Malware Analysis Report

2025-01-19 08:00

Sample ID 240616-xzy19sxfjk
Target b4c6b383e262e14182ad09d91bd7e70a_JaffaCakes118
SHA256 29b48fb0b4dbddb296a29db4d170a0db8b0292bbb54d3366be692de4e6024525
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

29b48fb0b4dbddb296a29db4d170a0db8b0292bbb54d3366be692de4e6024525

Threat Level: Likely malicious

The file b4c6b383e262e14182ad09d91bd7e70a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Loads dropped Dex/Jar

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 19:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 19:18

Reported

2024-06-16 19:21

Platform

android-x86-arm-20240611.1-en

Max time kernel

56s

Max time network

138s

Command Line

com.kevin.videoplay

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.kevin.videoplay/.jiagu/classes.dex N/A N/A
N/A /data/data/com.kevin.videoplay/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.kevin.videoplay/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.kevin.videoplay/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.kevin.videoplay/.jiagu/tmp.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A
N/A b.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kevin.videoplay

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.kevin.videoplay/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.kevin.videoplay/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

getprop ro.product.cpu.abi

sh -c ps

ps

ps

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 19:18

Reported

2024-06-16 19:21

Platform

android-x64-20240611.1-en

Max time kernel

56s

Max time network

149s

Command Line

com.kevin.videoplay

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kevin.videoplay/[email protected] N/A N/A
N/A /data/user/0/com.kevin.videoplay/[email protected]!classes2.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A
N/A b.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kevin.videoplay

Network


Files
