Malware Analysis Report

2024-09-09 13:32

Sample ID 240616-hrtn9aterb
Target b23ee7c3ca43a01810e36abdc048d3cd_JaffaCakes118
SHA256 0c89f9870d0ebd8fae3c65af56cba370de78af9399a2b04122e7b2443440da98
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0c89f9870d0ebd8fae3c65af56cba370de78af9399a2b04122e7b2443440da98

Threat Level: Likely malicious

The file b23ee7c3ca43a01810e36abdc048d3cd_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about the phone network operator

Queries information about the current Wi-Fi connection

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 06:58

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 06:58

Reported

2024-06-16 07:01

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

131s

Command Line

com.eyyk.qwit.yomo

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.eyyk.qwit.yomo/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.eyyk.qwit.yomo/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.eyyk.qwit.yomo/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.eyyk.qwit.yomo

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.eyyk.qwit.yomo/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.eyyk.qwit.yomo/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.eyyk.qwit.yomo:daemon

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 06:58

Reported

2024-06-16 07:01

Platform

android-x64-20240611.1-en

Max time kernel

178s

Max time network

181s

Command Line

com.eyyk.qwit.yomo

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.eyyk.qwit.yomo/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.eyyk.qwit.yomo/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.eyyk.qwit.yomo

com.eyyk.qwit.yomo:daemon

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 06:58

Reported

2024-06-16 07:01

Platform

android-x64-arm64-20240611.1-en

Max time kernel

178s

Max time network

181s

Command Line

com.eyyk.qwit.yomo

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.eyyk.qwit.yomo/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.eyyk.qwit.yomo/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about the phone network operator

discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.eyyk.qwit.yomo

com.eyyk.qwit.yomo:daemon

Network


Files
