Malware Analysis Report

2024-09-09 13:24

Sample ID 240616-3et5gaxejp
Target b5bc38a8e8dd14e5ab191f463c8dff01_JaffaCakes118
SHA256 97dfbc2165590884197f81b271e4e5707d7411c72d27a40febe47a6a626a93b2
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

97dfbc2165590884197f81b271e4e5707d7411c72d27a40febe47a6a626a93b2

Threat Level: Likely malicious

The file b5bc38a8e8dd14e5ab191f463c8dff01_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:26

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:26

Reported

2024-06-16 23:29

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

178s

Command Line

com.pixj.kkwn.hsoc

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.pixj.kkwn.hsoc

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.pixj.kkwn.hsoc/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.pixj.kkwn.hsoc:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.8:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.122.8:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp

Files

/data/data/com.pixj.kkwn.hsoc/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.pixj.kkwn.hsoc/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 611a91692aeefea9a71fdde4320e3e1e
SHA1 d96d3fda97ca1e335af6e203bf013ac83d46d46a
SHA256 5c05ff868f28c809b26ea5abb176400b3060ae379273b0744a1ed04c806b92ec
SHA512 4b835363b1b2188911b2ff4a81ab01b93fe43bf3044a3fd6563d13193bb446947c64947fa3f03fc05a097065e569560dd3f66323f4f5e7e4c3a2a60ca508a3fa

/data/data/com.pixj.kkwn.hsoc/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-wal

MD5 91a0ba149dfbe068d299dd49b1db9da8
SHA1 4bba39f696b4d7c63a9befccb428aafe946260a8
SHA256 8b2508910e0c85ce437d648cba57c36c00f205984c3a23156b04cf511a1e7119
SHA512 eda507c1315aaa0371ef2da0a1cae8a30813359183f7b3359d6217e30d9666ccad930a7d263062155a892e5665cee19488e0053ab951f0edb60c0f34773a8442

/data/data/com.pixj.kkwn.hsoc/files/umeng_it.cache

MD5 04cb48cf79ad3a67623ab4fb2831119f
SHA1 797808dbf81ef34a0815de74733b3bfd19f571b0
SHA256 70321ac960b1ff256dfc857983786fa3fbc89dd098d8f76cc94430ddfba505bf
SHA512 75734de9a73b07672951fa06db6b08fa78e8bef72167a426ed1997b337efc9156faa130badc3fbce36a6b773f5637f124f98950bdcde6ad29b26eda4ba8d28d6

/data/data/com.pixj.kkwn.hsoc/files/.umeng/exchangeIdentity.json

MD5 71773604a2712d50cc1d35077814a57d
SHA1 ff9fe19e731349f0b9228cdd2a31c97215eb6c21
SHA256 adf09920780dc01f42dbacb34eebbe83cd343e25b209935272a886ba32efcd98
SHA512 b83d3e709e01e455fbefead814475f857ce3663e0a2ed587965bf3d8095088c1bc5ac3b0396d845e7a049d983c8c4c75bcf8d0181a7bbe2305d0255179c876f7

/data/data/com.pixj.kkwn.hsoc/files/.um/um_cache_1718580486169.env

MD5 d8b1fde10404c22f34bd19561319f653
SHA1 28452238c358b0a754bacdf6a6b5dc2c6428b667
SHA256 deb6358c7fab314c8d952d703d45e240d5bf14b5603d7523e6efe178f6a6ed0e
SHA512 0f576a20b30a6f82268ffe3e6c4906fae98c7a082897a752b33ca90458fb35a03b80fcbd8ccc488f923d9a6d3330bfa6db5276c64615f7815c945bcd1694a68b

/data/data/com.pixj.kkwn.hsoc/app_mjf/oat/dz.jar.cur.prof

MD5 c7f36e1bc2589465a2ec77773e1106f8
SHA1 edd65966d5ae6a3a2d048eb179fdbffbeaa357b5
SHA256 199c1674d649a16d867ffc61ace04d71ec600e4d01569172152a3d30f1b5f6f6
SHA512 3d6975220c970dd25f55751462624a4d09a3a33cbe3b0f2b707674b09a6faac2c610d9ad3886e8fc244ab39411654aefd10ad6669a3d27bb0fe232032264a75b

/data/data/com.pixj.kkwn.hsoc/files/mobclick_agent_cached_com.pixj.kkwn.hsoc1

MD5 d70a4edb06a7abf5e4a20c8369a97d5c
SHA1 371ca72e28837516eeaba6aea9ac870aa7d7e38f
SHA256 8d5500293e706fbca63707641959d0b1aa987a5e48ffc8bf5383d03b33e1f9b7
SHA512 4b19f8c8ae0c0550f0fbc649df7de31788e61617fa9237427e9b1951e54e413e3251001320ea52a33ed573e9f28227f3d8a230abf03e79877e6a0ad1d202b7a0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:26

Reported

2024-06-16 23:29

Platform

android-x64-20240611.1-en

Max time kernel

178s

Max time network

178s

Command Line

com.pixj.kkwn.hsoc

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.pixj.kkwn.hsoc

com.pixj.kkwn.hsoc:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.212.234:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
GB 142.250.200.46:443 tcp
GB 142.250.179.226:443 tcp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp

Files

/data/data/com.pixj.kkwn.hsoc/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.pixj.kkwn.hsoc/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 8323fca0edfed7edf210a9aa3ded7b00
SHA1 70863f8913afa94e90d16c292a3373c738dde940
SHA256 77b0a562f5f0f36fd006880e0b2b0559c3caab5137b441d4245a14a8c532cdce
SHA512 49dc27000f5e11033f046e027e46904744ac5e3086c8cd0dcf50940786076ce274a695735cd825a1f9cf048529fbcfd913a9219fe8d2ab0c486ac41b892762c7

/data/data/com.pixj.kkwn.hsoc/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 48ec97e842f995202c1f5297d2adcd77
SHA1 3cf7b70c732bfb6ad78ab5aca74651d04e815424
SHA256 9a656852551f5e395f1e7d628e00dee7c14acd117e18fe007d5d528975c7796a
SHA512 e7eec64124e2f967d48c9e6cf2dbf690012e5cb10b93e3dd1aa89e85fe54f28047da6dabd8687488817812a76eba89b839bcf1714d1fa786846708d095e27bda

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 2da4f7590474d85a6a9028977d629dc0
SHA1 0a62eb5b4b95afbf3dd0acf41ec4987b372a5f29
SHA256 dc691acd373d1393c06e84be7a205c858f1b23c009cd9aed6121620e786d3675
SHA512 9ede820850543870b231ae8a5d6eacf0536275976bef5d750e99a7d38320a0c70fb52dd89cbdb690654e500534febc7109249d24f98bcce7f9665b80df84f5d0

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 5bfe5cdaa6b7935b3017499a037ac29c
SHA1 58ee722582a65ee428be7dae6ac44ed29b472bd0
SHA256 7b8d1b6ebe16f3e86fd47b9a029918249d516ae4eb11dd4648a4e01b949ce4a4
SHA512 c7b31b49f35547de8998b7979dcf0523bffd9e3fb4caa3d83e7a3a71e3888f8901414eedfb0740b1a93aaa304bb191582166400f357e4430cd7f458400ea0ed1

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 a5af80c9aad4093c0ad30a49e4db394d
SHA1 ea3710a154e96b174499b3be4a1437da909769de
SHA256 641c0dc2a25c5dab08d17927c68e902d95eb27458f8b09246f6a0ad9aa454513
SHA512 34c5beaf7bfd940b6073db73378b48ac2525285283a150bdde4dda7d26771aaf68d5a507564f8db7577b86a8be03bbe335660582c61bf932612633908235881d

/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 a542e32b3582514d037a7ed15145aae3
SHA1 6bf08512b718cdbe981c1f647fa40792ac323962
SHA256 7d66352df22cc1634d5a90bd0abfa17f1e1e023354a887a8abf4717e5251ec5a
SHA512 2183bbb96781d417f39a0c457d82edeece9d124900be37bd59c13587b7e6c0b8b02fe8981e02f780ab925d7d080ea2e3c523879600d17314a7123da4796c0364

/data/data/com.pixj.kkwn.hsoc/files/umeng_it.cache

MD5 9142f722776e88933e0d80e10c997c08
SHA1 e76a00e77c95ef9c8c3e76c101592e68deb36ee0
SHA256 98d9132c1ddb5409ff612737db15e98404667d679d5fa714c7656324f7195b56
SHA512 bc0ba89d8d2fdaff12b869672570d5a175d97c4270bbf79222e8acdfb8caed60a9f16000acda0479d5cc68b1e124c62d6570b4afd98dff5f082761a4bb459595

/data/data/com.pixj.kkwn.hsoc/files/.umeng/exchangeIdentity.json

MD5 d07068d0344a6c5cc543fd98e2f9958a
SHA1 f82e5be2956293fc4044b31a32e054994eb39bb4
SHA256 34bd76ee0b4686e531cba1f99e8c66d9d21cd666e0790c186d1de99f1304981f
SHA512 eacb8542eaababca31c82d230b974b02f1ad37f986759bb21fb4c19c67c6c75fee6d489b2f572d4100be40ea4d3872c546c7919e7c50aa3e9c1e62492f04fe47

/data/data/com.pixj.kkwn.hsoc/files/.um/um_cache_1718580485086.env

MD5 d806acc679fcd88a44dd1d1a3c146b75
SHA1 5127dacd12efc0a8504f6e3160d00bb7e61bb547
SHA256 35dd3796dc61c315fc759c921f1e0d1379a5a58650d6a4bf239645871fe5afee
SHA512 95e6e72095b0306fa7e7c7c40139df95a2437dad422849e8eb190ce421d56d5845a3b249d29735d890155133cdc67ebf4b1c6c55284bd3df69339abc7b139e4a

/data/data/com.pixj.kkwn.hsoc/files/mobclick_agent_cached_com.pixj.kkwn.hsoc1

MD5 b77b65856ea0d04edd5f4a5d59152d0d
SHA1 d1ea166dcdc17ca05a18b9fad42c1a63ea7f5c52
SHA256 7e95e9b8ba1345dc07bfd7ed255fea3faca239d6b61c1fd78df5dc5476834d32
SHA512 430941e4a8b20110a99b158ce1786897f859fba8bd366d33e4384cb568d01aafc828abe286605341f9acf52b7f837538a26e9d37174e1dbbd1e1f843956a982d

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 23:26

Reported

2024-06-16 23:29

Platform

android-x64-arm64-20240611.1-en

Max time kernel

178s

Max time network

181s

Command Line

com.pixj.kkwn.hsoc

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.pixj.kkwn.hsoc

com.pixj.kkwn.hsoc:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
GB 142.250.179.234:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.55:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.121.55:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/user/0/com.pixj.kkwn.hsoc/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.pixj.kkwn.hsoc/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 ad4558fedda9a9e83079a7221a63343c
SHA1 600e935f4557b3332df49399b00faf31adf1560b
SHA256 be7d02a78a1ad03a73a0f29ec5c2df55e14909e311468f93542b4c2a223e0804
SHA512 0d5f181d661133e02fb10bbbd44cdac3713ec2cc0b5de71a899e32e62a02b011d0dd7b5847a4fa922c88682aa697857a369e9a9e36b5456b9de57688bf89381c

/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 685f8d1398112fa9f66de4d9575b8c68
SHA1 775872c0e5f5edc7963079125c7730250437b11d
SHA256 7e52c5b3197190534db188c429e5771e3078553a563d54883e4c6c76db0023a0
SHA512 d30bb72db7fd8ad9921f9b19a82c93182b3c66d31456f25f9d2020d5404ed483b3add382687675106588fe08778b0fca8b2aa846e03bd3dca8988f099c7bb215

/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 440816e2ec9ef5fe43d7be8e3fcbfdcc
SHA1 655bc4917d48407266fb12e3c4e251311e20c0ae
SHA256 6537e55d0e05c87f1ebdde6628781c89d6bddd34bb165b4590c80f14f779d88a
SHA512 a2a5027231c0ae775d9c5dd11cb5a4ad04874786a5665b209cf66c73cabbf03e2ba1727b42cb3f590a380d9fd4eecbada8ae7c481b670fc14da743236e9cdae4

/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 2916625552f013ab854ba983e39e6095
SHA1 beb7020e6745bb63e4859495eb716484647029a2
SHA256 3390ef1eb7c4a5cfb2dc024e8f88076dbf1741dc3ac3c4d08ccf3f6141b30366
SHA512 d23283d9e32acad4e90bb1b9c6ca00fb3563cab437eebc9221c56853d48ab3e80adb78f2a02d17185237486924058d4481fc9b9a4d65ab19b52173b1baf0c2dd

/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 37f9f9cf1012d1eb253d5cd62b0c8212
SHA1 5576b2cdfe07c757104b384895a73252fb0fc62f
SHA256 8e584e246ba443d32ca1a296974da744615dcb0bf72647abb1a04f1478c2a1d2
SHA512 6e7c03ed0485877c524a408fe4ce75bd56e366bef34957f2cc8ce7e4df567f171637f903c960fddbe510c1fb23c0b5cb099170df59baab1c526510daf9efe242

/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal

MD5 b29653795dd653ac192e05ab1c5ecc03
SHA1 eff5d0026fc80f37437777b18d83e803cb221d34
SHA256 9477e244e9bbc2b8d55d90492e1fa365896d7cb1ebd05d5a180fbd24329ea0d0
SHA512 53195c3b13ce812fc3801bdd4aa57c09cab290f797e4923f71929642144c383aa43f6cd072379408f6e89ed578f40f491b6c765a176e96a064907695c54f09f6

/data/user/0/com.pixj.kkwn.hsoc/files/umeng_it.cache

MD5 a2ba7287b8eccb8fd2219041aa3331f6
SHA1 bb372df68a6f07463c682c4ed3713627aebf6286
SHA256 bdff72bd1bd3c23f3c661318778a57ca970c1ecdda240984b1fa8d9c8f356595
SHA512 b3b526d7d02b56b1af29739522d6646a29ac48b0b7e87df97ae76e81461783af75af5027d9e6cc40413ef955b293826fa9f3ec9a9dae564f06d22ab869efe54c

/data/user/0/com.pixj.kkwn.hsoc/files/.umeng/exchangeIdentity.json

MD5 2d914e13e9febaf4029445e609e6aabb
SHA1 1ff0f9ac912fe89ad44ee4589e04a979e5f7ec1f
SHA256 e260a9e220aa82a5dcf856b21e891af415b1428333d7b0897a53e5767d94a707
SHA512 aac771a85a88be16418ea1580a1120ad439ad20c7e2a4ec5564bae2dd614d87cf4c401370de6a26453dd11866b45aa7c535c0c3fb45fd4388464b26a157822da

/data/user/0/com.pixj.kkwn.hsoc/files/.imprint

MD5 aef30e783c88fd1b9b68122cda2bec5c
SHA1 643319e0e878482b29a9f5869528646798e56e8b
SHA256 51642e4e28a5ffe073000117d2b0b773b66907b485fde619b9034c75d9c0e390
SHA512 2cf301ed00b874e152751f1827a5f9e4435e8e136170d6648af495e0de427ff91930dccce629ff3dfa6e0b57c7efbdde14d7db1d8dfc4b688e730dbb3990c5c9

/data/user/0/com.pixj.kkwn.hsoc/files/umeng_it.cache

MD5 32aa87a7b4c98d93c9fbaf598d39ca3f
SHA1 cfd66339020096e9b6fd2e714716a30adbe31486
SHA256 94c6c8d162cf45c9814fd2d2e298f308f464eb2d738a303af33d2f796eb82bea
SHA512 c30aa0e4f6148ece10d75c3601b7da25c7f93014b3e5c6879692263a8a565142d50f577f6cfb1022ecaa32f2cc7afb3c06486672b12324970b91e62055e5ce38

/data/user/0/com.pixj.kkwn.hsoc/files/.umeng/exchangeIdentity.json

MD5 b4f590cfd089b11cd999dd8867fd4671
SHA1 c1ce6704fd687566d30a6a49bf994ad56facb9a0
SHA256 3c718409bc5d38c86037a2eb14bc5922921ea511480165c24dd7b51b093be546
SHA512 64c1e60628b4fae6ddcb3f113ceac301137331539451b96e4785aeeb8092a5090b8e5195aa13d95c1ea1ab366a9dd47ec6c253f4258732ff8eae78c472dbdb4d

/data/user/0/com.pixj.kkwn.hsoc/files/.um/um_cache_1718580545142.env

MD5 96b212ccd8711962cf353daa5b6733ea
SHA1 eb5fcd6fe556e389afd514d8f553fe2b8b4256ca
SHA256 6b851a97aeb7872b9bb38e741ccbd1c70b44a1a2b5820c44858278ffbe44095d
SHA512 c06a444f1f9676343e3428f0244e030e136e6f6949059c99cbcfa4edcdcd7634d9229c1eadf1932bb1199ddb54dbacdb92867032ff4ff2080a143cda7b4444fe