Malware Analysis Report

2025-01-19 05:19

Sample ID 240825-rf8hpsybjc
Target c0e8863ba90e1f086ee28e43a69c19a0_JaffaCakes118
SHA256 210750dabe8e34822418d90e7e15fda6508342a9e88617297839b6137a074612
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

210750dabe8e34822418d90e7e15fda6508342a9e88617297839b6137a074612

Threat Level: Likely malicious

The file c0e8863ba90e1f086ee28e43a69c19a0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-08-25 14:09

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 14:09

Reported

2024-08-25 14:12

Platform

android-x86-arm-20240624-en

Max time kernel

180s

Max time network

150s

Command Line

com.cgne.vwyq.akeo

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.cgne.vwyq.akeo

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.cgne.vwyq.akeo/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.cgne.vwyq.akeo:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ip.taobao.com udp
US 1.1.1.1:53 c.ioate.com udp
US 1.1.1.1:53 ip.taobao.com udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 59.82.121.163:443 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 216.58.204.78:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp

Files

/data/data/com.cgne.vwyq.akeo/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.cgne.vwyq.akeo/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 001723e0c3dec035b6709573e6b0197f
SHA1 845a514f4dcf9b145d5631b829f1d950e139a595
SHA256 bba6edc597e65722bf13a9aa1186d6eb4d8945e127f017bb9ef0042eb7162abf
SHA512 5c4568b868163ccfd94cea76b477d3fea40e6cbf15ce326a0552e29e37e887f93c2940b482d90404c11b37201c46b2810345ff068733d7c87b13ca2e46ac3593

/data/data/com.cgne.vwyq.akeo/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cgne.vwyq.akeo/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cgne.vwyq.akeo/databases/lezzd-wal

MD5 d0689861a68fdb2e3a9c03041df6baab
SHA1 4d34f6e06f212a4f560c8cb126f37ebfa16a29a9
SHA256 7c9075c0a055e05bef993268d5a6e00c08cfff7de9be7936997be92ed593fe38
SHA512 ad1633bf9765c1c5b527931c2f1381c33a8345429de1e1f3d0db0388bbf166b293873a7eb2321131763d8dbdf24a0fb6ea33fcfe07a2db037ef284e3bd998b94

/data/data/com.cgne.vwyq.akeo/files/umeng_it.cache

MD5 053233acff12ef04a071be7cf56fec30
SHA1 ba6272bed1151da72f9551c7c226a27c1725d6a3
SHA256 0d1b268107fe8d249c0c0dd0101781e749523e099bca81764744961cbdece042
SHA512 1c9d6d49f829d01b6b00b493493a7d42c974f0eda830fd3531bffe387fdefcc178465fd22bfa14c21291670086f1dd6958698f61b83e5510249879292406714b

/data/data/com.cgne.vwyq.akeo/files/.umeng/exchangeIdentity.json

MD5 2328e42d622d2a8e9b1ec8e12389f3cb
SHA1 cfecffddcf0d88b5e5dacdaa9316da2c23b05db8
SHA256 9b1431a7c219a5f3e543df32b4b38e8b459766def606531c9989f38095c74826
SHA512 61cc258a4bdf958ff3c33fa6ad8c14ff0ccca7685fb2e723ce45c61a0fc7d2b2f265d540a231f60c581b13f2831b4f5431b8067afbd6bfd3961837c93fbb836a

/data/data/com.cgne.vwyq.akeo/files/.imprint

MD5 a631f385192d866fa951d7395a2688f4
SHA1 d135f9b13222a279c9b890d4961038d6882bba8f
SHA256 9a8ec543ea754bc4e3581d695ad976ec988121d28def99389208d9a64baa12a9
SHA512 570cf02eb3e9effca424326ba9d5a06514ed23722e037256d65a3aedd6d27cb61148d7fdb31383ea5cac5e816fe796c5387a7318dc592b0434fab060e23d7ce3

/data/data/com.cgne.vwyq.akeo/files/umeng_it.cache

MD5 77f840a7d511333d2ee4344c32854402
SHA1 28f5e5456ef223bd1739761a722193885accef96
SHA256 586d599a9e75463c2ac6520643f77861e7ec46511ba5ee0d86682e844485a134
SHA512 59e23f2995c1479a4c4037504766b841681938a36a18f03bf4646bb1c466c4f43a9bc6066d6d08ed7c07f9811a2c06fc5ee9324660ac4b74b1d58202d03d6442

/data/data/com.cgne.vwyq.akeo/app_mjf/oat/dz.jar.cur.prof

MD5 2daf4573f0e30fcbd1fee245c6670084
SHA1 92ec048d216dee496e2cda981c78ed866fe0dd0b
SHA256 2081bbdb3f259e041253a6f07d785c91bbe456892e1f535aca4b0f6cb7580944
SHA512 c3b8967df92a35805c9b488265c6e4f9b3a19f8f5311b019cc6e13ec9fa5c28feafc856184673358caaf361e2c573c585df29ce3063472aec4f47215ea17aa47

/data/data/com.cgne.vwyq.akeo/files/.umeng/exchangeIdentity.json

MD5 199c3c7cdab833d0e3e36bd0f3b43b1b
SHA1 ce52811244f08d1db9baacc4c9e5e50a09103f4c
SHA256 9fd8fdf0859963700a90d3f3b06f092354eb1eccfc16f0ff788f4ea0a179ddeb
SHA512 610ccba580880b83c7c096d7a457c928d62ecfe49fe857fcbe3e47f35622ac8b491878b2121253ed38e382f1c591c2c75f90161343f2a5b5ac177f51991102eb

/data/data/com.cgne.vwyq.akeo/files/.imprint

MD5 31ae804298114dd0dc44f69633c7febe
SHA1 bbbf5356aa266c63d6e4f77349a08740a562cfb3
SHA256 3fa02ca33504ec308e5e089a0b245be8c9d3f5003b53887c6adc56227cba5d91
SHA512 d78d4d83823b5073b40ea75c8ba53e804be60a2a0ccc73d48f10a06a833789e321fe7db6472c011818688822ff7e86d8f4ef7dfe1b512264d7fce4f9f279ba72

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 14:09

Reported

2024-08-25 14:12

Platform

android-x64-20240624-en

Max time kernel

178s

Max time network

168s

Command Line

com.cgne.vwyq.akeo

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.cgne.vwyq.akeo

com.cgne.vwyq.akeo:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
CN 59.82.122.10:443 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 c.ioate.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.180.4:443 N/A tcp
GB 142.250.180.4:443 N/A tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp

Files

/data/data/com.cgne.vwyq.akeo/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.cgne.vwyq.akeo/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 045186accfcde4317f3b658405600ba4
SHA1 a9ff4e4f0ac644f6ca0b3a3e2ddcfcff4847cbe7
SHA256 63edefeae511b7422028f7df8fdcc0c3397a45f5af4d38f3c3a151f3ea0b8c35
SHA512 639feaeb64ca7ebf55a88d36e0c8d00dc27560d8be4b98cd735149419d500b1f4e0e06d15915506a82b7611aeb10d96c146cf8518df9a008d862eea57da5fc42

/data/data/com.cgne.vwyq.akeo/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 eca36072b3c7a4b11d87c4ee0c52d6fc
SHA1 542f10c974b6597106c1645dc034ee48f867cd12
SHA256 d1497b2635dd1649117d0ebccf66b49818179730023535d4abfca416286bee3e
SHA512 d12db7a8e6a8922c1b9002948c4f8663901176c8a1ae53f56ffcfcb2dbf42f3051aea5502934a82bc18086df478050eba2de1e75b00aa5a733c17463f3542725

/data/data/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 f2abd72903ca3b10bba12e23d041192d
SHA1 4b08416ce39cb5d0e4dc5f12cc3825efcea44b8f
SHA256 22d50224ed16dbcf1f9ea912a86aeb91af8092c0b02d037c2b0aa8f93da08b28
SHA512 707881aaea4b2d42d751a07d1bc56099805a4d270d335c56cdc6d530d4ce6107b80a373d77941211f30626315c38b6d194381df4ceb7bd2e87e212ad7f81e257

/data/data/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 b17f4a534c0c4267776c1fcd9a71247a
SHA1 10497fd07f6df4db0d83945cd11c3f5b65e1d475
SHA256 66a856e04e93779b3e9315a133a93f0a8f93dcb08473e454607550b684821fd7
SHA512 96132cfda922cdb47932fd8a84759c9e0082b110036db7fee823fb689bf695c1287d564cb0a7c3c4c14121299d864b8d00356e30b9b9df8c8c308ae13a541d56

/data/data/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 fec23fffaa239e7c1327169a8f8fecc2
SHA1 8408eeebd5c1dd6b12969e19f84b47138bcd840d
SHA256 845e7a37ba6522915abe69a47ff4a5737ec8347491ed1dbdae40abff5fdaf187
SHA512 1258d12c3438cb1aaf13f65a0d883f598a9cd610456659437a1f37b305e5d9080a54bb4836a1f8f56058002fb81d753ed80930d3e4d1fa16b6b6885b1f27fa12

/data/data/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 cd2e0c560fb8059c28b961e686a54ebd
SHA1 0faf3dda5d7207f7ccb10b5288741d174d72effa
SHA256 67332d85274f4a976f1840b03e2a6efeeeda8d093e3cc06b5efc9299ed5e6e97
SHA512 17ccb1336d0458995a80b9fff0bbac06135c8655d47cb36791d4460225a01f60d35ec4afb3a21704c20e449e75fb366e6f95d32f9e88ce2301d592dbec94f5cd

/data/data/com.cgne.vwyq.akeo/files/umeng_it.cache

MD5 8127471387b51241190cf638f11ae810
SHA1 0587437e20abdd732db40ba5637cd51c86222915
SHA256 06f8989713f7162d8e9111aafc48438a8c09e3475db395338859cb73d3879878
SHA512 7e1f5f5eba2a512dbb33efa6ad33d23c32dc0ad02950969962ebc6a34acdb4eed35f25493bf0776339e315f594caf9fe5758a7152cf803826d7b08c4ef3c1533

/data/data/com.cgne.vwyq.akeo/files/.umeng/exchangeIdentity.json

MD5 bcc6025149f61dd0cb9b00d9166d5946
SHA1 68baf5eb3935d40fc93d9b4c1ddd7ee9a106cfb0
SHA256 3f692f47a0f1ed62e0e90ff025aa9a48807b8a08f9b069820c81f877f38ba982
SHA512 7f8db33c3bf6cc622ab8288162e6eb34a1efb6c8bb1a46c462e51a4f82324e8f5a644e7f96299c59b37780dde2c45b5f1cff27885829c138448552d311e56294

/data/data/com.cgne.vwyq.akeo/files/.imprint

MD5 9bf25a4dd9fdf41d220aa37c788f08a1
SHA1 b23e27c5c5daf2cc0042af458fe0c82dad38657b
SHA256 3865c6a2ff6099669b39dc2bfb07bf20083388c359c6a472c04891fdabf3e059
SHA512 fb11cdf0c808e18a0e7caa32e1e4a39be02645a98f7d541b2ea3f141903069ea6ea4616d43b96d4e3a498e0e0958330287718c1ce3caab9be9c808f3a5369563

/data/data/com.cgne.vwyq.akeo/files/umeng_it.cache

MD5 e4d2f55d2cc5faadc3b8f0e1dbee650c
SHA1 b90af9dd34c8c6eace61066175cbbeb832fe13e0
SHA256 064cb442834d0244f0af5a5ed96119279983cd7bf9edaf4994b25d9c92b2beff
SHA512 692f43f9d47d3ab5bedc50e2603fd639153077984e53a83c6a455016198930fd33bb357ae0c0e00d74cca606ddda7cca82180f31d7adb98ee9696789a1b2b2bb

/data/data/com.cgne.vwyq.akeo/app_mjf/oat/dz.jar.cur.prof

MD5 f012949cf75d5de805923f62db10d535
SHA1 65c920541c8bce9001e063adc34447faf43e6032
SHA256 37eae2a866b3a417c69c158638d19df32e3bd1f914274c113aa6be4fa56998b6
SHA512 5b7a0cb84f7939e1240982f15136189c37dae1d6645f4c968591e5ce082ea7462ad28cceadbc1c3d28b6315aa354cd343ded4345a6dc515dbf67dfcf993bf637

/data/data/com.cgne.vwyq.akeo/files/.umeng/exchangeIdentity.json

MD5 7f0d4fc538c9dc9529dfa3891c7673d9
SHA1 2a094621d5e0d2e44a81faf889b8ead46c80be51
SHA256 76f6f6a0e5ac3e2d4b01f20668683066242234afa9498949ef66a9d4c240f3e8
SHA512 ddd2568ed7818d43cab3cc4f54fe5a4ef95f2c8e32ca8982159f713e9397c0fe14bea83e2a4d50c29c648a21e5fd6e8df6bc2e443bb034ef961478129a4cc226

/data/data/com.cgne.vwyq.akeo/files/.imprint

MD5 43f0862abe65c4e1f40da2544cf60994
SHA1 68a11c38aa324ea445f87105a9393ed26167ab19
SHA256 19a93e4a684694bd73fbe22ea42912860ef3798e2568b825bed10bc7f1d461a1
SHA512 4742e5e6fb6b4deeb33753dade8b27df3ec1aa2d88c1d7d3d205910361dfc94bb255692851911b0275f6864ff2ebcc03c618ee98ade3e71f6d8c333dcc467a0f

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-25 14:09

Reported

2024-08-25 14:12

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

151s

Command Line

com.cgne.vwyq.akeo

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.cgne.vwyq.akeo

com.cgne.vwyq.akeo:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.206:443 N/A tcp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.10:80 ip.taobao.com tcp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
CN 59.82.122.10:443 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 18.208.156.248:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
SG 47.246.109.109:80 alog.umeng.com tcp
GB 142.250.187.228:443 N/A tcp
GB 142.250.187.228:443 N/A tcp
SG 47.246.109.109:80 alog.umeng.com tcp

Files

/data/user/0/com.cgne.vwyq.akeo/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.cgne.vwyq.akeo/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.cgne.vwyq.akeo/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 7b4d98088253943b8d08c5a1a5db7389
SHA1 9138bdfbcb1bf7394c73c84962bb265448d8e774
SHA256 0a29e8172f9e11d76954b8959aa223de83c83cf9cb26cb323baaac8cc8f34b9c
SHA512 1ebec79dec53a7f228d73e3a2873a496f7c9ec44e9146395c5900f817161a64dfa2ff61660056ce0833f26b83e8f00ad1a3cb6908d31016527a87f500010d71e

/data/user/0/com.cgne.vwyq.akeo/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 ef9fac93ede58068471ff78f60de1308
SHA1 246936c974db6b035fab2f6b4495b83f457da73c
SHA256 bedc800b63e5b8facdb3400440940561fb3cd092e7b6b6e8d8bd96d862486048
SHA512 f813c18a257bbfeb139d7766dc47c238ddf54b31535d35fd699cb00919d78069723049d8b7581c3c2b1eb0eda0df75163cd6b82f659914b270f5bb3c67a98abb

/data/user/0/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 ef3ec51178f8879ab8e4470f650fa474
SHA1 e214dad8ade6889eb473daebf6bd5c557a8214ba
SHA256 5fc77e295b4dd8fde93ef96dccdc843c3885a528937e416669011c68beaba091
SHA512 c2fe84d0ef75e19a2f46e08e252b4ab99e370141ed7dcbc746e665e22d29f756cfd03546b2c8d892c9247f4fd91e2fea04cf2971befb8fcfc808003a5504d9b3

/data/user/0/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 aded77d2451ec3f260162d6827609e66
SHA1 3e0a94247cd481222ac84d8d65954e9c01400a2e
SHA256 a3d08b82f1a1ac1462f58a02cb1828d93233b2c1d1e6247dd6217a119959da35
SHA512 e978abb9982940503e63868cfcbaf9f1c4e0c2763ef2c300c62fa977dfd4c20adbf80994ec557d22e2810d64353261cb61289d24789bb6163e9660bb48d4b106

/data/user/0/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 736a84bae31d6c95e544153e573931dd
SHA1 3e157d41cacae5de1c15f84b9ed00c0a62cc3c49
SHA256 b77191476fcd35369296aacb281e2bff42c0ffb10dac60fb3215984d734f09e0
SHA512 c4bb539ae4777dd19e97f66dde440f678601b3b5742c88d765490a9d0d2e78e29fb802c5a1aaafca0623913b80a7bd1cda3a7ed79b4593da1c170f9c2dbf2018

/data/user/0/com.cgne.vwyq.akeo/databases/lezzd-journal

MD5 27b3ffa6ea39f74cf69e539f245422c9
SHA1 fd583210ec0cd571a496e3048ddc91b39f896a52
SHA256 bc498e0c0fd4f547faf60f2704d92f8371ac36e40433a661bae84e26d517f21d
SHA512 47984c69586342c87c549333b50e55fc4e4b5c9407741a15bcf5dc1ba9a005f8bf7857f5dd4b98e60df6afae9073d306b56947b1b8f5d35fc9b7623da2148af9

/data/user/0/com.cgne.vwyq.akeo/files/umeng_it.cache

MD5 579bad030da59eb78a72d0f8a4c1a4a2
SHA1 70bba5e08526ad49c7229bcb8ae3bbdcd6796eae
SHA256 444416158db0526a61c37b685bcff1a6fca1f75bdbfa61bc41abd3c0d70d9b45
SHA512 9319617821104868cc9580a02705183adedabc644246ec7a0aa44ceb8b7f65bf96d9c46a50727bdbebc6bfa39a4936e903e750b5c8e407927615fc47f31919fe

/data/user/0/com.cgne.vwyq.akeo/files/.umeng/exchangeIdentity.json

MD5 62719361ddded5840cb9346efa04071c
SHA1 af809b1482862d35f488d4f4865e0df89319a281
SHA256 0e5bd1280967f598a769f05b9514dcdeaf3cd6e810205e0af3fa635f36d0021a
SHA512 43917e29a5ccdc5308f0a6924af429b14d20a9bcf19d8c5b70e26de2f3392aa74fc475cf8ebe8bd6ae0936983387971e42450b89c80bc5ad1c210bdabe14d58d

/data/user/0/com.cgne.vwyq.akeo/files/.imprint

MD5 f0b813f9613d75eeaa69d35a46f3a007
SHA1 cad5ff3d069dbf9c0cd3a259cb1e310df5ae81e2
SHA256 b412f6d76692d2c9a35d70aeefddf2ba7bcc685fe045115be9ca7f52ffbcfc77
SHA512 e7c34f31a58de4cf03a1e1ce6b29011da27887488e5090f5b83d09715aafdff82b8509b970a75e35eab339bdc6ae2f401f46b062156645099ad1818024826ebe

/data/user/0/com.cgne.vwyq.akeo/files/umeng_it.cache

MD5 7eacbfdec9fc8a995017a28ebd701213
SHA1 d581fb1b944cfe3e486030fcc139725cb04a9be6
SHA256 fe2d833123f3727cc30c269f6c2da31136edfd0c9e89dda7de3cd668444ef8c7
SHA512 f3abdee009efa7d1b2956112624d551e7211ef60e36d7b2a3f56373f3f57ea3b403e759155017bfb88617f5f889c6a5dafa326cf75112a6a3ed3577eb1ad80b4

/data/user/0/com.cgne.vwyq.akeo/files/.umeng/exchangeIdentity.json

MD5 f86330e2eecfbb07c3be507e94e2d6c5
SHA1 4807f9757e8b819c5f693aa481ef6edbfee4bcc5
SHA256 44694576978ae32f7df854d77d885478665734a1a2a0d2401bd2769b4860c261
SHA512 b1db9dd4f8411b4f591185da31a0baf8d9dd1a92b736c5c500d80cdfa08d4542d97920dcaa5a14ddf469b116325ebef765aea515b67891a1acc82c4db02b6a05

/data/user/0/com.cgne.vwyq.akeo/files/.imprint

MD5 56954cf9044848ec99902f07c31e19ec
SHA1 0fcef9c5d8e7256414c5399244436f1e3dced7db
SHA256 939f08bd024fecb7915f4f6cfd7183c0e0ae8d91f39b41290b389fde890bd9f8
SHA512 febeb29b07fb58a4a3ea606a2d82c8549296a549313dd24886c52476725d58b1f1a7d751e8fe3c6daa9f98ccb7f187e1548098eeaf544b5202c24aa9d49eba57