Malware Analysis Report

2025-08-10 16:45

Sample ID 241014-s8zlyaseqa
Target 42f114508beb3f136d349bc2e9f9988d_JaffaCakes118
SHA256 ab0ef2e67199a36c298c87ebf4802aab32fc56ace0e0c89b45dadb02539be0f6
Tags
banker discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

ab0ef2e67199a36c298c87ebf4802aab32fc56ace0e0c89b45dadb02539be0f6

Threat Level: Shows suspicious behavior

The file 42f114508beb3f136d349bc2e9f9988d_JaffaCakes118 shows suspicious behavior (score 7/10).

Malicious Activity Summary

banker discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (the matched domain, alog.umeng.com, is the log endpoint of the Umeng analytics SDK, which the umeng_it.cache and .umeng/exchangeIdentity.json files in the behavioral runs confirm is bundled; that SDK is common in stalkerware and in ordinary apps alike, so on its own this is a weak indicator)

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 15:48

Signatures

Requests dangerous framework permissions

Permission: Description (Process and Target are N/A for every row because these come from the manifest, not from a running process)

android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.

SEND_SMS, READ_SMS and RECEIVE_SMS together with SYSTEM_ALERT_WINDOW is the permission set an overlay banker needs: draw a fake login form over a target app, then read the SMS one-time code that follows. The summary's banker tag is attached to the installed-app enumeration seen in the behavioral runs; note that none of the three detonations shows an overlay actually being drawn or an SMS being read, so the static permission set is capability, not observed behaviour.
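The permission table above is what the static signature is built from. The following is an added example, not part of the sandbox's output, that parses rows in the report's flattened "Description Indicator Process Target" form and maps the permissions onto capability buckets; the bucket names and the overlay-plus-SMS-read pairing rule are the editor's own assumptions, not something the sandbox defines. The sample rows are the ten rows from this report, embedded as constructed input.

```python
import re

# Constructed input: the ten permission rows from the static1 signature table,
# pasted in the report's own flattened "Description Indicator Process Target" form.
PERMISSION_ROWS = """\
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
"""

# A row is "<description> <permission> <process> <target>". The description may
# contain spaces and commas, so anchor on the android.permission.* token instead
# of on column positions.
ROW = re.compile(
    r"^(?P<desc>.*?)\s+(?P<perm>android\.permission\.[A-Z_]+)\s+\S+\s+\S+$"
)


def parse_permissions(text):
    """Return {permission: description} for every parsable row."""
    perms = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            perms[m.group("perm")] = m.group("desc")
    return perms


# Capability buckets. Assumption: this grouping is the editor's, not the sandbox's.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_read": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "account_enum": {"android.permission.GET_ACCOUNTS"},
    "device_ids": {"android.permission.READ_PHONE_STATE"},
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}


def assess(perms):
    """Map granted permissions to capabilities and flag the overlay + SMS-read pairing."""
    granted = set(perms)
    caps = {name for name, needed in CAPABILITIES.items() if needed & granted}
    # Overlay lets the app draw a fake login form over another app; SMS read lets
    # it harvest the one-time code sent afterwards. Either alone is common in
    # benign apps, which is why the rule requires both.
    banker_profile = {"overlay", "sms_read"} <= caps
    return {"capabilities": sorted(caps), "banker_profile": banker_profile}


if __name__ == "__main__":
    found = parse_permissions(PERMISSION_ROWS)
    print(assess(found))
```

On this report the rule fires because SYSTEM_ALERT_WINDOW and READ_SMS/RECEIVE_SMS are both requested; a clipboard manager or a launcher would typically hit "overlay" only.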

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 15:48

Reported

2024-10-14 15:51

Platform

android-x86-arm-20240910-en

Max time kernel

42s

Max time network

150s

Command Line

CTuLuK.bSYl.LJsxf

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar N/A N/A
N/A /data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

CTuLuK.bSYl.LJsxf

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oat/x86/oTpiBCh.odex --compiler-filter=quicken --class-loader-context=&

This child process is ART's ahead-of-time compiler, started from the app's own process to compile the dropped oTpiBCh.jar out of the app's private files directory into an .odex under .ca/oat/x86/. ART runs it when the app opens that jar through a class loader, so it is the process-level evidence behind the "Loads dropped Dex/Jar" signature. The --class-loader-context value is cut off in the report as captured.

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 h5.tt-hongkong.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.196:443 tcp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
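One thing worth pulling out of this table, and out of the behavioral2 and behavioral3 tables below, is that h5.tt-hongkong.com is resolved through 1.1.1.1 in every run but no TCP or UDP session to it ever follows, while alog.umeng.com is resolved and then contacted over plain HTTP. The rows with an empty Domain column are connections the sandbox could not tie to a DNS answer. The following is an added example, not part of the sandbox's output, that parses rows in the report's "Country Destination Domain Proto" layout and separates domains that were only looked up from domains that were actually contacted; the sample rows are copied from this table as constructed input, and the mDNS filter on port 5353 is the editor's assumption.

```python
import re
from collections import defaultdict

# Constructed sample: rows from the behavioral1 Network table above. The Domain
# column is blank on some rows, exactly as in the report.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 h5.tt-hongkong.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
"""

# "<cc> <ip>:<port> [<domain>] <proto>"; the domain is optional, so the regex
# has to backtrack over it when the row has only four fields.
ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[^\s:]+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse the table into dicts; raise on a row that does not fit the layout."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def triage(rows):
    """Split the table into DNS lookups, named connections and unnamed connections."""
    resolved = set()
    contacted = defaultdict(set)
    unnamed = set()
    for r in rows:
        dst = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:
                resolved.add(r["domain"])
        elif r["port"] == 5353:
            continue  # mDNS from the emulator itself, not the sample (assumption)
        elif r["domain"]:
            contacted[r["domain"]].add(dst)
        else:
            unnamed.add(dst)
    # Looked up but never connected: the sandbox saw the query and nothing after
    # it. These are the names to pivot on by hand rather than the ones that
    # clearly belong to an SDK or to Google services.
    dns_only = sorted(d for d in resolved if d not in contacted)
    return {
        "dns_only": dns_only,
        "contacted": {d: sorted(v) for d, v in contacted.items()},
        "unnamed": sorted(unnamed),
    }


if __name__ == "__main__":
    print(triage(parse_rows(NETWORK_ROWS)))
```

Run against the full tables in this report, the same function puts h5.tt-hongkong.com in dns_only for all three detonations and leaves alog.umeng.com and the Google endpoints in contacted.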

Files

/data/data/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 da400e664ffe188af1a8b4b816b13e05
SHA1 8ea021f6b29ec591e2e405760430b9177b8d8ce9
SHA256 bebb732971c524415c51c9c26505faae9ffafc78d861b13e63eeb762aa5d8f3d
SHA512 19f79d0eadd410fa1e055cfd20c94992f59c2d69bd1e46539d197d315fd40c81e811a2a99a8fcc31c7f2024d56f0b172666774085b80f7f01a13199c332f647f

/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 d44aeaef68de95cdf62ea164966321d3
SHA1 84baf39cb6ea7143d17aa70fb2efb2139761ce5f
SHA256 3ca53073d7e0800ba56edd33417dc8da9148975e91a3264338f64c6bd480eca4
SHA512 ba04f28a1128819c34eebc236497cf2a11ce031b3be486dff2f0d0f2987ca9fe545d142a9a9bd272657bacb4f125ac85ea29f8dee79a455cd1b175b8b3a43f48

/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 c2c5f9faec87dacea44e31cccbbee18c
SHA1 a21fb4bf1f36fc57c89fa354f89c8786492fec78
SHA256 fa62adbb2c98ee99dcb828e5632586fbb12ffad84cf53379d4e642595b806a14
SHA512 b3ad8033c93ebc816025b340592c64d47467a5f8a543247f53eb6e99763d0d715dfa4bac6366ca6d5f35d777b6e4756aef93e63ffd366e4c7ab50bee7ee32d30

/storage/emulated/0/Download/channel_conf

MD5 51050c73c53b9b04bc45602359b3d0fd
SHA1 8b603388a6737a1185e1ddcdb7cfe6f2e7af137f
SHA256 695981c90535f94b0ca66f01cf77279600a905f12ca0ff335852ec1abf169aa7
SHA512 ee34e692bca6cda75a753d0db287e7b9a1fc256b880c4d199f2dbfb2e442d233e760b6a4b0182a6bdaf5a913fd8941051b5e0b8c29fcec1904eceba98e4528d8

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 029e1fc8e2473068666dab6942db3a86
SHA1 d61be87d83a230534406012c416f118df541c8b7
SHA256 86de87910f180cd6252b0f74a21b8fa2eb15bc4d73c2d412c100f4138d401d6e
SHA512 544747c24d795ce2cd0147e5db9841cbd50922d8b5bdab76f8e037586c7ac3654412460a0a984931e20983321c2828aed93869fc67a6a88282791faf73412e4f

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-wal

MD5 139ad3fd269f2919ce5da5970466a33c
SHA1 03c458461ec9bb127a454062d23bd1c81312684c
SHA256 333a93444dcc8516048866980a6971b55a0fb0ba64eb78c051554445ca013baf
SHA512 2c305237885a7b104f8e56d7614ebe5bdfb47974484c0ca73bf4d88bdf94b5e0755c1b67b45cbf2c95611246b8db2960973699beb575da122c77414edda4ddc0

/data/data/CTuLuK.bSYl.LJsxf/files/umeng_it.cache

MD5 14b647d2219db6b4cdabc94a3675fc6c
SHA1 35842198cc4178b6233f5f0fd54a7943ebccf756
SHA256 de216a4b05690702a82f2eed5d49da5b634f00b95a33e3ddd74a766b64fdba3c
SHA512 3d4b67ced8c958d344845871e600f97c51d88810374d4d2862058110224c58bddfb27b61150b915ff2f8857551df7f397dcfdc521b48b419f4a0c58367a04949

/data/data/CTuLuK.bSYl.LJsxf/files/.umeng/exchangeIdentity.json

MD5 1fa1efa4da241883f0a7b562253dede4
SHA1 b28043bcc598480bd8b13cee2129b7e2724ea2e2
SHA256 04c7ebeb747b59586bab73ec4728189a68e2bfeac53d20c6d960fb719ac30813
SHA512 aa294e1cf15e6cb484fa8082391513042c248b4bd83c8ec6222e41d0c57d0c37bdc3a4eca9f3b887ee0680e584c849e647fb97c3f88ea477b641644e530aba2c

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-wal

MD5 0667e90f01d11cc37306190d813adf18
SHA1 85d835eba450ec945ebab142a4f24571598dc800
SHA256 2f279b535edb999f29fc0b50c21a115c7eea5f75b6ca95a64e4d6e501b8112b4
SHA512 6dede0b474092f6463eb4397cfab3e62d07c79386c0bc20c121b818e8a5cb493b149785a5c5f93734ad741b92ad075ee83c9f5c7b338b4b6d72803a14276cc7b

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4
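Two details in this file list deserve a second look. First, /data/data/<pkg> and /data/user/0/<pkg> are the same directory on Android (the former is a symlink to the latter), so the three oTpiBCh.jar entries are one file that was written three times with different content: the first two hashes (bebb7329… and 3ca53073…) recur unchanged in behavioral2 and behavioral3, so those two writes are deterministic, while the third (fa62adbb…) appears only in this run. Second, that same path is the --dex-file argument of the dex2oat command line in the Processes section, which is what ties the file writes to code execution. The following is an added example, not part of the sandbox's output, that extracts the dex2oat input paths, folds the two spellings of the app-private directory together, and reports the hash history of every dropped file that ART was asked to compile. The inputs are a shortened copy of this report's command line and file list, embedded as constructed data; the list of trusted code locations is the editor's assumption.

```python
import re
import shlex
from collections import OrderedDict

# Constructed: the dex2oat command line from the Processes section, shortened to
# the arguments that matter. The trailing "--class-loader-context=&" is cut off
# in the report and is kept exactly as captured.
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oat/x86/oTpiBCh.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed: a subset of the behavioral1 Files entries in the report's layout
# (path line, blank line, one hash per line).
FILES_TEXT = """\
/data/data/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 da400e664ffe188af1a8b4b816b13e05
SHA256 bebb732971c524415c51c9c26505faae9ffafc78d861b13e63eeb762aa5d8f3d

/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 d44aeaef68de95cdf62ea164966321d3
SHA256 3ca53073d7e0800ba56edd33417dc8da9148975e91a3264338f64c6bd480eca4

/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

SHA256 fa62adbb2c98ee99dcb828e5632586fbb12ffad84cf53379d4e642595b806a14

/storage/emulated/0/Download/channel_conf

SHA256 695981c90535f94b0ca66f01cf77279600a905f12ca0ff335852ec1abf169aa7
"""

# Locations where code legitimately lives; anything else handed to dex2oat was
# written by the app at runtime. Assumption: this list is the editor's.
TRUSTED_CODE_PREFIXES = ("/system/", "/data/app/", "/apex/")


def normalize(path):
    """Fold /data/data/<pkg> onto /data/user/0/<pkg>; they are the same directory."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def dex_files_from_cmdline(cmd):
    """Return the --dex-file paths dex2oat was asked to compile."""
    return [
        normalize(arg.split("=", 1)[1])
        for arg in shlex.split(cmd)
        if arg.startswith("--dex-file=")
    ]


def file_history(text):
    """Map normalized path -> distinct SHA256 values, in the order the report lists them."""
    history = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = normalize(line)
            history.setdefault(current, [])
        elif line.startswith("SHA256 ") and current is not None:
            digest = line.split()[1]
            if digest not in history[current]:
                history[current].append(digest)
    return history


def dropped_code(cmd, files_text):
    """Dex2oat inputs outside trusted code locations, with every hash seen for each."""
    history = file_history(files_text)
    result = OrderedDict()
    for path in dex_files_from_cmdline(cmd):
        if path.startswith(TRUSTED_CODE_PREFIXES):
            continue
        result[path] = history.get(path, [])
    return result


if __name__ == "__main__":
    for path, digests in dropped_code(DEX2OAT_CMD, FILES_TEXT).items():
        print(path, len(digests), "distinct versions:", *digests, sep="\n  ")
```

A file that is compiled by ART and has several hashes at one path is the thing to carve out of the sandbox first: the last write is usually the decoded payload and the earlier ones the staged or encrypted forms.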

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 15:48

Reported

2024-10-14 15:51

Platform

android-x64-20240624-en

Max time kernel

26s

Max time network

142s

Command Line

CTuLuK.bSYl.LJsxf

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

CTuLuK.bSYl.LJsxf

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 h5.tt-hongkong.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.213.14:443 tcp
GB 142.250.178.2:443 tcp
GB 142.250.187.228:443 tcp
GB 172.217.16.227:443 tcp
BE 142.251.173.188:5228 tcp
US 216.239.38.223:443 tcp
US 216.239.38.223:443 tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.133.84:443 accounts.google.com tcp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
BE 66.102.1.95:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.68:443 www.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 growth-pa.googleapis.com udp
GB 142.250.187.234:443 growth-pa.googleapis.com tcp
US 1.1.1.1:53 lh3-dz.googleusercontent.com udp
GB 142.250.187.225:443 lh3-dz.googleusercontent.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.4:443 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp

Files

/data/data/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 da400e664ffe188af1a8b4b816b13e05
SHA1 8ea021f6b29ec591e2e405760430b9177b8d8ce9
SHA256 bebb732971c524415c51c9c26505faae9ffafc78d861b13e63eeb762aa5d8f3d
SHA512 19f79d0eadd410fa1e055cfd20c94992f59c2d69bd1e46539d197d315fd40c81e811a2a99a8fcc31c7f2024d56f0b172666774085b80f7f01a13199c332f647f

/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 d44aeaef68de95cdf62ea164966321d3
SHA1 84baf39cb6ea7143d17aa70fb2efb2139761ce5f
SHA256 3ca53073d7e0800ba56edd33417dc8da9148975e91a3264338f64c6bd480eca4
SHA512 ba04f28a1128819c34eebc236497cf2a11ce031b3be486dff2f0d0f2987ca9fe545d142a9a9bd272657bacb4f125ac85ea29f8dee79a455cd1b175b8b3a43f48

/storage/emulated/0/Download/channel_conf

MD5 51050c73c53b9b04bc45602359b3d0fd
SHA1 8b603388a6737a1185e1ddcdb7cfe6f2e7af137f
SHA256 695981c90535f94b0ca66f01cf77279600a905f12ca0ff335852ec1abf169aa7
SHA512 ee34e692bca6cda75a753d0db287e7b9a1fc256b880c4d199f2dbfb2e442d233e760b6a4b0182a6bdaf5a913fd8941051b5e0b8c29fcec1904eceba98e4528d8

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 3742110b5530d747fbd6bfc5cfb3a0bc
SHA1 36a9bc79f64911daf070bad66603b9372bb51471
SHA256 181f42e376f3e4fa5014b5f75754db266ede621031f6752330eb8622cd2e1ee5
SHA512 05ded2e252f9a912b9ef19b6b5b9f548300545b0bb8c2530f2988e8a5698c124a727f148150efaf3c6aa73fcb537fc0dc0a1b52305759950cd605d8163c73887

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db

MD5 0908e924aa236931dc7166fef6e00862
SHA1 7782648d6d8f6e835bd47058d4852932c096a467
SHA256 38f8548795ca7470b449dd1de9598c07a247ba59883c0764c9c96ff0b7d31d7f
SHA512 3c16fbc5172aed04cd206e776c46d26e911732c6e3631536410a71f1d217449475727ac9b3175e827c5ce645a1da9e05900258ee6ca27c936a9060f241361dee

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 6e582579a350063a8be50a1bafa321d6
SHA1 a3a3d11c1187f9edc495a523cab16fbda4604a2b
SHA256 6a536dd0095024b4752e1fc893d642e94868f0fb0f4707a56c4e51682de70215
SHA512 47bd35e2f5d0c48d69ad310db3352adfe27e475d3662bd9fe3260650445dacb140f15d6577a7d141f2cbf51ea3bc120907609a6d2d4652ad9f743ad8832bc52c

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 5ca1f50b248f7fef73fbb0341d6a1c96
SHA1 0297246f9c4f78f2216c40a52bc629d27143122c
SHA256 c26e6715b1d7d52e08bf0bbb50d516c85dc237da8e57a9f106f99a933194d12a
SHA512 b6a6e781accc2b544ee38659c251ad7a7de3f7b3d1bdef1e83036801279af55740e97cb9759782c7669f4ae8290e10923b6b74ade0ac53c4c5efe7375a8eb23c

/data/data/CTuLuK.bSYl.LJsxf/files/umeng_it.cache

MD5 ae84c42850cf5e98b25dcb99f3539c19
SHA1 5fd0e5b0b56f75ec6c18e776b864de4795b5c29a
SHA256 61fafaf71d164e4a85e5e6cf11268a0ae5d6005a48e16726f2d456a5b7d83013
SHA512 1628982f67c0c788aa45f8a13d7fd2a1c823b0e44264dae9b2bb2f90a6acdab9a47ac36e209649b9126a901cc0ae49601dd0194623a10361fc2568ad15a5ec50

/data/data/CTuLuK.bSYl.LJsxf/files/.umeng/exchangeIdentity.json

MD5 1c65243d8cedcd12f664abc1e1eb09b0
SHA1 35d9c5007bd275063897d3045d8f731771b977c7
SHA256 28aa3de9b2e321281e0c5fb71e0617e333aca19b60993d098ce9f99eeee43b38
SHA512 73d93bf8135027574d5823a612f66d441f19f515913c29857c88af999efe4829766f0d5c578e3b8be69020357c0a5492dfe70798e54788d3d5197443fde12087

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 e43a3d1472ae785a7e9385c7922cc5de
SHA1 e6782d1dd79ed60a203e5bca68ee3a1e26b2b152
SHA256 e96a1a9633dd71a8005fb3860a19087f6d5f9da4a3d285192a1bdb2ebdd075f9
SHA512 c380cdc71ff7f9c225d942b815eab1f0ace94225c7b42daa7913636075ac03811ce8cfc197737cc663dfa011fcb7f77365d24ba57af0ac1ab32d260d6d18388a

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db

MD5 67c12933d1e0e63d9801a6aa43092ce7
SHA1 b6936908554e4a1986b8eb08289e2d3545e8ff74
SHA256 abda5dd4cc2e7dbb951637c4b49d6990f9f34411fab4dee1a387dbcc8e7eed40
SHA512 db8b818daa3ff4ec7678645f84bf8b45c809bcbb758ea78b28982d071572655bba2d20e6f1ca4f0d057ab34fa655c5bc40457dc65050180351a2fc04a47175dd

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 e77737c1e426532ac8c716cb736966e8
SHA1 8c634b1d0620dccc50cf4f47fa75f9b5c1211337
SHA256 2d60104415d7644eaca4e3210713750ac8cb614c72a67daad2e77ad504473a21
SHA512 173599e4faedca8365d6980940bff1e88f019b8494f7bd8f445b3ad4f6d3c5ddd1b8d37aa567a1aaee1634f5eaab9693a78d684aa107bbdaeddcdc11a34ce813

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 35c8a93a171cd99783b6c0835a2c547c
SHA1 43338ef61f4aefb3745d4691877147bf4fc9f818
SHA256 c43ef66e326b8c5dc06aed48d2fbf1813c6f605c683a574a74f8b636cb65da69
SHA512 09c7bb7732ed3a53223d8e5589043522dbcf4ece36558194ac90a441a6c3630575bf44fc2a04cf4818fa8372212a3aa0162fe31b640962ec790fd8e7d0d12712

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-14 15:48

Reported

2024-10-14 15:51

Platform

android-x64-arm64-20240910-en

Max time kernel

142s

Max time network

151s

Command Line

CTuLuK.bSYl.LJsxf

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

CTuLuK.bSYl.LJsxf

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 1.1.1.1:53 h5.tt-hongkong.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 216.239.36.223:443 tcp
US 1.1.1.1:53 alog.umeng.co udp
GB 216.58.212.194:443 tcp
GB 142.250.179.230:443 tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.193:443 tcp
GB 216.58.201.97:443 tcp
US 216.239.34.223:443 tcp
US 216.239.34.223:443 tcp

Files

/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 da400e664ffe188af1a8b4b816b13e05
SHA1 8ea021f6b29ec591e2e405760430b9177b8d8ce9
SHA256 bebb732971c524415c51c9c26505faae9ffafc78d861b13e63eeb762aa5d8f3d
SHA512 19f79d0eadd410fa1e055cfd20c94992f59c2d69bd1e46539d197d315fd40c81e811a2a99a8fcc31c7f2024d56f0b172666774085b80f7f01a13199c332f647f

/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar

MD5 d44aeaef68de95cdf62ea164966321d3
SHA1 84baf39cb6ea7143d17aa70fb2efb2139761ce5f
SHA256 3ca53073d7e0800ba56edd33417dc8da9148975e91a3264338f64c6bd480eca4
SHA512 ba04f28a1128819c34eebc236497cf2a11ce031b3be486dff2f0d0f2987ca9fe545d142a9a9bd272657bacb4f125ac85ea29f8dee79a455cd1b175b8b3a43f48

/storage/emulated/0/Download/channel_conf

MD5 51050c73c53b9b04bc45602359b3d0fd
SHA1 8b603388a6737a1185e1ddcdb7cfe6f2e7af137f
SHA256 695981c90535f94b0ca66f01cf77279600a905f12ca0ff335852ec1abf169aa7
SHA512 ee34e692bca6cda75a753d0db287e7b9a1fc256b880c4d199f2dbfb2e442d233e760b6a4b0182a6bdaf5a913fd8941051b5e0b8c29fcec1904eceba98e4528d8

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 03b204a5a1dff0fe44fa5f642a46b5bb
SHA1 a4de65b5dd4131012c94618962d7d50997bbc282
SHA256 74ea74b4d457ec6d3e6d1ce4976786f08a72ce6daaa3b03f8ca0ea133b02dc6d
SHA512 5f68169af410df8328d48c5959392f0e309da717ef41c2de1e01541854b35db921cabe085fdc496d8295b037fd862f88277b69e94b2ceedf71a6423203d57586

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db

MD5 4cfe777c9f6e7859f5efe2197401d8e5
SHA1 bb3774e8879ad5f6db0c37f151c3d6bc7b4b207a
SHA256 c422190539b6414072fc3950da19a17985c0c4c2172740b2f74682b520af5231
SHA512 6be469864edaf8eaa110f618f8abd27962da92e20945dcd38073ade2b60b10f00552d54d5db9d9f75ca133213031030e71e2e30113ff033e5ef507a28fe0b1de

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 ff24f64727861a635b890ff828e80489
SHA1 cce728e8d1ed020c130c6bec6ead0bb20f6ca5d0
SHA256 6cfe67275ce5b4be6d05bbf417eb68f4706f490dbaf70199c28f2cc0dd645052
SHA512 a4876d480a768f57efc3d73c79735be73c272e97eaa774bed4a7bfd894b58abd872409977fefde83682d5e87769693da7cb5eeec58193e7cd1d93b222ca3b66c

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 22dc821cb690f95e23b81317618ee5d8
SHA1 02f117834bac0fa91a6b4ada75a03fbedecc20cd
SHA256 69dc15ebd96c8ab6c95f71cdcbc0e9e55a8ce5b6b8360416963617802f2e16d9
SHA512 6838747aa467825ec2da9fb934f047aa3af411ec9e6710915b6b754fed3ae3000119aa5ce382c103e9ffd6a036e8d60f827b72c5fa480f81855136ff25ac5373

/data/user/0/CTuLuK.bSYl.LJsxf/files/umeng_it.cache

MD5 6415d10f7089766f0c803ecd4a53ef30
SHA1 063602cea0d1706be783bf9d128e235dd7d96b91
SHA256 6f76a3ac5c52db102c834459230dcf33d0ba1be5cf874cabf7b25722cc381f62
SHA512 1afa1018aa22a47bbd95ba4ae8a4e0b500d451c4248bfc3bb4667c96c624f4bd32594ed4e523656ff81517448274162d1fcd3cdb986360bcdfadff18dd2cc7d2

/data/user/0/CTuLuK.bSYl.LJsxf/files/.umeng/exchangeIdentity.json

MD5 481b24168d951a75ccefb74b7f217e02
SHA1 7649babc9a4f1a31fdab2b58898512e249cf772c
SHA256 4d1df4bb7b75f97add618dcdc2e8d7aba38208699655d144c51f3e77b160ccf8
SHA512 332e16e7ba9362e7f6f32dc5b06b9fe1b47dc1a3bf4e8b0b6d661e94c2c51021f63a5bdb3ffc182cd63047ff00e0cf62ca3222d031f5e5ce8a093bc42068acef

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 a843338db49f8441d640fbdb4efb0a02
SHA1 ad13ba5c849e275bda08a3315c286818cc92262d
SHA256 c784d80faa36fda31b62f4d4178f6d85b9caab503133c4670903effb47b66e59
SHA512 c825ad03d3f40294179c5bafc27154853537451e603e2b81e756ade9f43fd2db3b9763ac7e8b86beb9933860ec381bba3709390cb9173a1fac642e8530e557c8

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db

MD5 86752a4be6564d8370f2f0e403995003
SHA1 29f7d50675f6e59f3b808eb6dcc8619384412115
SHA256 50484dcdc6b9c2801773018386a8143a52a5153eb2eeeaf5be8bbe46a49ca90c
SHA512 79c9435c1e0d41a3f97784be3e5a3cd8c0bd2d32ecdf326808bacb00c76d876d0447617d6e72ef04cd4b996c92eda4eb7bb200987ae7928ce2e0e7c8e807a5ec

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 84d215b29f6df424bc233cec7d38f1c5
SHA1 f2f3cc72552534a26583ed2be2b437cb115e8665
SHA256 89c50c27f93ead7c21daf27ee1d36dc200100d33efac079d0bc1d44d27e38ce2
SHA512 4679279f1e376d8e97d4a4db985af7bf8a6f20b75c9f051360c1dc5cdda0dc3707a1d21f72a5bd64d6052af3c8bdfb6838aa687367e3e22791ad971b0f50ed37

/data/data/CTuLuK.bSYl.LJsxf/databases/cc/cc.db-journal

MD5 bab0471622bdba3086f659a6474980f6
SHA1 6f3e9f2a20f15a63faa7cc4693f4632b6656b02d
SHA256 e69904a56b7fe9c7041ab8c2bd4673b8b308aa69527ad2cc8e2af20c2d5d1b4f
SHA512 ad6dc0f1f8b0c441460fa9a410339630fd895100ab17b61179108ce008fc7114b7f8f390e3fddbdcff5dd3e4526594922d1f701b5e9cb4b26a4366119e0039c7

/data/user/0/CTuLuK.bSYl.LJsxf/files/.um/um_cache_1728920973112.env

MD5 1c3895ac5c60e5dbdd0fec6bbe26a8ea
SHA1 61f2edc890eb39ef5bed376034e84c31019b979f
SHA256 a45f311ba7e5bd597af3ba1d4d42599d5ee6bceb97272d249ce6d2755efd0a8f
SHA512 3da106ef9837df9725c01b9e68a45af51a766abdb1ef6102af1d2f7c8e27ad04e43a72a2046bb8d0112ff1898694e6ec09cd333b5055290cfc79f2034bbee21d