Malware Analysis Report

2024-09-09 13:23

Sample ID 240617-pt7gfs1cmd
Target b8a865ed2a6bcbe0edc5fb02701b2eb8_JaffaCakes118
SHA256 50e079b51d035e383473bba56db1d25236be67efe6497ff23fdfa1e04d9efe6b
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

50e079b51d035e383473bba56db1d25236be67efe6497ff23fdfa1e04d9efe6b

Threat Level: Likely malicious

The file b8a865ed2a6bcbe0edc5fb02701b2eb8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries account information for other applications stored on the device

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 12:38

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 12:38

Reported

2024-06-17 12:41

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

150s

Command Line

com.twlq.nyhu.iats

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.twlq.nyhu.iats

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.twlq.nyhu.iats/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.twlq.nyhu.iats:daemon

Network

Country | Destination | Domain | Proto
GB | 216.58.204.67:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.120.37:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.120.37:80 | ip.taobao.com | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.120.37:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 59.82.120.37:80 | ip.taobao.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
SG | 47.246.109.109:80 | alog.umeng.com | tcp
CN | 59.82.120.37:80 | ip.taobao.com | tcp
CN | 59.82.120.37:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.120.12:80 | ip.taobao.com | tcp
SG | 47.246.109.109:80 | alog.umeng.com | tcp

Files

/data/data/com.twlq.nyhu.iats/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.twlq.nyhu.iats/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.twlq.nyhu.iats/files/umeng_it.cache

MD5 70adc656362afbe4ba39274b0e09b0b8
SHA1 07c9d37e33457d9910e7bf674e5ad807fc15e788
SHA256 1217037e9de03a81d2e8c46e4c49df054d4d302f077413126a7d56efba40a702
SHA512 3cc970c5a0d7ce907a3b460bcf731727af58e4573609a6a891c44b7164befd729b67c7ae22e9a558fdeff097ab38f71e7449f3b8d3365b25102f4b95b737ff60

/data/data/com.twlq.nyhu.iats/files/.umeng/exchangeIdentity.json

MD5 af7e9d0dc47aa96dae35b9a763fc7ca3
SHA1 45a505ec3bef12c0d29e5e26f10779cde214a909
SHA256 567cb47408d2204821a57c9d23d2466a1f9d6ac4985a7cf2e28c46cb3c7c86e7
SHA512 cf515959b9410bb4c4e1a7e922995b3e426b805b4e9836f1dd9b105b112b8b59110cd127b5e94aabf5693922b7b2bf18f5d3a399c00b7ae05b50e6da26d35b60

/data/data/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 925b28cff6ae19a618b730ec7fcd5bfa
SHA1 883671156a4c6145d6dda9bf54ac3c4c74c45b95
SHA256 7654194f376443e5376cf8df7791471b67aee769b649012584c86efc7f8ea89e
SHA512 51cddd053554ebec83b845d7b267221411e50af263a30cb4dddda434209869e39fe06ca622698b50f7bc8f3a6ec2be705b01a9a79c9eea63a98b42f37891ce3c

/data/data/com.twlq.nyhu.iats/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.twlq.nyhu.iats/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.twlq.nyhu.iats/databases/lezzd-wal

MD5 1387d37a42c708937c10111c0cb92bd3
SHA1 2a1b4b225ebf02e85e2780a54e4ee75c6a7a76bc
SHA256 9138a6276854a0bb0ccffc9e2b1f07c506244f0bb4ce73b4b0f5b81dc34333d3
SHA512 4cd8d52e9c92cc8c370b4b246e0704e2fef8743b82903a58b26c0554b166f088b8eb1dc8a2600d2f42ea6cb296934a609b723d38c4557d9e69363306b007de24

/data/data/com.twlq.nyhu.iats/files/.um/um_cache_1718627973881.env

MD5 4bdc51b4dc43d2aec5f3773cb4e149ba
SHA1 2462ffd6f9fbde46ef473d562579ab32a749714a
SHA256 534a31a269516c517998fe46a9350c016092e564a9cd5a3cde5791702bc1d835
SHA512 b085b55e04e31f909d08b905d08380dc43af126c1d8a7286f19bfd2f91b990f08bb14f4087587b3642e41924739a62ec9391a9ec4748770c6269eeb7b2d12739

/data/data/com.twlq.nyhu.iats/files/.imprint

MD5 9d8e82d48f15f2c860b5208663d56109
SHA1 41383598050d741ea0a68a5fceeea908b8d3048b
SHA256 522e07356091fe15b9167543388e48ff93b32d02e85167be6f8d70198a8660fa
SHA512 2b5f4f15f9c510f9145b4ce81163aea47dfc6831ae79aec061ef369b270464b0d271e34b927c8f4f924ad877075d13c6bd8d165d9020bda25a46cf65cce596c9

/data/data/com.twlq.nyhu.iats/files/mobclick_agent_cached_com.twlq.nyhu.iats1

MD5 213c1b2559cf2dc43991615f876062a8
SHA1 eb5857fdfd8063a784c7bb17c80798319a771927
SHA256 b94f3e82b497f67f419d728fb5f2946a803046c1ed648c0ec4e9cd0ae6b67c65
SHA512 bb285c5bf30f752fa57be3f0c23a83edebb5cd075a649a93cf8852bc3f7dd31510205c9dba9dc2d30381fa2d9ac5a8e69fc8fa794aa9c266a5ab5511dc775233

/data/data/com.twlq.nyhu.iats/app_mjf/oat/dz.jar.cur.prof

MD5 6f89d87c42a16fd3853caaee8f7535cd
SHA1 6c3d4fe3e7e268b284b1cd3557f45599dc4c1752
SHA256 5b1f152216ff4baeb73475517fa1a42d08eb1e5a9092d101cbc222b347cee548
SHA512 765358f645b0afed249f5066db7c10a02480a7c572915e1853c85557ca3fc436e3a5267fc0216ce8b584752df4c6615862af5583aac7bb97e4a27ace8ea41547

/data/data/com.twlq.nyhu.iats/files/.umeng/exchangeIdentity.json

MD5 e6d95869792940445ac3e451b28522d7
SHA1 66fe4e2142b17c8ae3716427267090b033cc728e
SHA256 d6aa13b20eac0ecb3f1c20cb693c2651529acf805b0aee454132594241c2eca9
SHA512 bbe209ef63d4816455d863b889c89175616e2040d3a90ac6f889f1034356ed249c4ca451bc879050e1e15aaa0419670ed6fdab49557319762b9732e6fc5885f2

/data/data/com.twlq.nyhu.iats/files/.imprint

MD5 ef0c08e74349e347d1127ba313c4745b
SHA1 ff38051b189a9a98c4c0ca96f8d9ca51b1cc4d29
SHA256 96f7689bab680c8b123d70aa11900b93af29cfb17143c751430427a9420f1f01
SHA512 012b2ccf7d32a8daeca96b239d0ebb17be6da7dd83a778434683dc913bd20542e3a57e1145b50131a6d34e0c9d76920ed9695b5f5a31c39cc58bb56bbfec883c

/data/data/com.twlq.nyhu.iats/files/umeng_it.cache

MD5 166e86cdc9c53d765390d2e37ef3a1cc
SHA1 34e7b17323b85d83bedf3272e382e69b2c30c298
SHA256 15415a05418b62728cf480ece7e85a1274fb9cb512476f808fac305101eb7305
SHA512 0c6aee5e958a55a549fc3622314245687008dea3262b46ad8733f2ddc5a7458ecd156b1f9940d9954abae92ae3b6ea31110eb16d448acf5855da86ca17742433

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 12:38

Reported

2024-06-17 12:41

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

167s

Command Line

com.twlq.nyhu.iats

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.twlq.nyhu.iats

com.twlq.nyhu.iats:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.42:443 | | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.194:443 | | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
GB | 142.250.179.238:443 | | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 59.82.121.55:80 | ip.taobao.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp

Files

/data/data/com.twlq.nyhu.iats/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.twlq.nyhu.iats/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.twlq.nyhu.iats/files/umeng_it.cache

MD5 7b7f37f54d194bf913ae3f47defa6b66
SHA1 562ef92f22d3f5636e70cf0922cf121bca97e151
SHA256 773116c1ffc36dc26176061d02accb122cccee274a294286af27e852f4d8e1f1
SHA512 4ab1ce44703e70cfb1d89a711a2acd59e16d601a4101803b12ac2046760d005d6a973165617e5087f6e0eec835f6934a3fe7a7db4da185b9d76d00b349469b3a

/data/data/com.twlq.nyhu.iats/files/.umeng/exchangeIdentity.json

MD5 e582a3dad9f41dbbe5476049e9bd3a84
SHA1 04c3da02cccf6981d6a2c7b0e7be495826360731
SHA256 af0b83a5ed2093f2cc6678d360b9c053206c9edeb10adac76aa4018d60b6c86e
SHA512 58836bddf9cd3f1345a24d15915a9ec66c9b7c3aca365811892abbcbfee42be109f2d52839a6f176357d5dfce4c992829ccd6f5b55048cc140a691c5e1de1405

/data/data/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 dfb2cc32de710f59660c446bb118c5d5
SHA1 4664af20f805555b15f8c19620a72dfeb0807371
SHA256 6585f1c07a344e7b5e79784e69c6c03f3c7c894642ea571256832c2e5d8b8c26
SHA512 4354198b0a3348607be915923f655586338ca0370539746ca799f0dc2248450bfcd80717e4fa7e5e5ee2104d0e9646b36a5a9408823f001d8f9c51557acd62dc

/data/data/com.twlq.nyhu.iats/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 feaeb8d44e14cc24ab2304570b112ff4
SHA1 5e658260df8e051ccf7f434f4ad14cae91135037
SHA256 bd0179705afe95e238d2eb2d52157155016b6ca83588005a708fd616530ceaef
SHA512 e6a3b65541400846fe204a81c4c14721d20c15729a7006c0eae72d412d2ee9b139cbffd40d7517c41aa3e7423237fc02867c8ab6ce1ddd83432657ba1af50731

/data/data/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 b167b855f3e1031b4b61c9b2badcc137
SHA1 308f1a33e2446c7adbd2e6b7943acb2a826874e8
SHA256 b7f7c2b861bce13e14ef9e8c258d9724a15447e91e20685edde29b46002383a8
SHA512 074d9d7dad242230e60c5a7c61fef474f6d0b5ceaed30d30641497e763b970d9a6dbaae013175148636daede46170e5650e4c2f6f9cabcadbb9dafbd8ebea0f3

/data/data/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 b4ea3aab3323328a54ce576fbeb82db7
SHA1 106bdd6736bccb7693f9a324239b4370bd8999f1
SHA256 98b4f539bc674a4dc3ea6c8355133e69b2dbf4da4cf54311a6f424999dcd0336
SHA512 781b36874286291074d6c7cffe0b0ae936da60e33ff74fcda4d4c340bd250a2e917cc67b3e5c07f0e842ab67a34f3f0952ca217bfd84f80877a45a43616025ee

/data/data/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 91f3a114633c9489e5bfca0bfef1eb30
SHA1 be7c44b15521a2f5caec122cd56b797274e4dd4d
SHA256 605af55e29ff3cb15f292afe84b6778816ca0e329fdaab33a5a271714e384c4c
SHA512 62400d878313b38044d726309b89c511a7628e48859d71b03a5030ccea7fca06c2bea6b1451427e6f8d5a8b6b6184a944035eb43b8e7d1ad3da155a9f9b4ebc4

/data/data/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 f4134178ef4d32601a19cbb43ef36225
SHA1 e49146e39c52a9b2b97f21d96f8ba20c3c5a9b94
SHA256 ac27d72319ebf6966d5377e041ba8bc91c2a7324a13ed35409d10f6dfabc59d4
SHA512 f2f9c1abf49671ce522b5dbf9e50238aedf718aab6d4a11436d893821ead5f95052cd8686a260e78b89710d5d696cf05563fe47bf60821afceeaddd4f8c6be3a

/data/data/com.twlq.nyhu.iats/files/.um/um_cache_1718627973481.env

MD5 2a80f0c8ba4dc865f57b2dda4b08fff0
SHA1 38cb90cabfa6980e27eb37f5fbf0c6c3d807a93d
SHA256 213812c4daf269e410e9427a3b28e395639c132bad10213ccbee2d378352609d
SHA512 532fbce02ec897e5d38f0a9a531b0249adda17c436727a171351bc6bc878c6e028e8b5cc3505dc5f4dc20627b568a1340a896ceecd3ccb735f201285203c7da4

/data/data/com.twlq.nyhu.iats/files/mobclick_agent_cached_com.twlq.nyhu.iats1

MD5 945305236377760c8a38bec0e25928e0
SHA1 790bc737e1e7240ee4775956524046e91662ca18
SHA256 1f040232b9054a7a1ad693d06fded64a072ef89a10836598eeb9272ba2c589df
SHA512 1bb1244517098ff9aaec4ca2f6973beff03c536ff18add447b3733388525af66ed1feafcb2e769c8aae982e96375de2299f86612d13443f6bb89158386a3fd60

/data/data/com.twlq.nyhu.iats/files/.imprint

MD5 a0b6e5a777d68682a4c9a5803b53af4b
SHA1 50accb7d85bd132688758e43c0d2d6d30c82c246
SHA256 41db3214f6233c2caf4630e1f127d168c72d2e9073cc2692d845489cedb29858
SHA512 6911ce79d73a024ffb6ec0c9f489df046c84ba035818aea2f4b843da07c98f7ac0df17eed4a50583949c0faae76b88f32833d77e2c51892c6ab4086bdf29a5db

/data/data/com.twlq.nyhu.iats/files/mobclick_agent_cached_com.twlq.nyhu.iats1

MD5 9b7d26ba46c409629fd7c2508cf48ec9
SHA1 f09d83717db3cf469e87934a7ae429e578b7dd1f
SHA256 4b60d8b14b9dcdb7bbcb418e4db6da8887f4521b3c690306ad9d42b48d5ec866
SHA512 80dc7f890dfeffe433ff3370045812b01be1bb5df15b4215bdf860d6cbf4e282c54e5a8cb5ffb99c0ff2609b8d8eea5cdd66779a4975cbce9c9326d6ec0904ff

/data/data/com.twlq.nyhu.iats/app_mjf/oat/dz.jar.cur.prof

MD5 f4f951705ad4f6c7ded344849e939d07
SHA1 ed0104775b2106d78c6687d1ac189d0607c89ed2
SHA256 7d214963e4eb2d2fed4efd05cf7f05440d6cacc3e760499286aadfa2e299b059
SHA512 5b6a36b0a8f0fc1dba3a554499d20116deec2ba2715ca6d8931fb4f3b543651e959d91a94de99546819d6e3c567cc095a700c98c5a2176c88e8b427d797cdbcd

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 12:38

Reported

2024-06-17 12:41

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

187s

Command Line

com.twlq.nyhu.iats

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.twlq.nyhu.iats

com.twlq.nyhu.iats:daemon

Network

Country | Destination | Domain | Proto
GB | 172.217.16.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.127:80 | ip.taobao.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
US | 18.208.156.248:80 | o.pmuro.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 59.82.122.61:80 | ip.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp

Files

/data/user/0/com.twlq.nyhu.iats/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.twlq.nyhu.iats/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.twlq.nyhu.iats/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.twlq.nyhu.iats/files/umeng_it.cache

MD5 19d0ad69739b41b1f4c51c9fe6abd0f7
SHA1 1b26476cf1565639ad6e9164e2f1b3c1a96adac9
SHA256 6bd5a507a0585b03b067838c953443fb9072b74d348806daee5b240f7cd336ac
SHA512 3ea0c8df653ff768ca5bd77a52bea804ef5c64d56fc105148466f89da6a3362cb84b140e98ddf28af24af8b7790529720c65989e6ac387210b6b513f101721b9

/data/user/0/com.twlq.nyhu.iats/files/.umeng/exchangeIdentity.json

MD5 2e6e59cd2854f84f1930ff864dea4b93
SHA1 ba9859167746491eca64b320ccbdb687104b1703
SHA256 962fe9bd29182016182bddf2c1c2309e82ef5f70471f6333b7e46a0ee2423123
SHA512 c672d7bed820c28e9e6a49625cef47ff0b70ba418b33610e7836acc479abffc5516c828d058ed41eac7b4d58b0c236e3384438785a05ea79de33ad24474bc82f

/data/user/0/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 4c07a95709c38774b969fb6bed79eaf3
SHA1 50f243db4ccdeafaeb5ee56479e325f9b92f1fd2
SHA256 ee97a53561ac12cf286388bb044f1be1f3f96861c522f8c6dcdb4581017bdef1
SHA512 692268960a2324fc6aeacd293c330c366fa368b04ed8a1483c8ace2e20451af2cf1476b861273a87d62f05de2188b6d7f32eccc581689efcac42c1c70d6f4879

/data/user/0/com.twlq.nyhu.iats/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 b112aab38b66c3866fec6b371136ec5e
SHA1 c6548b7ff97d9aae755543eb17decb7c31f86a9b
SHA256 52bb3fd84cb00bf4a5918d2cc2b4c8ca989f925f7001bf001e74e9721f35cf94
SHA512 9fe5a498b581359b06782113248e60beae423afda02c2e1f85d3b6237fc1b6ed863657f1db8a1a49278957017c1cb7c6139d18c05aced04a4e84a964ab75c306

/data/user/0/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 2e8e7823a1046cf1550386f92cb330a4
SHA1 ad6fc297400cbd4d4eabe853c556e3229e11700f
SHA256 6a7bc514f09ad8e389bc967b8c438c980f366ae12319e85fc26aa6c1d8b14e5e
SHA512 db129e5b904c5a21d83784e5c64ff31c628dd160f122e6096e176e7c3b838085cddd39dff7f743411aaa4e3fe71f2d42d4251ce1c54e291cef873f1fcf226638

/data/user/0/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 54e1eb64ee1693ede84f83df428e0e44
SHA1 85f6518bf25df06401d138ed4396c2faae217914
SHA256 4f77374e640f9258d7eb797e01a063fb2b3d99b695e8ca7ba0ea5e71f4114e44
SHA512 90e2ce739c60d3181d99d1448836ede1c9890e7f9122bb3c31959dc1d88be7839e12f957d4a8567f7030429ae7781769304bfe6e7ed274e6b832be5274aee4d6

/data/user/0/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 4f96194e688af6ebdad186ebab99b937
SHA1 c28bb50961b416c2aa375089a445c7ae23bcbb3e
SHA256 944a334ceb4cd3a9747f3911f05d269276f00fd2564de40e83b73ea63e9b75fc
SHA512 9f2cb06e136c160f81e1028e5b093d10ff680240e18cab07fca76d2f887bf4c4f211aab26526cff3497f188a7ae3bbcc90a2fecbb7079a6a86d34521d56e8923

/data/user/0/com.twlq.nyhu.iats/databases/lezzd-journal

MD5 11ee6d93c09a9276dc06302a6405bb03
SHA1 2d6025253a9a8f8b0ed5d1c96c72d0234431d3f5
SHA256 869e0168c6304a6a6cdf7d0fbe87ab39291e47e56bcefc6f3ccdfd30f5547188
SHA512 55d39acf46ebca363874d063623b51c4be55d189dd3943cb4f7d9131acfe01929b2083e83bb46ef9728d551d394a83c64220a91436b9dd82029af3eb708aba93

/data/user/0/com.twlq.nyhu.iats/files/.um/um_cache_1718627972298.env

MD5 91b1fc41fa3363e1cc98e6e4ba97e7ac
SHA1 41f9f13831146fdcdfeb20c7107a837b0cb74649
SHA256 9fe1dcbad94acb216a6e52073898c378c69dceeb63d765567fe321076fc56cb8
SHA512 0e7adfe1410daf765e9a41b22717d6dc29a818e6189ea209448694d2e434c692796baa163f7715fa6462e0c30e13d1236d474291eb47616a57e72381e104eef0

/data/user/0/com.twlq.nyhu.iats/files/mobclick_agent_cached_com.twlq.nyhu.iats1

MD5 27f86c71c7c26132e9f54267c3b9293e
SHA1 0723278e21f22de1eade6fda8ca69bb6c8bc335d
SHA256 3b33ce1d6ab13ae0609face0c2a5960777f3f7390278a74f6ddfec8cbf982e43
SHA512 786adfc10f32516c8f0534e0c63ddfac50ff77fdf08c0fd97bcfb809f2a2a51659718552dab5b87ea8b3d6f26677182182c00bed875b03158490641d6fc99e97