Analysis Overview
SHA256
97dfbc2165590884197f81b271e4e5707d7411c72d27a40febe47a6a626a93b2
Threat Level: Likely malicious
The file b5bc38a8e8dd14e5ab191f463c8dff01_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Queries account information for other applications stored on the device
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Loads dropped Dex/Jar
Queries information about running processes on the device
Requests dangerous framework permissions
Queries the unique device ID (IMEI, MEID, IMSI)
Queries information about the current Wi-Fi connection
Reads information about phone network operator.
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-16 23:26
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 23:26
Reported
2024-06-16 23:29
Platform
android-x86-arm-20240611.1-en
Max time kernel
179s
Max time network
178s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar | N/A | N/A |
| N/A | /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar | N/A | N/A |
| N/A | /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries account information for other applications stored on the device
| Description | Indicator | Process | Target |
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.pixj.kkwn.hsoc
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.pixj.kkwn.hsoc/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
com.pixj.kkwn.hsoc:daemon
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ip.taobao.com | udp |
| CN | 59.82.120.12:80 | ip.taobao.com | tcp |
| US | 1.1.1.1:53 | c.ioate.com | udp |
| CN | 59.82.120.12:80 | ip.taobao.com | tcp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| CN | 59.82.120.12:80 | ip.taobao.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| CN | 59.82.120.12:80 | ip.taobao.com | tcp |
| US | 1.1.1.1:53 | o.pmuro.com | udp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| CN | 59.82.120.12:80 | ip.taobao.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | ip.taobao.com | udp |
| CN | 59.82.122.8:80 | ip.taobao.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 59.82.122.8:80 | ip.taobao.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
Files
/data/data/com.pixj.kkwn.hsoc/app_mjf/tdz.jar
| MD5 | 293ea5f01e27975bed5179ba79d80eac |
| SHA1 | c5b0806a537fd1cb753e11f1a9684933317716b8 |
| SHA256 | 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b |
| SHA512 | c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53 |
/data/data/com.pixj.kkwn.hsoc/app_mjf/ddz.jar
| MD5 | 23ba0b249042b7ba33e92c0199b0ea4a |
| SHA1 | 99b13ee9f7307316c2337953fceed87e9942b794 |
| SHA256 | 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2 |
| SHA512 | 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861 |
/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar
| MD5 | a54a18b58c6720991c021f433dfb2a46 |
| SHA1 | d2ffa07919f92b6e04914e39843f08fdb2a75b68 |
| SHA256 | 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3 |
| SHA512 | e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc |
/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar
| MD5 | 9b47e78a6ff90cce5755ce4742047627 |
| SHA1 | 831b24aa9e116eb8d7065efd430088d419dfd6c7 |
| SHA256 | 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae |
| SHA512 | 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 611a91692aeefea9a71fdde4320e3e1e |
| SHA1 | d96d3fda97ca1e335af6e203bf013ac83d46d46a |
| SHA256 | 5c05ff868f28c809b26ea5abb176400b3060ae379273b0744a1ed04c806b92ec |
| SHA512 | 4b835363b1b2188911b2ff4a81ab01b93fe43bf3044a3fd6563d13193bb446947c64947fa3f03fc05a097065e569560dd3f66323f4f5e7e4c3a2a60ca508a3fa |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-wal
| MD5 | 91a0ba149dfbe068d299dd49b1db9da8 |
| SHA1 | 4bba39f696b4d7c63a9befccb428aafe946260a8 |
| SHA256 | 8b2508910e0c85ce437d648cba57c36c00f205984c3a23156b04cf511a1e7119 |
| SHA512 | eda507c1315aaa0371ef2da0a1cae8a30813359183f7b3359d6217e30d9666ccad930a7d263062155a892e5665cee19488e0053ab951f0edb60c0f34773a8442 |
/data/data/com.pixj.kkwn.hsoc/files/umeng_it.cache
| MD5 | 04cb48cf79ad3a67623ab4fb2831119f |
| SHA1 | 797808dbf81ef34a0815de74733b3bfd19f571b0 |
| SHA256 | 70321ac960b1ff256dfc857983786fa3fbc89dd098d8f76cc94430ddfba505bf |
| SHA512 | 75734de9a73b07672951fa06db6b08fa78e8bef72167a426ed1997b337efc9156faa130badc3fbce36a6b773f5637f124f98950bdcde6ad29b26eda4ba8d28d6 |
/data/data/com.pixj.kkwn.hsoc/files/.umeng/exchangeIdentity.json
| MD5 | 71773604a2712d50cc1d35077814a57d |
| SHA1 | ff9fe19e731349f0b9228cdd2a31c97215eb6c21 |
| SHA256 | adf09920780dc01f42dbacb34eebbe83cd343e25b209935272a886ba32efcd98 |
| SHA512 | b83d3e709e01e455fbefead814475f857ce3663e0a2ed587965bf3d8095088c1bc5ac3b0396d845e7a049d983c8c4c75bcf8d0181a7bbe2305d0255179c876f7 |
/data/data/com.pixj.kkwn.hsoc/files/.um/um_cache_1718580486169.env
| MD5 | d8b1fde10404c22f34bd19561319f653 |
| SHA1 | 28452238c358b0a754bacdf6a6b5dc2c6428b667 |
| SHA256 | deb6358c7fab314c8d952d703d45e240d5bf14b5603d7523e6efe178f6a6ed0e |
| SHA512 | 0f576a20b30a6f82268ffe3e6c4906fae98c7a082897a752b33ca90458fb35a03b80fcbd8ccc488f923d9a6d3330bfa6db5276c64615f7815c945bcd1694a68b |
/data/data/com.pixj.kkwn.hsoc/app_mjf/oat/dz.jar.cur.prof
| MD5 | c7f36e1bc2589465a2ec77773e1106f8 |
| SHA1 | edd65966d5ae6a3a2d048eb179fdbffbeaa357b5 |
| SHA256 | 199c1674d649a16d867ffc61ace04d71ec600e4d01569172152a3d30f1b5f6f6 |
| SHA512 | 3d6975220c970dd25f55751462624a4d09a3a33cbe3b0f2b707674b09a6faac2c610d9ad3886e8fc244ab39411654aefd10ad6669a3d27bb0fe232032264a75b |
/data/data/com.pixj.kkwn.hsoc/files/mobclick_agent_cached_com.pixj.kkwn.hsoc1
| MD5 | d70a4edb06a7abf5e4a20c8369a97d5c |
| SHA1 | 371ca72e28837516eeaba6aea9ac870aa7d7e38f |
| SHA256 | 8d5500293e706fbca63707641959d0b1aa987a5e48ffc8bf5383d03b33e1f9b7 |
| SHA512 | 4b19f8c8ae0c0550f0fbc649df7de31788e61617fa9237427e9b1951e54e413e3251001320ea52a33ed573e9f28227f3d8a230abf03e79877e6a0ad1d202b7a0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 23:26
Reported
2024-06-16 23:29
Platform
android-x64-20240611.1-en
Max time kernel
178s
Max time network
178s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar | N/A | N/A |
| N/A | /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries account information for other applications stored on the device
| Description | Indicator | Process | Target |
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.pixj.kkwn.hsoc
com.pixj.kkwn.hsoc:daemon
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ip.taobao.com | udp |
| CN | 59.82.121.163:80 | ip.taobao.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | c.ioate.com | udp |
| CN | 59.82.121.163:80 | ip.taobao.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.212.234:443 | semanticlocation-pa.googleapis.com | tcp |
| CN | 59.82.121.163:80 | ip.taobao.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
| GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp |
| CN | 59.82.121.163:80 | ip.taobao.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | o.pmuro.com | udp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 59.82.121.163:80 | ip.taobao.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 59.82.121.163:80 | ip.taobao.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 59.82.121.163:80 | ip.taobao.com | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
Files
/data/data/com.pixj.kkwn.hsoc/app_mjf/tdz.jar
| MD5 | 293ea5f01e27975bed5179ba79d80eac |
| SHA1 | c5b0806a537fd1cb753e11f1a9684933317716b8 |
| SHA256 | 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b |
| SHA512 | c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53 |
/data/data/com.pixj.kkwn.hsoc/app_mjf/ddz.jar
| MD5 | 23ba0b249042b7ba33e92c0199b0ea4a |
| SHA1 | 99b13ee9f7307316c2337953fceed87e9942b794 |
| SHA256 | 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2 |
| SHA512 | 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861 |
/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar
| MD5 | a54a18b58c6720991c021f433dfb2a46 |
| SHA1 | d2ffa07919f92b6e04914e39843f08fdb2a75b68 |
| SHA256 | 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3 |
| SHA512 | e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 8323fca0edfed7edf210a9aa3ded7b00 |
| SHA1 | 70863f8913afa94e90d16c292a3373c738dde940 |
| SHA256 | 77b0a562f5f0f36fd006880e0b2b0559c3caab5137b441d4245a14a8c532cdce |
| SHA512 | 49dc27000f5e11033f046e027e46904744ac5e3086c8cd0dcf50940786076ce274a695735cd825a1f9cf048529fbcfd913a9219fe8d2ab0c486ac41b892762c7 |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd
| MD5 | dae68dcffc3d522a79f98ebbc3b6d457 |
| SHA1 | 6df5dce9a50f12044a2d20b8d1742ae47b82ee03 |
| SHA256 | 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286 |
| SHA512 | 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 48ec97e842f995202c1f5297d2adcd77 |
| SHA1 | 3cf7b70c732bfb6ad78ab5aca74651d04e815424 |
| SHA256 | 9a656852551f5e395f1e7d628e00dee7c14acd117e18fe007d5d528975c7796a |
| SHA512 | e7eec64124e2f967d48c9e6cf2dbf690012e5cb10b93e3dd1aa89e85fe54f28047da6dabd8687488817812a76eba89b839bcf1714d1fa786846708d095e27bda |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 2da4f7590474d85a6a9028977d629dc0 |
| SHA1 | 0a62eb5b4b95afbf3dd0acf41ec4987b372a5f29 |
| SHA256 | dc691acd373d1393c06e84be7a205c858f1b23c009cd9aed6121620e786d3675 |
| SHA512 | 9ede820850543870b231ae8a5d6eacf0536275976bef5d750e99a7d38320a0c70fb52dd89cbdb690654e500534febc7109249d24f98bcce7f9665b80df84f5d0 |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 5bfe5cdaa6b7935b3017499a037ac29c |
| SHA1 | 58ee722582a65ee428be7dae6ac44ed29b472bd0 |
| SHA256 | 7b8d1b6ebe16f3e86fd47b9a029918249d516ae4eb11dd4648a4e01b949ce4a4 |
| SHA512 | c7b31b49f35547de8998b7979dcf0523bffd9e3fb4caa3d83e7a3a71e3888f8901414eedfb0740b1a93aaa304bb191582166400f357e4430cd7f458400ea0ed1 |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | a5af80c9aad4093c0ad30a49e4db394d |
| SHA1 | ea3710a154e96b174499b3be4a1437da909769de |
| SHA256 | 641c0dc2a25c5dab08d17927c68e902d95eb27458f8b09246f6a0ad9aa454513 |
| SHA512 | 34c5beaf7bfd940b6073db73378b48ac2525285283a150bdde4dda7d26771aaf68d5a507564f8db7577b86a8be03bbe335660582c61bf932612633908235881d |
/data/data/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | a542e32b3582514d037a7ed15145aae3 |
| SHA1 | 6bf08512b718cdbe981c1f647fa40792ac323962 |
| SHA256 | 7d66352df22cc1634d5a90bd0abfa17f1e1e023354a887a8abf4717e5251ec5a |
| SHA512 | 2183bbb96781d417f39a0c457d82edeece9d124900be37bd59c13587b7e6c0b8b02fe8981e02f780ab925d7d080ea2e3c523879600d17314a7123da4796c0364 |
/data/data/com.pixj.kkwn.hsoc/files/umeng_it.cache
| MD5 | 9142f722776e88933e0d80e10c997c08 |
| SHA1 | e76a00e77c95ef9c8c3e76c101592e68deb36ee0 |
| SHA256 | 98d9132c1ddb5409ff612737db15e98404667d679d5fa714c7656324f7195b56 |
| SHA512 | bc0ba89d8d2fdaff12b869672570d5a175d97c4270bbf79222e8acdfb8caed60a9f16000acda0479d5cc68b1e124c62d6570b4afd98dff5f082761a4bb459595 |
/data/data/com.pixj.kkwn.hsoc/files/.umeng/exchangeIdentity.json
| MD5 | d07068d0344a6c5cc543fd98e2f9958a |
| SHA1 | f82e5be2956293fc4044b31a32e054994eb39bb4 |
| SHA256 | 34bd76ee0b4686e531cba1f99e8c66d9d21cd666e0790c186d1de99f1304981f |
| SHA512 | eacb8542eaababca31c82d230b974b02f1ad37f986759bb21fb4c19c67c6c75fee6d489b2f572d4100be40ea4d3872c546c7919e7c50aa3e9c1e62492f04fe47 |
/data/data/com.pixj.kkwn.hsoc/files/.um/um_cache_1718580485086.env
| MD5 | d806acc679fcd88a44dd1d1a3c146b75 |
| SHA1 | 5127dacd12efc0a8504f6e3160d00bb7e61bb547 |
| SHA256 | 35dd3796dc61c315fc759c921f1e0d1379a5a58650d6a4bf239645871fe5afee |
| SHA512 | 95e6e72095b0306fa7e7c7c40139df95a2437dad422849e8eb190ce421d56d5845a3b249d29735d890155133cdc67ebf4b1c6c55284bd3df69339abc7b139e4a |
/data/data/com.pixj.kkwn.hsoc/files/mobclick_agent_cached_com.pixj.kkwn.hsoc1
| MD5 | b77b65856ea0d04edd5f4a5d59152d0d |
| SHA1 | d1ea166dcdc17ca05a18b9fad42c1a63ea7f5c52 |
| SHA256 | 7e95e9b8ba1345dc07bfd7ed255fea3faca239d6b61c1fd78df5dc5476834d32 |
| SHA512 | 430941e4a8b20110a99b158ce1786897f859fba8bd366d33e4384cb568d01aafc828abe286605341f9acf52b7f837538a26e9d37174e1dbbd1e1f843956a982d |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-16 23:26
Reported
2024-06-16 23:29
Platform
android-x64-arm64-20240611.1-en
Max time kernel
178s
Max time network
181s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar | N/A | N/A |
| N/A | /data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries account information for other applications stored on the device
| Description | Indicator | Process | Target |
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.pixj.kkwn.hsoc
com.pixj.kkwn.hsoc:daemon
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.179.234:443 | | tcp |
| GB | 142.250.179.234:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ip.taobao.com | udp |
| CN | 59.82.121.55:80 | ip.taobao.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | c.ioate.com | udp |
| CN | 59.82.121.55:80 | ip.taobao.com | tcp |
| CN | 59.82.121.55:80 | ip.taobao.com | tcp |
| CN | 59.82.121.55:80 | ip.taobao.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| US | 1.1.1.1:53 | o.pmuro.com | udp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 18.208.156.248:80 | o.pmuro.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 59.82.121.55:80 | ip.taobao.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 59.82.121.55:80 | ip.taobao.com | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 59.82.121.55:80 | ip.taobao.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
Files
/data/user/0/com.pixj.kkwn.hsoc/app_mjf/tdz.jar
| MD5 | 293ea5f01e27975bed5179ba79d80eac |
| SHA1 | c5b0806a537fd1cb753e11f1a9684933317716b8 |
| SHA256 | 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b |
| SHA512 | c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53 |
/data/user/0/com.pixj.kkwn.hsoc/app_mjf/ddz.jar
| MD5 | 23ba0b249042b7ba33e92c0199b0ea4a |
| SHA1 | 99b13ee9f7307316c2337953fceed87e9942b794 |
| SHA256 | 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2 |
| SHA512 | 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861 |
/data/user/0/com.pixj.kkwn.hsoc/app_mjf/dz.jar
| MD5 | a54a18b58c6720991c021f433dfb2a46 |
| SHA1 | d2ffa07919f92b6e04914e39843f08fdb2a75b68 |
| SHA256 | 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3 |
| SHA512 | e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc |
/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | ad4558fedda9a9e83079a7221a63343c |
| SHA1 | 600e935f4557b3332df49399b00faf31adf1560b |
| SHA256 | be7d02a78a1ad03a73a0f29ec5c2df55e14909e311468f93542b4c2a223e0804 |
| SHA512 | 0d5f181d661133e02fb10bbbd44cdac3713ec2cc0b5de71a899e32e62a02b011d0dd7b5847a4fa922c88682aa697857a369e9a9e36b5456b9de57688bf89381c |
/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd
| MD5 | fdb8a92e5060ce104e8f0faca55a47ce |
| SHA1 | 270d7ca30673e18cec1d2b9add71cba96dc426fe |
| SHA256 | 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a |
| SHA512 | ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122 |
/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 685f8d1398112fa9f66de4d9575b8c68 |
| SHA1 | 775872c0e5f5edc7963079125c7730250437b11d |
| SHA256 | 7e52c5b3197190534db188c429e5771e3078553a563d54883e4c6c76db0023a0 |
| SHA512 | d30bb72db7fd8ad9921f9b19a82c93182b3c66d31456f25f9d2020d5404ed483b3add382687675106588fe08778b0fca8b2aa846e03bd3dca8988f099c7bb215 |
/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 440816e2ec9ef5fe43d7be8e3fcbfdcc |
| SHA1 | 655bc4917d48407266fb12e3c4e251311e20c0ae |
| SHA256 | 6537e55d0e05c87f1ebdde6628781c89d6bddd34bb165b4590c80f14f779d88a |
| SHA512 | a2a5027231c0ae775d9c5dd11cb5a4ad04874786a5665b209cf66c73cabbf03e2ba1727b42cb3f590a380d9fd4eecbada8ae7c481b670fc14da743236e9cdae4 |
/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 2916625552f013ab854ba983e39e6095 |
| SHA1 | beb7020e6745bb63e4859495eb716484647029a2 |
| SHA256 | 3390ef1eb7c4a5cfb2dc024e8f88076dbf1741dc3ac3c4d08ccf3f6141b30366 |
| SHA512 | d23283d9e32acad4e90bb1b9c6ca00fb3563cab437eebc9221c56853d48ab3e80adb78f2a02d17185237486924058d4481fc9b9a4d65ab19b52173b1baf0c2dd |
/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | 37f9f9cf1012d1eb253d5cd62b0c8212 |
| SHA1 | 5576b2cdfe07c757104b384895a73252fb0fc62f |
| SHA256 | 8e584e246ba443d32ca1a296974da744615dcb0bf72647abb1a04f1478c2a1d2 |
| SHA512 | 6e7c03ed0485877c524a408fe4ce75bd56e366bef34957f2cc8ce7e4df567f171637f903c960fddbe510c1fb23c0b5cb099170df59baab1c526510daf9efe242 |
/data/user/0/com.pixj.kkwn.hsoc/databases/lezzd-journal
| MD5 | b29653795dd653ac192e05ab1c5ecc03 |
| SHA1 | eff5d0026fc80f37437777b18d83e803cb221d34 |
| SHA256 | 9477e244e9bbc2b8d55d90492e1fa365896d7cb1ebd05d5a180fbd24329ea0d0 |
| SHA512 | 53195c3b13ce812fc3801bdd4aa57c09cab290f797e4923f71929642144c383aa43f6cd072379408f6e89ed578f40f491b6c765a176e96a064907695c54f09f6 |
/data/user/0/com.pixj.kkwn.hsoc/files/umeng_it.cache
| MD5 | a2ba7287b8eccb8fd2219041aa3331f6 |
| SHA1 | bb372df68a6f07463c682c4ed3713627aebf6286 |
| SHA256 | bdff72bd1bd3c23f3c661318778a57ca970c1ecdda240984b1fa8d9c8f356595 |
| SHA512 | b3b526d7d02b56b1af29739522d6646a29ac48b0b7e87df97ae76e81461783af75af5027d9e6cc40413ef955b293826fa9f3ec9a9dae564f06d22ab869efe54c |
/data/user/0/com.pixj.kkwn.hsoc/files/.umeng/exchangeIdentity.json
| MD5 | 2d914e13e9febaf4029445e609e6aabb |
| SHA1 | 1ff0f9ac912fe89ad44ee4589e04a979e5f7ec1f |
| SHA256 | e260a9e220aa82a5dcf856b21e891af415b1428333d7b0897a53e5767d94a707 |
| SHA512 | aac771a85a88be16418ea1580a1120ad439ad20c7e2a4ec5564bae2dd614d87cf4c401370de6a26453dd11866b45aa7c535c0c3fb45fd4388464b26a157822da |
/data/user/0/com.pixj.kkwn.hsoc/files/.imprint
| MD5 | aef30e783c88fd1b9b68122cda2bec5c |
| SHA1 | 643319e0e878482b29a9f5869528646798e56e8b |
| SHA256 | 51642e4e28a5ffe073000117d2b0b773b66907b485fde619b9034c75d9c0e390 |
| SHA512 | 2cf301ed00b874e152751f1827a5f9e4435e8e136170d6648af495e0de427ff91930dccce629ff3dfa6e0b57c7efbdde14d7db1d8dfc4b688e730dbb3990c5c9 |
/data/user/0/com.pixj.kkwn.hsoc/files/umeng_it.cache
| MD5 | 32aa87a7b4c98d93c9fbaf598d39ca3f |
| SHA1 | cfd66339020096e9b6fd2e714716a30adbe31486 |
| SHA256 | 94c6c8d162cf45c9814fd2d2e298f308f464eb2d738a303af33d2f796eb82bea |
| SHA512 | c30aa0e4f6148ece10d75c3601b7da25c7f93014b3e5c6879692263a8a565142d50f577f6cfb1022ecaa32f2cc7afb3c06486672b12324970b91e62055e5ce38 |
/data/user/0/com.pixj.kkwn.hsoc/files/.umeng/exchangeIdentity.json
| MD5 | b4f590cfd089b11cd999dd8867fd4671 |
| SHA1 | c1ce6704fd687566d30a6a49bf994ad56facb9a0 |
| SHA256 | 3c718409bc5d38c86037a2eb14bc5922921ea511480165c24dd7b51b093be546 |
| SHA512 | 64c1e60628b4fae6ddcb3f113ceac301137331539451b96e4785aeeb8092a5090b8e5195aa13d95c1ea1ab366a9dd47ec6c253f4258732ff8eae78c472dbdb4d |
/data/user/0/com.pixj.kkwn.hsoc/files/.um/um_cache_1718580545142.env
| MD5 | 96b212ccd8711962cf353daa5b6733ea |
| SHA1 | eb5fcd6fe556e389afd514d8f553fe2b8b4256ca |
| SHA256 | 6b851a97aeb7872b9bb38e741ccbd1c70b44a1a2b5820c44858278ffbe44095d |
| SHA512 | c06a444f1f9676343e3428f0244e030e136e6f6949059c99cbcfa4edcdcd7634d9229c1eadf1932bb1199ddb54dbacdb92867032ff4ff2080a143cda7b4444fe |