Malware Analysis Report

2024-09-09 13:40

Sample ID 240614-alzpbaxcqg
Target a747f1b07f567aac7297a30f9adb2756_JaffaCakes118
SHA256 8a3140bd82d33ddfbc3da852b6eb58dbb5dc8511d0c11c442a2e30b99482492f
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

8a3140bd82d33ddfbc3da852b6eb58dbb5dc8511d0c11c442a2e30b99482492f

Threat Level: Likely malicious

The file a747f1b07f567aac7297a30f9adb2756_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:18

Reported

2024-06-14 00:21

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

184s

Command Line

com.nwto.ybch.ubum

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.nwto.ybch.ubum

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.nwto.ybch.ubum/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.nwto.ybch.ubum:daemon

Network


Files

/data/data/com.nwto.ybch.ubum/app_mjf/tdz.jar
/data/data/com.nwto.ybch.ubum/app_mjf/ddz.jar
/data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar
/data/data/com.nwto.ybch.ubum/files/umeng_it.cache
/data/data/com.nwto.ybch.ubum/files/.umeng/exchangeIdentity.json
/data/data/com.nwto.ybch.ubum/databases/lezzd-journal
/data/data/com.nwto.ybch.ubum/databases/lezzd
/data/data/com.nwto.ybch.ubum/databases/lezzd-shm
/data/data/com.nwto.ybch.ubum/databases/lezzd-wal
/data/data/com.nwto.ybch.ubum/app_mjf/oat/dz.jar.cur.prof
/data/data/com.nwto.ybch.ubum/files/.um/um_cache_1718324394008.env
/data/data/com.nwto.ybch.ubum/files/mobclick_agent_cached_com.nwto.ybch.ubum1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:18

Reported

2024-06-14 00:22

Platform

android-x64-20240611.1-en

Max time kernel

178s

Max time network

186s

Command Line

com.nwto.ybch.ubum

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.nwto.ybch.ubum

com.nwto.ybch.ubum:daemon

Network


Files

/data/data/com.nwto.ybch.ubum/app_mjf/tdz.jar
/data/data/com.nwto.ybch.ubum/app_mjf/ddz.jar
/data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar
/data/data/com.nwto.ybch.ubum/files/umeng_it.cache
/data/data/com.nwto.ybch.ubum/files/.umeng/exchangeIdentity.json
/data/data/com.nwto.ybch.ubum/databases/lezzd-journal
/data/data/com.nwto.ybch.ubum/databases/lezzd
/data/data/com.nwto.ybch.ubum/files/.um/um_cache_1718324403209.env
/data/data/com.nwto.ybch.ubum/files/mobclick_agent_cached_com.nwto.ybch.ubum1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 00:18

Reported

2024-06-14 00:21

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

187s

Command Line

com.nwto.ybch.ubum

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.nwto.ybch.ubum

com.nwto.ybch.ubum:daemon

Network


Files

/data/user/0/com.nwto.ybch.ubum/app_mjf/tdz.jar
/data/user/0/com.nwto.ybch.ubum/app_mjf/ddz.jar
/data/user/0/com.nwto.ybch.ubum/app_mjf/dz.jar
/data/user/0/com.nwto.ybch.ubum/files/umeng_it.cache
/data/user/0/com.nwto.ybch.ubum/files/.umeng/exchangeIdentity.json
/data/user/0/com.nwto.ybch.ubum/databases/lezzd-journal
/data/user/0/com.nwto.ybch.ubum/databases/lezzd
/data/user/0/com.nwto.ybch.ubum/files/.um/um_cache_1718324394820.env
/data/user/0/com.nwto.ybch.ubum/files/mobclick_agent_cached_com.nwto.ybch.ubum1