Analysis Overview
SHA256
5f9e147476d6207f96829ce7694536e4d0487340594d2e1a317367507e5f35f5
Threat Level: Shows suspicious behavior
The file a524bd886e412435992366e9726b6418_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Queries information about running processes on the device
Requests dangerous framework permissions
Queries information about active data network
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 10:45
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 10:45
Reported
2024-06-13 10:49
Platform
android-x86-arm-20240611.1-en
Max time kernel
176s
Max time network
183s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.jxzc.zhichengsd/mix.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.jxzc.zhichengsd
sh -c getprop ro.yunos.version
getprop ro.yunos.version
Network
Files
/data/data/com.jxzc.zhichengsd/databases/bugly_db_legu-journal
/data/data/com.jxzc.zhichengsd/databases/bugly_db_legu
/data/data/com.jxzc.zhichengsd/databases/bugly_db_legu-shm
/data/data/com.jxzc.zhichengsd/databases/bugly_db_legu-wal
/data/data/com.jxzc.zhichengsd/mix.dex
/data/data/com.jxzc.zhichengsd/lib-main/dso_state
/data/data/com.jxzc.zhichengsd/lib-main/libIDCARDDLL.so
/data/data/com.jxzc.zhichengsd/lib-main/libshella-2.8.so
/data/data/com.jxzc.zhichengsd/lib-main/dso_deps
/data/data/com.jxzc.zhichengsd/lib-main/dso_manifest
/data/data/com.jxzc.zhichengsd/lib-main/dso_state
/storage/emulated/0/data/.push_deviceid
/data/data/com.jxzc.zhichengsd/files/jpush_stat_history/normal/nowrap/99bea5cd-999b-40c9-96fb-9766ad4a1ac5
/data/data/com.jxzc.zhichengsd/files/jpush_stat_history/normal/nowrap/0e94c91e-2fa2-4e9e-a109-8bcc4e140233
/data/data/com.jxzc.zhichengsd/databases/google_tagmanager.db-journal
/data/data/com.jxzc.zhichengsd/databases/google_tagmanager.db
/data/data/com.jxzc.zhichengsd/databases/google_tagmanager.db-wal
/data/data/com.jxzc.zhichengsd/databases/google_analytics_v4.db-journal
/data/data/com.jxzc.zhichengsd/databases/google_analytics_v4.db-wal
/data/data/com.jxzc.zhichengsd/databases/RKStorage-journal
/data/data/com.jxzc.zhichengsd/databases/RKStorage-wal
/data/data/com.jxzc.zhichengsd/files/gaClientId
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 10:45
Reported
2024-06-13 10:46
Platform
android-33-x64-arm64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.16.228:443 | | udp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 216.58.212.196:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |