Analysis Overview
SHA256
c686f5f38b52aff239d744bd382712b4d82b6847a6de342cd2dd1155b227998c
Threat Level: Shows suspicious behavior
The file a3c4a7e99f32434bf4e10b096dc73401_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Queries information about running processes on the device
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Reads information about phone network operator.
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Uses Crypto APIs (Might try to encrypt user data)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:02
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:02
Reported
2024-06-13 04:05
Platform
android-x86-arm-20240611.1-en
Max time kernel
177s
Max time network
184s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.gikoo5
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | www.easemob.com | udp |
| GB | 79.133.176.222:80 | www.easemob.com | tcp |
| US | 1.1.1.1:53 | job.gikoo.cn | udp |
| GB | 79.133.176.222:443 | www.easemob.com | tcp |
| CN | 139.198.122.162:80 | job.gikoo.cn | tcp |
| US | 1.1.1.1:53 | s.jpush.cn | udp |
| CN | 1.92.77.21:19000 | s.jpush.cn | udp |
| US | 1.1.1.1:53 | a1.easemob.com | udp |
| CN | 47.95.246.247:80 | a1.easemob.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| CN | 1.92.77.21:80 | s.jpush.cn | udp |
| US | 1.1.1.1:53 | easytomessage.com | udp |
| CN | 119.3.253.130:19000 | easytomessage.com | udp |
| CN | 119.3.253.130:80 | easytomessage.com | udp |
| GB | 216.58.212.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | sis.jpush.io | udp |
| CN | 124.71.159.41:19000 | sis.jpush.io | udp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| CN | 124.71.159.41:80 | sis.jpush.io | udp |
| CN | 113.31.17.108:19000 | udp | |
| CN | 113.31.17.108:80 | udp | |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 113.31.17.106:3000 | tcp | |
| CN | 101.201.233.110:80 | a1.easemob.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 1.92.77.21:19000 | easytomessage.com | udp |
| CN | 1.92.77.21:80 | easytomessage.com | udp |
| CN | 119.3.253.130:19000 | easytomessage.com | udp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 119.3.253.130:80 | easytomessage.com | udp |
| CN | 124.71.159.41:19000 | sis.jpush.io | udp |
| CN | 124.71.159.41:80 | sis.jpush.io | udp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 113.31.17.108:19000 | udp | |
| CN | 113.31.17.108:80 | udp | |
| CN | 113.31.17.106:3000 | tcp | |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
| CN | 1.92.77.21:19000 | easytomessage.com | udp |
| CN | 1.92.77.21:80 | easytomessage.com | udp |
| CN | 119.3.253.130:19000 | easytomessage.com | udp |
| CN | 119.3.253.130:80 | easytomessage.com | udp |
| CN | 124.71.159.41:19000 | sis.jpush.io | udp |
| CN | 124.71.159.41:80 | sis.jpush.io | udp |
| CN | 113.31.17.108:19000 | udp | |
| CN | 113.31.17.108:80 | udp | |
| CN | 113.31.17.106:3000 | tcp | |
| CN | 1.92.77.21:19000 | easytomessage.com | udp |
| CN | 1.92.77.21:80 | easytomessage.com | udp |
| CN | 119.3.253.130:19000 | easytomessage.com | udp |
| CN | 119.3.253.130:80 | easytomessage.com | udp |
| CN | 124.71.159.41:19000 | sis.jpush.io | udp |
| CN | 124.71.159.41:80 | sis.jpush.io | udp |
| CN | 113.31.17.108:19000 | udp | |
| CN | 113.31.17.108:80 | udp | |
| CN | 113.31.17.106:3000 | tcp | |
| CN | 1.92.77.21:19000 | easytomessage.com | udp |
| CN | 1.92.77.21:80 | easytomessage.com | udp |
| CN | 119.3.253.130:19000 | easytomessage.com | udp |
| CN | 119.3.253.130:80 | easytomessage.com | udp |
Files
/data/data/com.gikoo5/cache/com.parse/applicationId
| MD5 | a689895f98eeba3ad54c857fb7d3d491 |
| SHA1 | 7b4bbe717287a91a5a6ab19a0bfd0a314fcca556 |
| SHA256 | 898acf5a8ab518b0b83c6df22462def9085de719e0f25dbe6097acf4fd140206 |
| SHA512 | 6e3594e8dd35521f5b8aea180ec54b6a09365a5f418241a0eacbd131cb41883b3a60f23fe0cbaa216ade13b29e73a35283ded1c5c4330c07e85068af0e17b803 |
/data/data/com.gikoo5/databases/ParseOfflineStore-journal
| MD5 | f82fdff836072ae6b4d881484b530bd4 |
| SHA1 | 051c6832e26484fd01b74f146bf5c2bd66824d2b |
| SHA256 | 941ba1e0190577a20741e129b037ff17723bc3dab88d82b992bff57d60c9dc1f |
| SHA512 | 04350b56460bc63e72f8142744738614f93ad2126326d5b8e28db83b20da0b1edda1d4e44f333a0b68612b66092b85a0d640f6ee52a6e831d4322d465b5ad2d3 |
/data/data/com.gikoo5/databases/ParseOfflineStore
| MD5 | cb82aba1c84a4838189ffb3e839f0424 |
| SHA1 | 5b56390c9bdae34787a06ef93a4e72a4db218b54 |
| SHA256 | 2010e5743590b7c98cba19d7fd5241fca270cbab520e1c8fbabe51fe540972c8 |
| SHA512 | f2d29795c2f979a6f19fdbd136d639912e3bb1d945409a4bb1275396d5aa163eec0ecdf14af077f3edde260330a8eed42f204150b4238b7801f7462173efef75 |
/data/data/com.gikoo5/databases/ParseOfflineStore-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.gikoo5/databases/ParseOfflineStore-wal
| MD5 | f577d1b8e52a7af7c8a0e6847e88c2ad |
| SHA1 | 77703a606bb4f9e023efc3feee671aef83ea5dd9 |
| SHA256 | b1299c516880e78658d59199674a5a5dcc431e6bf8f35dd3df86fd34e0e36ddb |
| SHA512 | 8e3f74e08b29c951badd3832380268cf568463e4271e5d2112ae5925b06f300d4a877e6603dbacb26be36cc33bb9aa3fbae4b15de39087269feb3af581ade94a |
/storage/emulated/0/Android/data/com.gikoo5/gikoo#gikoorecruitment/log/20240613/000.html
| MD5 | 08ca9898d3256420c5fbd383bdff5798 |
| SHA1 | 8469f0e2a432896cd92ac76bb845b890852fa674 |
| SHA256 | 21d5f7c12757c8e9b57d1cb7244fd70d5f0e18b76c98ce270ad58826d7f19a3b |
| SHA512 | c2f07815705e8eeb6f3dfa09b5aa4d7126957d5276af5618fe7e563c83fa5adfd6f852a2aed7a24e79f2ff8da82bcf9ad4eab4003660d8d455078a29e7fb0dac |
/storage/emulated/0/Android/data/com.gikoo5/cache/uil-images/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
/storage/emulated/0/Android/data/com.gikoo5/gikoo#gikoorecruitment/log/20240613/000.html
| MD5 | 7486bb38eb4534d1a39efa1483e548ab |
| SHA1 | 4d917b2368d1dffcffb97fa7974f6bc82a78fb64 |
| SHA256 | ffc6bb04b4714ab69347a3233953fff1d966e891354869ace3ae68aa46343973 |
| SHA512 | c0965df0992598133ec93f892a56812793285394c97e5d7733a2c4f5d9e4b184b517f398beb73011494cd160ba5071bf75346e1faa9c2573449b815e76b6d7e5 |
/storage/emulated/0/Android/data/com.gikoo5/gikoo#gikoorecruitment/log/20240613/000.html
| MD5 | 54684f064c62caea0f70c12d06bfb8e4 |
| SHA1 | ebc504ec9d35ab8dd7d21b905f2d4db7aab8219e |
| SHA256 | 1a4bc2406b7a295e67a85225dddebcc2bcd04597bb48bffd71f14f2af369890d |
| SHA512 | 21dfeb49ba4a243dcf901c44b66c51dc4946a7f4a48ae9861a257c412f4e647f73b251fbbfa2697593b1dd5bef25c31de59d003213d8cfadaaefecd25f4335a0 |
/storage/emulated/0/Android/data/com.gikoo5/gikoo#gikoorecruitment/log/20240613/000.html
| MD5 | c68a4c9b11f51aab7d175ed095a38876 |
| SHA1 | e9b7a4c2979ddae878a9094b7265381b7c27fbb3 |
| SHA256 | 5de77f62257806a3ca12563f7177611aca817be5a3c19a5f6cd70cf5b1e72d1e |
| SHA512 | 5116064fb9268041d2c3dbe96bba6a71a7bec9d1b581bbb4aa28bab8a1f17d42fd05c32a7842d4c0057cd91637e57a06e44838f5477f55a0e2130c0886d92049 |
/data/data/com.gikoo5/databases/rep.db-journal
| MD5 | db0e5b4190a737cc825b2731cde80185 |
| SHA1 | 188afa8ca93c3df4b31a175b48f037961a0e3aa0 |
| SHA256 | 3bd19b9511f0460d794914a10f91282b103323ebf2c648ec7b318c42f7b1a8dc |
| SHA512 | 633e7fce62d947ddebb5e90b4f279fa72d852ef1be12b97b4ad6d24efd9685d088b96fc77f9923f87d6b822afb08499b330ee8b3136fbd967e4dd4a87b2a4bf6 |
/data/data/com.gikoo5/app_sslcache/www.easemob.com.443
| MD5 | a0122b61da078ddd118b917ae62ba411 |
| SHA1 | bbee36ccbcac96d3ffaa95a5a77d54ca0d66b9a3 |
| SHA256 | cc9e1087bc91c4aadf26130d086df96be54c55576f8c6bfbbad29c0d416c343f |
| SHA512 | 142f9b600dd57b984d2084ff04bf5064f49e962e73cd694d348236759bdbabb043f76723deea42c1506cd3c9f9f8051f632e73de0f716ac357b66b6cc03a9342 |
/data/data/com.gikoo5/databases/rep.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/storage/emulated/0/Android/data/com.gikoo5/gikoo#gikoorecruitment/log/20240613/000.html
| MD5 | 05415b1053f3df4cc8849f07602333bf |
| SHA1 | b777e5275b635a35d26eaba9702076c17e68cd8a |
| SHA256 | c970071ee1bc3bb2808e902ab53345f994319f6d59e825895714c293b15f7173 |
| SHA512 | 91b8fd53c3cfe7dcf6e4d8e6d2e69bf18ff0c60821416a3735ea5f9f0428862ed9fae84e4191a2c33beb270a6caea787c59d8a80c7f377488a89a4ab4be0e71d |
/data/data/com.gikoo5/databases/rep.db-wal
| MD5 | 60199292b1bbb56350ae54d1be10eac6 |
| SHA1 | 8cb8f7a9ab7198206d7d9e9e2eeb5f115d899388 |
| SHA256 | 39d4310ccaa955240587cf1e207f7dd4707a52430dc424e17ad09aea92329ac5 |
| SHA512 | 848044501ac4817bf509c6085e8902fa848ef88fc50f09fad3a9298e062405180c7996bab943e547a68c4ccab2299b3d2641857582d73b8f520c0ae5ac0e8297 |
/data/data/com.gikoo5/files/jpush_stat_cache.json
| MD5 | 3e00310e0f34f52a7b0c3ae2ccb8b5fc |
| SHA1 | 340522bd7882ec495199645f32cbdfea2c41967b |
| SHA256 | b9291baec451aba7703eae5cc1139087b342a606c61c4e051fb486e121d19cf5 |
| SHA512 | 29dc1582d41d68127d3ec57e2d9a61e42c589de2cb14c3420141595fabd3398f6b824d348f75bbb0ccc068a8339a17c9a6a1e7f054c16452c4f3a80cc022034e |
/data/data/com.gikoo5/files/umeng_it.cache
| MD5 | 97369c027f855d10e9bdfea6c3772efe |
| SHA1 | b27f356d97859394bf8d6cc2beac036552799270 |
| SHA256 | 21ca424388aae3c7ad29469a85125d14964029542913ac1e1f3c67b8ef69bff2 |
| SHA512 | 648f1b5f628a114a765a72478e3aa36f3b35d6b27937fa9e71f6ce655f98181418121200638e124abf62c8cc278a011894e8a41b79ea3000942ddc47c2a54beb |
/data/data/com.gikoo5/files/.umeng/exchangeIdentity.json
| MD5 | bdad2aaaf63207ebbe66ad7ba95220b1 |
| SHA1 | c7131b047b6909da7d1cb3502b06090f7622066a |
| SHA256 | ab53737a0697344161ca557afbd8a7d26882e192fda52ce43c8c6feed985afb4 |
| SHA512 | 5e1aa40a99beec23e6d788c17eb025e3a8bdc990ec1bc29177219ff0186f5b014ee7ba7aefc010263f52e87a99a77bb675b5ac07c07079f53d619f98d91c8444 |
/data/data/com.gikoo5/files/.um/um_cache_1718251425452.env
| MD5 | f1ef26d93d3ae9dd2a50b25f8c97f971 |
| SHA1 | c02033b9f2a8c5b1a10d639aac716a74ff5c2bbd |
| SHA256 | 1540c564634250d31fcc207325253a772128d2a4115bba7044932158c12ce612 |
| SHA512 | 54f42c69b8ac62e7112ae48423ec2d28399635f00b7b6e2171753bc32d99fc5bf4ec918d616bb876bd01eb8b47c69978267470fab88d1c8c14d94ef86a9d21d8 |