Malware Analysis Report

2024-09-09 17:41

Sample ID 240614-akbk4a1ckk
Target a7459f38ce11c72b0c0549bd0deda330_JaffaCakes118
SHA256 62609ec9f573dc48bb7b603f04775297e0e626b4f03436e68ebd42c83050b11c
Tags
discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

62609ec9f573dc48bb7b603f04775297e0e626b4f03436e68ebd42c83050b11c

Threat Level: Shows suspicious behavior

The file a7459f38ce11c72b0c0549bd0deda330_JaffaCakes118 (package com.cdd.cddmall) shows suspicious behavior; no malware family is attributed to it.

Several of the signatures below are explained by artefacts the report itself lists. The .jiagu working directory, libjiagu.so and the /storage/emulated/0/360/ identity files are characteristic of the 360 Jiagu commercial packer, which unpacks the real DEX at runtime (the "Loads dropped Dex/Jar" hits) and checks for an emulator environment (the "Checks known Qemu files" hits). The contacted domains belong to widely used third-party SDKs (JPush/JiGuang push, Umeng analytics, RongCloud IM, Ntalker customer-service chat, OpenInstall attribution) and to Google services. What remains noteworthy is the breadth of the requested permissions: SMS read/receive, contacts, camera, microphone, fine location, overlay windows and PROCESS_OUTGOING_CALLS together give a shopping app a surveillance-capable footprint, and the code that would exercise them is in the unpacked DEX files listed under Files, not in the packed APK's stub.

Malicious Activity Summary

discovery evasion impact persistence

Queries information about running processes on the device

Checks known Qemu files.

Loads dropped Dex/Jar

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Reads information about phone network operator.

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:15

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:15

Reported

2024-06-14 00:19

Platform

android-x86-arm-20240611.1-en

Max time kernel

160s

Max time network

185s

Command Line

com.cdd.cddmall

Signatures

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/bin/qemu-props N/A N/A
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.cdd.cddmall/.jiagu/classes.dex (5 load events) N/A N/A
N/A /data/data/com.cdd.cddmall/.jiagu/classes.dex!classes2.dex (5 load events) N/A N/A
N/A /data/data/com.cdd.cddmall/.jiagu/classes.dex!classes3.dex (5 load events) N/A N/A
N/A /data/data/com.cdd.cddmall/.jiagu/classes.dex!classes4.dex (5 load events) N/A N/A
N/A /data/data/com.cdd.cddmall/.jiagu/tmp.dex (11 load events) N/A N/A

Five load events per entry is consistent with the five app processes listed under Processes below, not with five distinct payloads. The classes.dex!classesN.dex form denotes a DEX member inside the dropped classes.dex container. The Files section records two different files written to .jiagu/classes.dex (MD5 295ec01d15e31ca5126b7b3f5fa2e061 and f968a8775ceef03b71c990157743ea20), so the path alone does not identify which payload was loaded; go by hash.
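
As an added example (not part of the sandbox output), a Python helper for triaging the dumped .jiagu files once they have been pulled from the device. It distinguishes a bare DEX from a ZIP container, which is the distinction behind the classes.dex!classes2.dex entries, and validates the fixed 0x70-byte DEX header (magic, header_size, endian_tag, file_size, adler32 checksum, SHA-1 signature) of every DEX it finds, so a truncated or in-memory-patched dump is caught before it goes to a decompiler. All inputs are constructed in memory and labelled as such; nothing is read from the real sample.

```python
"""Triage a DEX dump recovered from a packer working directory.

A file named classes.dex is not necessarily a DEX: it may be a ZIP container
holding classes.dex, classes2.dex, ... (the "a!b" form in the report).
The DEX header layout used here is the public dex format:
  magic[8] @0x00, checksum u4 @0x08, signature[20] @0x0C,
  file_size u4 @0x20, header_size u4 @0x24 (0x70), endian_tag u4 @0x28.
checksum is adler32 over everything after the checksum field; signature is
SHA-1 over everything after the signature field.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
ZIP_MAGIC = b"PK\x03\x04"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def classify(blob: bytes) -> str:
    """Return 'dex', 'zip' or 'unknown' from the leading magic bytes."""
    if blob[:8] in DEX_MAGICS:
        return "dex"
    if blob[:4] == ZIP_MAGIC:
        return "zip"
    return "unknown"


def check_dex(blob: bytes) -> dict:
    """Validate the DEX header; a valid magic with a bad checksum or signature
    usually means a truncated dump or one patched in memory before writing."""
    result = {"kind": classify(blob), "problems": []}
    if result["kind"] != "dex":
        result["problems"].append("not a DEX magic")
        return result
    if len(blob) < HEADER_SIZE:
        result["problems"].append("truncated header")
        return result
    checksum, signature = struct.unpack_from("<I20s", blob, 0x08)
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 0x20)
    result["version"] = blob[4:7].decode("ascii")
    result["file_size"] = file_size
    if header_size != HEADER_SIZE:
        result["problems"].append(f"header_size {header_size:#x} != 0x70")
    if endian_tag != ENDIAN_CONSTANT:
        result["problems"].append(f"endian_tag {endian_tag:#x} is not 0x12345678")
    if file_size != len(blob):
        result["problems"].append(f"file_size {file_size} != actual {len(blob)}")
    if (zlib.adler32(blob[0x0C:]) & 0xFFFFFFFF) != checksum:
        result["problems"].append("adler32 checksum mismatch")
    if hashlib.sha1(blob[0x20:]).digest() != signature:
        result["problems"].append("sha1 signature mismatch")
    return result


def triage_dump(blob: bytes) -> dict:
    """Classify a dump; for a ZIP container, check every *.dex member."""
    if classify(blob) == "zip":
        members = {}
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                if name.endswith(".dex"):
                    members[name] = check_dex(zf.read(name))
        return {"kind": "zip", "members": members}
    return check_dex(blob)


# --- constructed test inputs (not taken from the sample) ---------------------

def make_dex(version: bytes = b"035", body: bytes = b"") -> bytes:
    """Build a minimal DEX whose header fields, checksum and signature agree."""
    size = HEADER_SIZE + len(body)
    tail = struct.pack("<III", size, HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\0" * (HEADER_SIZE - 0x2C) + body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + tail


def make_zip(members: dict) -> bytes:
    """Pack {name: bytes} into an in-memory ZIP, mimicking a multidex container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    good = make_dex()
    corrupt = bytearray(good)
    corrupt[0x50] ^= 0x01          # one flipped byte in the header padding
    container = make_zip({"classes.dex": make_dex(),
                          "classes2.dex": make_dex(b"037"),
                          "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    for label, blob in [("good", good), ("corrupt", bytes(corrupt)), ("container", container)]:
        print(label, triage_dump(blob))
```

Run it over each dumped file before disassembly; a tmp.dex that fails the checksum but carries a plausible file_size is the usual sign that the dump was taken mid-decryption and needs to be re-captured after the packer's loader has finished.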

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses (5 calls) N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

alog.umeng.com is the log-upload endpoint of the Umeng analytics SDK (Alibaba), which is embedded in a very large number of Chinese apps, stalkerware among them; the matching umeng_it.cache and .umeng/exchangeIdentity.json files appear under Files below. On its own this hit identifies an SDK, not a stalkerware family.

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (5 calls) N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

This call returns the ISO country code of the registered network, which the telephony framework derives from the network's MCC; it does not return the raw MCC itself.

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver (5 calls) N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal (5 calls) N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.cdd.cddmall

chmod 755 /data/data/com.cdd.cddmall/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.cdd.cddmall/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.cdd.cddmall/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

com.cdd.cddmall:ipc

io.rong.push

com.cdd.cddmall:pushcore

com.cdd.cddmall:ipc

Network

Country Destination           Domain                              Proto
N/A     224.0.0.251:5353      -                                   udp
US      1.1.1.1:53            stats.cn.ronghub.com                udp
GB      8.208.8.123:443       stats.cn.ronghub.com                tcp
US      1.1.1.1:53            downt.ntalker.com                   udp
CN      182.92.245.193:80     downt.ntalker.com                   tcp
US      1.1.1.1:53            openinstall.io                      udp
US      1.1.1.1:53            log.umsns.com                       udp
CN      59.82.29.162:80       log.umsns.com                       tcp
CN      47.93.186.175:443     openinstall.io                      tcp
US      1.1.1.1:53            s.jpush.cn                          udp
CN      123.60.89.60:19000    s.jpush.cn                          udp
GB      142.250.187.206:443   -                                   tcp
US      1.1.1.1:53            android.apis.google.com             udp
GB      142.250.187.206:443   android.apis.google.com             tcp
US      1.1.1.1:53            sis.jpush.io                        udp
US      1.1.1.1:53            alog.umeng.com                      udp
CN      223.109.148.177:80    alog.umeng.com                      tcp
CN      124.71.159.41:19000   sis.jpush.io                        udp
CN      47.94.92.163:443      openinstall.io                      tcp
CN      59.82.29.162:80       log.umsns.com                       tcp
CN      59.82.29.162:80       log.umsns.com                       tcp
US      1.1.1.1:53            nav.cn.ronghub.com                  udp
GB      8.208.102.120:80      nav.cn.ronghub.com                  tcp
CN      60.205.180.247:8000   -                                   tcp
US      1.1.1.1:53            easytomessage.com                   udp
US      1.1.1.1:53            downt.ntalker.com                   udp
CN      59.82.29.162:80       log.umsns.com                       tcp
US      1.1.1.1:53            update.sdk.jiguang.cn               udp
CN      123.60.89.60:19000    easytomessage.com                   udp
CN      182.92.245.193:80     downt.ntalker.com                   tcp
GB      216.58.212.202:443    -                                   tcp
CN      223.109.148.179:80    alog.umeng.com                      tcp
US      1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
CN      124.71.159.41:19000   easytomessage.com                   udp
CN      60.205.180.247:8000   -                                   tcp
US      1.1.1.1:53            _im64._tcp.jpush.cn                 tcp
US      1.1.1.1:53            139.9.135.156                       udp
US      1.1.1.1:53            139.9.138.15                        udp
US      1.1.1.1:53            119.3.188.193                       udp
US      1.1.1.1:53            im64.jpush.cn                       udp
CN      139.9.119.173:7000    im64.jpush.cn                       tcp
CN      139.9.119.173:7002    im64.jpush.cn                       tcp
CN      139.9.119.173:7003    im64.jpush.cn                       tcp
CN      59.82.29.163:80       log.umsns.com                       tcp
CN      59.82.29.163:80       log.umsns.com                       tcp
US      1.1.1.1:53            downt.ntalker.com                   udp
CN      123.60.89.60:19000    easytomessage.com                   udp
CN      47.93.186.175:443     openinstall.io                      tcp
CN      59.82.29.162:80       log.umsns.com                       tcp
CN      182.92.245.193:80     downt.ntalker.com                   tcp
CN      59.82.29.163:80       log.umsns.com                       tcp
CN      124.71.159.41:19000   easytomessage.com                   udp
CN      59.82.29.162:80       log.umsns.com                       tcp
CN      47.94.92.163:443      openinstall.io                      tcp
US      1.1.1.1:53            downt.ntalker.com                   udp
CN      182.92.245.193:80     downt.ntalker.com                   tcp
GB      142.250.187.226:443   -                                   tcp
GB      172.217.16.238:443    -                                   tcp
GB      142.250.178.10:443    semanticlocation-pa.googleapis.com  tcp
US      1.1.1.1:53            _im64._tcp.jpush.cn                 tcp
CN      139.9.119.173:7002    im64.jpush.cn                       tcp
US      1.1.1.1:53            openinstall.io                      udp
CN      47.94.92.163:443      openinstall.io                      tcp
CN      139.9.119.173:7003    im64.jpush.cn                       tcp
CN      139.9.119.173:7000    im64.jpush.cn                       tcp
CN      59.82.29.248:80       log.umsns.com                       tcp
CN      59.82.29.163:80       log.umsns.com                       tcp
CN      59.82.29.248:80       log.umsns.com                       tcp
CN      47.93.186.175:443     openinstall.io                      tcp
CN      123.60.89.60:19000    easytomessage.com                   udp
US      1.1.1.1:53            downt.ntalker.com                   udp
CN      182.92.245.193:80     downt.ntalker.com                   tcp
CN      59.82.29.163:80       log.umsns.com                       tcp
CN      124.71.159.41:19000   easytomessage.com                   udp
CN      47.94.92.163:443      openinstall.io                      tcp
CN      47.93.186.175:443     openinstall.io                      tcp
US      1.1.1.1:53            _im64._tcp.jpush.cn                 tcp
CN      139.9.119.173:7003    im64.jpush.cn                       tcp
CN      139.9.119.173:7000    im64.jpush.cn                       tcp
CN      139.9.119.173:7002    im64.jpush.cn                       tcp
CN      59.82.29.249:80       log.umsns.com                       tcp
CN      59.82.29.248:80       log.umsns.com                       tcp
CN      59.82.29.249:80       log.umsns.com                       tcp
US      1.1.1.1:53            downt.ntalker.com                   udp
CN      182.92.245.193:80     downt.ntalker.com                   tcp
CN      59.82.29.248:80       log.umsns.com                       tcp
CN      123.60.89.60:19000    easytomessage.com                   udp
CN      124.71.159.41:19000   easytomessage.com                   udp
CN      59.82.31.154:80       log.umsns.com                       tcp
CN      59.82.29.249:80       log.umsns.com                       tcp
CN      59.82.31.154:80       log.umsns.com                       tcp
US      1.1.1.1:53            _im64._tcp.jpush.cn                 tcp
CN      139.9.119.173:7000    im64.jpush.cn                       tcp
CN      139.9.119.173:7002    im64.jpush.cn                       tcp
CN      59.82.29.249:80       log.umsns.com                       tcp
CN      139.9.119.173:7003    im64.jpush.cn                       tcp
CN      59.82.31.160:80       log.umsns.com                       tcp
CN      59.82.31.154:80       log.umsns.com                       tcp
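
As an added example (not part of the sandbox output), a Python script that reduces a Network table of this shape to a de-duplicated contact list, separates resolver traffic and mDNS noise from real destinations, attributes each destination to the third-party SDK it belongs to, and flags what to look at first: destinations with no domain attributed, cleartext HTTP, and non-standard ports. The SDK_SUFFIXES map (domain suffix to vendor) is an analyst-maintained assumption and not something the sandbox provides; SAMPLE_ROWS is a subset copied from the table above so the script runs offline.

```python
"""De-duplicate and attribute the contacts in a flattened sandbox Network table.

Row format: "<country> <ipv4>:<port> [<domain>] <udp|tcp>". The domain is
absent on rows the sandbox did not tie to a DNS answer.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Analyst-maintained assumption: domain suffix -> SDK vendor. Not sandbox output.
SDK_SUFFIXES = {
    "jpush.cn": "JPush", "jpush.io": "JPush", "jiguang.cn": "JPush",
    "umeng.com": "Umeng", "umsns.com": "Umeng",
    "ronghub.com": "RongCloud", "ntalker.com": "Ntalker",
    "openinstall.io": "OpenInstall",
    "google.com": "Google", "googleapis.com": "Google",
}
RESOLVERS = {"1.1.1.1"}            # the sandbox's upstream DNS resolver
STANDARD_PORTS = {53, 80, 443}

# The header line ("Country Destination Domain Proto") does not match this.
ROW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(udp|tcp)$")

# Subset of rows copied from the Network table above (behavioral1).
SAMPLE_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stats.cn.ronghub.com udp
GB 8.208.8.123:443 stats.cn.ronghub.com tcp
US 1.1.1.1:53 downt.ntalker.com udp
CN 182.92.245.193:80 downt.ntalker.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 123.60.89.60:19000 s.jpush.cn udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 60.205.180.247:8000 tcp
US 1.1.1.1:53 _im64._tcp.jpush.cn tcp
US 1.1.1.1:53 139.9.135.156 udp
CN 139.9.119.173:7000 im64.jpush.cn tcp
CN 59.82.29.162:80 log.umsns.com tcp
CN 59.82.29.162:80 log.umsns.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
"""


def parse_rows(text: str) -> list:
    """Turn table lines into dicts; lines that are not data rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def vendor_for(domain):
    """Suffix-match a domain to a vendor: None when there is no domain,
    'unclassified' when the map does not know it."""
    if domain is None:
        return None
    for suffix, vendor in SDK_SUFFIXES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return vendor
    return "unclassified"


def triage(rows: list) -> dict:
    """Split DNS and multicast from real destinations, de-duplicate the rest,
    group by vendor and list the findings an analyst should look at first."""
    queried, contacts = set(), Counter()
    for r in rows:
        if r["port"] == 53 and r["ip"] in RESOLVERS:
            if r["domain"]:
                queried.add(r["domain"])      # name looked up, not a destination
            continue
        if ipaddress.ip_address(r["ip"]).is_multicast:
            continue                          # mDNS noise (224.0.0.251:5353)
        contacts[(r["ip"], r["port"], r["proto"], r["domain"])] += 1

    by_vendor, findings = defaultdict(set), []
    for (ip, port, proto, domain), n in contacts.items():
        endpoint = f"{ip}:{port}/{proto}"
        by_vendor[vendor_for(domain) or "no-domain"].add(endpoint)
        if domain is None:
            findings.append(f"{endpoint}: no domain attributed in the table ({n}x)")
        if port == 80:
            findings.append(f"{endpoint}: cleartext HTTP to {domain} ({n}x)")
        if port not in STANDARD_PORTS:
            findings.append(f"{endpoint}: non-standard port, domain {domain or ip} ({n}x)")
    return {"queried_names": sorted(queried), "contacts": contacts,
            "by_vendor": {k: sorted(v) for k, v in by_vendor.items()},
            "findings": findings}


if __name__ == "__main__":
    report = triage(parse_rows(SAMPLE_ROWS))
    for vendor, endpoints in sorted(report["by_vendor"].items()):
        print(f"{vendor:12} {', '.join(endpoints)}")
    print("\n".join(report["findings"]))
```

Over the full table the 98 rows collapse to a short vendor-keyed list in which 60.205.180.247:8000/tcp is the only destination with neither a domain nor a vendor; it is the first pivot for further analysis. The same script also shows that easytomessage.com is served from the same hosts as s.jpush.cn and sis.jpush.io (123.60.89.60 and 124.71.159.41), which suggests it is JPush infrastructure; that is an inference from the table, not something the sandbox asserts, so extend SDK_SUFFIXES only once it is confirmed.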

Files

/data/data/com.cdd.cddmall/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.cdd.cddmall/.jiagu/classes.dex

MD5 295ec01d15e31ca5126b7b3f5fa2e061
SHA1 f941a9cc22094decc567243188186ff68829183e
SHA256 18d9724c55a42c8491778ab1458984410c8aea51859127e714a1003cce30301a
SHA512 4883e9923c90d6d3023c25eeac9eb25abc71739885881f89cded9018f1d49d17860fb7dd651b3bf4198940e3d02af5570cb013f603a0e6540f9234a7cd897742

/data/data/com.cdd.cddmall/.jiagu/classes.dex

MD5 f968a8775ceef03b71c990157743ea20
SHA1 f9648c3cf43c835b70305f4cf70e31ed09487f94
SHA256 4f2dd6f769961bf0dc49e0c11efa2cb34146d10202bd4a4047d2406adc288ea2
SHA512 b3a99a9e4fd9e59270cbf847ae6d7180da3780a5fe5b955e6bc978d257c3b3ee2f0295f48e811c52f886d0bf0b88c6459efa7af5ecfdd3bc7bb0f4c453a6ae0f

/data/data/com.cdd.cddmall/.jiagu/classes.dex!classes2.dex

MD5 c7faf91561694724d0a064e724af91b5
SHA1 4585a7dc596b430af47deb719368f5387fdd8aea
SHA256 6ef7b3abd6f78c3b3fc31ea2619e8a50b3b965248b04501bea2f7663b6f38849
SHA512 7bb9decfab662c7fda95d4489cef89286e4c227aeb25856f7f4f1b0459c00d6e640977fcccce5d058a3935451e7c08d25a4413344ecbbd01259402796a018ca0

/data/data/com.cdd.cddmall/.jiagu/classes.dex!classes3.dex

MD5 ed9a8864f82e747f93da8ec4a31d4742
SHA1 221a4c122def71a23b50d8a302350c98086abf5b
SHA256 1298499bdd88d29678134d679ea1cf8e37703e2a6ed1c29de2780607a9bfd5b3
SHA512 7b6ef1165255e5c6e76eb35c3ab982e1f1b96139431f0678fc90194231316235e742066871ba295fa6eed27e9552b47b2b6d61830e10e18415a1521087c1d690

/data/data/com.cdd.cddmall/.jiagu/classes.dex!classes4.dex

MD5 ab5b7ec406c0d0ae108e27823b4726aa
SHA1 34f60e6fa358cd5b131bea3d2a85db29632007b4
SHA256 7123110a9f120bcf33e5f2823ecc770e6427ea8fefd608fd2a13f244bad9e069
SHA512 91594d329fcbb3144044f8daa699088584681bb3bcf6665e872452adbacdac8b6cc3d6018e511d3a18c5f95b1dc65f9aa64b80cfb58175d777221fb901ce33f1

/data/data/com.cdd.cddmall/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.cdd.cddmall/files/.jglogs/.jg.ri

MD5 03849ef9bbd3645214745e3798b3a272
SHA1 fb57b2f5e18d6bf336121a5ef9c0387464743e37
SHA256 561729f04b4b1ab0c755ad5686d0342f2391a9b3f0900761d8698e865f3ed55f
SHA512 b0e80fb3c81d591a313ed9e128b2312a33ceddf14f98345600e8361715dfbae6c2e6f98e206a6badef200831c705d93796d89aff81ef27cc3010fe04f21e36d9

/data/data/com.cdd.cddmall/files/.jiagu.lock

MD5 3822cf9a8b34bac18cf0d953e8695aab
SHA1 2ea156c2102135c9e4a4a350f21a22a915cf33b1
SHA256 a2a12a757e1683d38c2c1e45f14dc65a5a90a8768df40e4257aca05fbd6259ed
SHA512 b816e12a6b78181a76e8e941d70124e50bd0a0d5ec7ef6fd027f81f641c9896ba66642d86e166679eda297a8ed484332c6e47e9031fc1ed2c26e4268790f0809

/data/data/com.cdd.cddmall/files/.jglogs/.jg.ac

MD5 0e119dbc2c4f5636ca57018a7b25897f
SHA1 34f112f19e118dbc6593800182c864ac2d037b2a
SHA256 b065dd33aa0e4f47fc64cfdb466d3b71410af4fe18853e696261db8c75c81204
SHA512 8b143a13963340e871589c0cab0876cd9e72fafb848ce8855b71a7fdfb0df2b55f4c6e832103d02f2eb478f8c23780ab1a215874f06f247985b8c7c4d7c0069f

/data/data/com.cdd.cddmall/files/.jglogs/.jg.ic

MD5 67805850cb8409c0ddf4b9bf8f35c9f7
SHA1 96f774c18f6bfe5e6ec3175bf2ffd28af4bc2831
SHA256 067d5f3f2b187d8ef781078129d11f172c4736e2c2575522a56c695835807640
SHA512 952d53cee64bf71b54139876fc142316859ee61eaf70ad62a3ffc2b10680ff35ae0532fd02f2012f71b9c845f7333a68f09b46342764f7ef8e8672f41c9b3155

/data/data/com.cdd.cddmall/files/.jglogs/.jg.di

MD5 f6bbc828d7a3f63317213cd5c8af2c3a
SHA1 1b0aff376656fa94fa76cb21afa8c50eb781abe4
SHA256 c61221d0dd12beaa8d63d21712e9aaa7725ef00edd90d19dca22cc604f88f099
SHA512 c7d8a6f7c15384f090579cad870782ade8d94ec93c4c63383693330831504280ee83eba6f3da01c1e58846d250a952ecefb553b7ff3ad7c503fea6f2cbfd8f09

/storage/emulated/0/360/.iddata

MD5 74522d73ea4f462a0a75c3e372500375
SHA1 da54c94646b5c79d5d2ee7e959adc21dd4d263ed
SHA256 cd740ed5e6c94ff39637092874acdfb874dad7f959b3491d4595861568732473
SHA512 98c89e51bf30672b15168532623fcd681cd4c4d6d3b78023249a82c73cafa1cd2efc785bc2709295f3cb1e31310fae98dc3a2b6923807aeb7908189bfb5e2809

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.cdd.cddmall/cache/image/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/com.cdd.cddmall/databases/kf_10257_ISME9754_guest1854131731314814072618543396835322144-journal

MD5 300f7777ec10455223f531ef57ccc8a5
SHA1 2bee0b6690a915f24c6d1b5f16bd7779e62be3a1
SHA256 ac5df12685a3a70f9965dd5338c47f6f782599397abc4b7c6e62751409e8fd1b
SHA512 139b040ac6c51555601dfd6821e0c33ee7dc8a5dff69f9ad400c5bc1d87aaf12959d0cfd05659321a06dee486745391594c097a43e15fc261d0cc120c3201ca2

/data/data/com.cdd.cddmall/databases/kf_10257_ISME9754_guest1854131731314814072618543396835322144

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cdd.cddmall/databases/kf_10257_ISME9754_guest1854131731314814072618543396835322144-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cdd.cddmall/databases/kf_10257_ISME9754_guest1854131731314814072618543396835322144-wal

MD5 412048d17e52d552a20c80505787d0f8
SHA1 fe0007823bc10233932624ad4c7fdf86dc7f7a9f
SHA256 993f9f2fa07f948543badc2f3d8acd430e47a0108d1333f646ae0cb3607cdb80
SHA512 1531db452cc3990760cd8e8bb432c6fc8072dc49ad5391ed547def2db76256e149f2227221e84a999097a727a05e8e3f4cf5966acd950a81ec01f32edc8b24ff

/storage/emulated/0/data/.push_deviceid

MD5 50a4479259607b28b12822a740571f77
SHA1 090fbe2590b48727c37b71bf51949594625aae8e
SHA256 d62c052d5a7946e43dc74c9b5f478d48500d82631bff4267d29c38febb3eb775
SHA512 d4d5c54a5489d591dfd5eb34f4a6c38edcd1124e1df1fd2b052525446d6ed41a09d4872a29a31001843b3a152ed5e100ae0b4709e56cd67f92d6cc0279b7a575

/data/data/com.cdd.cddmall/files/jpush_stat_cache.json

MD5 6a6721185c5b4bb227b4753961749fb2
SHA1 a7b0b23c8d7ded5188d521b4c68338f6d473747b
SHA256 6e6860050b2d14d49769be21467e9d2f9337e32f708ae0ba646cb38269dbc709
SHA512 9e6f71b9f6d0ac3df1ccec865c31eef491b155a267f552bd0dc94c3e0074f5bfa49b391d7f3022c612974e3d81f5ce00cb5bd4e5c57eba43a78ae068b7c99377

/data/data/com.cdd.cddmall/databases/ua.db-journal

MD5 dee28e062951c491f36391c750da14d7
SHA1 077fb2e07f765c7b3dbf816865d186377e97fce6
SHA256 0c45b726478baa1e4bee678e2c9cfa25bfdc971ad7bcd7a8a8ad14403633b914
SHA512 c57b5dca2840b5d83b091e17aa3102b5c982b17f950b001c2e5ad801c599720b6fdc287dd721ac248dc5dc11edec8dbf5b6a3490de032fbf9f9f8dc21b209135

/data/data/com.cdd.cddmall/databases/ua.db

MD5 2a150b97b5c6491940a47a187fd06051
SHA1 7dbcaea509df6bd27c6f1ee82b63595ca1be4703
SHA256 666ef0e0cc971c9337dbde7b3061b037454e261eae12f3b9feeb637c5556ab51
SHA512 9cb2e00ec82f5b95b05feca652cc4ada16aad1f13ce09f55c0186e1668115a4c4a777e6aa727ffb7f27ea4dd164bcf3b40fa0b51ec1a66847b7a88a5e8ece816

/data/data/com.cdd.cddmall/databases/ua.db-wal

MD5 15d2b5cdb362bf32f301898c41b9dbae
SHA1 446a56dc9c226734470dcbcb07f01e2476cf7505
SHA256 4a88754fb2aafb8d7b86160aaab7651bf74cadfe37698e8fb433603aeb053899
SHA512 d8068737e7b520dc669d1367a3af78313ba28067ea96c67f4dd40081ca357abde1eb9cda82df8f1b66d3aedb7cf5fa27da9046f59372ee428a54c1df3f253c59

/data/data/com.cdd.cddmall/databases/cc/cc.db-journal

MD5 744a7a35fe700508e07b09a04176466e
SHA1 2dba35403b76df5e8c8fc118a591b30f817f9d43
SHA256 23e128b061e30ebaa151584050eb9658fe819e827a485cccf763f1a97ed33692
SHA512 74b4f4895bdb13ef8708535de4053dd1842e43b728f9fdc3623719baa7c940e594c51d2064b39f3125fd723617d3eeac021e16520ede37046b5dcfaf8c4b02c4

/data/data/com.cdd.cddmall/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.cdd.cddmall/databases/cc/cc.db-wal

MD5 bc7e7b2540f3576db75c054a7a476bed
SHA1 a558e2509db23f09dc0f22a9035506de98c4934a
SHA256 9643d1d7b5c672f1c4b120a4c24edf707d83ba996416d494d00742eef95602d4
SHA512 e64b28a07f945907ba7214ebfd45138dbdf0ad559be6f6e058e0df0cd787cf1603bf2347b4ff2ab62c55a90eb95bd66597fe2a3b28f4e8998813b7697d4d66d7

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 e4b761157508a79c6f698f298f217bef
SHA1 0c4745f309facbfd26ec314fcaea687743a58339
SHA256 f652977d8a729d32e16e0b99bbfb3f4aca8b4932062ecd1dcffa9842925bb339
SHA512 4997f8ff4d9e97fd3278619306e7dc3aea36ebfc7d1a97bb0840516f39aead6ec2df3dd9ae3bcd0fbc3986082c47f7974d7ad050b036c7afe1468cb2387350e0

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 2c251b18c93d2f59c9b05b7b44877123
SHA1 fd9f567955bd2377163f96b6ff29959f1a08eae8
SHA256 5c3352b669b10b8647a618ef14260fd6989240ac61f0b9c6e7097a6b42a57bce
SHA512 26f4bac1ee64c1acf774f500b474c0107e07e253aa7253335c5067762d5b75ae15024a21ed5d817b2437d616bee340727b65ea63356fe1a6ea44b3332e4a36e8

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 20a05b5a6e58e6114b2d1ce5769ba93c
SHA1 c09608c53c9ae2a9c6510507336323cff3d7363d
SHA256 8eba589fd2bb6e03338cc029f7c5b788307167253fff73d487b08ef60ee9e4e2
SHA512 752c9c675b7f40f960b04e3c8d796cbab0e7c6c6fe552a1b5c52b6ad5511c4627ce7f69868321526592009899fc3d6ae2d88fcb1d49e4ab528931e1e6f925f3d

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 338e2c4336cf4339dfdc0a466a002668
SHA1 8e3ee379a6e0344a2d917348f8dc94487b382cc9
SHA256 f61c9b2e13e845ab7f949b03ca85bddfebf74312116db8bfd1300c70ca534f07
SHA512 94a426f65b23c14a5d3b4916b488183366c37942e71f61ef7b4072b83676c73b6a293efcf6af8005708c7990abe2cf0987b5db4831ae10b8f8d8560c83a57e41

/data/data/com.cdd.cddmall/files/umeng_it.cache

MD5 b01f84746a99558ed4ca96c9a43f2ebd
SHA1 a68c074b58fcdccd35ae23105e5a6416c7811a3c
SHA256 0c5c5fd8bf9c049c6e58552c2d7ee876d79567583db8993364eda5a64cd969fe
SHA512 9e88e477f851fa4096fc92fd18af52fd99893cb1a982879dff424c438c436e7e828ffd27fbad61365ea78c5df76d16b20225de1c58601db2e3072ded92e7e364

/data/data/com.cdd.cddmall/files/.umeng/exchangeIdentity.json

MD5 43e5aa01b302bedb00a32d734bf516f2
SHA1 fcea6e1b30f67a657b822b8b6ed412f68ec61dc9
SHA256 ac487ca4d6187fe7f9117a8dcf39d4e3d06cff47c81d29c0aa3c16c90591be3f
SHA512 752168306ea3b7bb6e348ccb6cbc493b18adadc4b5c046811c58e45b7eed0677375a4616fdadcf649332a4879909872251a0bf789cd5e13489b313412f699f64

/data/data/com.cdd.cddmall/files/exid.dat

MD5 48c6dd80a7de7f340b0fc35d299ad3d2
SHA1 332d98162afc7c1c9ea329b42b2998ad153dfdea
SHA256 b688928d493c5d952a10122d52070fc1f6794e0cfc641f3dc047c02331a0b20e
SHA512 202b00b014128f6f8a38b877143b272e5436de6529d5c4fcbd282b9109ea9fa044e4d9f0f146bd4fa99ec2b6fdd0769fd3e5c1a5529782c6f12d199702a3ae63

/data/data/com.cdd.cddmall/databases/ua.db-wal

MD5 74b9300a120ce0191953d323ab87736a
SHA1 b10d0425024f542e792834b50ca18f3c0a77fb88
SHA256 59066dbec27f74f654432324abde0b5d83ce592153e139f2969793837a9a43a3
SHA512 6decaa955204642c081756e20983bf0edbb3b4c76d08ab6e4a534f232939d59824eb99e98fb989a536ddf3d8dc2afa7973c616d26b26382993e0a8f73d507078

/data/data/com.cdd.cddmall/databases/ua.db

MD5 d604a3bf1f8d992cc320ea5b1f7609bd
SHA1 247f88df0b55c7d523ea5398637711a0e4a483a4
SHA256 329940b4d46326d58e73c842dd099704061d0ef7338777bf31ad895f29013c17
SHA512 67e28f6713cb5c238a9664df128f01a89a2efb7c8c9330c1e45bc0d40ebab81fa20df5166743d84d81dc0386a89ff0329f022281c098339baa2e851ff0a1e1ab

/data/data/com.cdd.cddmall/databases/cc/cc.db-wal

MD5 15c2c017649b68efcbc2c07e2bbdec32
SHA1 acb7b28666da99599207ec4f264ccfeaa11c5685
SHA256 41fd217b665e4d660d08587504c41953646a5f0a3596012f1c5753c04e6767d3
SHA512 fbe7ecc862146db3a7e37f619384e6215cb6f62db1db16553a0babaa117232c5900894f4b9a01544470f455120982655a67037668e8ebd5aa6d17c92cda6fdcb

/data/data/com.cdd.cddmall/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:15

Reported

2024-06-14 00:19

Platform

android-x64-arm64-20240611.1-en

Max time kernel

11s

Max time network

136s

Command Line

com.cdd.cddmall

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cdd.cddmall/[email protected] N/A N/A
N/A /data/user/0/com.cdd.cddmall/[email protected]!classes2.dex N/A N/A
N/A /data/user/0/com.cdd.cddmall/[email protected]!classes3.dex N/A N/A
N/A /data/user/0/com.cdd.cddmall/[email protected]!classes4.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Processes

com.cdd.cddmall

Network

Country Destination           Domain                              Proto
N/A     224.0.0.251:5353      -                                   udp
GB      172.217.16.234:443    -                                   tcp
GB      172.217.16.234:443    -                                   tcp
US      1.1.1.1:53            ssl.google-analytics.com            udp
GB      216.58.204.72:443     ssl.google-analytics.com            tcp
GB      142.250.187.206:443   -                                   tcp
US      1.1.1.1:53            android.apis.google.com             udp
GB      142.250.187.238:443   android.apis.google.com             tcp
GB      216.58.201.100:443    -                                   tcp
GB      216.58.201.100:443    -                                   tcp

Files

/data/user/0/com.cdd.cddmall/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/user/0/com.cdd.cddmall/.jiagu/classes.dex

MD5 295ec01d15e31ca5126b7b3f5fa2e061
SHA1 f941a9cc22094decc567243188186ff68829183e
SHA256 18d9724c55a42c8491778ab1458984410c8aea51859127e714a1003cce30301a
SHA512 4883e9923c90d6d3023c25eeac9eb25abc71739885881f89cded9018f1d49d17860fb7dd651b3bf4198940e3d02af5570cb013f603a0e6540f9234a7cd897742

/data/user/0/com.cdd.cddmall/[email protected]

MD5 f968a8775ceef03b71c990157743ea20
SHA1 f9648c3cf43c835b70305f4cf70e31ed09487f94
SHA256 4f2dd6f769961bf0dc49e0c11efa2cb34146d10202bd4a4047d2406adc288ea2
SHA512 b3a99a9e4fd9e59270cbf847ae6d7180da3780a5fe5b955e6bc978d257c3b3ee2f0295f48e811c52f886d0bf0b88c6459efa7af5ecfdd3bc7bb0f4c453a6ae0f

/data/user/0/com.cdd.cddmall/[email protected]!classes2.dex

MD5 c7faf91561694724d0a064e724af91b5
SHA1 4585a7dc596b430af47deb719368f5387fdd8aea
SHA256 6ef7b3abd6f78c3b3fc31ea2619e8a50b3b965248b04501bea2f7663b6f38849
SHA512 7bb9decfab662c7fda95d4489cef89286e4c227aeb25856f7f4f1b0459c00d6e640977fcccce5d058a3935451e7c08d25a4413344ecbbd01259402796a018ca0

/data/user/0/com.cdd.cddmall/[email protected]!classes3.dex

MD5 ed9a8864f82e747f93da8ec4a31d4742
SHA1 221a4c122def71a23b50d8a302350c98086abf5b
SHA256 1298499bdd88d29678134d679ea1cf8e37703e2a6ed1c29de2780607a9bfd5b3
SHA512 7b6ef1165255e5c6e76eb35c3ab982e1f1b96139431f0678fc90194231316235e742066871ba295fa6eed27e9552b47b2b6d61830e10e18415a1521087c1d690

/data/user/0/com.cdd.cddmall/[email protected]!classes4.dex

MD5 ab5b7ec406c0d0ae108e27823b4726aa
SHA1 34f60e6fa358cd5b131bea3d2a85db29632007b4
SHA256 7123110a9f120bcf33e5f2823ecc770e6427ea8fefd608fd2a13f244bad9e069
SHA512 91594d329fcbb3144044f8daa699088584681bb3bcf6665e872452adbacdac8b6cc3d6018e511d3a18c5f95b1dc65f9aa64b80cfb58175d777221fb901ce33f1

/data/data/com.cdd.cddmall/files/.jglogs/.jg.ri

MD5 e95c44e32596c81778adf63cdc0655e9
SHA1 7203ba126703108d2dafa16c2c760409cbb36794
SHA256 ccd4eb58cf344ca1eb51fa3e4ea4d33632563f315c3e0084d53ee06cd3b18c93
SHA512 257af707e8b66f42eb90891d50de6b93f749708dec1f6c8ff35957548f16ba0c072d784707579ba0d27f676805a2c00ba793b8fec35a0f8285e1ad003323c2df

/data/data/com.cdd.cddmall/files/.jiagu.lock

MD5 9f9002223d0d0920f0b34209700191d1
SHA1 944ee4fb426cb101305e3da463aea7d4a749dfec
SHA256 7a96a163a9b25b9cb2d8d7aec55ee2e6552311d29979a58431549c16b7768a1c
SHA512 f259b7db994d9ca25786b24b732fb9cc6f21cee7ea53c172aaab8eb42463286b2995ba9334bc01d4ebfcaa62e845ac1fcb2546833e4fa6f253e9f62f03c0f339

/data/data/com.cdd.cddmall/files/.jglogs/.jg.ac

MD5 0e119dbc2c4f5636ca57018a7b25897f
SHA1 34f112f19e118dbc6593800182c864ac2d037b2a
SHA256 b065dd33aa0e4f47fc64cfdb466d3b71410af4fe18853e696261db8c75c81204
SHA512 8b143a13963340e871589c0cab0876cd9e72fafb848ce8855b71a7fdfb0df2b55f4c6e832103d02f2eb478f8c23780ab1a215874f06f247985b8c7c4d7c0069f

/data/data/com.cdd.cddmall/files/.jglogs/.jg.ic

MD5 67805850cb8409c0ddf4b9bf8f35c9f7
SHA1 96f774c18f6bfe5e6ec3175bf2ffd28af4bc2831
SHA256 067d5f3f2b187d8ef781078129d11f172c4736e2c2575522a56c695835807640
SHA512 952d53cee64bf71b54139876fc142316859ee61eaf70ad62a3ffc2b10680ff35ae0532fd02f2012f71b9c845f7333a68f09b46342764f7ef8e8672f41c9b3155

/data/data/com.cdd.cddmall/files/.jglogs/.jg.di

MD5 1ccf7fd1c9dbf6735e5b44d7699dc43a
SHA1 26e9b4ca38a3e24fcbda4ab137e064016ae27226
SHA256 49e83c58cfd07f41f6dae149d84d43900f4bff20dfd1c1e7cb49b32016dee021
SHA512 8efd1329aca011e35851cd66dc8dbdb50594b7de2571c5ec01cb71341f4c70351e8d77226545b93871c9e181e2b1a8b0f220e0b60fe00a7585af4fd9317b8213

/storage/emulated/0/360/.iddata

MD5 b41ee137ad3223086a68724a74e2e363
SHA1 cbb8e2266298fd7fd838dfa0d3ab3c23877fe3ca
SHA256 5603c333bfb0f90aafe97978abc8f05995fccda9eef646ba65340d0ba4d40b45
SHA512 7b5b7bb84cee3898a9f322e88d5c344e0afb33b6c958a5959f33a327b36200f627c573c222e1ef22d62030dd52f37d679c52c84e917f78dfef42c765af431ad0

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399