Malware Analysis Report

2024-09-09 17:50

Sample ID: 240613-g4v76sxcma
Target: a42e0c6bd5c3fb8e14c0fe901f001bb1_JaffaCakes118
SHA256: a361bbc8f34fcea4d49114efdaf6d2c215324d6713e9672e35a3f465435fb174
Tags: banker discovery evasion execution impact persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral11
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral10
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 8/10

SHA256: a361bbc8f34fcea4d49114efdaf6d2c215324d6713e9672e35a3f465435fb174

Threat Level: Likely malicious

The file a42e0c6bd5c3fb8e14c0fe901f001bb1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion execution impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks known Qemu files.

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Acquires the wake lock

Queries information about active data network

Reads information about phone network operator.

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 06:22

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-13 06:22
Reported: 2024-06-13 06:22
Platform: android-x64-arm64-20240611.1-en
Max time network: 9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-06-13 06:22
Reported: 2024-06-13 06:22
Platform: android-x64-20240611.1-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-06-13 06:22
Reported: 2024-06-13 06:22
Platform: android-x64-arm64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 06:22
Reported: 2024-06-13 06:25
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 189s

Command Line

com.qihoo.appstore

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.bootloader | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.product.name | N/A | N/A
Accessed system property key | ro.bootloader | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.hardware | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.bootloader | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.hardware | N/A | N/A
Accessed system property key | ro.hardware | N/A | N/A
Accessed system property key | ro.bootloader | N/A | N/A

Checks known Qemu files.

evasion
Description | Indicator | Process | Target
N/A | /system/lib/libc_malloc_debug_qemu.so | N/A | N/A
N/A | /sys/qemu_trace | N/A | N/A
N/A | /system/bin/qemu-props | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.qihoo.appstore

com.qihoo.daemon

com.qihoo.appstore:selfupdate

com.qihoo.appstore

com.qihoo.appstore:critical

/system/bin/sh

app_process32 / com.qihoo.appstore.persistent.CoreDaemon --nice-name=com.qihoo.appstore_CoreDaemon --daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | update.api.sj.360.cn | udp
CN | 180.163.251.81:80 | update.api.sj.360.cn | tcp
US | 1.1.1.1:53 | openbox.mobilem.360.cn | udp
CN | 180.163.251.81:80 | openbox.mobilem.360.cn | tcp
CN | 180.163.251.81:80 | openbox.mobilem.360.cn | tcp
US | 1.1.1.1:53 | api.kuaidi.360.cn | udp
CN | 180.163.251.81:80 | openbox.mobilem.360.cn | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | sdk.s.360.cn | udp
HK | 101.198.192.8:80 | sdk.s.360.cn | tcp
US | 1.1.1.1:53 | p.s.360.cn | udp
CN | 171.8.167.68:80 | p.s.360.cn | tcp
CN | 123.125.82.206:80 | | tcp
CN | 180.163.251.81:80 | openbox.mobilem.360.cn | tcp
CN | 221.130.199.88:80 | | tcp
CN | 221.130.199.88:80 | | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
CN | 218.30.118.222:80 | | tcp
CN | 180.163.251.221:80 | p.s.360.cn | tcp
CN | 125.88.193.234:80 | | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
CN | 180.163.251.224:80 | p.s.360.cn | tcp
US | 1.1.1.1:53 | md.openapi.360.cn | udp
US | 104.192.110.235:80 | md.openapi.360.cn | tcp
CN | 171.8.167.69:80 | p.s.360.cn | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp

Files

/data/data/com.qihoo.appstore/databases/download5.db-journal

MD5 b5b315957595a426f4328944f684cc32
SHA1 6ea2498c76208cc4e29b66ce17f5651922227cf4
SHA256 b790b9dbe613739c25d968b98dd35a859b86dc65e8997b5c7bf9c12ec853ec45
SHA512 3f34b543f578f4e0879806b4e729dc0adc497fa6d6b685fc72e26266be1850b51ece32c43261b17de78fdfee0718796dcd30fa6ab5ffeef016d90bdcc5281b2e

/data/data/com.qihoo.appstore/databases/download5.db

MD5 381d1b21994c81886fb2fdc212e84837
SHA1 5f5d75e0aa6a31da8849a8e3523116ba83675e43
SHA256 41c4675690a69278b36a0806dddfad4371d2f9363944d571dff980f59e770169
SHA512 7cef8a78c50b7eb9a7fb839770095f4fe5516fd1c281e04a865edc8c8e908aed78a7bdbd969aa38f104268e0ee66638faa697190656c4eed0d2812398376c79e

/data/data/com.qihoo.appstore/databases/download5.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.qihoo.appstore/databases/download5.db-wal

MD5 e55b2e27d2791b911774fb1c622fbddb
SHA1 0598042eb5bf37fcd19d839fe1847bbc74480c33
SHA256 08c8333ce7cf1d6db461c239c2fa01a20cd1ebe37f65d6c68b13d501444e62a2
SHA512 fb5521e8735958bb3f2e9394d0a9601b9b87e76ec432b1daccc9e530eedb4d3dc4194f90e09e5608bc1363725b169b6e32ff3564f3e71f352ac99e8a1814ebb3

/data/data/com.qihoo.appstore/databases/filelist.db-journal

MD5 9a68e643cbfa51127b7558b0078c4a26
SHA1 57d71adcb24954f972d966ff2bb50be97cd8ab1d
SHA256 609526e21b6b49ee7214adbfa115112c6f55307af095126ca52e33b9fd7c1c65
SHA512 b3db0602049da0fd37c7abdc2799a531a8b9f43be788e5a5083134783cbdac61b3cbfc01f003b7f84b7fa761e14ba23ffd1de8417ae3c20886b2adadae1b7c18

/data/data/com.qihoo.appstore/databases/filelist.db

MD5 1c4274aa7a9a5cac8c6d1df71e4588c6
SHA1 abaecd685e01cc68801292e3dc7085654a22feba
SHA256 3f6cd5f480ae69859b7841450f3d032c528ba385ebf9f371b9c8fdc6eb4231be
SHA512 1adb95935798607bd36cedcd183924d3068f50097d017b278da7caee7771532b61ec3606f6189b6dec8426eb038fe40be75079ce35894b1a8e0d1d815261150c

/data/data/com.qihoo.appstore/databases/new_downloads.db-journal

MD5 09792a526e21bc5259378c5225b31f01
SHA1 33ac63b7bf4803554c839ee3aae6bc25d479ec51
SHA256 ab5798776fd73c320efd258e82b8fbb08af96d5e775519b2f0c9546e5d40c60e
SHA512 45d47e466446b2283747886f8023a2690d357ec0906a6e70ae132053b2cf0de291681bc99c824ae1a10d77003485c82f44c58f1d6e1b8a493ee00cbd6a8ddf76

/data/data/com.qihoo.appstore/databases/new_downloads.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.qihoo.appstore/databases/filelist.db-shm

MD5 3fbf735032c6a00428f8828725dc1dbf
SHA1 0ce1483cc78b11d7ee8a7efce7bbb1eb2fcd5cef
SHA256 e1c2fc2acb87f9a6b01ce1e25e7d265b5c079ce3dcdee42c7ed76742afa8bf58
SHA512 66f426574abfa2746b5a098f2aba0560739f504a7096ea2c2a989296542f6a77852c8983810ba211e98f98340abd84bfd494392ecb5a9943e1c176c55bc1fc59

/data/data/com.qihoo.appstore/databases/filelist.db-wal

MD5 0ad1c06fdd99880efb286f24468e1686
SHA1 5e5e5bd3b9667528d700702d20183a964c2d4f6c
SHA256 c8699aae3b58b46450a553e63429411d53f479f6b527709267137917e571df42
SHA512 4418aeb6f988fe932a92c085545038321ac0918ced88bf0aab55ece28fab81bc16260060cfea7fc266c0129ebe9ba55c1df900ff8a9812a44b672ba98092948a

/data/data/com.qihoo.appstore/databases/new_downloads.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.qihoo.appstore/databases/new_downloads.db-wal

MD5 2c465fa4fdf8276f4fb2b46a304969fe
SHA1 c17915af06718358830ef3e7c9071321735227e0
SHA256 cb38a956457d9fafa7d4a01c1035ff3a56a08953f3514938769cf407a6d7e23c
SHA512 0bcee8c5a618f557afc98456e8e4877567c2105b8904cf61643e71377e9a6e06fbf0df1834c22f617f97523c27fa34e285661e4c0c06b31daf6a9ab0ff6f3d16

/data/data/com.qihoo.appstore/CrashLog/LastCrash

MD5 8807910887db8c2d512e2ff59cff89e1
SHA1 3c607f81c93fb9b56bbf6c4f4ad175cb7c1d1bc3
SHA256 186be069c5ee7b063b2706c714187b983f52d91760ed8386b3250a1dafd9d2bf
SHA512 fab7c482751d82e12a15bc5dab77eab5e1a361c48749e9bbea72485f657c416bdf9f48f77924aa168fad33b5a90964efb08ce7d8a20f9a5e1c2b8c702fd57b7b

/storage/emulated/0/360Download/Logs/LastCrash

MD5 a380745528e538e96f15bf854298ecc5
SHA1 9eca3a5068b0a799a0e3cb04b6ffe420ee5095de
SHA256 363a113f01edf8215e1275812ac3a1aa96635a16e33021b3001b9e80a45afd2b
SHA512 fcc50c9ea57ca152d02d53398ce2b14597ed8761534df9fd3f7c541249f231be4c2076ad9389c41ded45f3b78daf5729bd93b2245581bb65ae3e9449119d91cc

/data/data/com.qihoo.appstore/CrashLog/Crash1.log

MD5 72e92c87b5d3ada521c31ca87b76ff50
SHA1 a7122ab25e0741746b6eec77b67f58cb2b9c590a
SHA256 78e2f37a2978ed52ba978c4e01fa16780266ee80afb9ada43a92be169bc1d800
SHA512 a5833f622445e8028e0c34580d77220d91f8a76fa9683c95152318a67924b63b64487618ccfd00f19dd2960ae91a285448b2a7a3021cf60e8542d7787f685eb3

/data/data/com.qihoo.appstore/CrashLog/Crash2.log

MD5 e539c5ebdbf0747e40554e12591bfd10
SHA1 734e7d44500b8c180f16d6bbba8adb744be663e6
SHA256 2050f3ffde9612084a466e81a164c8080ea7fda1e5d7fbc0ae7697b7bc60e996
SHA512 75cfca8b00109cbc59d3b6f0f9e34206afa8a4ab1bfe49229d4b25878b7001180e856a0985d7b334c9d59576aa73de3ad667732eb73f3ea530771307abe761b5

/data/data/com.qihoo.appstore/databases/ignoreupdate_appinfo.db

MD5 60e4cf217e77c56efd3707b603797c5b
SHA1 816247b4883d3adb30c4db39fda16d2288e27de0
SHA256 8e2b8343f703045fb8596dee1888f65fc66b64d10304a4a49fd4ad1f63bd67ea
SHA512 22a8cd2974663e8caa220177e7bc64aaf35735dc8abc3870a7e47ea86b02d8b06b041000e5505039b3116290aee67e9645ad2d9c26218749f5b5b2e332712af2

/data/data/com.qihoo.appstore/files/360/sdk/persistence/data/Y29tLnFpaG9vLmFwcHN0b3Jl

MD5 2ed1fba4a0436a11bb2a10d4a796d58f
SHA1 a859954d8cdf492aa20e269c7da4091a711a7783
SHA256 d85649fd894b2522a4eb3d367970345d9be5f475bacb67fd7aad25a7fd604003
SHA512 1964a45f7904cf3ad94600dfd3f1a3761f0d5499a3a01bb2ee0d4b2e3ce1dc948622abebdff28d7906d75c371488710ef2cb8d944d7cc1ccd1513952ad8ec0e2

/data/data/com.qihoo.appstore/files/360/sdk/persistence/data/Y29tLnFpaG9vLmFwcHN0b3Jl

MD5 e007df16d4486e698166e833e3cec301
SHA1 d5eb205f84adf53f94b45964f673ea518fdd91e0
SHA256 37c2e3fbe2dc70c4238690897420d7e81ba87a0a348afca15dc6080f0d194b31
SHA512 dc68c1ab8b8629df3e8ff257d49392ec5d4a8a0825da2e2640c7c6668b173dfbe304b49d7a763d56852f63fb93b61e991eea7914c9e29d18d008276dbbb5773e

/data/data/com.qihoo.appstore/localApkInfo.json

MD5 8666b1f551724eced262357258b0bbc1
SHA1 611a233dce55225b525a1ea05f22461b3f556057
SHA256 54a82864b2f20bfb29868fa04de26121b5f27dad29b497ff5e7979fdb883f4a5
SHA512 fc9b5c5326530b003fe352b1e22a92285381101fda6b45ff8ff34c5b7a5a8541b16fd9bb2d8b0a4425e56b088b41bfcd2040591844ba67f8989e5b240caddd1d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 06:22
Reported: 2024-06-13 06:25
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 177s
Max time network: 189s

Command Line

com.qihoo.appstore

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.bootloader | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.product.name | N/A | N/A
Accessed system property key | ro.product.name | N/A | N/A
Accessed system property key | ro.hardware | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.hardware | N/A | N/A
Accessed system property key | ro.product.name | N/A | N/A
Accessed system property key | ro.bootloader | N/A | N/A
Accessed system property key | ro.hardware | N/A | N/A

Checks known Qemu files.

evasion
Description | Indicator | Process | Target
N/A | /system/lib/libc_malloc_debug_qemu.so | N/A | N/A
N/A | /sys/qemu_trace | N/A | N/A
N/A | /system/bin/qemu-props | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.qihoo.appstore/files/rooter.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.qihoo.appstore

com.qihoo.daemon

com.qihoo.appstore:selfupdate

com.qihoo.appstore

com.qihoo.appstore:critical

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | update.api.sj.360.cn | udp
CN | 180.163.251.81:80 | update.api.sj.360.cn | tcp
US | 1.1.1.1:53 | openbox.mobilem.360.cn | udp
CN | 180.163.251.81:80 | openbox.mobilem.360.cn | tcp
CN | 180.163.251.81:80 | openbox.mobilem.360.cn | tcp
US | 1.1.1.1:53 | api.kuaidi.360.cn | udp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
CN | 180.163.251.81:80 | openbox.mobilem.360.cn | tcp
US | 1.1.1.1:53 | m.irs01.com | udp
US | 1.1.1.1:53 | p.s.360.cn | udp
US | 1.1.1.1:53 | sdk.s.360.cn | udp
DE | 47.254.148.188:80 | p.s.360.cn | tcp
US | 104.192.110.245:80 | sdk.s.360.cn | tcp
DE | 47.254.148.188:80 | p.s.360.cn | tcp
CN | 218.30.118.222:80 | | tcp
CN | 180.163.251.81:80 | openbox.mobilem.360.cn | tcp
CN | 218.30.118.222:80 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
CN | 123.125.82.206:80 | | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:80 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:80 | | tcp
CN | 125.88.193.234:80 | | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
CN | 221.130.199.88:80 | | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
CN | 221.130.199.88:7 | | tcp
US | 1.1.1.1:53 | md.openapi.360.cn | udp
US | 104.192.110.235:80 | md.openapi.360.cn | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:80 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:80 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 221.130.199.88:7 | | tcp
CN | 101.198.1.205:80 | api.kuaidi.360.cn | tcp
CN | 221.130.199.88:7 | | tcp

Files

/data/user/0/com.qihoo.appstore/databases/download5.db-journal

MD5 79e8601163dee7de15eceff3bbd07923
SHA1 1be327ec33cfc175c054ae221d4cf16af71ee885
SHA256 80190288a1c5f651a793545bb35de5e62c9115269f98b80d9a44d55e51bd8357
SHA512 ec2cebfb1fc1a6821ac8b61068f4c53e67d08604844df8d9f306ef981acf5949b8c1a20e2d0c0697e0a1ef4a87ccae7e708007f40e473137deb66b5a8bc08501

/data/user/0/com.qihoo.appstore/databases/filelist.db-journal

MD5 2f2eb8d88384f2bc290edc2bfc9ce97a
SHA1 ada91616c7941445f1c3c659c540607627b634c6
SHA256 54ade8369e7e9bc24d809586a255620414f0c8604ffe20a8df83c3cdad0ded90
SHA512 2da0c0552cf08046eb30fb25913497ad6a1c9aa23c6b15923dfc6f8870b0a766ba154af195e33691ec529addb90fe19d867b19af975eb0991c703a7c6877252d

/data/user/0/com.qihoo.appstore/databases/filelist.db

MD5 4d19af96da06418178499c04db731875
SHA1 0352b2652d11045d5182e33af58e0255c273847f
SHA256 d50813c245cdad140ae77883c223b7a1dca15373ce03717cbec76f094861032f
SHA512 7fcf173fd2580fba2dd20d5b7ca42f4939dce08e5e5cc639bc6dd4a1bee7a22ca5fc1a5c75cc4782dd1e51a92e31115aafab05281cd452796dba04297cbe425c

/data/user/0/com.qihoo.appstore/databases/filelist.db-journal

MD5 25523546b07fb4f0f365d193820dbb9f
SHA1 61815ef9b24191a7cf49fecd3370ed6775881740
SHA256 728a73048e3b503ce07902c65a998c725a69af919e48d32951ea8073a5dde7d1
SHA512 5d7582b4a66ae7f287553fc3af04b29cec016dcfb19aa83508597170f4b5cf85d553542ec23d328938ed5ffe84b550040df6e15eddc36c3ef34460ef2a72daa4

/data/user/0/com.qihoo.appstore/databases/download5.db

MD5 5ffe83dca324fe9f60aa98b82a80fdc0
SHA1 3bc4e62621eb9ad56e62d63d9e367ab267b5d070
SHA256 b2a3a4471eef610f9663d95dc1abb432bec7226a43736419792dc605df7ec983
SHA512 e9992f93b506a135ca4feca79f8e91b11aff30e83026b599daae7568b4ee83e7199d24b546f0ef9c3318990a7c81bbd825d75dd94d1fb7e0a6d56d2a87896f0b

/data/user/0/com.qihoo.appstore/databases/download5.db-journal

MD5 1a173ae74542301d40a3e89c4d0cf550
SHA1 ac00490a7048757d08cb400dc0157d8bfd809a1f
SHA256 6fde70f94390e2a73a221e05006892a241fc246ed858929d2aab13dcc269f485
SHA512 227b84d996b40f258810edffde12a0e09c7bf0baa668c43c17a68c2b3810fef00c0f363030979fdfc66a6234ce10441bf5127e2ed945e349afa463201a44739b

/data/user/0/com.qihoo.appstore/databases/filelist.db-journal

MD5 944f365354660badcfa386f4c6b8368c
SHA1 e8f2a2357e8d44554ef58c151777986b9dd02772
SHA256 a2c6a236f4b8044fce61ebf62d9c125ad29159f403ed74e2ee1b4462e1a988fe
SHA512 66bcc413fee627cff1a25bf5bbf3658aa1cb699d2d990804c7fef3ee01ee0a686267a8a0163d97b1ac0cae2b98eb67dada14712917985259bb824e1482da291b

/data/user/0/com.qihoo.appstore/databases/download5.db-journal

MD5 3ea968aac634efea28efdcf92963c57b
SHA1 499984a79bb78f6d8fda3f5bc7f6f1fd7e63288d
SHA256 3b2c90e0f299210d6aa28d7543eb913f7d210ebedce99b5ab629c25304da454e
SHA512 270920b683520b46587c56cca4eb13cec29c1d545d989656c04998f3fea6e6edeef7fad73edfd57ab88da4f35063340f84a6021193405af134f3c2d82acfdcaa

/data/user/0/com.qihoo.appstore/databases/new_downloads.db-journal

MD5 1d8acb473576b99bd4a51f0cbab817e4
SHA1 32e8a8c293e9c6572d96b26c0624b41ffae45f84
SHA256 fd88e2f913d3b8d2ef00feb6f8616a9c6b8ea96033b4c02891a116ead0cd66b4
SHA512 3a460fb38f453da7561a0f7a34488f7dc7e1f7c652491721b1ba2905bd671c7e0e071fcc2750f2d94b376dd1294e97850a168a357f13eefdac69439432248474

/data/user/0/com.qihoo.appstore/databases/new_downloads.db

MD5 da30447946e2d70726bb630da1968fb5
SHA1 218c2c3c6a41f77fbc520f7e93a7a9b6790a01dd
SHA256 9058433ae1e6c81955a74044abafd15eee72c985ad4bce8e4f3054275e8513b1
SHA512 d15637b801b0112ace1110abbb25d6eda82741df2401df8edb749eb9a733306be33a438d66433b02d29883ff9314d338431f39a5779e805945fbd177535b2ba5

/data/user/0/com.qihoo.appstore/CrashLog/LastCrash

MD5 e2438f1cc8582848ffe49cf271fef785
SHA1 dc72d1e1515f6be309e14ca7010ea33376dd4baf
SHA256 92f18c7a0dd55098ab6d8fac4bcd879922502687447a1433ee8b400d59ce67ed
SHA512 419f897f8a4b75722e69ccbc3bc7559a7778c086a03df7845d69aacfa60763e57125ba4827ba43e982d1b6587e4c73ced9315d4eed6b4dc855855d0308007344

/data/user/0/com.qihoo.appstore/databases/ignoreupdate_appinfo.db-journal

MD5 a4c9925b54a56d17738216d491a44a3f
SHA1 b26bfe36142c6ceea2acfbc61ad42cf15835c0f3
SHA256 e0641624d1b142c516ec1fc55817a73edcd8c52f8c7e53ca7adf943decdf4137
SHA512 8e01b7ea2f496dff347c9d554b4640582c23067fd66717ea80a62d04d9e76dcb057e499fdb159b85de986ba6e92fc5c65986bce56ffa9ddb2baf6d0816664f83

/data/user/0/com.qihoo.appstore/databases/new_downloads.db-journal

MD5 79bb88c51f6592fa6b36d76c5e2f9dc9
SHA1 ab6d2b103c3d86cff02f2ca6175ab8060f557ed9
SHA256 c1ed6649dd3114d92836520c61480a38308dfb2eed5869a5d296fbcb48fac233
SHA512 f2c5951dee97bb24b4ef8249f1d13e2056ce36e5f27647670635ce80b5976926f382255c01ecc0b318cc7e1233d83d8fb8e03ae747cfba9d9c7d39b26550152c

/data/user/0/com.qihoo.appstore/databases/ignoreupdate_appinfo.db

MD5 21c983a49e966f56e32c8e903d6b6e4d
SHA1 8dd947fa95f05e53644b57c00d8df6b468568099
SHA256 b759b5525e8f8a12af6e7c2ba7ab4dd8f733fdaa6868ed5f9f70369291e07899
SHA512 0a17b980c062a2a3fe65b628f1f009c3fe66a455d144bb3231b880ed66e27915559dec00af3f7ac4e44ebfef492acb9676b06cb0f811c832698030811e537cf9

/data/user/0/com.qihoo.appstore/databases/ignoreupdate_appinfo.db-journal

MD5 016d5dd6460c693afddb2aebcd2acf63
SHA1 94a2a8923f73476665effa1f45f042686682b342
SHA256 27d521ceb147008fb15e200b477aa5321fe1d862bc706ae913a6f5d5df27f54d
SHA512 8fa07eda74fb22b2c8abfb9ff277b55180b073f3dc9ec8c650de3d46bca677abe3a9dea3bc4a66567d7a1caf92fbcb1aeb55a4c0d5d1f390d67c66b6d99a8dc8

/data/user/0/com.qihoo.appstore/CrashLog/Crash1.log

MD5 2e8d2b7e3b1a8758ee427d301314b7ef
SHA1 32bcf7c03fd4934e1224feaf2114df2ae56d0551
SHA256 67b1e827a498e60301f0b57d15e0e342027c49266e8be14c7441dc7f774c299d
SHA512 2a7acd5dff858b159ad5ddd05f8392dda9a0d2185dd5b2b4b20ab660d8946bd3686cdaaaeff7317d717a23a2da1d86e5e42e0221e20e55cc020a2d9a16b0869f

/data/user/0/com.qihoo.appstore/CrashLog/Crash2.log

MD5 459b692f3e47b58541fd8f7e640e3685
SHA1 f34d77aed6a3ab278d5dff9ef6e90f49e6b3605d
SHA256 f153aa89d201d60f5219f4ad9f0b57e3712a9acf0a46c1c905baaf3abf1630a7
SHA512 810f627a5552d4944c04f9adb32cd9ab502c85fee295caf5c326f0aad4573e01d07207d4ec7aecddc68a48265f744fab57b3afbb3c95dc17be7fc1da4c935738

/data/user/0/com.qihoo.appstore/files/rooter.jar

MD5 e6beb4e66852e393f6560e87cb757635
SHA1 80a65db419468db4e69f9fe12d9eea1976a00de4
SHA256 26fafeafdb66c57aabed31fb2973fdb6d999812de4fe61296c5cc5ee74e0548c
SHA512 de3b1234b0ea20c0c04f229a72d4b46e8aebca6670dd1af3a02741b0d9c33317dfe52c1b498310b7d0c2c1624f3fbbe8c7320f72699bd1713fc6f644876751a5

/data/user/0/com.qihoo.appstore/files/libsucore.so

MD5 dcd7b4ecd6b5b75fde80d66880b8757c
SHA1 a5f926eb632c94599be0355a9cf6ea9742a014df
SHA256 33ded700b32448ea8564eb14257c67dfc8e0e4ba09652efd2af9ab8d90b0b6e5
SHA512 15506fec5f86d57328e28fb892419601253f5f6b1ff61ce01202bd50c4a870b4df6feabe12b5c742a70503b22fb114aa8b5f338b72e0f56c513cde8723bc5fad

/data/user/0/com.qihoo.appstore/databases/_ire-journal

MD5 811e1cc55baad3e08a4919c1cecef707
SHA1 22643e1cd30d38f0d3d16b534e6e15c7070c658e
SHA256 df6b8c6aa977d4d8db7e739956de25af06329731bed2724581c940af2ca20246
SHA512 756ae22496387591da424283a12533bb223a538ebcb1fe5b50fabec9e3dc3235fef5eee2bd482cd7bea89301b83626d05b6c40cb3b2643f15bf068d1ceaa61d5

/data/user/0/com.qihoo.appstore/databases/_ire-journal

MD5 1fe63e631e2d061f1eae430ed8ff1a9d
SHA1 62f85c11d90cc93fe3ed6bd42758436536f917c4
SHA256 e74b6319fb5f849b078aef7b75dc2096c8669af4ebbc55ae6f5e83fdde2d4ac4
SHA512 98845a36ed5e62b35de7ac097e8d0f68683df7171a76b377b04430150dc9cc9c443cc1274198b7e8fec87315f28430a1832858afaf4acd86768c4a31830cb18d

/data/user/0/com.qihoo.appstore/files/360/sdk/persistence/data/Y29tLnFpaG9vLmFwcHN0b3Jl

MD5 d917e96a88ce79c005bbbf76fa725f83
SHA1 e890fe1c4b2f2f9063cdbf10467225857cb505ae
SHA256 5e3083b577585c7f8e0038c92cda0b9d722d6c685134dabfcd10adab8976f372
SHA512 5609ea72371d520980c0c27cb51b13dfcda0b5f2a21c2914d90e5de6f8ce5559a08f449cdb20909dc9366e0818e05a2f4de263b1d98a9fa87f9677339d665034

/data/user/0/com.qihoo.appstore/files/360/sdk/persistence/data/Y29tLnFpaG9vLmFwcHN0b3Jl

MD5 8c180053effb166026c7dce4a74221e6
SHA1 ca889cec1aa2acb7d7b6e40b09452c4b9ea9344e
SHA256 887731887afe153c83f094ee75918d8f2074d4b680728b185d47ab6e657b846f
SHA512 69f91fab2e72fffd79a3b0863d0cf534782f8d1cfd8a5db5b2786defc7460d518ec8a86ebaa1359f7545f1c1a837f5e7c8f6aea7b6bcdd8cb23227062e0ba693

/data/user/0/com.qihoo.appstore/files/360/sdk/persistence/data/Y29tLnFpaG9vLmFwcHN0b3Jl

MD5 9b22542e86604e30e3435d03424c7b92
SHA1 679c8217c36284d11ff036cc294f57239323dca7
SHA256 8d75fbb7c7b26075bf5e32f99ea4234936244649a0fd66da17cca9ce8b992edd
SHA512 391e65b21177a0ebc761b31c499ab369e002b28747212f6c0ba78431aa18d2bffce101be53e38b746371e23e437be8353487a569a321c6c0e1a921741eb31a99

/data/user/0/com.qihoo.appstore/localApkInfo.json

MD5 8ff7b6a17910cf169f5aa04aa27fbb55
SHA1 5be0bc97267a10119060c922b1a373a08a51fbca
SHA256 2df935791154a4d75bc3770127655eb04cfa46e0a8dc3bae9df32abc45bf8912
SHA512 05878c211eb299b9ff3e85bdbd71cd6b8adf9ad03ef6d14eca873240d7a1d9db39705294927d82b6248b2c81b2d01e9821462de6f6487d49e16f3369f5b73512
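
The file records above are the raw material for an IOC list, but read by eye two things are easy to miss: which of the dropped files actually carry code (rooter.jar, libsucore.so), and which paths appear more than once with different hashes because the sandbox captured them before and after a rewrite (the _ire-journal and the 360 sdk persistence entries). The helper below is an added triage example, not part of the report or of any sandbox vendor's tooling. It assumes the record layout shown on this page (a path line, then MD5/SHA1/SHA256/SHA512 lines), and the sample input is a constructed excerpt that copies four of the page's own records verbatim; the list of code-carrying extensions is an analyst heuristic, not something the report states.

```python
"""Parse sandbox "Files" records and flag what merits a closer look.

Added example, not the sandbox's own code. Assumes the record layout
shown on the page; SAMPLE_FILES_SECTION is a constructed excerpt that
copies four records from the report verbatim.
"""
import re
from collections import defaultdict

SAMPLE_FILES_SECTION = """
/data/user/0/com.qihoo.appstore/files/rooter.jar

MD5 e6beb4e66852e393f6560e87cb757635
SHA1 80a65db419468db4e69f9fe12d9eea1976a00de4
SHA256 26fafeafdb66c57aabed31fb2973fdb6d999812de4fe61296c5cc5ee74e0548c
SHA512 de3b1234b0ea20c0c04f229a72d4b46e8aebca6670dd1af3a02741b0d9c33317dfe52c1b498310b7d0c2c1624f3fbbe8c7320f72699bd1713fc6f644876751a5

/data/user/0/com.qihoo.appstore/files/libsucore.so

MD5 dcd7b4ecd6b5b75fde80d66880b8757c
SHA1 a5f926eb632c94599be0355a9cf6ea9742a014df
SHA256 33ded700b32448ea8564eb14257c67dfc8e0e4ba09652efd2af9ab8d90b0b6e5
SHA512 15506fec5f86d57328e28fb892419601253f5f6b1ff61ce01202bd50c4a870b4df6feabe12b5c742a70503b22fb114aa8b5f338b72e0f56c513cde8723bc5fad

/data/user/0/com.qihoo.appstore/databases/_ire-journal

MD5 811e1cc55baad3e08a4919c1cecef707
SHA1 22643e1cd30d38f0d3d16b534e6e15c7070c658e
SHA256 df6b8c6aa977d4d8db7e739956de25af06329731bed2724581c940af2ca20246
SHA512 756ae22496387591da424283a12533bb223a538ebcb1fe5b50fabec9e3dc3235fef5eee2bd482cd7bea89301b83626d05b6c40cb3b2643f15bf068d1ceaa61d5

/data/user/0/com.qihoo.appstore/databases/_ire-journal

MD5 1fe63e631e2d061f1eae430ed8ff1a9d
SHA1 62f85c11d90cc93fe3ed6bd42758436536f917c4
SHA256 e74b6319fb5f849b078aef7b75dc2096c8669af4ebbc55ae6f5e83fdde2d4ac4
SHA512 98845a36ed5e62b35de7ac097e8d0f68683df7171a76b377b04430150dc9cc9c443cc1274198b7e8fec87315f28430a1832858afaf4acd86768c4a31830cb18d
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Heuristic (assumption, not from the report): files with these extensions
# carry executable code, so dropping them into app-private storage matters.
CODE_EXTS = (".jar", ".so", ".dex", ".apk", ".odex", ".oat")


def parse_files_section(text):
    """Return one dict per record: {'path', 'MD5', 'SHA1', 'SHA256', 'SHA512'}.

    Parsing is strict: an unexpected line or a digest of the wrong length
    raises, because a silently skipped record means a missing IOC.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash line before any path: " + line)
            algo, digest = m.group(1), m.group(2)
            if len(digest) != HASH_LEN[algo]:
                raise ValueError("bad %s length for %s" % (algo, current["path"]))
            current[algo] = digest
        elif line.startswith("/"):
            current = {"path": line}
            records.append(current)
        else:
            raise ValueError("unexpected line: " + line)
    for rec in records:
        missing = [a for a in HASH_LEN if a not in rec]
        if missing:
            raise ValueError("%s missing %s" % (rec["path"], missing))
    return records


def triage(records):
    """Split records into code-carrying drops and paths rewritten mid-run.

    Returns (code_drops, rewritten): code_drops keeps record order;
    rewritten maps a path seen with more than one SHA256 to its digests.
    """
    code_drops = [r for r in records if r["path"].lower().endswith(CODE_EXTS)]
    by_path = defaultdict(set)
    for r in records:
        by_path[r["path"]].add(r["SHA256"])
    rewritten = {p: sorted(h) for p, h in by_path.items() if len(h) > 1}
    return code_drops, rewritten


if __name__ == "__main__":
    code, rewritten = triage(parse_files_section(SAMPLE_FILES_SECTION))
    for r in code:
        print("code drop:", r["path"], r["SHA256"])
    for path, digests in rewritten.items():
        print("rewritten during run:", path, len(digests), "versions")
```

A path that shows up with several SHA256 values is not an error in the report; it is the same file captured at different points of the detonation, and every version belongs in the IOC set.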

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 06:22

Reported

2024-06-13 06:22

Platform

android-x64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353                                  udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 06:22

Reported

2024-06-13 06:25

Platform

android-x64-arm64-20240611.1-en

Max time kernel

8s

Max time network

132s

Command Line

com.qihoo.rooter

Signatures

N/A

Processes

com.qihoo.rooter

Network

Country  Destination           Domain                      Proto
GB       172.217.16.238:443                                tcp
GB       172.217.16.238:443                                tcp
N/A      224.0.0.251:5353                                  udp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       142.250.180.8:443     ssl.google-analytics.com    tcp
GB       172.217.169.68:443                                tcp
GB       172.217.169.68:443                                tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 06:22

Reported

2024-06-13 06:22

Platform

android-x86-arm-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353                                  udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 06:22

Reported

2024-06-13 06:22

Platform

android-x86-arm-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353                                  udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 06:22

Reported

2024-06-13 06:25

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

140s

Command Line

com.qihoo.rooter

Signatures

N/A

Processes

com.qihoo.rooter

Network

Country  Destination           Domain                      Proto
GB       172.217.169.74:443                                tcp
N/A      224.0.0.251:5353                                  udp
GB       142.250.187.238:443                               tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.179.238:443   android.apis.google.com     tcp
GB       172.217.169.74:443                                tcp
GB       172.217.169.74:443                                tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 06:22

Reported

2024-06-13 06:25

Platform

android-x64-20240611.1-en

Max time kernel

9s

Max time network

152s

Command Line

com.qihoo.rooter

Signatures

N/A

Processes

com.qihoo.rooter

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353                                  udp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       216.58.204.72:443     ssl.google-analytics.com    tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.180.14:443    android.apis.google.com     tcp
GB       142.250.200.46:443                                tcp
GB       172.217.169.68:443                                tcp
GB       172.217.169.68:443                                tcp
GB       216.58.212.238:443                                tcp
GB       142.250.200.2:443                                 tcp

Files

N/A
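
The network tables in the com.qihoo.rooter detonations mix three different kinds of row: mDNS multicast to 224.0.0.251:5353 (local service discovery, present even in the runs where nothing else happened), DNS queries to the 1.1.1.1 resolver (the Domain column holds the name looked up), and TCP/443 connections, which carry a domain only when the sandbox could tie the destination IP to a preceding DNS answer. Rows without a domain are connections the capture could not attribute, and need an external lookup (RDAP, passive DNS, or the TLS SNI from the pcap) before they can be called benign or not. The parser below is an added example, not part of the report or of the sandbox's tooling; it assumes the row layout shown on this page, and its input is a constructed copy of the behavioral10 table.

```python
"""Classify sandbox "Network" rows so the noise and the unattributed
connections separate cleanly.

Added example, not the sandbox's own code. Assumes rows of the form
"Country Destination[:port] [Domain] Proto"; SAMPLE_NETWORK_TABLE is a
constructed copy of the behavioral10 table from the report.
"""
import ipaddress
from collections import Counter

SAMPLE_NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 216.58.212.238:443 tcp
GB 142.250.200.2:443 tcp
"""

HEADER = ["Country", "Destination", "Domain", "Proto"]


def parse_network_table(text):
    """Return one dict per row; Domain is None when the column is empty."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0].split() != HEADER:
        raise ValueError("unexpected header")
    rows = []
    for line in lines[1:]:
        t = line.split()
        if len(t) not in (3, 4):  # 3 tokens = no domain, 4 = domain present
            raise ValueError("malformed row: " + line)
        host, _, port = t[1].rpartition(":")
        rows.append({
            "country": None if t[0] == "N/A" else t[0],
            "ip": ipaddress.ip_address(host),
            "port": int(port),
            "domain": t[2] if len(t) == 4 else None,
            "proto": t[-1],
        })
    return rows


def classify(row):
    """mdns / dns-query / attributed / unattributed, by destination and proto."""
    if row["ip"].is_multicast and row["port"] == 5353 and row["proto"] == "udp":
        return "mdns"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-query"
    return "attributed" if row["domain"] else "unattributed"


def summarize(rows):
    """Collapse rows into what an analyst needs: resolvers used, names
    looked up, attributed endpoints, and unattributed endpoints with the
    number of times each was contacted."""
    summary = {"mdns": 0, "resolvers": set(), "lookups": set(),
               "attributed": {}, "unattributed": Counter()}
    for r in rows:
        kind = classify(r)
        endpoint = (str(r["ip"]), r["port"])
        if kind == "mdns":
            summary["mdns"] += 1
        elif kind == "dns-query":
            summary["resolvers"].add(str(r["ip"]))
            summary["lookups"].add(r["domain"])
        elif kind == "attributed":
            summary["attributed"][endpoint] = r["domain"]
        else:
            summary["unattributed"][endpoint] += 1
    return summary


if __name__ == "__main__":
    s = summarize(parse_network_table(SAMPLE_NETWORK_TABLE))
    print("mDNS rows (noise):", s["mdns"])
    print("resolvers:", sorted(s["resolvers"]))
    print("names looked up:", sorted(s["lookups"]))
    for ep, name in s["attributed"].items():
        print("attributed: %s:%d -> %s" % (ep[0], ep[1], name))
    for ep, n in s["unattributed"].items():
        print("UNATTRIBUTED: %s:%d (x%d) - needs RDAP/SNI lookup" % (ep[0], ep[1], n))
```

Run against the behavioral10 table this leaves four unattributed TCP/443 endpoints; the same IPs recur across the behavioral9 and behavioral11 runs, so whatever attribution you establish for them once can be reused for the other detonations.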