Malware Analysis Report

2024-09-09 13:22

Sample ID 240613-j7p7fa1arc
Target a497f3ef165ae8a2057f56a9ee20b577_JaffaCakes118
SHA256 3ec5aea05c57cad11be0fc90683cc56a491a9dcb1b380c853465ed9899af2b38
Tags: banker, collection, discovery, evasion, persistence, stealth, trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 3ec5aea05c57cad11be0fc90683cc56a491a9dcb1b380c853465ed9899af2b38

Threat Level: Likely malicious

The file a497f3ef165ae8a2057f56a9ee20b577_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, collection, discovery, evasion, persistence, stealth, trojan

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Reads information about the phone network operator

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 08:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 08:18
Reported: 2024-06-13 08:22
Platform: android-x86-arm-20240611.1-en
Max time kernel: 178s
Max time network: 179s

Command Line

com.sspi.twlj.dwav

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.sspi.twlj.dwav

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.sspi.twlj.dwav/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.sspi.twlj.dwav:daemon

Network

Files

/data/data/com.sspi.twlj.dwav/app_mjf/tdz.jar

/data/data/com.sspi.twlj.dwav/app_mjf/ddz.jar

/data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar

/data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar

/data/data/com.sspi.twlj.dwav/files/umeng_it.cache

/data/data/com.sspi.twlj.dwav/files/.umeng/exchangeIdentity.json

/data/data/com.sspi.twlj.dwav/databases/lezzd-journal

/data/data/com.sspi.twlj.dwav/databases/lezzd

/data/data/com.sspi.twlj.dwav/databases/lezzd-shm

/data/data/com.sspi.twlj.dwav/databases/lezzd-wal

/data/data/com.sspi.twlj.dwav/files/.um/um_cache_1718266803441.env

/data/data/com.sspi.twlj.dwav/app_mjf/oat/dz.jar.cur.prof

/data/data/com.sspi.twlj.dwav/files/.imprint

/data/data/com.sspi.twlj.dwav/files/mobclick_agent_cached_com.sspi.twlj.dwav1

/data/data/com.sspi.twlj.dwav/files/.umeng/exchangeIdentity.json

/data/data/com.sspi.twlj.dwav/files/.um/um_cache_1718266912313.env

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 08:18
Reported: 2024-06-13 08:22
Platform: android-x64-20240611.1-en
Max time kernel: 179s
Max time network: 180s

Command Line

com.sspi.twlj.dwav

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.sspi.twlj.dwav

com.sspi.twlj.dwav:daemon

Network

Files

/data/data/com.sspi.twlj.dwav/app_mjf/tdz.jar

/data/data/com.sspi.twlj.dwav/app_mjf/ddz.jar

/data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar

/data/data/com.sspi.twlj.dwav/files/umeng_it.cache

/data/data/com.sspi.twlj.dwav/files/.umeng/exchangeIdentity.json

/data/data/com.sspi.twlj.dwav/databases/lezzd-journal

/data/data/com.sspi.twlj.dwav/databases/lezzd

/data/data/com.sspi.twlj.dwav/databases/lezzd-journal

/data/data/com.sspi.twlj.dwav/databases/lezzd-journal

/data/data/com.sspi.twlj.dwav/databases/lezzd-journal

/data/data/com.sspi.twlj.dwav/databases/lezzd-journal

/data/data/com.sspi.twlj.dwav/databases/lezzd-journal

/data/data/com.sspi.twlj.dwav/files/.imprint

/data/data/com.sspi.twlj.dwav/files/umeng_it.cache

/data/data/com.sspi.twlj.dwav/files/.umeng/exchangeIdentity.json

/data/data/com.sspi.twlj.dwav/app_mjf/oat/dz.jar.cur.prof

/data/data/com.sspi.twlj.dwav/files/.um/um_cache_1718266851951.env

/data/data/com.sspi.twlj.dwav/files/mobclick_agent_cached_com.sspi.twlj.dwav1

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-13 08:18
Reported: 2024-06-13 08:22
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 179s
Max time network: 188s

Command Line

com.sspi.twlj.dwav

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about the phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.sspi.twlj.dwav

com.sspi.twlj.dwav:daemon

Network

Files

/data/user/0/com.sspi.twlj.dwav/app_mjf/tdz.jar

/data/user/0/com.sspi.twlj.dwav/app_mjf/ddz.jar

/data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar

/data/user/0/com.sspi.twlj.dwav/files/umeng_it.cache

/data/user/0/com.sspi.twlj.dwav/files/.umeng/exchangeIdentity.json

/data/user/0/com.sspi.twlj.dwav/databases/lezzd-journal

/data/user/0/com.sspi.twlj.dwav/databases/lezzd

/data/user/0/com.sspi.twlj.dwav/databases/lezzd-journal

/data/user/0/com.sspi.twlj.dwav/databases/lezzd-journal

/data/user/0/com.sspi.twlj.dwav/databases/lezzd-journal

/data/user/0/com.sspi.twlj.dwav/databases/lezzd-journal

/data/user/0/com.sspi.twlj.dwav/databases/lezzd-journal

/data/user/0/com.sspi.twlj.dwav/files/.um/um_cache_1718266803414.env

/data/user/0/com.sspi.twlj.dwav/files/mobclick_agent_cached_com.sspi.twlj.dwav1
