messagehelper/databases/ua.db

MD5 0adda9c85a5e4808f5b1b74c0a8591a5
SHA1 5048107883ab1e345af9cf2e6849ce46e0e612bf
SHA256 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1
SHA512 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

/data/data/com.mida.messagehelper/databases/ua.db-wal

MD5 9a938b67f50f40b6afe60f21887ca558
SHA1 4e7171c54aab5815fac9cafe20a80940addb23bb
SHA256 40d8c11a1577c0ca21cbf1acfe9f55ee8d14ca3f6c2f88f1205c047ec9caf990
SHA512 1789dc7b8fed4665c85848e8be30652d01cb8c10fd480ff2f52c2aba488621580c30142183bd99b1358f0adbd9cbbd95d2771f68443341a7075c2b973f8efabf

/data/data/com.mida.messagehelper/databases/ua.db-wal

MD5 2186b0b6fc037815b43f9511ddd8dab9
SHA1 299f0369884155e7c43860b57add29a6a08cfcff
SHA256 f9116497fa24f43c8156097a4fbd09bfd55bd2239234dd762c2482713f2a08bd
SHA512 9693d01c95faa17bc2b87d6dc8be1e1bda5f72d3611ffe7e87521f5ec3b5496f057f37acdfc645627767b0d8996a5dc9f11a07ceb2833b76528d01cb556ceb13

/data/data/com.mida.messagehelper/databases/ua.db

MD5 ea1954bac7f3ac3d00ca2d44fa696642
SHA1 06f78b42a9114f9078e021c5536f5a7b182b25b5
SHA256 8d35e86110346fa41f37de8dd1dea24f1c0f755e2221cce46b75619e9cce0e55
SHA512 736f3994c1a62406d240868cbbdfbd3475800822777b3b54384a3218aec95f5a2b00a7befc2356de985bc775712eede60f0c3d8b3133d1ee6ee2e30158826491

/data/data/com.mida.messagehelper/files/.envelope/a==7.4.1&&1.4.2_1718244305593_envelope.log

MD5 b6767363daba0fe68ec08984d0d75f14
SHA1 834b89d212d3c3a576eaee2e7604385f246f14a7
SHA256 47fee18f338c10864dea19dd6681e3411a0528d74bacfe34922d680941409981
SHA512 1f21881bd5806db19efe0b8392165646881e23c3095a9683fee532a1816be5afec02aee3183f3d8ac21b62b0321ef88f9026bec83f5e0159847876a54fd0f350

/data/data/com.mida.messagehelper/databases/ua.db-wal

MD5 9cb9f446e909fef748966d8b80c9577a
SHA1 3d31fc1f9295b77af541668b0867755879d6a7da
SHA256 38d9c73a48615ece34e0f3a63509f336105f0b329214d3ac9854e7768f4754d1
SHA512 fad9c37f7901e2105d0b1fcc7cf263c5a65e64ee64406e841dd3f455dcac240991f86797d35e69a34dba5369f70023d1866085d5e928142f58a18d33fcc12c16

/data/data/com.mida.messagehelper/databases/ua.db

MD5 92d6a296afb9fc21c7308733ac7982ca
SHA1 c0527bc02b398e131ef519d4f8f4fefc800ec0b5
SHA256 fb496f5e3e29cc439f13a47619e3a3485787eda78db69932b485cd4e791c25e9
SHA512 fda068b7be07fecd58f11f8f33019fb42f9fb3c0d2a8e533495ce3360d2873c4d265ed3158d4c8d81e2b7ca64ed55b21e9c60817c895a6ca2c5988dc4a5becd9

/data/data/com.mida.messagehelper/databases/ua.db-wal

MD5 250ecbbd1503554d5be3b42bf08ef438
SHA1 ad1bcd6e92554e390911dbb1a8d7781b0364bd86
SHA256 7801e2e5a503a43feeb884efea4edacd52a5ecb3a9aa4632e4bbf10383eb2325
SHA512 8a985073543ceebe2172bd397709dc87ddba1a6b200b36069d206d4255f86113d038e023cc181fb1cc409143546b859bb519e6f8421b9e70f015fe12d603ebc9

/data/data/com.mida.messagehelper/databases/ua.db

MD5 708e8a9216226b0db6412f09fa3ac2fd
SHA1 c2a9692eac7249cb0b84299bcfdcfe5f35ced3e5
SHA256 c0e98696fb13237ac4b732cfc3817feb8c49d1fc966e634e19c43e3f5ad73838
SHA512 fb18bf4e155b65d0aa4ce218861f3af6863f36cca71909f978e9185db84450554c8f01920095d346930d13891aa003663abaf724d2eed4e94bd4dd0e2a2e9561

/data/data/com.mida.messagehelper/files/.jglogs/.jg.di

MD5 fff6278996ee5e74473af968b400bf25
SHA1 d3a59e6047b3ad26cd1dc510478fd9fd44abc005
SHA256 c2c8822e978ba7c0905ab7aed99b5c0dfc8abf446dd7d1ae8e924075145bb085
SHA512 eb9c7ff62a55ac574ccc00efbe04641b77aca08137ee9669b668c06e7629ea099f7a52588e2860a29aed04f56607ef40488967a4a76207a9059d23f1960a271c

/data/data/com.mida.messagehelper/files/.jglogs/.jg.ac

MD5 3b4ca5e2af0e9696d2550d5d287ba6e6
SHA1 42b6eaf5215b7e97669e13a79291a31273791bfd
SHA256 d1cf540d7702a2e96b35478530bd69aa01c4d20676fc10cb0ff502832b5f3048
SHA512 5be9224c854c0d1882285221569700d728c747d57871cb546367ae8bcba710e3863d3feac52ee820797d3e0069b420ca66d60e9e36323319f7b3dc0d802015dd

/data/data/com.mida.messagehelper/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MjQ0MzMzOTk1

MD5 5e2c76d8498bf52c62b10167ef9a2b81
SHA1 58908fb9796e1ebef134c23684de960bab804083
SHA256 ba9322e27f58774b03ed2160d72e5ba04118ff925828cd2f32d419d8ae3b434d
SHA512 62f0313797e2c891f9c3725aa1922d70360b1ab68eb82bf5bad059dc10e84c15ed608dd96ab9ac19bca26aedda3d9549848a00cede64375bd17a43664eee6e3a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:04

Reported

2024-06-13 02:07

Platform

android-x64-20240611.1-en

Max time kernel

8s

Max time network

141s

Note: this run recorded only 8 s of kernel activity and none of the SMS, root-check or emulator-check signatures seen in behavioral1, so the android-x86-arm run (behavioral1) is the one to rely on for the sample's behaviour.

Command Line

com.mida.messagehelper

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mida.messagehelper/[email protected] N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.mida.messagehelper

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 172.217.169.78:443 tcp
GB 142.250.179.226:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 172.217.169.10:443 tcp
GB 172.217.169.14:443 tcp

Files

/data/data/com.mida.messagehelper/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.mida.messagehelper/.jiagu/classes.dex

MD5 a48506bd2578830c5df386e74aea63f4
SHA1 648910706f768e0cef01feeb805e4579c996eda5
SHA256 56cb5bcc778f899d96aa6ce005615e17f94a79d05998bd11ae70f64aaa457e79
SHA512 9be724646a8504ee031b8836e6d29b43b9e75f70e5af6f4c9fe933eb05af3e19e4b3537a7986d828c4e223de833f567d4c336d8cb0ffe0576a3bb5f0e51fe7cd

/data/user/0/com.mida.messagehelper/[email protected]

MD5 40c3f0229a49ec43ebe166338a4832ce
SHA1 f873387967223971c406c5b85928bb3f87c973ec
SHA256 cec0c50334c9a527d2dc2e1ba010850beaf2e63eeb914c0c333e54ba21d07b8f
SHA512 bc6efc3e3d76305333f6ecac782f59967adb7e19e997179806c170bd9080c5c7186b5ffd2ccc2568e5c15748f8612125765f06c8b0feba4e6444ec65eb8655a8

/data/data/com.mida.messagehelper/files/.jglogs/.jg.ri

MD5 6dc592d71009ccc38b91e30ff298e574
SHA1 dac35ba37bb330672c6ea3612b209db8f3c3e3cc
SHA256 4808f82a72c109f3f4b5cedfd7084275c4974b2600485b5dc5ae45b474fe5cd5
SHA512 aab90f48ffc030e8b77d399f1430b29ee69476521b633189a34ed559a9fffd52a00461ed051fa0cfbb8ff716f1e60254b34449de9f6fb229dc37c1095d8be75d

/data/data/com.mida.messagehelper/files/.jiagu.lock

MD5 617fc6d934487e528902b97b681f95e7
SHA1 14b11237c54ed4d37200b8e10106899938d79db1
SHA256 fa32caac54cdc88c91baec288175ca143220faf8c133a0c53b4c136007ed2f1b
SHA512 cedf2dc1095e26a7b64941d6901999c53a81e13d8850a7f61e52eae64a6a666addaa6276d4dafd42add9d21a3e57122ec67a15ad205510fd79827c1939fb421b

/data/data/com.mida.messagehelper/files/.jglogs/.jg.ac

MD5 a22ca5f04b5f5373e4430a6abb5120f0
SHA1 900a7b6852aa6970a80a7cd505284d3a76ef99d5
SHA256 2eb29f397a57d51aab4235cd83188c4fb457cd2a3312d9f553e7fca932f95ba4
SHA512 fe09549e0d4aaf1451591024d7c554c72c0d58152a03dc22f7b1f5d2e367384cdf143392ea6065b779c695abc48828a540969ac433914affe888940c02060259

/data/data/com.mida.messagehelper/files/.jglogs/.jg.ic

MD5 4cdc92a556bd47669da56f8b7b4938f3
SHA1 71ae67e5ea5d7314b35058486086eab7938dec32
SHA256 2b04c4d44f8b02135aded1671117361f42bc562e3282c3f31e7ad840cedbcc26
SHA512 f6d7bbe2af574a7f86a3a0e382b56ebb86c8330d4f7f9232a14cee971ef618ad516521768bc661611aa703904374f5535ba58787069da8cd8a50a9c36ccd2b5b

/data/data/com.mida.messagehelper/files/.jglogs/.jg.di

MD5 38635e4d6e36d18b279327db1ed5460a
SHA1 5ce373ca593175c58d172be8722360cee8f3de9b
SHA256 b70e3f850361399e9f93f5c7df754138cf9f90a244d0c20e8b64819909367d5e
SHA512 ed930ba9a0670fc8b65a2ae7d22e7550e184771357768a50bfb4670e30bb0be06520d0963afde100b09fd97093a52a1a2f9f85d972265f8086b31b0e9be2de4c

/storage/emulated/0/360/.iddata

MD5 fc2563cfc2e516c666a3f028767d663a
SHA1 ad2cdfd86c1a4a90330985bfaffdd223a2a8b62b
SHA256 c6b3d486f899038545c1a5ca50e11cd314662be5cd963e2e283cdb1fbc1a666c
SHA512 fbb81518883e67f53df0a6bbaad8ea098ab997fec143d0d501274a06df9cbe03e294a8e43317737821bfc21a212792f6d58fa886da22fa8dcbcd516c1ef01a24

/data/data/com.mida.messagehelper/databases/MessageStore.db-journal

MD5 2060291837caeafcd06d32089d4728b7
SHA1 c7252b3cac5ceacb767c3183a2bcbca6a3db2039
SHA256 ed2d3d909387855243138e1fb75fb386acfc47db3c3dbe98957735d5adaee43a
SHA512 1f0c1b6c1c5a57408039af97793a59426cc165cbd221580d0f6fe2f214040a7a5ef07e1b7908dd5bfe85fa8edef377f35bdcf8f0b9f594f3a9ee7e5a0c2a1f88

/data/data/com.mida.messagehelper/databases/MessageStore.db

MD5 15669eb47bb19111cb64fa7508b227d7
SHA1 c7585424afeb0fc7051697b771eb3d81e0e3aae3
SHA256 ecb0e8c93a782292a1dfe20a90e204d1c1c804e2773f1831c9ca34826aa62071
SHA512 13c2cb45912090ba0b670b36050eab5954e22d57b79e141d2236035dc1ea2000960d93ebc544fc4dee48765335a3d52baeb5d31c8a40407224c624fffebbc11b

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399

/data/data/com.mida.messagehelper/databases/MessageStore.db-journal

MD5 dc2b91f01b6f7efd36f11974754d4dde
SHA1 ddc1ab37e8e74c86faf9b6e4eb73a27bca237539
SHA256 b6a571975c07abfda935162e5ba1b725681a42ae662606dede816cf66d2c3c77
SHA512 ca8f774754a4247bab41e0bf81038147c0447d7ad1c4f9096212f657142cb7abed145697b0c3634ade0808e6aebe3691c7daee3a5ba191accf89358aa30bd01f

/data/data/com.mida.messagehelper/databases/MessageStore.db-journal

MD5 073846933c3423f11093f800df7f4260
SHA1 6bd521183efba3655704f51b7ec31e37a9144fc0
SHA256 ca132b535d95d7320f09689916e2a7e76ade8d17d932108492d39fa9d5d05d35
SHA512 ab3a33dbe63bc4a68d09b34256448e2e372a3394f1612c2f1db5da1b0dec43ffa4e6c09211fe7e9272ba90a673b1c21f8728913ba01de8b4a4cf1b3e3242d5d1

/data/data/com.mida.messagehelper/databases/MsgLogStore.db-journal

MD5 83fc34762bf24c50e79ed414fc86c401
SHA1 4706155abb2383c6e70a612ae15214698681a0bf
SHA256 379ef7c85864178d662437bff1f05e4926866a9a3e6e520c3e08dfcbac76e40e
SHA512 da11dc940401ebb32a16fd81f92626806cd27b4ca844c8da40a9d533632a52e999870ccdadc20d4bbc6c5dbe45411442d574e3aaef3cb0efa44149b209ee8f2e

/data/data/com.mida.messagehelper/databases/MsgLogStore.db

MD5 9cec591e3ef91ae568f4cb6e7c2a8745
SHA1 ccf756b6b465ad9ad7ff6bfbeb4e8345ba3f6ff7
SHA256 05be88f05e9bfd4d6496caab584a704e7956fb87036529a0c8028f1e2bda309c
SHA512 f824b3268338787275c184bb740d152d53c1d8e57a044f587530735ef04d021a2671cc2aebb17ae3b497a0ad171060da484a565bfa62d32ed334ae5ffb538f51

/data/data/com.mida.messagehelper/databases/MsgLogStore.db-journal

MD5 5010a8feea503bc91f12599c547e8d7c
SHA1 ee81a05a551b35c69b026dec884e66bf35181eb5
SHA256 3515571e04f6ac9cd5d413d115d549f4380299bd0f1ae43a0cf13e3742c9c785
SHA512 7f71aa9394fdec4c464ce413b014a49145a5593c45767c7dc92ada3039f58be9346de68dfb469bd855d738c45ea3b9240fbb1ddb418c8b94156a0fff3cd9212e

/data/data/com.mida.messagehelper/databases/MsgLogStore.db-journal

MD5 84486613fe2fd6a54b929bba639b503a
SHA1 c9341072224ffe81e6a2c6d9d446470ee34c7b09
SHA256 c93a083e6688fe343ed551246b1eb55a1be16aea2976392fb66b2cfe23473c19
SHA512 dd02eb207262768335e11858e1d8078ef3de294a66e8af4a1d3ba3365d45b3e672a49e58a734b3b94c3bb41b70203919eb9f2cfe3043efec63f972e76871ce03