Analysis Overview
SHA256: e119b1bfe109244449ac662aa95452410b69071f86e71ff2d0a4869f51e09673
Threat Level: Shows suspicious behavior
The file b497283345deb9ab04ec4487e993c9ee_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Queries information about running processes on the device
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Queries information about active data network
Reads information about phone network operator
Uses Crypto APIs (Might try to encrypt user data)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-16 18:33
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-16 18:33
Reported: 2024-06-16 18:36
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 189s
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.xiaoma.xiaopa
com.xiaoma.xiaopa:pushservice
Network
Files
/data/data/com.xiaoma.xiaopa/files/init_c1.pid
/data/data/com.xiaoma.xiaopa/databases/pushsdk.db-journal
/data/data/com.xiaoma.xiaopa/databases/pushsdk.db
/data/data/com.xiaoma.xiaopa/databases/pushsdk.db-shm
/data/data/com.xiaoma.xiaopa/databases/pushsdk.db-wal
/storage/emulated/0/libs/com.xiaoma.xiaopa.bin
/storage/emulated/0/.DataStorage/ContextData.xml
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/data/data/com.xiaoma.xiaopa/files/exid.dat
/data/data/com.xiaoma.xiaopa/databases/cc/cc.db-wal
/data/data/com.xiaoma.xiaopa/databases/cc/cc.db
/data/data/com.xiaoma.xiaopa/files/.imprint
/data/data/com.xiaoma.xiaopa/files/umeng_it.cache