Malware Analysis Report

2024-09-09 13:33

Sample ID 240616-ht7znaxhnk
Target b242dacd925c411494a4fca767074937_JaffaCakes118
SHA256 ae39258fabc1d1c9fecbf14f3fa89a3bc05a594232fa5834387c5da8dbde7ad0
Tags banker collection discovery evasion persistence stealth trojan
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file b242dacd925c411494a4fca767074937_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Removes its main activity from the application launcher

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Reads information about the phone network operator

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 07:02

Signatures

Requests dangerous framework permissions

Indicator: description (process and target were not recorded for any entry)
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 07:02

Reported

2024-06-16 07:06

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

179s

Command Line

com.kczq.yicq.anbe

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.kczq.yicq.anbe/app_mjf/dz.jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Indicator: alog.umeng.com

Queries information about active data network

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Processes

com.kczq.yicq.anbe

com.kczq.yicq.anbe:daemon

Network

Files

/data/data/com.kczq.yicq.anbe/app_mjf/tdz.jar

/data/data/com.kczq.yicq.anbe/app_mjf/ddz.jar

/data/user/0/com.kczq.yicq.anbe/app_mjf/dz.jar

/data/data/com.kczq.yicq.anbe/databases/lezzd-journal

/data/data/com.kczq.yicq.anbe/databases/lezzd

/data/data/com.kczq.yicq.anbe/files/umeng_it.cache

/data/data/com.kczq.yicq.anbe/files/.umeng/exchangeIdentity.json

/data/data/com.kczq.yicq.anbe/app_mjf/oat/dz.jar.cur.prof

/data/data/com.kczq.yicq.anbe/files/.um/um_cache_1718521488268.env

/data/data/com.kczq.yicq.anbe/files/mobclick_agent_cached_com.kczq.yicq.anbe1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 07:02

Reported

2024-06-16 07:06

Platform

android-x64-arm64-20240611.1-en

Max time kernel

178s

Max time network

182s

Command Line

com.kczq.yicq.anbe

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.kczq.yicq.anbe/app_mjf/dz.jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Indicator: alog.umeng.com

Queries information about active data network

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Reads information about the phone network operator

discovery

Checks CPU information

File opened for read: /proc/cpuinfo

Processes

com.kczq.yicq.anbe

com.kczq.yicq.anbe:daemon

Network

Files

/data/user/0/com.kczq.yicq.anbe/app_mjf/tdz.jar

/data/user/0/com.kczq.yicq.anbe/app_mjf/ddz.jar

/data/user/0/com.kczq.yicq.anbe/app_mjf/dz.jar

/data/user/0/com.kczq.yicq.anbe/databases/lezzd-journal

/data/user/0/com.kczq.yicq.anbe/databases/lezzd

/data/user/0/com.kczq.yicq.anbe/files/umeng_it.cache

/data/user/0/com.kczq.yicq.anbe/files/.umeng/exchangeIdentity.json

/data/user/0/com.kczq.yicq.anbe/files/.imprint

/data/user/0/com.kczq.yicq.anbe/files/.um/um_cache_1718521549203.env

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 07:02

Reported

2024-06-16 07:05

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

178s

Command Line

com.kczq.yicq.anbe

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.kczq.yicq.anbe/app_mjf/dz.jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Indicator: alog.umeng.com

Queries information about active data network

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Processes

com.kczq.yicq.anbe

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kczq.yicq.anbe/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.kczq.yicq.anbe/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.kczq.yicq.anbe:daemon

Network

Files

/data/data/com.kczq.yicq.anbe/app_mjf/tdz.jar

/data/data/com.kczq.yicq.anbe/app_mjf/ddz.jar

/data/user/0/com.kczq.yicq.anbe/app_mjf/dz.jar

/data/data/com.kczq.yicq.anbe/databases/lezzd-journal

/data/data/com.kczq.yicq.anbe/databases/lezzd

/data/data/com.kczq.yicq.anbe/databases/lezzd-shm

/data/data/com.kczq.yicq.anbe/databases/lezzd-wal

/data/data/com.kczq.yicq.anbe/files/umeng_it.cache

/data/data/com.kczq.yicq.anbe/files/.umeng/exchangeIdentity.json

/data/data/com.kczq.yicq.anbe/files/.um/um_cache_1718521489145.env

/data/data/com.kczq.yicq.anbe/app_mjf/oat/dz.jar.cur.prof

/data/data/com.kczq.yicq.anbe/files/mobclick_agent_cached_com.kczq.yicq.anbe1
