Malware Analysis Report

2025-01-19 04:55

Sample ID 240617-yyr21awgpj
Target b9d2cefbb3b2286a45a47157a46efa69_JaffaCakes118
SHA256 06322cbb3b1d3dccac6048801a0a59bb7bc655b494979f86fafe71a230e47c96
Tags collection discovery evasion impact persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file b9d2cefbb3b2286a45a47157a46efa69_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Queries information about active data network

Reads information about phone network operator.

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-17 20:12

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 20:11
Reported: 2024-06-17 20:15
Platform: android-x86-arm-20240611.1-en
Max time kernel: 33s
Max time network: 173s

Command Line

com.wp.bookshelfss

Signatures

Checks if the Android device is rooted.

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/app/Superuser.apk | N/A | N/A |

Loads dropped Dex/Jar

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/data/com.wp.bookshelfss/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.wp.bookshelfss/.jiagu/classes.dex!classes2.dex | N/A | N/A |
| N/A | /data/data/com.wp.bookshelfss/.jiagu/classes.dex!classes3.dex | N/A | N/A |

Queries information about running processes on the device

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |

Queries information about active data network

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Processes

com.wp.bookshelfss

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 20:11
Reported: 2024-06-17 20:15
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 32s
Max time network: 144s

Command Line

com.wp.bookshelfss

Signatures

Checks if the Android device is rooted.

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/app/Superuser.apk | N/A | N/A |

Loads dropped Dex/Jar

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/com.wp.bookshelfss/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/user/0/com.wp.bookshelfss/.jiagu/classes.dex!classes2.dex | N/A | N/A |
| N/A | /data/user/0/com.wp.bookshelfss/.jiagu/classes.dex!classes3.dex | N/A | N/A |

Queries information about running processes on the device

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |

Queries information about active data network

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Processes

com.wp.bookshelfss

Network


Files
