Malware Analysis Report

2024-09-09 13:32

Sample ID 240615-jnqc4awfpq
Target ad6690376c647d1f00778276b8367398_JaffaCakes118
SHA256 e714e8adda00db5053bd11f6fc33792137e05fdc851fd3401dc90a957e9a13a9
Tags
banker collection discovery evasion stealth trojan persistence
score
8/10


Analysis Overview

score
8/10

SHA256

e714e8adda00db5053bd11f6fc33792137e05fdc851fd3401dc90a957e9a13a9

Threat Level: Likely malicious

The file ad6690376c647d1f00778276b8367398_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion stealth trojan persistence

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 07:49

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 07:49

Reported

2024-06-15 07:52

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

181s

Command Line

com.rffa.ymba.clil

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rffa.ymba.clil/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.rffa.ymba.clil

com.rffa.ymba.clil:daemon

Network


Files

/data/user/0/com.rffa.ymba.clil/app_mjf/tdz.jar

/data/user/0/com.rffa.ymba.clil/app_mjf/ddz.jar

/data/user/0/com.rffa.ymba.clil/app_mjf/dz.jar

/data/user/0/com.rffa.ymba.clil/databases/lezzd-journal

/data/user/0/com.rffa.ymba.clil/databases/lezzd

/data/user/0/com.rffa.ymba.clil/files/umeng_it.cache

/data/user/0/com.rffa.ymba.clil/files/.umeng/exchangeIdentity.json

/data/user/0/com.rffa.ymba.clil/files/.um/um_cache_1718437870750.env

/data/user/0/com.rffa.ymba.clil/files/mobclick_agent_cached_com.rffa.ymba.clil1

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 07:49

Reported

2024-06-15 07:52

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

158s

Command Line

com.rffa.ymba.clil

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rffa.ymba.clil/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.rffa.ymba.clil

com.rffa.ymba.clil:daemon

Network


Files

/data/data/com.rffa.ymba.clil/app_mjf/tdz.jar

/data/data/com.rffa.ymba.clil/app_mjf/ddz.jar

/data/user/0/com.rffa.ymba.clil/app_mjf/dz.jar

/data/data/com.rffa.ymba.clil/databases/lezzd-journal

/data/data/com.rffa.ymba.clil/databases/lezzd

/data/data/com.rffa.ymba.clil/databases/lezzd-shm

/data/data/com.rffa.ymba.clil/databases/lezzd-wal

/data/data/com.rffa.ymba.clil/app_mjf/oat/dz.jar.cur.prof

/data/data/com.rffa.ymba.clil/files/umeng_it.cache

/data/data/com.rffa.ymba.clil/files/.umeng/exchangeIdentity.json

/data/data/com.rffa.ymba.clil/files/.imprint

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 07:49

Reported

2024-06-15 07:52

Platform

android-x64-20240611.1-en

Max time kernel

178s

Max time network

180s

Command Line

com.rffa.ymba.clil

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rffa.ymba.clil/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.rffa.ymba.clil

com.rffa.ymba.clil:daemon

Network


Files

/data/data/com.rffa.ymba.clil/app_mjf/tdz.jar

/data/data/com.rffa.ymba.clil/app_mjf/ddz.jar

/data/user/0/com.rffa.ymba.clil/app_mjf/dz.jar

/data/data/com.rffa.ymba.clil/databases/lezzd-journal

/data/data/com.rffa.ymba.clil/databases/lezzd

/data/data/com.rffa.ymba.clil/files/umeng_it.cache

/data/data/com.rffa.ymba.clil/files/.umeng/exchangeIdentity.json

/data/data/com.rffa.ymba.clil/files/.um/um_cache_1718437869904.env

/data/data/com.rffa.ymba.clil/files/mobclick_agent_cached_com.rffa.ymba.clil1