Malware Analysis Report

2024-09-09 13:26

Sample ID: 240617-va45wazfjk
Target: b8f4dadada56478b61299fb82aed5e76_JaffaCakes118
SHA256: bb042a83b007add6b05dccd05b1afe84b50c77b9fa3593813686171d66b301dc
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: bb042a83b007add6b05dccd05b1afe84b50c77b9fa3593813686171d66b301dc

Threat Level: Likely malicious

The file b8f4dadada56478b61299fb82aed5e76_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries account information for other applications stored on the device

Queries information about active data network

Reads information about phone network operator

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Domain associated with commercial stalkerware software (indicator list from echap.eu.org). The matched domain is alog.umeng.com, the logging endpoint of the Umeng analytics SDK; the dropped files umeng_it.cache, .umeng/exchangeIdentity.json and mobclick_agent_cached_* show that SDK is embedded in the sample, so this hit reflects a third-party SDK shared by many apps rather than infrastructure unique to this sample.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 16:48

Signatures

Requests dangerous framework permissions

Permissions declared in the manifest (static result; Process and Target are N/A for every row):

Permission                                   Description
android.permission.WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage.
android.permission.GET_ACCOUNTS              Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE          Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW       Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                    Required to be able to access the camera device.
android.permission.RECORD_AUDIO              Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE     Allows an application to read from external storage.
android.permission.WRITE_CONTACTS            Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS            Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION    Allows an app to access approximate location.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 16:48
Reported: 2024-06-17 16:51
Platform: android-x86-arm-20240611.1-en
Max time kernel: 178s
Max time network: 176s

Command Line

com.hdfx.usqn.byfl

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicators: none recorded

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.hdfx.usqn.byfl/app_mjf/dz.jar (two load events recorded)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries account information for other applications stored on the device
Tags: collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
Tags: discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software (indicator list from echap.eu.org)
Indicator: alog.umeng.com

Queries information about active data network
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks CPU information
Indicator: file opened for read /proc/cpuinfo

Processes

com.hdfx.usqn.byfl

com.hdfx.usqn.byfl:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/data/com.hdfx.usqn.byfl/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.hdfx.usqn.byfl/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.hdfx.usqn.byfl/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 135d26c87936681e062ffdd3502e9b45
SHA1 aa7e15768581ad7e4b26bf2c4dde648aff73b4c0
SHA256 b6db656058977253b7a0ede8b8e29a255555fcdec246332dfe7361710ef18351
SHA512 7a91738d386bab466e425d75a52eddce3b047df88c2c344271e4985ae0e719dd245d82b5394ebabd5b1de55e159a9d0b03956a7e28e983c2fba37f82634743e5

/data/data/com.hdfx.usqn.byfl/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.hdfx.usqn.byfl/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.hdfx.usqn.byfl/databases/lezzd-wal

MD5 64e7d44159e1ce8271845781c00b970d
SHA1 cfaccbc7f6c73a0fb99a5e6c6f0b4e088d31ff23
SHA256 33b078f704a8987b3b2f4dac63dfacd86755006bf778cb36b9c54758d7effa5e
SHA512 0b75d496e2c2047516650a11e60d1322c3d6ba128e4ee6f1f12a515bf63b5dcaff878ad2b0b7d4ac57af0c9308512ca7b87c6a7c34660b52ff50adf82415ac0b

/data/data/com.hdfx.usqn.byfl/app_mjf/oat/dz.jar.cur.prof

MD5 5e93ed868d629325cec45c2e3a9852ac
SHA1 1d996829dbef107daed2018a49d5c1f0ebef6b77
SHA256 3570f268f6b19eab88e7ca72096c4c628dfad6f2cbf414b2728ce5f9bf61dfc7
SHA512 70736033b5d0c5129ce8a0810abb307103f4859db510d21318f70c3d66bb41838a501a3f29bf3b121f9c0ce7edd5aeafc776970ddfe06e262d652f06922b825e

/data/data/com.hdfx.usqn.byfl/files/umeng_it.cache

MD5 8feff36654a4ba1b9bd2d69bc78ec153
SHA1 f16a77ce6cc454a24e9e5b20cc97dee1d82e1976
SHA256 c45f2b6b975c28c24a3f87b291ad370c46edf458e563b5460eb6f69a1945cd47
SHA512 c5e34a3e8f193f4264d383aef2b293f06f06f79320fc8a9966927103a054d441b4c2621d705c16197aebf33efb83123aa93e3b6dee15b84921628e6f70b58b73

/data/data/com.hdfx.usqn.byfl/files/.umeng/exchangeIdentity.json

MD5 092b6bca1332fd4cc9845171c3cad85a
SHA1 796ca22e89ecd3558952ea6d30fd90ed3445181c
SHA256 729f3bf866021d4cefc9141465e24422a5aebd89b9bd28025aaa646f25cb095d
SHA512 7324233b82b6aabb3796f0530485f63c35cf7d2fe6bd64b1c6b0b78e9d7a0ee226e16b2d13d2dcf2bedd66fcc4d7ddc880abc995aa5a7957abe41d21c8f88650

/data/data/com.hdfx.usqn.byfl/files/.um/um_cache_1718643006906.env

MD5 2601f28c1ffc4a83d2330a68f5fecada
SHA1 b2572a2013810c33735e418008f36c6de79f6bab
SHA256 c335921e52dad104d790e5e404e72eeda817431bf95f438849afd666d8a627fe
SHA512 018441ac9986f7862627c5f0018cf3b98e72a759667e3112347d15161f151f229626a3d07dcde3ddc7bea9295949a539732c83dd20bd25a96285b7accee18d94

/data/data/com.hdfx.usqn.byfl/files/mobclick_agent_cached_com.hdfx.usqn.byfl1

MD5 96d1d9e1435f6aad850da99837653cea
SHA1 cf93861ef8dde48c5e0b5aaf812b0e07eef401b6
SHA256 bb4ca8df366c98aa1aaa4ab6b37c43efc58afb41e6446717fd891a71e6eb39df
SHA512 ee3f42e9baaa9286e96e3dbb618fc8dd0090b292e9fefc8f31d7804111e58e2f1944b7983d20677b4557a5a0c153aa6646cd220fc0e7f4739313bd375a0a7098
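The jars written under app_mjf/ and the Loads dropped Dex/Jar signature above mean the code that ran in the sandbox was not the code in the APK's own classes.dex. The script below is an added example and is not part of the sandbox report or of the sample: it scans an APK's zip entries for DEX files outside the primary classes*.dex, for nested jar/zip archives that contain a DEX, and for high-entropy blobs that may be an encrypted payload, and hashes each hit so it can be compared against the dropped-file hashes above. The APK it builds in build_sample_apk() is constructed for the demo; the entry names, the 7.5 bits/byte entropy cut-off and the assumption that the payload ships inside the APK rather than being downloaded are the example's own choices, not facts from the report.

```python
"""Static pre-check for an APK that may carry a secondary DEX/JAR payload.

Added example, not part of the sandbox report or of the sample. It scans an
APK's zip entries for DEX files, nested jar/zip archives containing a DEX,
and high-entropy blobs that may be encrypted payloads, and hashes each hit
so it can be compared against the dropped-file hashes a sandbox reports.
"""
import hashlib
import io
import math
import random
import zipfile

DEX_MAGIC = b"dex\n"        # a DEX file starts with "dex\n", a 3-digit version and NUL
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip/jar/apk
ENTROPY_THRESHOLD = 7.5     # bits per byte; assumed cut-off for "looks encrypted or compressed"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniformly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Label a zip entry's bytes by what they look like."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = inner.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        return "jar-with-dex" if any(n.endswith(".dex") for n in names) else "zip"
    if len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return "other"


def scan_apk(apk_bytes: bytes) -> list:
    """Return one finding per entry that looks like a payload the app could load at runtime."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info)
            kind = classify(data)
            # classes.dex, classes2.dex, ... at the root are the app's own code, not a dropped payload
            is_primary_dex = "/" not in info.filename and info.filename.startswith("classes")
            if kind == "dex" and is_primary_dex:
                continue
            if kind in ("dex", "jar-with-dex", "high-entropy", "zip-corrupt"):
                findings.append({
                    "entry": info.filename,
                    "kind": kind,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return findings


def build_sample_apk() -> bytes:
    """Constructed demo APK: primary dex, a manifest, a nested jar with a dex, and an encrypted-looking blob."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 120
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("classes.dex", fake_dex)
    blob = random.Random(1).randbytes(4096)   # stands in for an encrypted payload (constructed)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest package='demo.app'/>")
        apk.writestr("classes.dex", fake_dex)
        apk.writestr("assets/payload.bin", inner.getvalue())   # hypothetical entry name
        apk.writestr("assets/blob.enc", blob)                  # hypothetical entry name
    return out.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f['kind']:14} {f['size']:7d} {f['sha256'][:16]}...  {f['entry']}")
```

To run it on a real file, replace build_sample_apk() with open(path, "rb").read(). A hit whose SHA256 equals one of the dropped files (here dz.jar, tdz.jar or ddz.jar) means the payload is stored in clear inside the APK; if the only hits are high-entropy blobs, the payload is most likely decrypted on the device, and the routine in classes.dex that writes into app_mjf/ is the next thing to read.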

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 16:48
Reported: 2024-06-17 16:51
Platform: android-x64-20240611.1-en
Max time kernel: 178s
Max time network: 162s

Command Line

com.hdfx.usqn.byfl

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicators: none recorded

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.hdfx.usqn.byfl/app_mjf/dz.jar (two load events recorded)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries account information for other applications stored on the device
Tags: collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
Tags: discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software (indicator list from echap.eu.org)
Indicator: alog.umeng.com

Queries information about active data network
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about phone network operator
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks CPU information
Indicator: file opened for read /proc/cpuinfo

Processes

com.hdfx.usqn.byfl

com.hdfx.usqn.byfl:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.122.10:80 ip.taobao.com tcp
GB 142.250.178.14:443 tcp
GB 216.58.201.98:443 tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 216.58.213.14:443 tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp

Files

/data/data/com.hdfx.usqn.byfl/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.hdfx.usqn.byfl/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.hdfx.usqn.byfl/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 35fcf54d798caa443b2f9e008ab2549b
SHA1 d5879caf1ce4a61a57d5d1ec8c60614877845cb5
SHA256 c4cd08a774d82b66674aea71b8a072a6ea9159a37ca716f49b6b932e41ebea64
SHA512 0d384e76aecf409bf89a8668575d0c45b9559ccf662bcc583a1bb92d982331130665bd6fd52cb7e56f6463926b0a8ab66a78e02c3d7680aba121c73476addf4c

/data/data/com.hdfx.usqn.byfl/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 df0dd7fd39c6395540f3eb7ff93e1c4c
SHA1 95ad669acf2ea338b067bb77ae67698a657c80e8
SHA256 f94c2f2c1a8b7ef1ed4a20b8fc5cc9ff1b03ec911b16f79e3f461823e3fb0c15
SHA512 44e0936efca2defda7eb4c4c5745c9e1e93c5cb33669cdb7439cd47ae58d2f08b6094ce7a8a3592dfc1a1c973b25f3fdea394f7528b65dda8ad784c765c8c7cc

/data/data/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 e68596b7d4bbbde624c0962ce714f798
SHA1 2e82f778a85c0203bedf79ca46ee0037c3ab8050
SHA256 b32be0bc046c9ae2d18ca92e7a87dc9cf39ba059c55f7540093b04cb8684aee1
SHA512 55190abb33b6c2ad414bd298751eec16280178c6280876b588ce176bb5764ce74649019223b26f87ee792e6d0c65a27783d84a5ccf831ffa8e017cb50c6d2bfe

/data/data/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 01befe10073d7759a9e509d6561426ec
SHA1 bf0e8167c5704c288ea73e90b5e30c5d719ee196
SHA256 d9f2f92d253ca7cd647e1baf2a8cdd75ecd2a8b536f6ae065d5e9d02cf20a5fa
SHA512 68de55205c42b303531e39a21e7877f26f5d325759c05d753e27699e8ad4b15a0cc604e36cffd0a03cde423666e85dafdcc79df727a4da406e344782751b0871

/data/data/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 57965f9fd9ca03aa54f699a2c0867ddf
SHA1 850e74482d65c935bf2de00cdcbb8fbf4d01a489
SHA256 c776efc7184e1bf618a77eff2da47a46c1cb99185962ef67dee119bd12e3a612
SHA512 b66a96ed65239d3608a1b1583eb1429804b6d6350929ece7b63e277e01364519c74fce087769aa84890240a697213d63a94bb72117ea380ace97893d3ab193a5

/data/data/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 c9796dc80460ce160015680a861dc83d
SHA1 4d31f1527e8d6a482eaaa0b594d5e872321cf252
SHA256 5c25cff420b6423cfe31e292193b235d8012802f9201122d6f3e5a6e9da8d228
SHA512 28c5f73a0fad5889b78ebfe5ca8fe72fb1c0800e4d6da0e623cdc2e3542776f34ddd5ecb41c8479ab3deaee42142d7cff40a85ba5aef154131ca4ecb7afed572

/data/data/com.hdfx.usqn.byfl/files/umeng_it.cache

MD5 907aae8ac3490dc38fc1de0493fa3694
SHA1 7234451e917675de772da77bfa3276ea0bebcea4
SHA256 5ca4ecbd1796f8fd13a11a4d6574eb6086928c77048fc5870ad016d0f4f33d40
SHA512 c2e6b8307ba4623e21fac01ff14f742dba602f8401039d21e7cf39efbf818f8df70faba947b64d05c73ae4fa771b199e7954ad37084863d41716b5358b6db8c5

/data/data/com.hdfx.usqn.byfl/files/.umeng/exchangeIdentity.json

MD5 b9f93b2e5517fef12d928504295e911a
SHA1 41e8560dc93543650bd209a74f1d0a79058e0d3c
SHA256 51c7a0ec540ba34a7f9bc34ab588ca0c5b4805e639cc57949392bbd2a92de32c
SHA512 45c2c095b1d2fe2469542d32cbb1a4606166bb7e27a8f0f95c14815aec5bf49dd2cd19caffe7f60bef2a0b4e7990d5fbeb85e92a736a89629ecf3383bb651eec

/data/data/com.hdfx.usqn.byfl/files/.imprint

MD5 65ec2e0bc28085fef841440a9724ba3a
SHA1 95490d9c70d16e2b12b2d9f628d5b5f60972fcb0
SHA256 d88e01d5d9673fb329422f3a0d7c656f131f74ce6f977ec8435587deb656e5f8
SHA512 50593efdedc8e961af3b78559385ff718bed5baa2a5f10bf372be70bb1d67daa28ade7e6244ea00c6c7646457b93d1550824f35469afbae010c3497f448e2d18

/data/data/com.hdfx.usqn.byfl/files/umeng_it.cache

MD5 5d48cbcbe4ebd1b5a070cdbf13ad1200
SHA1 74aca22808ce849292268d753d8a11f00fb46fb5
SHA256 f1ccc47855b98464e3288ca5a5f175750b50b4cae17d3145d9fd22c9930a9d0b
SHA512 039869fd384eb3510af8e32b52244db8d42acdba925381b1550f4a89ede1420cf89dbe61543305dd96acf7384bce11f63f46a073dfabcda647556f9417bb2d53

/data/data/com.hdfx.usqn.byfl/files/.umeng/exchangeIdentity.json

MD5 22b9d8a662eb923014297b4fb176e757
SHA1 d48c5a35990e8a73506ee73f775e0018918ab1ee
SHA256 8272476ef8cc5978386bc8d17221b8ee943f6b0c81fb11d267a1b62631842454
SHA512 1b532a9250471da0edd23859343309e07df35e1ec81100c5820683b5b038b8e6ef3e563ba5661f52fe54105522b375e52d134613164917ac20f7c3455ec9762f

/data/data/com.hdfx.usqn.byfl/app_mjf/oat/dz.jar.cur.prof

MD5 a87dc1222e6546c25bd22b812f178fe6
SHA1 a7ff038b70956810393286e7548b0520db8b0fec
SHA256 6c57fb585b9619a0b77b41356f48ffe452d24bc8824eb273facb7952e208997f
SHA512 4fd4fc5fb5cad953ac9e1240526c3ad3f864d197b08bf98713b70992ba1d5def64aa3d104786fd16828cb5e064cd931893c11189b4f8d82bc701d01a62bb4d1d

/data/data/com.hdfx.usqn.byfl/files/.imprint

MD5 9d117aeb45d8fdc368a6c0c655842377
SHA1 805677529f6eb83fcae97655dbc0677908857918
SHA256 2f77debd21563e26f89d631ab473ff05d3c46e1fe36ee83cfa1859cf68238060
SHA512 a1f38eab5d323ebabbc09b1f2a7cf9c9068e6d93d2258ec11e849cbfe137ec5c3abc5a57592ad012921aec3c9a2fd410e7618b568c66c8fff1d6fd41a7dd73ac

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-17 16:48
Reported: 2024-06-17 16:51
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 179s
Max time network: 177s

Command Line

com.hdfx.usqn.byfl

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicators: none recorded

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.hdfx.usqn.byfl/app_mjf/dz.jar (two load events recorded)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries account information for other applications stored on the device
Tags: collection
Indicator: framework service call android.accounts.IAccountManager.getAccountsAsUser

Queries information about running processes on the device
Tags: discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software (indicator list from echap.eu.org)
Indicator: alog.umeng.com (two hits recorded)

Queries information about active data network
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator
Tags: discovery

Checks CPU information
Indicator: file opened for read /proc/cpuinfo

Processes

com.hdfx.usqn.byfl

com.hdfx.usqn.byfl:daemon

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.212.234:443 tcp
GB 216.58.212.234:443 tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.242:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.120.242:80 ip.taobao.com tcp
CN 59.82.120.242:80 ip.taobao.com tcp
GB 216.58.212.196:443 tcp
GB 216.58.212.196:443 tcp
CN 59.82.120.242:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
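The three Network tables repeat the same few hosts with different resolved addresses, and some rows carry a destination without a name. The script below is an added example, not part of the sandbox report: it parses rows in the report's own Country Destination Domain Proto layout (ROWS is a constructed subset copied from the tables above), separates lookups sent to the sandbox resolver at 1.1.1.1:53 from real connections, groups endpoints by the name they were contacted under, flags cleartext HTTP, and lists names that were resolved but never connected to. Treating *.google.com and *.googleapis.com as Android background traffic, and 224.0.0.251:5353 as emulator mDNS chatter, is an assumption made for this demo, not a finding of the report.

```python
"""Consolidate sandbox Network rows into an IOC list.

Added example, not part of the sandbox report. ROWS is a constructed subset
of rows copied from the report's Network tables (Country Destination Domain
Proto; the Domain column is empty on some rows). The script separates DNS
lookups from actual connections, groups connection endpoints by the name
they were made under, flags cleartext HTTP, and lists names that were
resolved but never connected to. Which names count as background noise is
an analyst assumption for this demo.
"""
from collections import defaultdict

ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

RESOLVER = "1.1.1.1:53"         # the sandbox resolver: a hit here is a lookup, not a connection
MDNS = "224.0.0.251:5353"       # multicast DNS from the emulator itself (assumed noise)
NOISE_SUFFIXES = (".google.com", ".googleapis.com")   # assumed Android/Play background traffic


def parse_rows(text: str) -> list:
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column may be absent."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        events.append({"country": country, "ip": ip, "port": int(port),
                       "domain": domain, "proto": proto})
    return events


def is_noise(name: str) -> bool:
    return name.endswith(NOISE_SUFFIXES)


def consolidate(events: list) -> dict:
    queried = set()                 # names sent to the resolver
    conns = defaultdict(set)        # name (or bare IP when no name was seen) -> {ip:port}
    for e in events:
        dest = f"{e['ip']}:{e['port']}"
        if dest == MDNS:
            continue
        if dest == RESOLVER and e["proto"] == "udp":
            if e["domain"]:
                queried.add(e["domain"])
            continue
        conns[e["domain"] or e["ip"]].add(dest)

    # bare IPs stay in the list: without a name the analyst has to attribute them by hand
    iocs = {name: sorted(dests) for name, dests in conns.items() if not is_noise(name)}
    cleartext = sorted(name for name, dests in iocs.items()
                       if any(d.endswith(":80") for d in dests))
    # resolved but never connected to: NXDOMAIN, sinkholed, or a dormant secondary name; worth a second look
    dns_only = sorted(q for q in queried if q not in conns and not is_noise(q))
    return {"iocs": iocs, "cleartext": cleartext, "dns_only": dns_only}


if __name__ == "__main__":
    result = consolidate(parse_rows(ROWS))
    for name, dests in result["iocs"].items():
        print(f"{name:28} {', '.join(dests)}")
    print("cleartext HTTP:", result["cleartext"])
    print("resolved only:", result["dns_only"])
```

Feeding all three tables in produces one de-duplicated list per name; the cleartext list is the part worth watching in a proxy log, since the port-80 traffic to ip.taobao.com, o.pmuro.com and alog.umeng.com can be inspected without TLS interception. The resolved-only entry alog.umeng.co is kept verbatim from the report; whether it is a truncated record or a second name is for the analyst to settle.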

Files

/data/user/0/com.hdfx.usqn.byfl/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.hdfx.usqn.byfl/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.hdfx.usqn.byfl/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 61fdbdf35254c5dadf0281fe71e7763c
SHA1 500bec5c86dcf02c087351eca667d546b3070ce5
SHA256 33d9bfcd88ff385b6e377b5853c873061e1e9bce6211e6eda6924213e3151601
SHA512 18f80aa25467e43e9eb5d462166d6cc249b027b129175120cc8ade10a5bc7165a454617709c3dc6702b4abfd55de0deca10bbf0f43a959996d02a4a6e0f734c9

/data/user/0/com.hdfx.usqn.byfl/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 9baef1e183b32d279ad7555f18a2794d
SHA1 71942aab76aecf575ad96950ddc762ed0d4ddd6f
SHA256 1d0c58caa8bb1e0206ae66c614cd9a60b11ba806c09da8d4d783e1282746b852
SHA512 26cb73fa9ac862a3eb0dd67a79413db8e84777386e7f70ffaa8334ceee1b3e9726b536ea3fe49cd433f36cb8b4bee89de0f11cdbd847c76fd9430ba2f8a1e264

/data/user/0/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 f1eeb619aaddc5d8f31c94ff81827ca0
SHA1 f402d4101e0d38868dc70b6723c427d3ba0c274f
SHA256 fd31a84b0bb52d880f20d682e88c12b2861c747481f350b5aff347e5c4ce35ec
SHA512 3964a2fe5ea0184fc02193cf4d7234051a8a2b0eb5d5c6d30012dcce18dd9fe6b907632da117ec8f2f050b0d8cde097670ed0241c7b3552add208087f200b6db

/data/user/0/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 1391616904e7c26c67b425ea9d3a6da4
SHA1 baa7eefe8c1e6012e4a6bb3bab3053e4eeb92fcc
SHA256 2c6e39042e3833b80108823d74eb9360fdf6aa12e6e4f25bb8e223b83a8dda88
SHA512 74484419e2a4b63e366f35a90e658000a05eeeb7b39db2cbd4a7df630eaf7798eb8a4d042a6da38c9eb17b33e26d2e9a53ca8a8b2a169162924f16cea2d400df

/data/user/0/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 7655aebf27e613f6c020c6861cbb169d
SHA1 f585a0b7df61b79ef4e67e89b0c25cb5ba2ac2fb
SHA256 30f248d4c2f24b46fa34e6f662d621675df37c9c0c17385b335cbf5b94d3dff5
SHA512 ea03cd61e81bd4aff5d4ef9325ffbe79b2bc830e9585ce7f40527fa61098cc92a1fdb79bc7446d5ff49084dd6d14d965adbfb0b29bd747bdd52e4875f37e80bb

/data/user/0/com.hdfx.usqn.byfl/databases/lezzd-journal

MD5 fff53ac3f649761424ddf14aa3671a07
SHA1 7ff3ab54b681a46785efcbb93fd7f3b58801493f
SHA256 e8e2def5a0111c6d1403cecb7dfc888a9bc3e88bdca6a22447a7882e5329a7f5
SHA512 47f66a7dd86535bf2858e5b5ca2e90a18839b18c088bcc9ff7ab8e054dda0d9ebeebbd7719a52ed2c24deaf562d49e2eb2b99999ee62ce1b1eaa52de9c379852

/data/user/0/com.hdfx.usqn.byfl/files/umeng_it.cache

MD5 ea3a8c85fb603cb4f50d8209794018db
SHA1 8bcf0b15b5edf1d132bb6c4605a10d9ffd2f7c80
SHA256 00f52fe266795ecf28202c5d753ab14e6ad40dc89be749c9ece591b55ff0d595
SHA512 ee28d53a770fc1f278166a8ad501b6363cd16dde5c5cd2cd927cb56fdee2fb7cb2e5ec9066e5c5d9bc6fa2a205351542bb2d28b35dc5083c08188fcaeeef4932

/data/user/0/com.hdfx.usqn.byfl/files/.umeng/exchangeIdentity.json

MD5 6faa8bf196d45120b9af2824dac307ee
SHA1 46e159ee38167bb3820471b4e6e9569c320e02cd
SHA256 6af07134370df3119589ef55614296e1b287fa7357bbc70b2d853fe969b18d0a
SHA512 76519fe0f8a519e87a4204d3043768ed6ab8a1f4e8ce54590a71818052bba5d6efaea09cd79cc6baa984f9c55597f4a1f7f3a6defc34cb73603f9888ca1c0817

/data/user/0/com.hdfx.usqn.byfl/files/.um/um_cache_1718643005675.env

MD5 5d7986374b527e56b0ea4a6c2e9fb655
SHA1 ef323b941fcbfc9642ab9745b599c0f0af1baa3d
SHA256 edcf18b080a2a9c89d01dd394d189afb7d459f96dbeeda9a250132995c270735
SHA512 0f53dcd1373871bca64f5d4546d5ff92c34d336066a5e3e5047387d043d5b41fb32045c1735271098fa8c0f83418e39e3db484e778e545e7b4524103eb2d7d78

/data/user/0/com.hdfx.usqn.byfl/files/mobclick_agent_cached_com.hdfx.usqn.byfl1

MD5 93c9d73f5df8e62bcd98e942a2532354
SHA1 976fbba19db44107f4ad46d08ab4a6f80fbe0493
SHA256 6bd0e8ad431fb866b142593e20c3758ab8de257dc062a7d77381a36e7b5fbb55
SHA512 f899acc0914b78d3037099a2a14346a21d61e0267e06213526064180686da8fd0ed07673d743eee857da8f72cc6b579a93972cd4179b0e5b6ca2377a7eb2d1a0