Malware Analysis Report

2024-09-09 13:33

Sample ID 240614-2bwy8aycrg
Target abbfc842d462adb69849061e91d5a790_JaffaCakes118
SHA256 68203feb3411dccd4b1bb6afd3ec1f72589737b6324d82fbd9df0d14df66cc28
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

68203feb3411dccd4b1bb6afd3ec1f72589737b6324d82fbd9df0d14df66cc28

Threat Level: Likely malicious

The file abbfc842d462adb69849061e91d5a790_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:25

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every permission listed.

android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 22:25

Reported

2024-06-14 22:28

Platform

android-x64-20240611.1-en

Max time kernel

178s

Max time network

150s

Command Line

com.xhkk.lssp.foyj

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Loads dropped Dex/Jar

Tags: evasion
Indicator: /data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar (Description, Process, Target: N/A)
Indicator: /data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar (Description, Process, Target: N/A)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Queries account information for other applications stored on the device

Tags: collection
Description: Framework service call; Indicator: android.accounts.IAccountManager.getAccountsAsUser; Process: N/A; Target: N/A

Queries information about running processes on the device

Tags: discovery
Description: Framework service call; Indicator: android.app.IActivityManager.getRunningAppProcesses; Process: N/A; Target: N/A

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org

Indicator: alog.umeng.com (Description, Process, Target: N/A)

Queries information about active data network

Tags: discovery
Description: Framework service call; Indicator: android.net.IConnectivityManager.getActiveNetworkInfo; Process: N/A; Target: N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description: Framework service call; Indicator: android.net.wifi.IWifiManager.getConnectionInfo; Process: N/A; Target: N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description: Framework service call; Indicator: android.app.IActivityManager.registerReceiver; Process: N/A; Target: N/A

Checks CPU information

Description: File opened for read; Indicator: /proc/cpuinfo; Process: N/A; Target: N/A

Processes

com.xhkk.lssp.foyj

com.xhkk.lssp.foyj:daemon

Network


Files

/data/data/com.xhkk.lssp.foyj/app_mjf/tdz.jar

/data/data/com.xhkk.lssp.foyj/app_mjf/ddz.jar

/data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar

/data/data/com.xhkk.lssp.foyj/databases/lezzd-journal (6 entries)

/data/data/com.xhkk.lssp.foyj/databases/lezzd

/data/data/com.xhkk.lssp.foyj/files/umeng_it.cache

/data/data/com.xhkk.lssp.foyj/files/.umeng/exchangeIdentity.json

/data/data/com.xhkk.lssp.foyj/files/.um/um_cache_1718404025871.env

/data/data/com.xhkk.lssp.foyj/files/.imprint

/data/data/com.xhkk.lssp.foyj/files/mobclick_agent_cached_com.xhkk.lssp.foyj1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 22:25

Reported

2024-06-14 22:28

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

178s

Command Line

com.xhkk.lssp.foyj

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Loads dropped Dex/Jar

Tags: evasion
Indicator: /data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar (Description, Process, Target: N/A)
Indicator: /data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar (Description, Process, Target: N/A)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Queries account information for other applications stored on the device

Tags: collection
Description: Framework service call; Indicator: android.accounts.IAccountManager.getAccountsAsUser; Process: N/A; Target: N/A

Queries information about running processes on the device

Tags: discovery
Description: Framework service call; Indicator: android.app.IActivityManager.getRunningAppProcesses; Process: N/A; Target: N/A

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org

Indicator: alog.umeng.com (Description, Process, Target: N/A)

Queries information about active data network

Tags: discovery
Description: Framework service call; Indicator: android.net.IConnectivityManager.getActiveNetworkInfo; Process: N/A; Target: N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description: Framework service call; Indicator: android.net.wifi.IWifiManager.getConnectionInfo; Process: N/A; Target: N/A

Reads information about phone network operator

Tags: discovery

Checks CPU information

Description: File opened for read; Indicator: /proc/cpuinfo; Process: N/A; Target: N/A

Processes

com.xhkk.lssp.foyj

com.xhkk.lssp.foyj:daemon

Network


Files

/data/user/0/com.xhkk.lssp.foyj/app_mjf/tdz.jar

/data/user/0/com.xhkk.lssp.foyj/app_mjf/ddz.jar

/data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar

/data/user/0/com.xhkk.lssp.foyj/databases/lezzd-journal (6 entries)

/data/user/0/com.xhkk.lssp.foyj/databases/lezzd

/data/user/0/com.xhkk.lssp.foyj/files/umeng_it.cache

/data/user/0/com.xhkk.lssp.foyj/files/.umeng/exchangeIdentity.json

/data/user/0/com.xhkk.lssp.foyj/files/.um/um_cache_1718404021552.env

/data/user/0/com.xhkk.lssp.foyj/files/mobclick_agent_cached_com.xhkk.lssp.foyj1

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:25

Reported

2024-06-14 22:28

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

177s

Command Line

com.xhkk.lssp.foyj

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Loads dropped Dex/Jar

Tags: evasion
Indicator: /data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar (Description, Process, Target: N/A)
Indicator: /data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar (Description, Process, Target: N/A)
Indicator: /data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar (Description, Process, Target: N/A)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Queries account information for other applications stored on the device

Tags: collection
Description: Framework service call; Indicator: android.accounts.IAccountManager.getAccountsAsUser; Process: N/A; Target: N/A

Queries information about running processes on the device

Tags: discovery
Description: Framework service call; Indicator: android.app.IActivityManager.getRunningAppProcesses; Process: N/A; Target: N/A

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org

Indicator: alog.umeng.com (Description, Process, Target: N/A)

Queries information about active data network

Tags: discovery
Description: Framework service call; Indicator: android.net.IConnectivityManager.getActiveNetworkInfo; Process: N/A; Target: N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description: Framework service call; Indicator: android.net.wifi.IWifiManager.getConnectionInfo; Process: N/A; Target: N/A

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description: Framework service call; Indicator: android.app.IActivityManager.registerReceiver; Process: N/A; Target: N/A

Checks CPU information

Description: File opened for read; Indicator: /proc/cpuinfo; Process: N/A; Target: N/A

Processes

com.xhkk.lssp.foyj

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.xhkk.lssp.foyj/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.xhkk.lssp.foyj:daemon

Network


Files

/data/data/com.xhkk.lssp.foyj/app_mjf/tdz.jar

/data/data/com.xhkk.lssp.foyj/app_mjf/ddz.jar

/data/user/0/com.xhkk.lssp.foyj/app_mjf/dz.jar (2 entries)

/data/data/com.xhkk.lssp.foyj/databases/lezzd-journal

/data/data/com.xhkk.lssp.foyj/databases/lezzd

/data/data/com.xhkk.lssp.foyj/databases/lezzd-shm

/data/data/com.xhkk.lssp.foyj/databases/lezzd-wal

/data/data/com.xhkk.lssp.foyj/files/umeng_it.cache

/data/data/com.xhkk.lssp.foyj/files/.umeng/exchangeIdentity.json

/data/data/com.xhkk.lssp.foyj/app_mjf/oat/dz.jar.cur.prof

/data/data/com.xhkk.lssp.foyj/files/.um/um_cache_1718404021602.env

/data/data/com.xhkk.lssp.foyj/files/mobclick_agent_cached_com.xhkk.lssp.foyj1