Malware Analysis Report

2025-01-19 05:19

Sample ID 240825-nkh7tssape
Target c0a52b8d9918b63e45d879bd94485643_JaffaCakes118
SHA256 ed9b8486ef7139900343757cc864efa787c64e54704af8e3e2836366c3d69e6e
Tags banker collection discovery evasion persistence stealth trojan
Score 8/10

Analysis Overview

Score 8/10
SHA256 ed9b8486ef7139900343757cc864efa787c64e54704af8e3e2836366c3d69e6e
Threat Level: Likely malicious

The file c0a52b8d9918b63e45d879bd94485643_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Analysis: static1

Detonation Overview

Reported 2024-08-25 11:27

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-25 11:27
Reported 2024-08-25 11:30
Platform android-x86-arm-20240624-en
Max time kernel 178s
Max time network 148s

Command Line

com.equq.ylbf.dnxd

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.equq.ylbf.dnxd

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.equq.ylbf.dnxd/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.equq.ylbf.dnxd:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
CN 59.82.122.127:443 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp

Files

/data/data/com.equq.ylbf.dnxd/app_mjf/tdz.jar
/data/data/com.equq.ylbf.dnxd/app_mjf/ddz.jar
/data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar
/data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar
/data/data/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/data/com.equq.ylbf.dnxd/databases/lezzd
/data/data/com.equq.ylbf.dnxd/databases/lezzd-shm
/data/data/com.equq.ylbf.dnxd/databases/lezzd-wal
/data/data/com.equq.ylbf.dnxd/files/umeng_it.cache
/data/data/com.equq.ylbf.dnxd/files/.umeng/exchangeIdentity.json
/data/data/com.equq.ylbf.dnxd/files/.imprint
/data/data/com.equq.ylbf.dnxd/files/umeng_it.cache
/data/data/com.equq.ylbf.dnxd/app_mjf/oat/dz.jar.cur.prof
/data/data/com.equq.ylbf.dnxd/files/.umeng/exchangeIdentity.json
/data/data/com.equq.ylbf.dnxd/files/.imprint

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-25 11:27
Reported 2024-08-25 11:30
Platform android-x64-20240624-en
Max time kernel 178s
Max time network 151s

Command Line

com.equq.ylbf.dnxd

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.equq.ylbf.dnxd

com.equq.ylbf.dnxd:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
CN 59.82.122.127:443 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 alog.umeng.com udp
SG 47.246.109.109:80 alog.umeng.com tcp
GB 216.58.213.14:443 tcp
GB 142.250.178.2:443 tcp

Files

/data/data/com.equq.ylbf.dnxd/app_mjf/tdz.jar
/data/data/com.equq.ylbf.dnxd/app_mjf/ddz.jar
/data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar
/data/data/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/data/com.equq.ylbf.dnxd/databases/lezzd
/data/data/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/data/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/data/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/data/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/data/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/data/com.equq.ylbf.dnxd/files/umeng_it.cache
/data/data/com.equq.ylbf.dnxd/files/.umeng/exchangeIdentity.json
/data/data/com.equq.ylbf.dnxd/files/.imprint
/data/data/com.equq.ylbf.dnxd/files/umeng_it.cache
/data/data/com.equq.ylbf.dnxd/app_mjf/oat/dz.jar.cur.prof
/data/data/com.equq.ylbf.dnxd/files/.umeng/exchangeIdentity.json
/data/data/com.equq.ylbf.dnxd/files/.imprint

Analysis: behavioral3

Detonation Overview

Submitted 2024-08-25 11:27
Reported 2024-08-25 11:30
Platform android-x64-arm64-20240624-en
Max time kernel 178s
Max time network 151s

Command Line

com.equq.ylbf.dnxd

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.equq.ylbf.dnxd

com.equq.ylbf.dnxd:daemon

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 59.82.122.61:443 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
CN 223.109.148.177:80 alog.umeng.com tcp

Files

/data/user/0/com.equq.ylbf.dnxd/app_mjf/tdz.jar
/data/user/0/com.equq.ylbf.dnxd/app_mjf/ddz.jar
/data/user/0/com.equq.ylbf.dnxd/app_mjf/dz.jar
/data/user/0/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/user/0/com.equq.ylbf.dnxd/databases/lezzd
/data/user/0/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/user/0/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/user/0/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/user/0/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/user/0/com.equq.ylbf.dnxd/databases/lezzd-journal
/data/user/0/com.equq.ylbf.dnxd/files/umeng_it.cache
/data/user/0/com.equq.ylbf.dnxd/files/.umeng/exchangeIdentity.json
/data/user/0/com.equq.ylbf.dnxd/files/.imprint
/data/user/0/com.equq.ylbf.dnxd/files/umeng_it.cache
/data/user/0/com.equq.ylbf.dnxd/files/.umeng/exchangeIdentity.json
/data/user/0/com.equq.ylbf.dnxd/files/.imprint