Malware Analysis Report

2024-09-09 12:52

Sample ID 240614-cg2dfsvfjj
Target a7ab6c931de1fbd4c51373501e76291b_JaffaCakes118
SHA256 b10a9df5bf9e7e1996be2d11511d677b2a75fd97053460bc14352b6960c11011
Tags discovery evasion persistence collection
Score 8/10

Analysis Overview

Score

8/10

SHA256

b10a9df5bf9e7e1996be2d11511d677b2a75fd97053460bc14352b6960c11011

Threat Level: Likely malicious

The file a7ab6c931de1fbd4c51373501e76291b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence collection

Checks if the Android device is rooted.

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

Declares services with permission to bind to the system

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:03

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:05

Platform

android-x86-arm-20240611.1-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:07

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

187s

Command Line

com.muzhiwan.market

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.muzhiwan.market/data/mzw.apk | N/A | N/A
N/A | /data/data/com.muzhiwan.market/data/mzw.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.muzhiwan.market

com.muzhiwan.market:mult

sh

com.muzhiwan.market:mzwlogservice

getprop ro.board.platform

su

sh

su

cat /sys/class/net/wlan0/address

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.muzhiwan.market/data/mzw.apk --output-vdex-fd=46 --oat-fd=51 --oat-location=/data/data/com.muzhiwan.market/data/oat/x86/mzw.odex --compiler-filter=quicken --class-loader-context=&

Network

Files

/data/data/com.muzhiwan.market/databases/notes-db-journal

/data/data/com.muzhiwan.market/databases/notes-db

/data/data/com.muzhiwan.market/databases/notes-db-shm

/data/data/com.muzhiwan.market/databases/notes-db-wal

/storage/emulated/0/data/.systemid

/storage/emulated/0/data/.systemmac

/data/data/com.muzhiwan.market/data/mzw.d

/data/data/com.muzhiwan.market/data/mzw.g

/data/data/com.muzhiwan.market/files/install_file_dir

/data/data/com.muzhiwan.market/files/install_file_dir-journal

/data/data/com.muzhiwan.market/files/install_file_dir-wal

/data/data/com.muzhiwan.market/data/mzw.apk (two versions with differing hashes)

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:03

Platform

android-x86-arm-20240611.1-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x86-arm-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.204.67:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:07

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

9s

Max time network

170s

Command Line

com.dbgj.stacore

Signatures

N/A

Processes

com.dbgj.stacore

Network

Files

/storage/emulated/0/data/.systemid

/storage/emulated/0/data/.systemmac

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:05

Platform

android-x86-arm-20240611.1-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x64-arm64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:07

Platform

android-x86-arm-20240611.1-en

Max time kernel

16s

Max time network

141s

Command Line

com.xd.tothemoon

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xd.tothemoon/files/stares/updates/sta.jar | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Processes

com.xd.tothemoon

getprop ro.board.platform

getprop ro.mediatek.platform

getprop ro.board.platform

getprop ro.mediatek.platform

Network

Files

/storage/emulated/0/data/.systemid

/data/data/com.xd.tothemoon/files/stares/updates/sta.jar

/data/user/0/com.xd.tothemoon/files/stares/updates/sta.jar

/data/data/com.xd.tothemoon/app_plugin_lib/libabcdefgh.so

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:07

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

14s

Max time network

179s

Command Line

com.muzhiwan.market

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.muzhiwan.market

com.muzhiwan.market:mult

com.muzhiwan.market:mzwlogservice

Network

Files

/data/user/0/com.muzhiwan.market/databases/notes-db-journal (three entries with differing hashes)

/data/user/0/com.muzhiwan.market/databases/notes-db

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:07

Platform

android-x64-arm64-20240611.1-en

Max time kernel

14s

Max time network

138s

Command Line

com.xd.tothemoon

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xd.tothemoon/files/stares/updates/sta.jar | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Processes

com.xd.tothemoon

Network

Files

/storage/emulated/0/data/.systemid

/data/user/0/com.xd.tothemoon/files/stares/updates/sta.jar (two entries with differing hashes)

/data/user/0/com.xd.tothemoon/app_plugin_lib/libabcdefgh.so

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:07

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

178s

Command Line

com.dbgj.stacore

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.dbgj.stacore/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.dbgj.stacore

getprop ro.board.platform

getprop ro.mediatek.platform

getprop ro.mediatek.platform

getprop ro.board.platform

getprop ro.mediatek.platform

Network

Files

/storage/emulated/0/data/.systemid

/storage/emulated/0/data/.systemmac

/data/data/com.dbgj.stacore/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar (two entries with differing hashes)

/data/data/com.dbgj.stacore/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar (deleted)

/data/user/0/com.dbgj.stacore/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x64-20240611.1-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x86-arm-20240611.1-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.204.67:443 | | tcp
GB | 142.250.178.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 02:03

Reported

2024-06-14 02:04

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A