Malware Analysis Report

2024-09-09 12:56

Sample ID 240614-enhwssvbjb
Target a7f15f9d293a3211093f1b388a31ac1d_JaffaCakes118
SHA256 e9d6550f9fdce1860f9aa938ab310d5aba09f87e996f7ab8de83a71858ed06af
Tags
collection discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e9d6550f9fdce1860f9aa938ab310d5aba09f87e996f7ab8de83a71858ed06af

Threat Level: Shows suspicious behavior

The file a7f15f9d293a3211093f1b388a31ac1d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Queries information about the current nearby Wi-Fi networks

Queries information about running processes on the device

Loads dropped Dex/Jar

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:05

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:05

Reported

2024-06-14 04:08

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

185s

Command Line

com.xhl.yy

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.xhl.yy

com.xhl.yy:remote

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:05

Reported

2024-06-14 04:08

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

188s

Command Line

com.xhl.yy

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /product/framework/com.google.android.maps.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.xhl.yy

com.xhl.yy:remote

Network

Files
