Malware Analysis Report

2025-08-11 06:36

Sample ID 241016-cbst5axapf
Target 4ae926450fe222ea9f2873879c78f9c2_JaffaCakes118
SHA256 e616012197daa27addc0643571f348d427112dcd93b529e79680a0e77f4cd283
Tags
banker collection discovery evasion stealth trojan persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 4ae926450fe222ea9f2873879c78f9c2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion stealth trojan persistence

Removes its main activity from the application launcher

Queries information about running processes on the device

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-10-16 01:54

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 01:54

Reported

2024-10-16 01:57

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

155s

Command Line

com.efos.bxzy.syka

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.efos.bxzy.syka

com.efos.bxzy.syka:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.73:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 o.pmuro.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/user/0/com.efos.bxzy.syka/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.efos.bxzy.syka/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.efos.bxzy.syka/files/umeng_it.cache

MD5 8d0ea9f34013415aec36f35e97ee4898
SHA1 b823827d9b3c374abfd1ecb3a8e4ac725be82576
SHA256 37788b8154c691d83ac15eb2d6cf81f7eb4eca3c55a967fb77635e159d3f0685
SHA512 eb5c6b539c54677a808d01adcaa7ec42d45b0dc496e6b5965c80ac2105a034606c43730dae0fb36b873f6bcbf3708e4989c6254ca5520c662c99ce6290b3ed5e

/data/user/0/com.efos.bxzy.syka/files/.umeng/exchangeIdentity.json

MD5 cbb0fb38520d7ea61ee8e0c6442ed80c
SHA1 6aee219e96c31cacca57e0016181fdab9ba3f115
SHA256 90ce8621cb8c700309f04aaf994622a93f1054b283cd3ddaf99171fd27dff6ce
SHA512 9472fc314dcf0d2d89a08e9138b1f874141fe21d41d0080bc9b2e67997b8e057b60ed0f3c867171a25618a414ac8cf78cf4f232117fa9819a2b719610882a947

/data/user/0/com.efos.bxzy.syka/databases/lezzd-journal

MD5 f41b551bda024ac85f7a857b994bb8d7
SHA1 0c2943455a6f3d40ebc6473abf5bc2ed1df08b4d
SHA256 ade9327bebe4697bf3c73af937e84a485edb5318d5f20d64fd6135480607bef2
SHA512 4304cf60f5f0d2795d8bfb210349bc8fd5ba3c0fa201007d617d15541502d3b94fbbbf0e966741d938cbf5bbd400cb020dd41929c97acc08be92fdfb0518e93d

/data/user/0/com.efos.bxzy.syka/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.efos.bxzy.syka/databases/lezzd-journal

MD5 7029b37a33e9037116411cdd19f9a796
SHA1 479dc2b954bd1727e3767ceba16eff4d2a793b87
SHA256 9a18bd75155c7454e10f869322f1b777d9133a9b90c3a18f6839326ee728e223
SHA512 84a58e95d838e93c28f001434ecc770932acd41caed92c9c7d69fef5f7385131b6e4a9387c0ac3c1ce342edb4b3d5a6062575f11f463d79b9cc25269d4411201

/data/user/0/com.efos.bxzy.syka/databases/lezzd-journal

MD5 1d34dd7828cc6c84a5f2d7e0b11729fa
SHA1 6d9dd1e181911d9edd9e0ee27c29be58718ec92b
SHA256 a9b8ba5a4c3d6a32ae7a1e5d8dc01aefe7eeb4f314920c01aeb0e84807e5921e
SHA512 abe059344a85c520900c037b8245f417595982e317454316d92e982b9d12830a8221c677121ac91e58f8e96e49e9b96912055296385ca23ee407710f3cf590a8

/data/user/0/com.efos.bxzy.syka/databases/lezzd-journal

MD5 1b36a10b1ad50cc24654beb126947b0c
SHA1 a5150bd24a191e471484c178f95f6dc1d8b89b70
SHA256 e3d60d471732d5b26c5097828883dcddc017dc0a9485a943a932cba69bf1c011
SHA512 b744921cf04cf9f87a8cad43fb2da4fc5820857a93e8b6189402f1426386615922428e6b9587590dd38d7914b2410204edeb7d6e779aa5d2123e1a2686b997d0

/data/user/0/com.efos.bxzy.syka/databases/lezzd-journal

MD5 f4e43a2b3161ad56793de04ead61c9ae
SHA1 418365200a553423937d4692c080617c8c37d1bf
SHA256 138b38a69b22017544d192906f475f93c2cfed48f9c91f8ab5c511ae23cd1d86
SHA512 fff391c04273af67a94ed0ece3032b327f5849e6f08ec29b9711a1269794c07cd2a318ff65f4d1f92967ea6cefc30bb32f74e1d8230f3af5685eea6035cd133f

/data/user/0/com.efos.bxzy.syka/databases/lezzd-journal

MD5 0a224df2d941fedf93d6aeb68eeaf49f
SHA1 c2c507740d7f97e1a08c612c62b7ea3200644618
SHA256 4fefa5a04752199614e7fd06f233a60c9f46ffc4f5f4116ab6dbc3fdb417eb21
SHA512 379e9bfe69a9e9e606eb27797b9739632fc7e49bcce2f10656fb81df4c0c4352718cf532e63de8d1840bdc371374761991867dcf28a6deded1b46ac6c8152499

/data/user/0/com.efos.bxzy.syka/files/.um/um_cache_1729043741285.env

MD5 871391079acc5c50cffdb4d198b0a159
SHA1 db06172d31e644deeb80607f398dc007ae704959
SHA256 8b60078cc2af1a0059ba2af6f9f7b3d111003aab7dc9a1b0f58a7a9f011ab1cd
SHA512 655ba8521131eb4bbde151fdcd96bca739d24a4092f632755181ce159fc32e7e115f44ba8f2b1f234a887426d2d2d1ba00c3e0a8babf929326072640d959967b

/data/user/0/com.efos.bxzy.syka/files/mobclick_agent_cached_com.efos.bxzy.syka1

MD5 ad66cde79762fb815774b132330df84e
SHA1 15e724452a926243119ac74943448b1b8e355563
SHA256 7b4dd0198bdbfcf68d65c830f5d0d95fbebc9b2a8ed9440ce953e658628e0323
SHA512 cbcc87e4f1172dcfbb5f48d787c01f9c2eb8498a6600607ed774f4da6e96efa082533ef5f1e3a6975e1660d2839f16d5772136ed42a5278346b712512bf29dac

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 01:54

Reported

2024-10-16 01:57

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

com.efos.bxzy.syka

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.efos.bxzy.syka

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.efos.bxzy.syka/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.efos.bxzy.syka:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/data/com.efos.bxzy.syka/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.efos.bxzy.syka/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.efos.bxzy.syka/files/umeng_it.cache

MD5 d567182f75a9db2a743ad52c241a8b36
SHA1 b8c0abcf56455506cf5e806b780a6f68caef5c8a
SHA256 aabaca503d790b8cd852373b0fe6c08514bc84ab3788260823b1fa7a493fd11f
SHA512 e6953c33416b18d7bd2fcc17a718b3d899ca9977ed3ae96241fff6fbd0633b867315fa71b5c5c9c10a68ee7550d41d80c080ca62f1f2bdb2efb5d5833661306f

/data/data/com.efos.bxzy.syka/files/.umeng/exchangeIdentity.json

MD5 f185fd74bde8680987e0234f7ee21fc9
SHA1 7ab2d315c938b7cb395196c423ecf04de0bfeb2c
SHA256 8d8950185f9ff96be2d934728f94186a0d911249264a28d3c4b6fb7cfdb6de85
SHA512 b4eda9ba513874cf33ede9fe3878a1de45573e3a4fb94fae7a224d7d5ff89da31cb0216b57937450c9826b1053800732b08cc01370db7883fc7a4142e099aea3

/data/data/com.efos.bxzy.syka/databases/lezzd-journal

MD5 67ae8b0f80590665e57d3935623a4ec3
SHA1 eea4ae9aa68422d2234c2327574ae95d6cae1fb6
SHA256 23ddebd0b9e753232e6733c8282af70f90e1b7878fe62672990a6e34a1251655
SHA512 e09b1bc255bf914c9eed12f1a7c257615f4b06a8ea3b360e6ecd1c3d3d0295ecf8405c85c06da7181be0603941ae76a0f432ba9af114ca1c5b02c99e8efe8e12

/data/data/com.efos.bxzy.syka/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.efos.bxzy.syka/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.efos.bxzy.syka/databases/lezzd-wal

MD5 731e87a8bd017ab5c061c3b94396f334
SHA1 cd0b78d7d941f459b2377123f88260d9b55d0c56
SHA256 c89250cb63e765cbc6be0f7abd240dc93974f90b454b7fbca377f33206e75ce1
SHA512 ee23d8161b1e83bc0c342a937a826bdc5d822574876522c68beb7ef564ee2367ef47e10c0c8b557eda340168d819196e51199fe7b1b96018212e9eec0557242b

/data/data/com.efos.bxzy.syka/files/.um/um_cache_1729043741344.env

MD5 64d32bd1cdfd776582d6f0c63e13e1a8
SHA1 288dd100e030258d8a93ab77a959de44fed1cda8
SHA256 58017a01632d6426c0850c89a87105f2633a36afbda1e5621bb1a0759744dbc7
SHA512 7006380f1bf4c7a40634ef967e7d47143089f06920858ec87266925432dd43af3154d25f2763e5eaa745fb77eba71e00125e79a15b87b5f8c80c204c281b95c7

/data/data/com.efos.bxzy.syka/app_mjf/oat/dz.jar.cur.prof

MD5 441f2aa4ed029b8aea5eb8736e32936b
SHA1 9b3785565bc73cdd321ae27fab6e415720c2b41d
SHA256 027fc0298823a5d55fd5b1e503d0e69bb0df2d52beaac9d2994b650209d9c4f7
SHA512 5e232ae37e38ac882782d8edd2722cdd783977f895d39d750e68055ae7ada896f308845b280bd48c8cb32db776c70fa4be558f69f3bf8e47e238c4ccde67b20a

/data/data/com.efos.bxzy.syka/files/mobclick_agent_cached_com.efos.bxzy.syka1

MD5 07775cb05210dc27cba4005df1885f0b
SHA1 d2203cee26ad383c6b10526a537985934275333a
SHA256 df96a0ea49327f129cf5d7e8a38aa04579a175cafeca405e24b97bd67659518a
SHA512 0166d9b27b83b2dedad63ceefec9c5381b8dba414a99a42f30dfef47f5bd7b4a79ea4c1c2c03bfb6b364a045809409b43853305b0ef640da20430a8e3c0f6abf

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 01:54

Reported

2024-10-16 01:57

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.efos.bxzy.syka

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.efos.bxzy.syka

com.efos.bxzy.syka:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.73:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.55:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp
GB 172.217.169.74:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.37:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/data/com.efos.bxzy.syka/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.efos.bxzy.syka/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.efos.bxzy.syka/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.efos.bxzy.syka/files/umeng_it.cache

MD5 cad7f4c5766eccf4d673ff943ff12c60
SHA1 e3bbfea13107aea9db42e0e35095091fbf16454b
SHA256 819d39f1bed04940932f88ee2774246c9a424bd1e07f7c841e8a10ebf368700c
SHA512 9770cd3bc99e75f0fce3877d80f3cc4afc98b4f757fa509d9c853bd4418b8dd6a465ec49b14e6c94b8a595063f2a98162a577708beac4fbc47bdbcba189dde46

/data/data/com.efos.bxzy.syka/files/.umeng/exchangeIdentity.json

MD5 8beb22014760cd7f0ff44112e082be3c
SHA1 c8c1e302418ebc7b89384e7eb789ed741f6f47f2
SHA256 c8db6825731d28e7179d5643becb87117a1fb6dac95c39c6a05523f00ce9f197
SHA512 a619e1fa37d82a166961b068084dc381dd1ca5570cf658b59bbfaec3e0bff4aab3dcc251c826b2590c87d2a127aad85c58755336853f5bb965d165d57e6b5c08

/data/data/com.efos.bxzy.syka/databases/lezzd-journal

MD5 27506088069c46f3590345f01229b3cb
SHA1 62a27eeff484d106b9a81eb0d71490b9641c11d1
SHA256 35f848565ff78053c9ff947334dd6ea41ec93d2cd853adcbaacbcdb905a61ba8
SHA512 3a346dd48293fe15884c3221c6d888c0606c2ffaa8e2b287a7ccef861d1f34b92c08c17fb5fb151a3316733b6425f79f559b868356ee839170a2073a55396dc2

/data/data/com.efos.bxzy.syka/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.efos.bxzy.syka/databases/lezzd-journal

MD5 99c0bc19e9e2ec51d91d31d32d77b3d7
SHA1 b520e6f34c282afd30d6b22b40f89c1673bd4467
SHA256 bf00aa80be6a863bf59f73c2d54ce2ca7d1093d1c90fc4d1eb9d3415652f8a7d
SHA512 858fb3b1d1392ce60b809f22bbaaceb773c476e2bee81ae78c7aa7efa940b1d42a66f8c6f825878413b2ed256d02eaa218f1de92bfcf4a6e7e076227e6bca083

/data/data/com.efos.bxzy.syka/databases/lezzd-journal

MD5 af3356bca2393f7370500b2380ab642c
SHA1 06890e91d2d6579c00b4804b9e2846a8ee01a7f0
SHA256 503d96f195f01d69020e171da0592cc19391ec394ab0407483b745ecce375973
SHA512 7c4d1c70e979c396abf75c15b85109043e500d80d1601e37fcb8e69c274beeba7b4ff9dda8a0698c481b7ef04813478727e19eb737a7c3e27ba1ad17dfa86a39

/data/data/com.efos.bxzy.syka/databases/lezzd-journal

MD5 93f00e9e7f054b09d2fb1c0f6d01fbdd
SHA1 d9c8bfd278d17603b8a0ae2cd508c3c489b15ad6
SHA256 f66f18a795b644c3f2b47f9ddf21ce61ad4b7cf7a707603af41a73a5b95ee70c
SHA512 1bdebdf4ccee2e508165e3dfe761779aecb88101a855744259db978ea72d054bbf3992f3cfaa8d6ec0f11261f08aeb331cc8e7d4049cffa886f56dbc002ac1ed

/data/data/com.efos.bxzy.syka/databases/lezzd-journal

MD5 826d36b44109f82cd7814309a2618d19
SHA1 0086f5db805f62080b8d895418db766c9d2d52b3
SHA256 846dcc11beb2c37937c1322901cc6da386fe7d8651b1835a9e765952971aaf79
SHA512 1eae302c31eec7554f958173e41fb0bb62210a74a30e85e507a409bcf5c303c5016f7d3f9eb0e972b254fa6d4b0e3547b66a2b03680906c40290ca30a43932f2

/data/data/com.efos.bxzy.syka/databases/lezzd-journal

MD5 e18e77e6274ee11443c1bab41341fe61
SHA1 d5db9dac98175e2d2ad91c70653bcad30be3325b
SHA256 d5a6b9bf973d17d0c2d6911a340518d82a430f2df5ded0de740eabc949b28d8c
SHA512 0c314faea45fb9ca935527eafffd0780aebad1d00387b451e12205f6a28b03edc0dd4b263f34d54501efe4991e69147a034e7e0d6d389eee0920642eea237030

/data/data/com.efos.bxzy.syka/files/.um/um_cache_1729043740361.env

MD5 0232ba07218c9beee50f662fb2db6b6a
SHA1 02496d45af905bb2693467bb8389ad36b4aabb3b
SHA256 b5b8300a6ff98d1a2b1d1b011b19947f7502e44d2cf972c55c9b1f03588adb06
SHA512 f30af1b006a7832e3eacc32346d6c8f266c6246795ebc3e301cefc6fb590d5c0330281f49f44ab3473323a03b506a639d082584e448b6a51243df51079623de0

/data/data/com.efos.bxzy.syka/files/mobclick_agent_cached_com.efos.bxzy.syka1

MD5 69f7490f85e10cba53c6cc3106fdc6c0
SHA1 39a81657d0f7d54bfc54f723b8e7db65a29fd7af
SHA256 c59971f1d1c5360a65bd3647047dff8d7b0130426256dbb8612e6d12b49a78ac
SHA512 e323613fac379556ee4c13536d63091050b65ddcac90a4ac021d0f550cc6213114dbd134231e6b44d5fd9617df7fb9ed67564a72266fa69db7ad86c69f10d1b8