Malware Analysis Report

2024-10-19 13:10

Sample ID 240617-29ladaycmd
Target ba17ed2938afe4cf379747a953adcb7d_JaffaCakes118
SHA256 deb8026465b6d3dbc2bb68281afbb2f5dcd19b3969b15051c769a7cfdbcd4ed6
Tags: banker collection credential_access discovery impact persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: deb8026465b6d3dbc2bb68281afbb2f5dcd19b3969b15051c769a7cfdbcd4ed6

Threat Level: Shows suspicious behavior

The file ba17ed2938afe4cf379747a953adcb7d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection credential_access discovery impact persistence

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about the phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-17 23:16

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:20
Platform: android-x64-20240611.1-en
Max time kernel: 178s
Max time network: 190s

Command Line

io.dcloud.H52F4B3B8

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

io.dcloud.H52F4B3B8

io.dcloud.H52F4B3B8:pushservice

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 stream.dcloud.net.cn udp
CN 43.142.22.58:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 service.dcloud.net.cn udp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
CN 43.142.67.81:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
US 1.1.1.1:53 www.iv37.com udp
US 172.67.198.18:80 www.iv37.com tcp
US 172.67.198.18:80 www.iv37.com tcp
US 172.67.198.18:80 www.iv37.com tcp
US 1.1.1.1:53 alog.umeng.com udp
US 1.1.1.1:53 tb.53kf.com udp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
CN 159.138.20.15:443 tb.53kf.com tcp
CN 159.138.20.15:443 tb.53kf.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 m.iv37.com udp
US 104.21.52.102:443 m.iv37.com tcp
US 1.1.1.1:53 sdk.open.phone.igexin.com udp
CN 115.227.15.229:80 sdk.open.phone.igexin.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 43.142.150.110:80 stream.dcloud.net.cn tcp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 c-hzgt2.getui.com udp
CN 115.227.15.16:80 c-hzgt2.getui.com tcp
CN 124.220.154.50:80 stream.dcloud.net.cn tcp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 49.234.42.40:80 stream.dcloud.net.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
CN 49.234.44.193:80 stream.dcloud.net.cn tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
CN 115.227.15.16:80 c-hzgt2.getui.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 115.227.15.233:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 115.159.41.92:80 stream.dcloud.net.cn tcp
GB 142.250.200.14:443 tcp
GB 172.217.169.66:443 tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
CN 115.227.15.13:80 c-hzgt2.getui.com tcp
CN 150.158.157.83:80 stream.dcloud.net.cn tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 43.142.166.20:80 stream.dcloud.net.cn tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 stream.mobihtml5.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 115.227.15.13:80 c-hzgt2.getui.com tcp
CN 115.227.15.227:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.14:80 c-hzgt2.getui.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 115.227.15.14:80 c-hzgt2.getui.com tcp
CN 115.227.15.235:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.15:80 c-hzgt2.getui.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.15:80 c-hzgt2.getui.com tcp
CN 115.227.15.231:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.239:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.225:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.6:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.237:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp

Files

/storage/emulated/0/.imei.txt

MD5 294050f65087ccd046187deefc1baf99
SHA1 073fb30dccb0121e43d29ed15083c1f04feaf8bd
SHA256 7b2895058d33d26bb996576d192baa4df2cb96c89ca631005564bc69652da522
SHA512 902c4270bd8d2dc0451363a0aa9c94b2f5ca69c69ca267a1ab8163c6ff89f0c20c99835b4617bfda6b9a011a92d9b1cbe7d9081525381624fafccc366b329ef9

/data/data/io.dcloud.H52F4B3B8/files/.imei.txt

MD5 7b2d51fbe8db0e99eb48f741b91a1ccb
SHA1 3872393e99bde394cb9db7c13d08fea6f0899652
SHA256 387422b914d895282e90c39a74c7c317851b0167b53b2b66e87971e93e1c22a4
SHA512 98511d385fed4373d2f80d47eb48b901bda4553962469da797c04d3585e24bfe5848b326f5326ba46cd7b7ff5da45c67d1aeb53482e546a993c83ab70adeb88d

/data/data/io.dcloud.H52F4B3B8/shared_prefs_ext/test_app

MD5 e822ff7df26a7483241520f8a235feb9
SHA1 14a9a7c4aeb7880400f688eed978556b05170670
SHA256 16a57179f982577f57d19f13d2dc682ca583f165e3d9422ec1477495e4fdf124
SHA512 673888b74f4533c2542c5dee5d57aecc127b5416b7fbcbb819ec89662dcd795e4216c008885fab6b90695b277abafbf7d04d66befa94a222c99fca3f7f325b2f

/storage/emulated/0/Android/data/io.dcloud.H52F4B3B8/cnc3ejE6/eje3cnc

MD5 88a3203a9acd98cd67d39184dd654bf2
SHA1 6bdd49ba8ee9b2135e71aa708599b2fb904ba6fe
SHA256 da385af40d0f28ce4618f588974ac911e8828ef12ebd5d0b16a992650f0d65d0
SHA512 bb138f46ee162a6b87dc10698f2113e662f3281fb4aea44483652a302ca1ab01943f0eff863c2e410714a483c86683ba078ec620c3aa5bf3398caba4c5d3e440

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-journal

MD5 01309539b3716117019ce784e3a6d360
SHA1 7b89305ba30cc1aa224d92f4173efbd324e7b5d1
SHA256 7f3a1112d0a543eb5f35a80255401a7a3547ee609ecc7c8b992eccfcd64f5a11
SHA512 f11ed53d4c22597ce0ab4a9ff40dd1ef26f2045a7c0307c9969762182df140683fa8dfe6dbcd4e47050e3c294ba74ad24f3658524ed87de170d8df7afd5f4848

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db

MD5 3371c13b33ef7159208fa83b1550efc8
SHA1 4400281b7f071b54eae0ee1661c6a5b7fd7a1f06
SHA256 85532be942c62da94a2df002b483d573d1991904ead078d6537991c75d238401
SHA512 03a8a1576e6449000d20cd9426d4877de093871d2dd59919d4b9a21dbad42ca5e772c6344485bb21d765c750c057cc83715ff836013cf65e6c22d1285802734a

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-journal

MD5 398b0a58d49a27abf374abf1c06cdd71
SHA1 b3d01ce982202197f01b437f7bfd8b13395618af
SHA256 061dd15e685e13bc9011d1af275dd39cd76f91168181c5946dfee38980040b45
SHA512 b0df56468ff007b7f46b651cbc0f964fef45c768c0ba1269296dbeadd1917a4595d93dfe22eda51281f551b8e5d95517e9caa014c80674239c8a404bfad2c9a6

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-journal

MD5 9fce459f582b486233e862ad5048ffa8
SHA1 f6186aae8bf5abd593bdb1663222b29371f3dfc0
SHA256 501833fd0c40b1e47435e6cdc748e3f4a68342c321b4b67a9f679ca6931193b1
SHA512 0ec687c330c56df95670e5f3af59bdb23de4fde74f26ff11107eafb1ae0c3833ebe9c6e4c6b526ed4bbc4e9344ed8151964f9b60b0be075381e3f5c348ca71b8

/data/data/io.dcloud.H52F4B3B8/databases/pushsdk.db

MD5 1113f7427e92ea33716f5a07d8a3939a
SHA1 2409dd51882f0f0bc28254982044cd9439b1cc49
SHA256 ccdc3c3713daa6f1ae82beeb7e27fb422b9731a33099fb2d6df6ef81eb3302e8
SHA512 7f1ff87ef8972fdeeaf104ee7dc269b999bed328e5bece4b4ccb21871caf8430c84aa4614287fbe850ca38bbd52a7514b838236b6d71b16f74b378f53e808bcb

/data/data/io.dcloud.H52F4B3B8/databases/pushsdk.db-journal

MD5 9246de95f8eae97c892f141f55f196fd
SHA1 2788378da3a646678c857172a7be37ca7e5895d1
SHA256 b516dcb94324a4ca97372832bbc45de5723b4099bf583202236e55c774d8dcf9
SHA512 4fc47d4307db8b480bbdf7c35096bd423abf489524d7dcd07e7a33ed0bb794e708d4c99af62eaf5bb68466d5fa989ea5ced8ba111a8fc4d39d97dd6f7c553e58

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 a9b531d4846019f8737ba8cf6be97317
SHA1 68ac71daa0c9406106562d13fc0e7209516f198d
SHA256 23e6a21a43fad9468f1b89cddcbe9dd865e7a576176f5f78fcd52d6f7f904132
SHA512 83f6a823f563b6aac34cdc7f2360256ba9a9506789cfdbf5a0ae3b0e5e2607e40193d5a3860830391e8293e2208c325e286a4222986b9e2bde2be0f62c0d945a

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 14213f02e5b7d8fd603a632ae68c6fea
SHA1 851bd2a53bd193112cc186f1b687f7c7de8b5053
SHA256 1014e685ce94f5400a5c4eacd53221aae5afc1741987fbdde45deb3eca5b3c8c
SHA512 39882cafd6e06ef7ceb76dcf5d18217db53170f7b6a3c7efc58ef3e1e7f62e402b1243024fd7ce329f7a0c5402fdab28d5871efd3f885e7bf82e49d8bd76a479

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 034d94c4f90c2bdc1ac9b551500fe893
SHA1 616b0c0a10f0a821c3c69100029f4315a89d8bb9
SHA256 82950bd9e1bf74789358a6f5eb829d67e75a01c811e4df83e93f5d34e31673a9
SHA512 fe32b822c3c9ebf6727599c694d56fb8b8de0ed91af4d4336eae67392d1445de42b6e8e3ebc7949fda299d8e2d2d7d6d047fe06cf9f5ff0a46c87f32a8dc183b

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 28d88f5c5a0eea888e64f13f1b4bfbbb
SHA1 5a55a72e926192b8f14c572efb737ed3666c54f0
SHA256 476450c1fe5c2d258750097ccb62cbaa0b2d042fe61c371b779be6b7a30bd8cc
SHA512 36ebf3caca10a4e5501cf4223eb67c9d91de2e1e2180c7d741fec9f46f7c1a2ee9961c5054d5975a39060d99a6094ad112a910e8193dc03dad912ea921131b3c

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 fb12fa8f6b2542fb350276e9efbcc0cb
SHA1 e650af26b58460f8d8b5d3d99e6a1c3e89f80f00
SHA256 9c1f4d1661adae8a0fc318d00cd924720ede6e9d5764d6f15c5775e9c92040f2
SHA512 dd950e9a18a77fcef88e1011024e0c0ac97ade17fe2fc8a6b532fe4aee8c90737841e98541ed7fd0c7ec258fc60047fde571463e3eb5c6e32249ac5172c6e549

/data/data/io.dcloud.H52F4B3B8/files/umeng_it.cache

MD5 1b074efdf5d7d82ac457a871d9b0da45
SHA1 016f74ef7072b28d6c72b8faac026d9f49cb1e75
SHA256 ba7724cfba4e6fdf6685e940c61d97c2c80aab9f5b771b46ea1e98ecf81f0f8b
SHA512 4e3e6773f13e5e6b07fc68845942b92380e520678d3bf87c8db51c2d9b0f9d80b69361f32c713ee263f83384c85cd02282f40d9fb4722857721e97fb32fca60a

/data/data/io.dcloud.H52F4B3B8/files/.umeng/exchangeIdentity.json

MD5 21121ce8dd507c19d73af41d753db64b
SHA1 7948ca7f67a0817ab6e04ddaf44ccbd43650eec5
SHA256 9c3b8af3a1a7c1b508886f02c5366ef8a06faf2443a201de57d812e0dc1ef3bd
SHA512 3bd049b810770cd644ca96e3e9457ab9cf0db61d647c52306f4ac1d59a3eb23a3a2b86677988e44db5c92c5258c31a3389a8fea77d4fac8b81ad95353cbf839b

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-journal

MD5 b6d3deb0cfd0031eb2720fc1a0f0011d
SHA1 1ac1c4e2eb83f66fb630d556fa56ffa9f2c1c74a
SHA256 49eda04afd3ce622d40008cca9058274ac83bb76d5a528eb8c6555d400daa1f7
SHA512 163c3a41a3689ef59baa611b555ec3dda791ae157e6ab7ae8741cc4ebca65d64265a6e5b5799fc6139d98f5c2089aa74ff8d385481cc916e4163e222eca9ee1c

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db

MD5 7c486cdf781555da50aa4c08dc30febd
SHA1 53d779c6705e7b1e42835666d969e27d0b0cf065
SHA256 dec6ab9a299e696b44657e37257427322b06f26949c3caac0c608d614c15b098
SHA512 4f30a95f0e99f85316f71ff8d0f9f65c4ff68b270ba6f47a284bcc5b7d1470ae67b394ba72f36f8d522f570cba004d15e6dd3b078c7053f6c146d2bc4167d5fe

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-journal

MD5 ee8c03f0a25fb73590c43a802e758971
SHA1 f099cf2dd0a32812d22d75c7cbff253d7a9c16ad
SHA256 a99d06b051e063306e8f54b5e73951986be456269ab324598de4bd48b064dde4
SHA512 bb9bc1febf05788a9b9fe34a50cd20ed4f5eb47d8de2ddbb401323f896fcb4645bf7b53ada49a74e5c186afc63ff896866cc3f4440cf3729a5f47a0130ff9c21

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-journal

MD5 6ac76ed6c24aef2d4e4ccec28b726071
SHA1 ef58003f274551c5281ec69a0fbb793b445bf4e6
SHA256 21f55e4060822f016e4ebd0c79801359bd9f6a0ae5bed58df7f348064eee1977
SHA512 e8c88b4753acd051ce4b155b957f6a6f8ee2bc218c7e24e33e694fe45f5fbdf01f98c3a2b50d28ba8522137023c11bc66b995379f1d5c9203f94c9041f8c583e

/data/data/io.dcloud.H52F4B3B8/databases/pushg.db-journal

MD5 d99ae876840ec113287f78c089620ae9
SHA1 9e3b82434ef0d814f814d63954457103c831763b
SHA256 3e77b8bca10a20cf4df1d4fce978a6c536922c3c7b69369c7e76b92383d78fe9
SHA512 fcd2104f4e56fdaf6a8184078898c8daa407adcbbb15e1e309ae0c6a080b848935407b3be9ed7c12cabd94c8505993cb57f8cca6833b9a38f9c56b3c2c58291c

/data/data/io.dcloud.H52F4B3B8/databases/pushext.db-journal

MD5 d2d1d78b9e65c0821a8d11ab2d97f612
SHA1 9921ca2d64e5516a38eb533ba0f669a09d872a41
SHA256 44adadd61424333a43d875afd4f3640f9fbaa7381dabdc36cf64c56cf9f49aaa
SHA512 9a27cc417aa304c0528267af1c6cbd139c81b7edf82a90d1eae0a1333323710bf1dc2e5d20ccdd824c43debaf6a289ef558b6c247cd5ea961579bbdf69851c70

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:17
Platform: android-x86-arm-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:17
Platform: android-x64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:17
Platform: android-x64-arm64-20240611.1-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:20
Platform: android-x86-arm-20240611.1-en
Max time kernel: 175s
Max time network: 184s

Command Line

io.dcloud.H52F4B3B8

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

io.dcloud.H52F4B3B8

io.dcloud.H52F4B3B8:pushservice

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stream.dcloud.net.cn udp
CN 43.142.22.58:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 service.dcloud.net.cn udp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 www.iv37.com udp
US 104.21.52.102:80 www.iv37.com tcp
US 104.21.52.102:80 www.iv37.com tcp
US 104.21.52.102:80 www.iv37.com tcp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 43.142.67.81:80 stream.dcloud.net.cn tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
US 1.1.1.1:53 m.iv37.com udp
US 1.1.1.1:53 sdk.open.phone.igexin.com udp
US 1.1.1.1:53 tb.53kf.com udp
US 172.67.198.18:443 m.iv37.com tcp
CN 115.227.15.231:80 sdk.open.phone.igexin.com tcp
CN 159.138.20.15:443 tb.53kf.com tcp
CN 159.138.20.15:443 tb.53kf.com tcp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 c-hzgt2.getui.com udp
CN 115.227.15.15:80 c-hzgt2.getui.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.15:80 c-hzgt2.getui.com tcp
CN 115.227.15.233:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.16:80 c-hzgt2.getui.com tcp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.16:80 c-hzgt2.getui.com tcp
CN 115.227.15.235:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.13:80 c-hzgt2.getui.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.13:80 c-hzgt2.getui.com tcp
CN 115.227.15.237:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.14:80 c-hzgt2.getui.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.14:80 c-hzgt2.getui.com tcp
CN 115.227.15.239:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.227:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.6:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.7:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 115.227.15.229:80 sdk.open.phone.igexin.com tcp

Files

/storage/emulated/0/.imei.txt

MD5 f9158115cb3230dba9f59d282fb2e6a1
SHA1 cd4459da9322775129d452688702a5321b1f1d10
SHA256 195647e0b2372f2e010b4b725f27a683496451e1134ed8ed0e36b1501b1697f4
SHA512 74bee67950ba04c808111ee6f5bf4c2a21be634d5656dfa06d0c79f597ba2367270370bb7d53ac92178ecba1aef72b6a68c6006bd55de3ae9f747dbd55c886ae

/data/data/io.dcloud.H52F4B3B8/files/.imei.txt

MD5 621b551e858fd7065f4456dd85667339
SHA1 3b74d8e75775de58edc1eaf325db1cfc70730854
SHA256 a532781499e2f7d3440563e3d2f9575a014d714b02807676a22f77a29a91654c
SHA512 cfcb80a4aad66ede39c77ca97f292e7388181e9c132705c2b64625c44e2c0a7e6b3710e3c4aa2904b82a7168fff15d5c40cf7611a5b55e777b33ba34b640c61f

/data/data/io.dcloud.H52F4B3B8/shared_prefs_ext/test_app

MD5 b1290c9b553a718fe63b8ccfc1b6a1f2
SHA1 adc8fa4bfc4e9efd420caa1bb22da73ddaf61ac5
SHA256 7e090158c80a6ab562b80cf27929b138529c2d7d00d471ffada58ebb43929054
SHA512 3356ecac18125b5a66090fcbe16fd9e4e13dac70a18fb52784ff8a620c5db95bca285b417fc893dd8e6dc8b10adf0093b78793e00af1c969833972c059dd5d07

/storage/emulated/0/Android/data/io.dcloud.H52F4B3B8/cnc3ejE6/eje3cnc

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-journal

MD5 3cd8409260f4f0d75fd310f0fbe58ac8
SHA1 38bf50ebffc3ab8e5791886e9b69aee979b0dec7
SHA256 fdc7ef5636f13b80c1b36ac8426cdaaa09567ce43270832eff73eee412540f86
SHA512 5f500558b3f13420048b918b5cae354bf91241c2d19fccdc8235cb5431459d990c2f4ad8f4bcd937234eda3bc067f0c369d7fff35da1de66c84a6d17657573d7

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db

MD5 0bc367ac4fb1b93d0f24c97eb07d25a7
SHA1 1786e1bf7172dd5dfb159db15ea2b7e6ca638bfc
SHA256 3b7be70429ff1996130056998a2c4db0d44c5fe6fefb88a99e384d30df8e79ae
SHA512 a00f79393a1f3d046534be2c55ecb97b7aaa6ce8f7ff8fe0807fa5edbb7cfb9604f96b8095346878a03e680ef5d670c7426ee2af23cedd6adc1a96e7b903783b

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-shm

MD5 1c4274aa7a9a5cac8c6d1df71e4588c6
SHA1 abaecd685e01cc68801292e3dc7085654a22feba
SHA256 3f6cd5f480ae69859b7841450f3d032c528ba385ebf9f371b9c8fdc6eb4231be
SHA512 1adb95935798607bd36cedcd183924d3068f50097d017b278da7caee7771532b61ec3606f6189b6dec8426eb038fe40be75079ce35894b1a8e0d1d815261150c

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-wal

MD5 d1ff9786342f456ed3a85cc5c09c993f
SHA1 a3b64069abc986adc59eee828d925b657ebc913f
SHA256 e445574b1b5414c227fb971fab84d72e9d59d2ef539d265c26d3915902263059
SHA512 0c8872b87651556d8694dce966255f35efbe23627766873da9c806583bf2e8772a5452433a618f8ee13c5e40dd4b253570bd89ba01b4bfbc5fd7f9cf7eceef33

/data/data/io.dcloud.H52F4B3B8/databases/pushsdk.db-wal

MD5 42a74b7857f5521fa1572f0837883912
SHA1 dd851f6ef7c656a257d163ca7f23ec7072238714
SHA256 47de80aa755c0dbd21c010e046b287375ef99fb98fda0ba7ad0ff105a44f4f75
SHA512 ede1a6074c50770f3c9d3c60b8271e10e0cdf66b583ff2521589963f27cb0cf12979a101fbc1398e8538540a4c43fb8621c7ea92c4ebf8d5ae4615dca0549701

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 b14bc70e54078b453385cd1956e55441
SHA1 1025817a33948fea4ca6935401417451c6a183c3
SHA256 59d040cd0f9e07d127d929a830f7c3656846b02696565364cca9881e7e422b4f
SHA512 d67122905ab248f392bfb7ce8d954a8a9fac300dcc52c719d195bf7107890efbc0bebf828d48399265721b5ac47323a81854948aec3e1748e8766884555554d7

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 efa1a197dfeece2bcbe5bdcbeca057e6
SHA1 60c4f92e56fd6da7024408b5571ddb0e5e55cfd5
SHA256 dc2691748907de8ba5ef7e1e0279e89c49cfb01c0819dadaf93034217a19dc51
SHA512 e20246ff81a505aa63c1ed380ef9967c6f7f1fcf59a9bd45140c0077176d6693879ebbdd88aacb77f19179d58bf27ae4ab52b7070f367bf863ceb0b898291fb0

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 cf66905d5513b278bfb945a64635159f
SHA1 bd31438f156c2270870f5e58cd0d2580963550e9
SHA256 78335a40a3accc5de125ad8ff559d87c585c6ce6c18aace82b436fdd546e48ed
SHA512 f8a7529fa64e81ab9b8cae5b69f2131f7a6dfa8ecb0b440b60ae2c802a75f4c7527b2cc7f2ed8f178a59d590cc86b1cccbbc909a1ab1400d4a783df93c76df70

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 dd94c7d76af72fc57edeccd1db041781
SHA1 1521191a376ae61ca0be7b5c8bee91920deb5906
SHA256 29ee26c12f2db4834da115a8fea226257499a3dc7b3a4158723ba7e0dcbb65ef
SHA512 fd0776314bf7826350e438adfe157731601cec2e0abd0a60631f7078b7ecd72eb26c90fdac4a2851acab9a46c15a9d3e070c959289f9cff02df0e6dc743567d4

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 e6eb3cc78c6f0ab1f4d08bde98285bb0
SHA1 0f402e3b23cbea37e46404e9ad1cd0db6d0b5334
SHA256 97686c4557c48fcdd673b7255a2981704792e4e229aa3d822dcfbaf6e332a53c
SHA512 42f14618053ba7b0710526130a7782257f89db9c91a1f844970433289047475e09e1da3625e6709c8ac680e95e01add63c724769382215748fdfe811821859d8

/data/data/io.dcloud.H52F4B3B8/files/umeng_it.cache

MD5 98136a6376e118e652278a3bec067b0e
SHA1 79186173f58245238e5c8486775e4648fc9ff846
SHA256 75fbc03f90992a25fd06f265cdf0a4c004b7f1fc586c7ebb938942892446be93
SHA512 c72392ae70a61ded8ccc0b9ea08727135ef347df6b72d83cfd8611c6ab65772c69071e6c377841caf3afcdb0ad0f82b59f5b3cc340fc163f0484619f79359d48

/data/data/io.dcloud.H52F4B3B8/files/.umeng/exchangeIdentity.json

MD5 5bc187a8c732e534c9d1356a83f85dab
SHA1 8ae94db0a1e85ba5d09783acbbf905a6fd04f0cd
SHA256 e3dcdac22ed656cc6f17b81862e6ae864b35d055f3b9ef4d4d3c9c78bd0c6e9f
SHA512 bb429db688fcc02b85b2e8ddc3a174a34b1a8eff3605fca334691e441a9057c5acfb1b4973dbe5d6f8bf36049a1a88785449f9edb569d115c968acf1c612c66a

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db-wal

MD5 210c225de4e90f99ee8ede8083e6828a
SHA1 d3ca6496ea9657bff254eb1063c95e87227ae02b
SHA256 9d6a570ab3887158149dbce7326310824eed77f421ab32b1ecc890b5dcdbd157
SHA512 45e250060b83ebe9f8551cbe98a476e414bfb16471866cf4e8be7902e6d909cd83d4bcb8a7c5a4f61516a8435badec27f80d45e1ded6a23ca30aa86847573ec7

/data/data/io.dcloud.H52F4B3B8/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4