Malware Analysis Report

2024-09-09 16:01

Sample ID 240615-f5xlystdrq
Target ad010b1026ba3bbe9042a323b34a7c54_JaffaCakes118
SHA256 8ce8c5625079961a0b82311271d052b2890712a1d90b0708ce05a7da8d2a0a1f
Tags
collection credential_access discovery evasion impact persistence
score
8/10


Analysis Overview

Threat Level: Likely malicious

The file ad010b1026ba3bbe9042a323b34a7c54_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Requests cell location

Queries account information for other applications stored on the device

Obtains sensitive information copied to the device clipboard

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Declares services with permission to bind to the system

Acquires the wake lock

Requests dangerous framework permissions

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 05:28

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by remote views services to bind with the system. Allows apps to share and display views across different processes. android.permission.BIND_REMOTEVIEWS N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to use SIP service. android.permission.USE_SIP N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 05:27

Reported

2024-06-15 05:31

Platform

android-x64-arm64-20240611.1-en

Max time kernel

175s

Max time network

187s

Command Line

com.kingsoft.calendar

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/bin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A
N/A /system/bin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.kingsoft.calendar

com.kingsoft.calendar:GTpushservice

com.kingsoft.calendar:pushservice

Network


Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 05:27

Reported

2024-06-15 05:31

Platform

android-x86-arm-20240611.1-en

Max time kernel

29s

Max time network

137s

Command Line

com.kingsoft.calendar

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.kingsoft.calendar

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files
