Malware Analysis Report

2024-09-09 13:32

Sample ID 240615-jr5l7awgpp
Target ad69d0a4f4da493a5da6445d9a0fe4f4_JaffaCakes118
SHA256 2b937dfac9d5c974a0678540e663d2289e0ad37b3af1bb2e235dcf8d7d1c1f03
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

2b937dfac9d5c974a0678540e663d2289e0ad37b3af1bb2e235dcf8d7d1c1f03

Threat Level: Likely malicious

The file ad69d0a4f4da493a5da6445d9a0fe4f4_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 07:55

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 07:55

Reported

2024-06-15 07:58

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

131s

Command Line

com.qhot.gbca.ojry

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qhot.gbca.ojry

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.qhot.gbca.ojry/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.qhot.gbca.ojry:daemon

Network


Files

/data/data/com.qhot.gbca.ojry/app_mjf/tdz.jar

/data/data/com.qhot.gbca.ojry/app_mjf/ddz.jar

/data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar

/data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar

/data/data/com.qhot.gbca.ojry/files/umeng_it.cache

/data/data/com.qhot.gbca.ojry/files/.umeng/exchangeIdentity.json

/data/data/com.qhot.gbca.ojry/databases/lezzd-journal

/data/data/com.qhot.gbca.ojry/databases/lezzd

/data/data/com.qhot.gbca.ojry/databases/lezzd-shm

/data/data/com.qhot.gbca.ojry/databases/lezzd-wal

/data/data/com.qhot.gbca.ojry/files/.um/um_cache_1718438177860.env

/data/data/com.qhot.gbca.ojry/files/.imprint

/data/data/com.qhot.gbca.ojry/files/mobclick_agent_cached_com.qhot.gbca.ojry1

/data/data/com.qhot.gbca.ojry/files/.umeng/exchangeIdentity.json

/data/data/com.qhot.gbca.ojry/files/.imprint

/data/data/com.qhot.gbca.ojry/files/umeng_it.cache

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 07:55

Reported

2024-06-15 07:58

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

186s

Command Line

com.qhot.gbca.ojry

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qhot.gbca.ojry

com.qhot.gbca.ojry:daemon

Network


Files

/data/data/com.qhot.gbca.ojry/app_mjf/tdz.jar

/data/data/com.qhot.gbca.ojry/app_mjf/ddz.jar

/data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar

/data/data/com.qhot.gbca.ojry/files/umeng_it.cache

/data/data/com.qhot.gbca.ojry/files/.umeng/exchangeIdentity.json

/data/data/com.qhot.gbca.ojry/databases/lezzd-journal

/data/data/com.qhot.gbca.ojry/databases/lezzd

/data/data/com.qhot.gbca.ojry/databases/lezzd-journal

/data/data/com.qhot.gbca.ojry/databases/lezzd-journal

/data/data/com.qhot.gbca.ojry/databases/lezzd-journal

/data/data/com.qhot.gbca.ojry/databases/lezzd-journal

/data/data/com.qhot.gbca.ojry/databases/lezzd-journal

/data/data/com.qhot.gbca.ojry/files/.um/um_cache_1718438178042.env

/data/data/com.qhot.gbca.ojry/app_mjf/oat/dz.jar.cur.prof

/data/data/com.qhot.gbca.ojry/files/mobclick_agent_cached_com.qhot.gbca.ojry1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 07:55

Reported

2024-06-15 07:58

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

186s

Command Line

com.qhot.gbca.ojry

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qhot.gbca.ojry

com.qhot.gbca.ojry:daemon

Network


Files

/data/user/0/com.qhot.gbca.ojry/app_mjf/tdz.jar

/data/user/0/com.qhot.gbca.ojry/app_mjf/ddz.jar

/data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar

/data/user/0/com.qhot.gbca.ojry/files/umeng_it.cache

/data/user/0/com.qhot.gbca.ojry/files/.umeng/exchangeIdentity.json

/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal

/data/user/0/com.qhot.gbca.ojry/databases/lezzd

/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal

/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal

/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal

/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal

/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal

/data/user/0/com.qhot.gbca.ojry/files/.um/um_cache_1718438178119.env

/data/user/0/com.qhot.gbca.ojry/files/mobclick_agent_cached_com.qhot.gbca.ojry1