Analysis Overview
SHA256
3ec5aea05c57cad11be0fc90683cc56a491a9dcb1b380c853465ed9899af2b38
Threat Level: Likely malicious
The file a497f3ef165ae8a2057f56a9ee20b577_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Queries account information for other applications stored on the device
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about running processes on the device
Loads dropped Dex/Jar
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Queries information about the current Wi-Fi connection
Reads information about phone network operator
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Analysis: static1
Detonation Overview
Reported
2024-06-13 08:18
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 08:18
Reported
2024-06-13 08:22
Platform
android-x86-arm-20240611.1-en
Max time kernel
178s
Max time network
179s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries account information for other applications stored on the device
| Description | Indicator | Process | Target |
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.sspi.twlj.dwav
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.sspi.twlj.dwav/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
com.sspi.twlj.dwav:daemon
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 08:18
Reported
2024-06-13 08:22
Platform
android-x64-20240611.1-en
Max time kernel
179s
Max time network
180s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries account information for other applications stored on the device
| Description | Indicator | Process | Target |
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.sspi.twlj.dwav
com.sspi.twlj.dwav:daemon
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 08:18
Reported
2024-06-13 08:22
Platform
android-x64-arm64-20240611.1-en
Max time kernel
179s
Max time network
188s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.sspi.twlj.dwav/app_mjf/dz.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries account information for other applications stored on the device
| Description | Indicator | Process | Target |
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.sspi.twlj.dwav
com.sspi.twlj.dwav:daemon
Network
Files