Malware Analysis Report

2025-08-05 10:12

Sample ID 241016-21pw7syajd
Target 4f803c0f655f011d0a158bf56b56043b_JaffaCakes118
SHA256 57334e1f8ce5938776ff5ecd89a4466f920b4fb8323579be0395f59e57c29e96
Tags banker collection discovery evasion persistence stealth trojan
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 57334e1f8ce5938776ff5ecd89a4466f920b4fb8323579be0395f59e57c29e96

Threat Level: Likely malicious

The file 4f803c0f655f011d0a158bf56b56043b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries information about running processes on the device

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Reads information about phone network operator

Queries information about active data network

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-16 23:03

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-16 23:03
Reported 2024-10-16 23:05
Platform android-x86-arm-20240624-en
Max time kernel 149s
Max time network 155s

Command Line

com.qavx.nfqi.mmuk

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qavx.nfqi.mmuk

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.qavx.nfqi.mmuk/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.qavx.nfqi.mmuk:daemon

Network


Files

/data/data/com.qavx.nfqi.mmuk/app_mjf/tdz.jar

/data/data/com.qavx.nfqi.mmuk/app_mjf/ddz.jar

/data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar

/data/data/com.qavx.nfqi.mmuk/databases/lezzd-journal

/data/data/com.qavx.nfqi.mmuk/databases/lezzd

/data/data/com.qavx.nfqi.mmuk/databases/lezzd-shm

/data/data/com.qavx.nfqi.mmuk/databases/lezzd-wal

/data/data/com.qavx.nfqi.mmuk/files/umeng_it.cache

/data/data/com.qavx.nfqi.mmuk/files/.umeng/exchangeIdentity.json

/data/data/com.qavx.nfqi.mmuk/files/.um/um_cache_1729119908624.env

/data/data/com.qavx.nfqi.mmuk/app_mjf/oat/dz.jar.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-16 23:03
Reported 2024-10-16 23:05
Platform android-x64-20240624-en
Max time kernel 149s
Max time network 154s

Command Line

com.qavx.nfqi.mmuk

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qavx.nfqi.mmuk

com.qavx.nfqi.mmuk:daemon

Network


Files

/data/data/com.qavx.nfqi.mmuk/app_mjf/tdz.jar

/data/data/com.qavx.nfqi.mmuk/app_mjf/ddz.jar

/data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar

/data/data/com.qavx.nfqi.mmuk/databases/lezzd-journal

/data/data/com.qavx.nfqi.mmuk/databases/lezzd

/data/data/com.qavx.nfqi.mmuk/files/umeng_it.cache

/data/data/com.qavx.nfqi.mmuk/files/.umeng/exchangeIdentity.json

/data/data/com.qavx.nfqi.mmuk/files/.um/um_cache_1729119907213.env

Analysis: behavioral3

Detonation Overview

Submitted 2024-10-16 23:03
Reported 2024-10-16 23:05
Platform android-x64-arm64-20240624-en
Max time kernel 148s
Max time network 154s

Command Line

com.qavx.nfqi.mmuk

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qavx.nfqi.mmuk

com.qavx.nfqi.mmuk:daemon

Network


Files

/data/user/0/com.qavx.nfqi.mmuk/app_mjf/tdz.jar

/data/user/0/com.qavx.nfqi.mmuk/app_mjf/ddz.jar

/data/user/0/com.qavx.nfqi.mmuk/app_mjf/dz.jar

/data/user/0/com.qavx.nfqi.mmuk/databases/lezzd-journal

/data/user/0/com.qavx.nfqi.mmuk/databases/lezzd

/data/user/0/com.qavx.nfqi.mmuk/files/umeng_it.cache

/data/user/0/com.qavx.nfqi.mmuk/files/.umeng/exchangeIdentity.json

/data/user/0/com.qavx.nfqi.mmuk/files/.um/um_cache_1729119907551.env