Malware Analysis Report

2024-09-09 13:22

Sample ID 240613-kamwgsvcrm
Target a49cc92a46085d20774d2bf2b9d0119f_JaffaCakes118
SHA256 2878809f80d158edf83ca763cbd7b4a7230ee6b6185613597d0ac578455a3777
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2878809f80d158edf83ca763cbd7b4a7230ee6b6185613597d0ac578455a3777

Threat Level: Likely malicious

The file a49cc92a46085d20774d2bf2b9d0119f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries information about running processes on the device

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:23

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:23

Reported

2024-06-13 08:27

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

180s

Command Line

com.vzur.kumf.ufnn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.vzur.kumf.ufnn

com.vzur.kumf.ufnn:daemon

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.8:80 | ip.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp

Files

/data/data/com.vzur.kumf.ufnn/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.vzur.kumf.ufnn/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 4d728bfd2408a5dd7f7773aceb11bd7e
SHA1 f29523383ebedbb5de3d952f39e00cd6169714aa
SHA256 1b325459ee7045daf40d500240c02696c04dd787c94997e7289f01687d420832
SHA512 cfe8eff03a2639612edb9b5f25c4d89ffa10a305af645d950090ac39d592c08d993d759139ff3f766a909c2be42c7afc7e520c33f81e20173f686b5a9f1d9e80

/data/data/com.vzur.kumf.ufnn/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.vzur.kumf.ufnn/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.vzur.kumf.ufnn/databases/lezzd-wal

MD5 7f946cdc0d0e36f37efb4e1247ccb2ba
SHA1 5771b3932f0f1508f05350ea498487dbda41e819
SHA256 0d58937a0ddd9a56c6102171f3173ae01199fe7e80f20bba96e22b753e33219c
SHA512 3b03923508016db5453334cae90835df875c69911a9ed6bc56b7228b617cbfa865bb8bf9bec83d4cbad569517d3314e23918c97fd40250e9a8f1cc160fb8646e

/data/data/com.vzur.kumf.ufnn/app_mjf/oat/dz.jar.cur.prof

MD5 d824dd01c0a7ec1b6e80b15e26c42de1
SHA1 94499802a87704ced05d81d17eb35b569e4232d3
SHA256 26ffac8367c7a4d72f5cc780e019caa82123d6ee0301f27c50b5e970ce4862b8
SHA512 fab37de0c626071d4ce3173ff4f6ffa003bfeb66950de585c1ea70e377a7f9fe705b8ce6c76b5b2522a3fb8bfc0711c73976be0733d4b558bbdcc38cba033e4f

/data/data/com.vzur.kumf.ufnn/files/umeng_it.cache

MD5 0ff3a94548d89779d753dad47b6be063
SHA1 f8ad7cab3c047a162e03a08d6ef3a48380b7133a
SHA256 f5570ad8869951d62afe7f152c82813eb2adf15b4c643441ac40abfe40b0d515
SHA512 fab1c531cda2506cce996ab694c54f078409edd362cff19bf340d5decf8952803052e0e7918c98c6db8bc1e1abce2630cb8f15f1f1f292505f580dc86a766935

/data/data/com.vzur.kumf.ufnn/files/.umeng/exchangeIdentity.json

MD5 ff04f66ddec026ad0112c15dadfc8cc3
SHA1 61c6dc29668017f4bb21b7f4dc83ed8119fb089b
SHA256 cecf97ec19723a23b36309c93b5f9e09535d5a783365e8ac2c8b59eb5468ca38
SHA512 cb7679c1caf53e618756c23c6b72ab7d2b94831dc847c4bc9b36c07e9079d9c4d9dfca38b3be35a6f45a42b8507b57c5701034766728d9d43b49828d9dc0cf64

/data/data/com.vzur.kumf.ufnn/files/.um/um_cache_1718267161138.env

MD5 4d4bd64b6325196cbcc1eef4233655fa
SHA1 65e4edfea71e9a7441c3614dd55e8a8fe47b0106
SHA256 40f1f94664e967b542fc553641cdf7fb16548f31f33752d9cbe06e60034c8008
SHA512 50bd3b8fd7718b2b9d5c72b7a07f9b673a3bd23cd64f25d6ee50e9812d93273c4cac3f99bfcc9274b588cd061dea4cce6f770ee36362ed17e84bd59ac51cec6f

/data/data/com.vzur.kumf.ufnn/files/mobclick_agent_cached_com.vzur.kumf.ufnn1

MD5 4aaeba6601a431430543ebd750fe13ad
SHA1 cc994f9e550674688a1e0a5d8d648b14db7d7063
SHA256 885e1d4f32d3ca286044f8685e4d96f06926a62c3421365c803920df46c4530a
SHA512 35b44d436f9c36b04fbba0cf2f0a27d62de13e5d66770e615133b64c7afbc424ed916cce0ba1e90d735fb693636850df5e2b6a2f90531742d8078a17de49e253

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:23

Reported

2024-06-13 08:27

Platform

android-x64-20240611.1-en

Max time kernel

177s

Max time network

181s

Command Line

com.vzur.kumf.ufnn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.vzur.kumf.ufnn

com.vzur.kumf.ufnn:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.187.226:443 | | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.165:80 | ip.taobao.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.122.165:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 59.82.122.165:80 | ip.taobao.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 59.82.122.165:80 | ip.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp

Files

/data/data/com.vzur.kumf.ufnn/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.vzur.kumf.ufnn/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 6c8b681f745c852b7d626c39b8780af2
SHA1 a3b75ef113e6f4fd75bdb7f8d0b0f7aeaf119f30
SHA256 725177d5335b4db535b5d4ed3069a0755a050035ead48f66c3fbcead80028311
SHA512 2a3912d25caf33c5d6678460101e4f598c53cac1a4c7ff02c794ebd547d66de3f83f09b5be0c9ab9fe5961761c089957ba06028a931b21f4516a23c199072974

/data/data/com.vzur.kumf.ufnn/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 acf4b5191b19fc21cd6b2bfe79f88fe5
SHA1 864bae289eee0a2a02230a9e5dd57407c728c57b
SHA256 fbabe348884e0fe3652fcc88697d27ea3be0923045b5771f2b3802bee12f51ac
SHA512 9078b47fae576136ee8117548027fe3acf27c9bef15b30bd3d39ef3a2c09ef432808fecee87bdb78ae05bb8d406e5427ce1fd0d82ae8f3a6344f338dc0d949a1

/data/data/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 e8712cdf646ea38ee65828b29e0da3c7
SHA1 795e451e17b07b5e938f91e73fe81fa25e066f45
SHA256 13864fe68433495880e37b6ecd1b1bcea2500eb2f3bf497bd45d142be4b916b1
SHA512 79130f0213687e2efeee72d39167949222ca85a1bedadd27b88edb555d2094fc1ba2e57440c311e5a1f1ebf2317fccc6f68e8992a94a0dfd9f34423395ca87dd

/data/data/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 604dcde5daad078fa28ca436abeb66c7
SHA1 38929ee72e7295f52448e2830ac21ab2e34d1e43
SHA256 f18f8541a266ea7a6161a58504ebab645c6b6168495bc075deef7c5178c70e47
SHA512 0c8700b8f3630ef912d8ea169d3ad148fe37c1d7714e659f855fd4c8da08934f71c1e005a8ec85be5251e62d5d7e5e3a69341821ce586516c41da80318a2d395

/data/data/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 2efba76d2b18c841d797ff7a2d119c89
SHA1 7ca211dbc80a8608e28ffd12d7f5049c05a1938b
SHA256 a553686afd2b63fd97fcb0032a608e9992d814b0b3433545731cd3f855508e92
SHA512 9588921122925f1cccaaa30dd6a195928905aa2a34e35bbc48fe5ff7f6a6ed98942c113319adfb558b1691a933ec633e2e4da403d83e54302870fa027fae3e38

/data/data/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 14c2772b21d581b286ac5897dc9c8723
SHA1 97281cd9c3deebc65946d7c22f731b955b795b0a
SHA256 8d7782bc073e906a4dc26eba7c56cdc3408645c87e78fc98ba7ba7e53022cd7f
SHA512 2430ae2958b7f3dbb40f0b5c0ca16edb5f103f88253ecdfb59e2d5cbaacee401c653d3cecf2d070b44beca30bf911541a302c9f811abbb13129e0b1d4043f7c7

/data/data/com.vzur.kumf.ufnn/files/umeng_it.cache

MD5 682b3e5ba8f9483f15bd98749a018c0e
SHA1 b00d511f45a4aa0886757cbd38cc7149695fb638
SHA256 03a35a39fbba043322ad01422945e7f3dfd3d06c6210184705bce727836aa3dc
SHA512 3377eb5279874e2d6b002a44f5ade764d398b3bc2ff6f020ee31b1e078385cd6f7f849595749ae35fe3b3a8b0d930e662bdf02c89d00e5dd291d75726b3a8c8a

/data/data/com.vzur.kumf.ufnn/files/.umeng/exchangeIdentity.json

MD5 ed16e9fa21981a32aee09d740cf41208
SHA1 ad2f43f48df7a3f2ad5715f9a6a14753008073e6
SHA256 c8009c262c462dfe69d867a4ae9757248caa9cefa48dbc67fb0da8cccc17152e
SHA512 cd3406d560b6edb23c41cd9ad1c5395ba37ac87b4b8ec04fe819efa79a6ef07c53ebffe6aaab7dafe9d36924dbed76b22a1de0ad4f2b96161f48b5b7e3a3b5a9

/data/data/com.vzur.kumf.ufnn/files/.um/um_cache_1718267159273.env

MD5 cf8e6f635a8e85d4b9089826c9530840
SHA1 adddd753dbf22ff2902d862c62785c24e9687a8a
SHA256 2f90302f3bb11b538ae98dc8081ea26ce5120b0254c8143d4be1576fb252a73b
SHA512 9cb55ab4bd6eb36092691cae1626d27d7932ae5a57dd4d03122a68bd4bf30170984256d2b806d9e9a6634329f022851426109938e3e87e9e1d70f94ca6be1b27

/data/data/com.vzur.kumf.ufnn/files/mobclick_agent_cached_com.vzur.kumf.ufnn1

MD5 54d320a36ebd2ea4644b415bf874632f
SHA1 2ff171e6195497c4f0f1f3825bed113707d5b3bb
SHA256 cfb0448fa5e93b6fd006193a080aeed59f3c67e73f1ffdc402b67c490eb33c4b
SHA512 abe9ff1cfb9801ba63cf2e53c843bcb7bff367107e2fab8970f2e236f50b027390bf0e8a5738fa3bc7a25e499eb86470a73e333902ee5148da4433fe9c2d1306

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 08:23

Reported

2024-06-13 08:27

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

144s

Command Line

com.vzur.kumf.ufnn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.vzur.kumf.ufnn

com.vzur.kumf.ufnn:daemon

Network

Country | Destination | Domain | Proto
GB | 172.217.16.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.8:80 | ip.taobao.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 59.82.122.8:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp

Files

/data/user/0/com.vzur.kumf.ufnn/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.vzur.kumf.ufnn/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.vzur.kumf.ufnn/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 8d4e573e1150d0c49aac97bf96b30abe
SHA1 b5884605ebe231f6ff29c089c5254f70ed485e22
SHA256 c72bf93fdaf3019d28b5fd3817840e0d129b75a42d04c256e04730c8ea9e1a82
SHA512 42b41b993e416f02da9778477899dd2145e17f3358446fa8fa63b733003862c7f03bb46d9cfe0397010ca2a0d782454ff7087c15c1de2611c95201915654a722

/data/user/0/com.vzur.kumf.ufnn/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 ff564feedb7b5650904c7e34850fb814
SHA1 e71d13178fe77926dbc7a60d0f150816803308ef
SHA256 71c5a161960daf22a22b432b52fd24cd3a4a79a9126d26f65eb4c9ad5ab6a802
SHA512 3d35bbb38db5daf140bfcd1e0d351a8f0b181a6ba97a176b3d8f2d0f190f3f4becaf2fb4645ae930eadc59ece264b37df1b46c303737011e50fe8ac4b4f4d195

/data/user/0/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 eab24e88b48cb173e58af8e78952c25b
SHA1 f77cd6bc5cf5b17d1f5e4d5a188131c725541ade
SHA256 d5f7f2bf366c32dc7fecac01f72d483759b34bcbc397c0770890eddc3c8089c0
SHA512 20cbbd101081e351c3c8197916b6aa73e117ee300516b03d4e77eb8538d7a08f65b112c582d03dd1e857c52f3d3e581a9440556aa5a4bfc9cd09e8a4724c5658

/data/user/0/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 4aaad9adbf08fbc42af0504c970f0a9a
SHA1 daa5d396cd034c8bc49f61b6f792b1f1335db591
SHA256 c4ee39f5276393242bbe5a8d57734d100eeec24a8b6fd6bce4d37335f58216b1
SHA512 2e455da2d6c58e62990cc7e48cf6b698ee0774038b5f6e2d0ac7eab56fdfec9f265c03254f0296f66e1c7a36baf5a1296f9aed8ed66d2d110cb75adf8d3f7769

/data/user/0/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 c3b5c513709202c355d5cbde87670cbd
SHA1 1bcc2e27164c789198b8ad08425322a15820b83c
SHA256 4d3dcfbc8685bd3b87274289040019ccfe2fd4c2f7abaa6dc591939628169d3d
SHA512 32277b52e730a17ad8611261730e915032832c18c1f71b72f1e69ba22f35672553fdc12d5ff7a7542087ac4c36c2266e5458fc9dcbd66bf536b813f6ef0f9a09

/data/user/0/com.vzur.kumf.ufnn/databases/lezzd-journal

MD5 0db248c8caa335030acf5d43794dde61
SHA1 23b3c360388633439e3b24a517ecfca226cadc82
SHA256 1f3d12d970179b3e40cffa5417eeaff2d3d8b1b68161ceb92f9e6e5e2a51a433
SHA512 975e639f272cdc07b0f8015a34194c49b0b07acdc7f4a9ca86f203a1957816d961b04a519884d823306fdea647eb035781cf2313a1a0b62c66e425cff8e31820

/data/user/0/com.vzur.kumf.ufnn/files/umeng_it.cache

MD5 a4b7d81e20382a36e50d0934f6dc4d3b
SHA1 6a0e30cd2f2af1d202d19dce3fd3508dc8338832
SHA256 c472e37a8047082bdd7495df1c2941462f318a61dea32b248efd4a8d8ee37eee
SHA512 c1ac00bfebe7b2ad8869195a789e8f4c8a6b6b183ff9a8eefb8c5e2ac3c974aa0b0e614ebcdd138d1045eba8da53412659ab059d50a5faa636c5b264440efaf9

/data/user/0/com.vzur.kumf.ufnn/files/.umeng/exchangeIdentity.json

MD5 f1c704de267319b1a6caa84ab4a220d6
SHA1 615e02bdb4bd0659b3120a8db2cd6461c30d0714
SHA256 fbb12e25690bab65bf931c86b2efdf539a30716c60608dc32385765ad225fae7
SHA512 200ca113b4eb2d3dd0bdea83e29ee543778dfa268c1cea12b74434bc1d9682b48261b0ed596546ab2667f12b2243775db5dfaeb404c460e7cd946cafa79315ae

/data/user/0/com.vzur.kumf.ufnn/files/.um/um_cache_1718267159445.env

MD5 afff7486fe6b948a5b488a51343992b3
SHA1 3378b33b45950e6d48d8ab54717b9ec338c1c41c
SHA256 f8a54ab577b75ef0cc04361072fbfbe1f713a96e3506b0c622b4fce9d07eec98
SHA512 4185ef72c4ae01d7f7a228423ae92bc22de9c3d38dcc58c059436871fde41d2506aa902ef5edcabc536c19b7091a6c119c6fdb822ced91f61005e1eedd10c330

/data/user/0/com.vzur.kumf.ufnn/files/.imprint

MD5 b09ce343e433b46070dcab7f6311220c
SHA1 3b906ef201c7b961c2aebe80cfcf0b2ede6a8ab4
SHA256 44cfa7c7d11e67f9da4071c314d69a1368faf35d3e8e30506c28632537afcfc4
SHA512 b7ceeaa627e7a6930d7d716b705f21d8953ff4519c4cedc161c0329a8d970bc7bbb68fc52d88c278cca5a4cd143835f54156e9bcdecd9aa11f4259404221be78

/data/user/0/com.vzur.kumf.ufnn/files/mobclick_agent_cached_com.vzur.kumf.ufnn1

MD5 65548021958122a3cd57064008797ea9
SHA1 bc5afc084862010b87ede0317990306a23d0b645
SHA256 447c9cc57cfe2b882fd45953196a6c7d9b319446ab62e6475b900bc1cfc84a63
SHA512 2c086749427870eaee9423c7b63fc5af0e0f7a374abe2bf73cd0aeb8a24773ad0616fcceb73e90d3204212b52a59b143bae70abad1c78c939cddde79b842c496