Malware Analysis Report

2025-01-19 05:19

Sample ID 240824-z9nz6azhkc
Target bf71bee5557b56179ae9db87e315e80a_JaffaCakes118
SHA256 6fbec5ca3918efb5d00eec529920e2390152d562c3cbd902dd7c8df4e1769d1e
Tags: banker collection discovery evasion persistence stealth trojan
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 6fbec5ca3918efb5d00eec529920e2390152d562c3cbd902dd7c8df4e1769d1e

Threat Level: Likely malicious

The file bf71bee5557b56179ae9db87e315e80a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about active data network

Queries information about the current Wi-Fi connection

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-24 21:25

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-24 21:25
Reported: 2024-08-24 21:28
Platform: android-x86-arm-20240624-en
Max time kernel: 178s
Max time network: 179s

Command Line

com.xamd.lrjy.xtzz

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xamd.lrjy.xtzz/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.xamd.lrjy.xtzz/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.xamd.lrjy.xtzz/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.xamd.lrjy.xtzz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xamd.lrjy.xtzz/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.xamd.lrjy.xtzz/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.xamd.lrjy.xtzz:daemon

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-24 21:25
Reported: 2024-08-24 21:28
Platform: android-x64-20240624-en
Max time kernel: 179s
Max time network: 177s

Command Line

com.xamd.lrjy.xtzz

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xamd.lrjy.xtzz/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.xamd.lrjy.xtzz/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.xamd.lrjy.xtzz

com.xamd.lrjy.xtzz:daemon

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted: 2024-08-24 21:25
Reported: 2024-08-24 21:28
Platform: android-x64-arm64-20240624-en
Max time kernel: 179s
Max time network: 180s

Command Line

com.xamd.lrjy.xtzz

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xamd.lrjy.xtzz/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.xamd.lrjy.xtzz/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.xamd.lrjy.xtzz

com.xamd.lrjy.xtzz:daemon

Network


Files
