Malware Analysis Report

2024-10-19 13:10

Sample ID 240618-retm6a1cnp
Target bc578bab172b8aae0329657e187d4a8d_JaffaCakes118
SHA256 91844369cbb17d85a82f1da9d422d89e54332f661edbd3ce0dd0c4b25784471b
Tags
collection credential_access discovery evasion impact persistence
score
7/10


Analysis Overview

score
7/10

SHA256

91844369cbb17d85a82f1da9d422d89e54332f661edbd3ce0dd0c4b25784471b

Threat Level: Shows suspicious behavior

The file bc578bab172b8aae0329657e187d4a8d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Reads information about phone network operator.

Queries information about active data network

Makes use of the framework's foreground persistence service

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-06-18 14:06

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. android.permission.BODY_SENSORS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to use SIP service. android.permission.USE_SIP N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to add voicemails into the system. com.android.voicemail.permission.ADD_VOICEMAIL N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:10

Platform

android-x64-arm64-20240611.1-en

Max time kernel

177s

Max time network

131s

Command Line

com.duowan.wdsjgl.mctools

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.duowan.wdsjgl.mctools

Network


Files

/data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/update_lc
/data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/update_lc
/data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar.sig
/data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar
/data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar
/data/user/0/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-journal
/data/user/0/com.duowan.wdsjgl.mctools/databases/GDTSDK.db
/data/user/0/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-journal
/data/user/0/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-journal

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:07

Platform

android-x86-arm-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:07

Platform

android-x64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:10

Platform

android-x86-arm-20240611.1-en

Max time kernel

175s

Max time network

187s

Command Line

com.goyourvafly.classcial

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.goyourvafly.classcial/files/sdk.jar N/A N/A
N/A /data/user/0/com.goyourvafly.classcial/files/sdk.jar N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.goyourvafly.classcial

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.goyourvafly.classcial/files/sdk.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.goyourvafly.classcial/files/oat/x86/sdk.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.goyourvafly.classcial/databases/classInfo-journal
/data/data/com.goyourvafly.classcial/databases/classInfo
/data/data/com.goyourvafly.classcial/databases/classInfo-shm
/data/data/com.goyourvafly.classcial/databases/classInfo-wal
/data/data/com.goyourvafly.classcial/databases/Notes-journal
/data/data/com.goyourvafly.classcial/databases/Notes
/data/data/com.goyourvafly.classcial/databases/Notes-wal
/data/data/com.goyourvafly.classcial/databases/cc/cc.db-journal
/data/data/com.goyourvafly.classcial/databases/cc/cc.db
/data/data/com.goyourvafly.classcial/databases/cc/cc.db-wal
/data/data/com.goyourvafly.classcial/databases/ua.db-journal
/data/data/com.goyourvafly.classcial/databases/ua.db
/data/data/com.goyourvafly.classcial/databases/ua.db-wal
/data/data/com.goyourvafly.classcial/files/__local_last_session.json
/storage/emulated/0/baidu/.cuid
/data/data/com.goyourvafly.classcial/databases/ua.db-wal
/data/data/com.goyourvafly.classcial/databases/ua.db
/data/data/com.goyourvafly.classcial/files/__local_stat_cache.json
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.DataStorage/ContextData.xml
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/data/data/com.goyourvafly.classcial/files/umeng_it.cache
/data/data/com.goyourvafly.classcial/files/.umeng/exchangeIdentity.json
/data/data/com.goyourvafly.classcial/files/exid.dat
/data/data/com.goyourvafly.classcial/databases/ua.db-wal
/data/data/com.goyourvafly.classcial/databases/ua.db
/data/data/com.goyourvafly.classcial/databases/cc/cc.db-wal
/data/data/com.goyourvafly.classcial/databases/cc/cc.db
/data/data/com.goyourvafly.classcial/files/sdk.jar
/data/user/0/com.goyourvafly.classcial/files/sdk.jar
/data/user/0/com.goyourvafly.classcial/files/sdk.jar
/data/data/com.goyourvafly.classcial/files/.um/um_cache_1718719750341.env

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:10

Platform

android-x64-20240611.1-en

Max time kernel

174s

Max time network

191s

Command Line

com.goyourvafly.classcial

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.goyourvafly.classcial/files/sdk.jar N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.goyourvafly.classcial

Network


Files

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:10

Platform

android-x64-arm64-20240611.1-en

Max time kernel

174s

Max time network

187s

Command Line

com.goyourvafly.classcial

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.goyourvafly.classcial/files/sdk.jar N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software (includes indicators from echap.eu.org)

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.goyourvafly.classcial

Network


Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:10

Platform

android-x86-arm-20240611.1-en

Max time kernel

5s

Max time network

160s

Command Line

com.goyourfly.classcial

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.goyourfly.classcial

Network


Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:10

Platform

android-x86-arm-20240611.1-en

Max time kernel

36s

Max time network

133s

Command Line

com.duowan.wdsjgl.mctools

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.duowan.wdsjgl.mctools

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sdk.e.qq.com udp
CN 113.108.27.88:80 sdk.e.qq.com tcp
US 1.1.1.1:53 mi.gdt.qq.com udp
CN 43.141.43.110:80 mi.gdt.qq.com tcp
US 1.1.1.1:53 api.yiagu.cn udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.212.202:443 tcp
US 1.1.1.1:53 sdk.e.qq.com udp
CN 113.108.27.88:80 sdk.e.qq.com tcp

Files

/data/data/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/update_lc

MD5 dce7c4174ce9323904a934a486c41288
SHA1 e117797422d35ce52f036963c7e9603e9955b5c7
SHA256 0c030586945fe504b604ecc2e875c38ede400cd5cd73da9730302162e6b02c6f
SHA512 d570ab6a8f4a7b54d426b0481219074b5277ace37d88438d87ab97eb387938eca1cf7b09fa42d596c56ada860710d2a7385d2a96e1cedff58ad6ed8900f1b143

/data/data/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/update_lc

MD5 0bcef9c45bd8a48eda1b26eb0c61c869
SHA1 4345cb1fa27885a8fbfe7c0c830a592cc76a552b
SHA256 bbf3f11cb5b43e700273a78d12de55e4a7eab741ed2abf13787a4d2dc832b8ec
SHA512 91972aa34055bca20ddb643b9f817a547e5d4ad49b7ff16a7f828a8d72c4cb4a5679cff4da00f9fb6b2833de7eb3480b3b4a7c7c7b85a39028de55acaf2d8812

/data/data/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar.sig

MD5 d720f5a76da8fd9c88b47bcc424a6ea8
SHA1 7d0d284268fd188d36ca806dbed0fdeef6a2a4bb
SHA256 2fec1104f18fc9cc1e801bbe61642ee704a149248de06330ff141ca5238dd51e
SHA512 02c34b3dea7d40c4d30052126cdcc2f8ae359d742fe25f87ad101dc1bd8f80330f149abe2e114663c53e47de9b70d2c3de8b7903d0ea22d2e1ce89cd52a901a9

/data/data/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar

MD5 9c9416e5b583e395df107443deab01e6
SHA1 9d7188b483bfe3dddc3d057a89a7f980006f26a9
SHA256 340df5c81b4b9ac9154746fdb9a88ebfc4046b72b28951dfefb85f1ab2faf358
SHA512 93f690db06ed593061e634c6a4316ab1bf466806a6f3cf0ff971521664cd379d249642549e04c899edd0749a6fe524109fbd1cba51d96dd9d50aa40d23b2ffa4

/data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar

MD5 fb9bbe1555d1e51bc6b68f73306cb5e8
SHA1 fb58a0adb1de330045ed2a7488f7512dd39e6e84
SHA256 269761b21873b1eb7f433b5b8233e13b54d499765413edd555a115e154884a1c
SHA512 10fd4b83b3b20333d1e54005342d5fcc50f83e3bd967a7b04c0991244a6e7f0bc0eabc74c19a4f746d34db7ece76f4b083101963ebe351c27b4b68c5259a55a6

/data/data/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-journal

MD5 a3b7659687454c1475ff8b60adf2df79
SHA1 1cc3ffadec534b5727a57e01c88dad28933ab12c
SHA256 8dabd9586ea938b07f96166c2c58f6f32cc0205f535bb643e15f5f283f05a841
SHA512 361fe2f39c4f5bee251beb09d84c08d87d0a03a167ec2c475d6aad064412144b00b5014bd3a27ba724361db3d9b8d1304930ed7aea0dce646bb57edca879c641

/data/data/com.duowan.wdsjgl.mctools/databases/GDTSDK.db

MD5 755d1d1b0599d7be973031b5a9ed3373
SHA1 3b13cffb97005729fc20cd9b9a8547e0fa32632d
SHA256 90bc14445f887f7dbff548bdcc44145362d7fd20cc8ad8568b4d5c9372ee9b46
SHA512 afbd3a1c76a41015b2d4523d1c08dc14a3a75dfea3a5082b5e0552d750a498fd316bc98055b9f0ad2992f28b820ef15254461fb5df4cd6c21573a96f17b24ae2

/data/data/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-wal

MD5 6ac7858a07dd8ffc987819c032ea4fd3
SHA1 db9c41e8d7d1369fcc77f52c48cf888c2014fe18
SHA256 3ddc19ff7c974f3cd3845104453f24fa7fd812d76f038f98ecbf4718cc8ea73b
SHA512 78ebf2ccc48a36327c94274e898840e161ea7a52c45537dd395025a59f5280ccae282347f939dbcc7bca76ae6bba12705a78a0d4891f0098c3cd56553a38369a

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:10

Platform

android-x64-20240611.1-en

Max time kernel

51s

Max time network

150s

Command Line

com.duowan.wdsjgl.mctools

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.duowan.wdsjgl.mctools

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 sdk.e.qq.com udp
CN 113.108.27.88:80 sdk.e.qq.com tcp
US 1.1.1.1:53 mi.gdt.qq.com udp
CN 43.141.43.110:80 mi.gdt.qq.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 api.yiagu.cn udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.179.226:443 tcp
CN 113.108.27.88:80 sdk.e.qq.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/update_lc

MD5 dce7c4174ce9323904a934a486c41288
SHA1 e117797422d35ce52f036963c7e9603e9955b5c7
SHA256 0c030586945fe504b604ecc2e875c38ede400cd5cd73da9730302162e6b02c6f
SHA512 d570ab6a8f4a7b54d426b0481219074b5277ace37d88438d87ab97eb387938eca1cf7b09fa42d596c56ada860710d2a7385d2a96e1cedff58ad6ed8900f1b143

/data/data/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/update_lc

MD5 0bcef9c45bd8a48eda1b26eb0c61c869
SHA1 4345cb1fa27885a8fbfe7c0c830a592cc76a552b
SHA256 bbf3f11cb5b43e700273a78d12de55e4a7eab741ed2abf13787a4d2dc832b8ec
SHA512 91972aa34055bca20ddb643b9f817a547e5d4ad49b7ff16a7f828a8d72c4cb4a5679cff4da00f9fb6b2833de7eb3480b3b4a7c7c7b85a39028de55acaf2d8812

/data/data/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar.sig

MD5 d720f5a76da8fd9c88b47bcc424a6ea8
SHA1 7d0d284268fd188d36ca806dbed0fdeef6a2a4bb
SHA256 2fec1104f18fc9cc1e801bbe61642ee704a149248de06330ff141ca5238dd51e
SHA512 02c34b3dea7d40c4d30052126cdcc2f8ae359d742fe25f87ad101dc1bd8f80330f149abe2e114663c53e47de9b70d2c3de8b7903d0ea22d2e1ce89cd52a901a9

/data/data/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar

MD5 9c9416e5b583e395df107443deab01e6
SHA1 9d7188b483bfe3dddc3d057a89a7f980006f26a9
SHA256 340df5c81b4b9ac9154746fdb9a88ebfc4046b72b28951dfefb85f1ab2faf358
SHA512 93f690db06ed593061e634c6a4316ab1bf466806a6f3cf0ff971521664cd379d249642549e04c899edd0749a6fe524109fbd1cba51d96dd9d50aa40d23b2ffa4

/data/user/0/com.duowan.wdsjgl.mctools/app_e_qq_com_plugin/gdt_plugin.jar

MD5 fb9bbe1555d1e51bc6b68f73306cb5e8
SHA1 fb58a0adb1de330045ed2a7488f7512dd39e6e84
SHA256 269761b21873b1eb7f433b5b8233e13b54d499765413edd555a115e154884a1c
SHA512 10fd4b83b3b20333d1e54005342d5fcc50f83e3bd967a7b04c0991244a6e7f0bc0eabc74c19a4f746d34db7ece76f4b083101963ebe351c27b4b68c5259a55a6

/data/data/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-journal

MD5 46f9970b43558c8a2a1da8ff88d3ab7e
SHA1 da9eb77a04f25731a05247049ab44fda12b0b259
SHA256 0e544df7e6de26b2fc54276c56a2ddcfd1487e5710ea425cd0f796cfa8806f45
SHA512 b50e97e80ada14c8ceff2bc5d46088354fa5d645511f43ad93f782efeac46ee6e2a7eddd5aa3d9dceffb3cc0bead1a17cdca07faa382e8f38d924ffb810bde49

/data/data/com.duowan.wdsjgl.mctools/databases/GDTSDK.db

MD5 c350d05c3d4943baaf1accd6a39a18d3
SHA1 9bea162acc14706bb032be98e7a42dbd22d3d325
SHA256 2515f5e39ad8ab880de32bd4667da927364e7f0a492876ba4f91819bded63b9f
SHA512 cf8b698adaeba68c20015b951f1cf3e8a85361c9ef7e27dcdee1cea6310023eece05519a26c95e6b9ee369f2570584c3be69ddff3fb1e4ce65b40f89a45bdfac

/data/data/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-journal

MD5 f54eeaa20236c5529ecde5860a83387c
SHA1 14cd762fcc6146516cfe7ed8ecf78e2215e01b65
SHA256 bd634dddae2aa5e451a733292bee10a987b2a0383cfb87b5cca71ea7aa4d4b19
SHA512 c3cbe249c461fde34957b3500b908c0507dd87bd493ad9ca7752348234fb9231bdd486fa797912df78948d5558e23a16a3f63241b4a56fbb4528edbdee07ced4

/data/data/com.duowan.wdsjgl.mctools/databases/GDTSDK.db-journal

MD5 412bdb51143c1170509c310a3b014561
SHA1 71d7d6ff39b712a0185f87c94262ed2084d88d47
SHA256 4695d7a9ae70c153cefcd6d86223069d3f9a69a01a3c59815e0c77346a7603c8
SHA512 f6ef2d3696f604ecda1735e8295507f9bd24f8dbbaed62f152b4ee54e11ec831c78fd1f007c1b8a38b11fde4d461a7a905bbcbd63578f3a95b521a8b7b2fa5ec

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-18 14:06

Reported

2024-06-18 14:07

Platform

android-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A