Malware Analysis Report

2025-08-10 13:10

Sample ID 241016-dfv1qatdmn
Target 4b209fcc8728a49b303293bb3cfcf911_JaffaCakes118
SHA256 ae7d7f05f38aed97e8b18006f301a366c0a8a201241666e40a8f0f70a5c7b4df
Tags banker collection discovery evasion persistence stealth trojan
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10
SHA256 ae7d7f05f38aed97e8b18006f301a366c0a8a201241666e40a8f0f70a5c7b4df

Threat Level: Likely malicious

The file 4b209fcc8728a49b303293bb3cfcf911_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-16 02:57

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-16 02:57
Reported 2024-10-16 03:00
Platform android-x86-arm-20240624-en
Max time kernel 149s
Max time network 154s

Command Line

com.qogc.viql.fzaz

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Note: alog.umeng.com is the log-upload endpoint of the Umeng analytics SDK, which is bundled in a large number of legitimate Chinese-market apps; the umeng_it.cache, .umeng/exchangeIdentity.json, .um/um_cache_*.env and mobclick_agent_cached_* entries under Files are that SDK's normal on-disk state. A hit on a third-party stalkerware indicator list is therefore weak evidence by itself; the dropped-Dex loading and the account, device-ID and installed-app queries are the signatures that carry this verdict.

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qogc.viql.fzaz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.qogc.viql.fzaz/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.qogc.viql.fzaz:daemon
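The dex2oat line above is the system compiler being invoked, under the app's own UID, on a jar the app wrote into its private directory; that is the telemetry behind the "Loads dropped Dex/Jar" signature. The following parser is an added example (not tooling from the sandbox or from the sample) that turns such a command line into a finding: it splits the options, collects every --dex-file input, and classifies each path by where it lives. The only input is the command line copied from this report; the path-prefix rules are this example's own assumptions.

```python
import re
import shlex

# dex2oat invocation recorded in the behavioral1 Processes section above (copied from the
# report, including the trailing "&" that the report shows for --class-loader-context).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86"
    " --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt"
    " --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate"
    " --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m"
    " --instruction-set-variant=x86 --instruction-set-features=default"
    " --inline-max-code-units=0 --compact-dex-level=none"
    " --dex-file=/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar"
    " --output-vdex-fd=48 --oat-fd=49"
    " --oat-location=/data/user/0/com.qogc.viql.fzaz/app_mjf/oat/x86/dz.odex"
    " --compiler-filter=quicken --class-loader-context=&"
)

# App-private storage. /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so both
# prefixes name the same directory; anything compiled from there was written by the app.
APP_PRIVATE = re.compile(r"^/data/(?:data|user/\d+)/(?P<pkg>[^/]+)/")


def parse_dex2oat(cmdline):
    """Split a dex2oat command line into --key=value options, the --runtime-arg values
    and the list of --dex-file inputs (dex2oat accepts more than one)."""
    tokens = shlex.split(cmdline)
    opts, runtime_args, dex_files = {}, [], []
    it = iter(tokens[1:])
    for tok in it:
        if tok == "--runtime-arg":
            runtime_args.append(next(it, ""))
        elif tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            if key == "dex-file":
                dex_files.append(value)
            else:
                opts[key] = value  # a repeated option keeps its last value
    return {"binary": tokens[0], "options": opts,
            "runtime_args": runtime_args, "dex_files": dex_files}


def dex_origin(path):
    """Classify where the dex/jar being compiled lives (prefix rules assumed here)."""
    if APP_PRIVATE.match(path):
        return "dropped"      # written by the app itself at runtime
    if path.startswith("/data/app/"):
        return "installed"    # part of an installed APK
    if path.startswith(("/system/", "/apex/", "/vendor/", "/product/")):
        return "platform"
    return "other"


def dynamic_code_findings(cmdline):
    """One finding per dex file that dex2oat compiled out of app-private storage."""
    parsed = parse_dex2oat(cmdline)
    findings = []
    for path in parsed["dex_files"]:
        if dex_origin(path) != "dropped":
            continue
        findings.append({
            "package": APP_PRIVATE.match(path).group("pkg"),
            "dex_file": path,
            "oat_location": parsed["options"].get("oat-location", ""),
            "compiler_filter": parsed["options"].get("compiler-filter", ""),
            "hidden_api_checks": "-Xhidden-api-checks" in parsed["runtime_args"],
        })
    return findings


if __name__ == "__main__":
    for f in dynamic_code_findings(DEX2OAT_CMDLINE):
        print(f"{f['package']}: compiled runtime-dropped code {f['dex_file']}"
              f" (filter={f['compiler_filter']}, oat={f['oat_location']})")
```

The same parser works on dex2oat lines pulled from a device's process list or logcat; a "dropped" origin for a package that is not a known plugin framework is the event worth alerting on, and the --oat-location tells you where the compiled copy (dz.odex here) will sit if you need to collect it.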

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.179:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 api.ehtbr.com udp
CN 59.82.121.179:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 216.58.204.78:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 59.82.121.179:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.242:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 api.adcmsware.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.120.242:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.120.242:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.120.242:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/data/com.qogc.viql.fzaz/app_mjf/tdz.jar

MD5 fc1eb8c18ddc0f8727b5fb5eba8ca870
SHA1 af6d64fe2432bece4c523066a57f35be8f175a48
SHA256 7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9
SHA512 25e5c0eafb925a6b3c6d9f8622b95d07fd8e63be2689859733b10ed65fa7f7e56e5453da64d9bd7bd7c3345f6c1a90a5dd34de9b0788f4ba080689758d5d4e66

/data/data/com.qogc.viql.fzaz/app_mjf/ddz.jar

MD5 7f1e0fe2e6a0618b6c84d48ea0586b6d
SHA1 dea54fa91f9f431b85e8c4048244a1c3c4b16665
SHA256 4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e
SHA512 7a9e77b9ee66c7cc5d406389c8dd4f344b02c8449cfcd581586d16ce895ed0fa77f6fc8c767c32b92e75863d8133422b4ed3057f54999c3fef031146602e5df6

/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar

MD5 789a4162427149dd5e519f917ead0e29
SHA1 d2bd738c28ec21c0441c6daaefc206a6a76f8e1c
SHA256 830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0
SHA512 b6a8d5c20792cea1035a7f7684bc03b3f184a0bbba3f5c322b26cc75fd50002e749882d6ac6177a93115ce93b1b3d4721f4449d2007ad700e0633a11579f7e37

/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar

MD5 eb4b1f8a3354e8b5c30a253c771196ab
SHA1 5c721a6d50b607c91d6b900b4a21a09680f6149e
SHA256 dee0215de8f0bf8acfc41aa199e605f30178a969cb5821a977e865b69773b3e2
SHA512 a7ce9f9612de9c987392c28f2ded37dbe991f3b61022ac5ad797230c294606a69030182a62df3f8ce98ee50b42a4a38eda9bc297332cc4b46b3f478cae6fe1b6

/data/data/com.qogc.viql.fzaz/files/umeng_it.cache

MD5 26e2fe9109ca15dcc9e9571c89c8726a
SHA1 b3dd292ea474c803fdeb045ee2427045889986d4
SHA256 f93e60aec083e7b09f36da02979381c2f1363a7c823f8453b85ee3fbb80b8dd0
SHA512 28a8b7c172bee15552f5c1fa55636eb5d8180ab9c51cda37338c750c1ce22485d00594c91a0e3d47e829e25132a8d30673c87bd5902a9a8a78897953c287b3b7

/data/data/com.qogc.viql.fzaz/files/.umeng/exchangeIdentity.json

MD5 2e5ad1c759947752d61e7347946024a2
SHA1 a26812a411af95bba1bd7cec6b51ef6d4d10e774
SHA256 0c2808df1723fa478ff726d220be02cfb0800ace0707b6aef7272fb948769c79
SHA512 3df16ab38728151244eee02248be4a0d1f9ba68e3265d1dcd28764c8abff30360a1d409d2bfaa0f79b3f4a2173d848b946b8880361a79baa05d13f8841ad6eea

/data/data/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 db469a93df570d8e367ff685d762b5e1
SHA1 372e62c9a027e40d5163aabc31e3c46df45d36d5
SHA256 ae9f85a29289c928f63908f9b0066d240335487a862f978194f4ac271565629e
SHA512 07da45b327676c5dcf6274ee41fb751eafaa1e9c3c38149879c7f6191c83b67fe9b2d81ed09631476402feb69c6902811724d5ccfd209f142bb46c2bc64bc72b

/data/data/com.qogc.viql.fzaz/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.qogc.viql.fzaz/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.qogc.viql.fzaz/databases/lezzd-wal

MD5 60ff38dc7d9d0a3a4a005d5b6e2e9e85
SHA1 aafe2e6e42a8fedda223f6d9b5a847a271ba6522
SHA256 7dc7d02d4793686afc3f18a5ac8b5a7d0314c64199eacece5cfcb67af98c1401
SHA512 25cf8ff950282910687c13601913950d6e6c33294172122e1256745a7ea9fd3eaf947357969c2ec497bdb0e2d557ce5bd32c7882701e6c5996d61a15062c140e

/data/data/com.qogc.viql.fzaz/files/.um/um_cache_1729047523454.env

MD5 358670241981dc58de044b9714088848
SHA1 2df5593e4e22bab059cbefda243142f5a80d6a50
SHA256 65b06e16690976cd4a750fb3e48c0943c068f0cf990de2abceddfab12b9601d8
SHA512 8b43e902be4d1cc74b3aef7d4f7e07575073abaf1df87d0d92304e5eab78b9ff75b378f0bfb1e2f650b1fc3d024525cff00be16a9acf398c1bf0ad8170f56bd1

/data/data/com.qogc.viql.fzaz/app_mjf/oat/dz.jar.cur.prof

MD5 c5318b3f52dc8282a8329b25ae280ba3
SHA1 6a73bec60c808aad411f4b2989dcb8a245f01d0f
SHA256 41040b16dcf1255170918f86de07f81311f1f37d02aab53e811f1621325661fa
SHA512 c462557da4a767b7cd3b6306138da285dfdc756f784429c8c59828e1a57ee82bd3a208ce5fa1ecae62bb52fbed66379085b3c913959a3924088dc3c443e2e36d

/data/data/com.qogc.viql.fzaz/files/mobclick_agent_cached_com.qogc.viql.fzaz1

MD5 4fb0f9944fa6f034a7cf546ae0ceade5
SHA1 b588ca2186c40f2b1dc0ee05ea8074698a1b226e
SHA256 932c8144a5e0afa2e41983110ae7adb35102f2f9be367603b03b39c746ecccc8
SHA512 6e7cb8799453ba2deb7bceb8e246cbe75124792f860f99845715c1ae9b6bb6c4cbf35b8e93110c00395ca93a36b2c1c315dc528c3b162c65765cf42c2e551349

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-16 02:57
Reported 2024-10-16 03:00
Platform android-x64-20240624-en
Max time kernel 148s
Max time network 154s

Command Line

com.qogc.viql.fzaz

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qogc.viql.fzaz

com.qogc.viql.fzaz:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.179:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 api.ehtbr.com udp
CN 59.82.121.179:80 ip.taobao.com tcp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
CN 59.82.121.179:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.121.179:80 ip.taobao.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
GB 216.58.201.100:443 N/A tcp
GB 216.58.201.100:443 N/A tcp
US 1.1.1.1:53 api.adcmsware.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/data/com.qogc.viql.fzaz/app_mjf/tdz.jar

MD5 fc1eb8c18ddc0f8727b5fb5eba8ca870
SHA1 af6d64fe2432bece4c523066a57f35be8f175a48
SHA256 7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9
SHA512 25e5c0eafb925a6b3c6d9f8622b95d07fd8e63be2689859733b10ed65fa7f7e56e5453da64d9bd7bd7c3345f6c1a90a5dd34de9b0788f4ba080689758d5d4e66

/data/data/com.qogc.viql.fzaz/app_mjf/ddz.jar

MD5 7f1e0fe2e6a0618b6c84d48ea0586b6d
SHA1 dea54fa91f9f431b85e8c4048244a1c3c4b16665
SHA256 4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e
SHA512 7a9e77b9ee66c7cc5d406389c8dd4f344b02c8449cfcd581586d16ce895ed0fa77f6fc8c767c32b92e75863d8133422b4ed3057f54999c3fef031146602e5df6

/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar

MD5 789a4162427149dd5e519f917ead0e29
SHA1 d2bd738c28ec21c0441c6daaefc206a6a76f8e1c
SHA256 830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0
SHA512 b6a8d5c20792cea1035a7f7684bc03b3f184a0bbba3f5c322b26cc75fd50002e749882d6ac6177a93115ce93b1b3d4721f4449d2007ad700e0633a11579f7e37

/data/data/com.qogc.viql.fzaz/files/umeng_it.cache

MD5 575922091f0d7f6f49fe3b91459fc8eb
SHA1 e57a9d3fe8fccae249544d589037fdb1167efa6e
SHA256 12e04fe1c3d40d80f7d7d54e3524636b656d0951cb1d88d1c018130a4f3f8d85
SHA512 7a29a6a46113ba86b871a9474ef97dcd3452f1d6267e0b219e71bf7accb1209fd23775c8a5a0c80a7e29178bfc61d63cd8361b541c2bc2cd4ee94fc035509ad0

/data/data/com.qogc.viql.fzaz/files/.umeng/exchangeIdentity.json

MD5 a10765501e40e496fa615744f1274468
SHA1 2caef111c09a68151e31bc6a31a40fefde6cc4eb
SHA256 515e24d1c1cd90669c07796135ea38544760c57e2b75f1e4345a0acbce835c85
SHA512 5bcb3836b4ef3b46e362d157ce15d623bea86301f7849a540db54738b154e931c87757da7abd80f02a96301bda9fd5a665ff0eb79fdc2213cde8d43128302db5

/data/data/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 5cdb2634ae14f8a4c93d7637045783d8
SHA1 9e546ef8f734f6f96b0d0b9d70bc3ea2c5f4aae2
SHA256 636de90430f92fecd81566b57f141167fa0c8ca172a6a13ab7f776ae0fdd2fd9
SHA512 4c45be9dced4cb5dcfa90bbbc8bc37d0e92eb0297f0d6ca0f1498469c3e1bb8c5bf3bbd2a1105d3d118624d153eca0a79fc17f349b9de43e3601a7b7a25f085f

/data/data/com.qogc.viql.fzaz/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 63f4ed9a652f9914539d8a62bc8062b3
SHA1 41244eb30e74d340db43c085db3b7752f8d34c73
SHA256 c0600e8d0823de22a74f3dad4d805ab3416828d74f71e809a374adfbbcfd9100
SHA512 a07d6e38d1cd81890a1499ae5dff13b6a7c99afddc22fbc3d583fb6de46152419e6f4c222eca6e9a5aa246410068d3fa2116b6ceb0386dca3d97a41e3730a828

/data/data/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 1ea1f18eadaa4b4b47fdf7170345ec71
SHA1 7e6267f253737e28da00dc2c638b2243fe943dd1
SHA256 5226d59821743f2946aeedc70cd07dc733bdb81ccd250279a277276d8e8c5fb0
SHA512 ae92a8cf211a2ec9fcec362638c41cd4f315a9e25ade84ce405ac2ddd2c9272a8986b29c405d9b34ce5633c6b66aafe9658305a78c8e16d45496fdd6599e87a8

/data/data/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 a7790d444b846c0038ae61e938aea54a
SHA1 28c103703dee383f26e1a6f65f83ec9af86407cf
SHA256 f6c81ed259fdffa34a98dee5fc529d2e411e75f332208a8deacd3d34351cac02
SHA512 e3591392710e44d78704aa10eaed4d8ccdc4e749143a85b4b880f9e75009e92c3aa6560cbbeba6d99fd1338d2f7a96bdaac1717f8ffc6bc2f3559c07f1b46e8b

/data/data/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 d0169563b9394364f409dfdbc8224f95
SHA1 1364c082fb122a44285e4db9ab7eb1e4d4e10185
SHA256 723692664568f7f974224c414c93f0ef9a5216b28696ff195a1a3659c27dfe2a
SHA512 26b8a79a8ca9018ceb575b65c3a775e00ba5de18a743fff83e4acbb9ee96e286552cc81ab48a8295c4be5bfcccdebd8591a90bc828f355300bb965ce2f585658

/data/data/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 45f00f76bbebc2869e110b6cd4fba1fb
SHA1 e81702d6efc67ba28278765c9710bd581513c544
SHA256 933026c73d8e795ca7d8d4ea8653fabe4dc9dae293df4b6bf222be4ecbc785a8
SHA512 10c09584d3d23906da109a2cee5782e5182cca98176c32e07f45dd58c167d32b845713cc500ad4f584263803dbed19660b9b015ba080feb566a6372437335798

/data/data/com.qogc.viql.fzaz/files/.um/um_cache_1729047522795.env

MD5 e08e8aa955edebab073fc08ee6b37903
SHA1 d916ba49e16dad04bfcc9175a50a8dd175e7aa7a
SHA256 97cfaa929f0cc482cff5c8e72e7642f3a7131704e7fa77fa8e8507e85089df32
SHA512 fd3c6effa12f0960c586e086a21834c8b6a0a1889c7b4026eb1f6632a8b8c7f98fa321b484d61a102c8a87ddaac3e694ab0ce767a9b236da49eb26c5683b2f05

/data/data/com.qogc.viql.fzaz/app_mjf/oat/dz.jar.cur.prof

MD5 29dc5ef5c672dbd524b5846502ce9e77
SHA1 1db696acff934175f2bc31feaf64b91f904268ab
SHA256 c71291003819b4d6d61a7adbf72acbb573146ff51fde70280a69e970ad01e296
SHA512 dc4f05b508f7b7e533be9bd0eb4c4f517aee6578cb1c8d8c9727d40319fff2e57d7f9848ac996cfa4282628976b689955254e74a4c1ecaa48b5c70bf9ed7d83e

/data/data/com.qogc.viql.fzaz/files/mobclick_agent_cached_com.qogc.viql.fzaz1

MD5 3b573b8bb8cb81713535a91f125517df
SHA1 8c935d52cb4155a22d596c1ba9e85ac8fba6a9ed
SHA256 4f0de82ff1540445d9a9e86e5bf6bd52a357632c8ea731845447f73e13c33167
SHA512 302faf454142b90009f3f9f8f28f3390a239872c24b27ae9c751b3065abc18a9ae18bd4f91ff2b4c91f3aed2360ea1edf9c47661697a9670cd177268cda6a0cf

Analysis: behavioral3

Detonation Overview

Submitted 2024-10-16 02:57
Reported 2024-10-16 03:00
Platform android-x64-arm64-20240624-en
Max time kernel 148s
Max time network 155s

Command Line

com.qogc.viql.fzaz

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qogc.viql.fzaz

com.qogc.viql.fzaz:daemon

Network

Country Destination Domain Proto
GB 142.250.187.238:443 N/A tcp
GB 142.250.187.238:443 N/A tcp
GB 142.250.187.238:443 N/A tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.ehtbr.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
GB 142.250.200.36:443 N/A tcp
GB 142.250.200.36:443 N/A tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 api.adcmsware.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 59.82.120.12:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
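The three Network tables (behavioral1, behavioral2 and this one) mix DNS lookups, mDNS chatter, connections with a resolved name and connections the sandbox could not tie to a name, and they repeat the same handful of endpoints many times. The script below is an added example (not part of the report or of the sandbox) that reduces rows in this table's format to a hunt-ready summary: per-domain destination sets, domains contacted over cleartext HTTP, and domains that were resolved but never connected to. The input is an excerpt of the behavioral3 rows copied from above; treating Google hostnames as emulator background traffic is this example's assumption, not something the report states.

```python
from collections import defaultdict

# Rows excerpted from the behavioral3 Network table above, copied as printed
# (rows whose Domain cell is empty in the report are kept with three fields).
NETWORK_ROWS = """
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 api.ehtbr.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 api.adcmsware.com udp
US 1.1.1.1:53 alog.umeng.co udp
CN 59.82.120.12:80 ip.taobao.com tcp
"""

# Assumption for this example: names under these suffixes are Android/GMS background
# traffic of the emulator image rather than traffic the sample generated.
BACKGROUND_SUFFIXES = (".google.com", ".googleapis.com")


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); domain is None when the cell is missing."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line, not a data row
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def is_background(domain):
    return domain is not None and domain.endswith(BACKGROUND_SUFFIXES)


def summarize(text):
    queried, connected, no_domain = set(), defaultdict(set), set()
    for _country, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53:
            if domain:
                queried.add(domain)            # a DNS lookup: the name was asked for
        elif proto == "udp" and port == 5353:
            continue                           # mDNS on 224.0.0.251, local noise
        elif domain is None:
            no_domain.add(f"{ip}:{port}")      # connection with no name attached
        else:
            connected[domain].add(f"{ip}:{port}")
    app_connected = {d: sorted(v) for d, v in connected.items() if not is_background(d)}
    return {
        "connected": app_connected,
        "cleartext_http": sorted(d for d, v in app_connected.items()
                                 if any(x.endswith(":80") for x in v)),
        # resolved but never connected to: the names to search for in DNS logs
        "dns_only": sorted(d for d in queried
                           if d not in connected and not is_background(d)),
        "no_domain": sorted(no_domain),
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Run over the full tables, the dns_only set (api.ehtbr.com, api.adcmsware.com, alog.umeng.co) is the same in all three detonations: the report records the lookups but no follow-on connection, and it does not say whether resolution failed or the app simply never connected, so these names belong in a DNS watch list rather than in a block list keyed on IPs. Everything the sample did reach (ip.taobao.com, alog.umeng.com) went over port 80.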

Files

/data/user/0/com.qogc.viql.fzaz/app_mjf/tdz.jar

MD5 fc1eb8c18ddc0f8727b5fb5eba8ca870
SHA1 af6d64fe2432bece4c523066a57f35be8f175a48
SHA256 7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9
SHA512 25e5c0eafb925a6b3c6d9f8622b95d07fd8e63be2689859733b10ed65fa7f7e56e5453da64d9bd7bd7c3345f6c1a90a5dd34de9b0788f4ba080689758d5d4e66

/data/user/0/com.qogc.viql.fzaz/app_mjf/ddz.jar

MD5 7f1e0fe2e6a0618b6c84d48ea0586b6d
SHA1 dea54fa91f9f431b85e8c4048244a1c3c4b16665
SHA256 4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e
SHA512 7a9e77b9ee66c7cc5d406389c8dd4f344b02c8449cfcd581586d16ce895ed0fa77f6fc8c767c32b92e75863d8133422b4ed3057f54999c3fef031146602e5df6

/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar

MD5 789a4162427149dd5e519f917ead0e29
SHA1 d2bd738c28ec21c0441c6daaefc206a6a76f8e1c
SHA256 830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0
SHA512 b6a8d5c20792cea1035a7f7684bc03b3f184a0bbba3f5c322b26cc75fd50002e749882d6ac6177a93115ce93b1b3d4721f4449d2007ad700e0633a11579f7e37

/data/user/0/com.qogc.viql.fzaz/files/umeng_it.cache

MD5 6c11e73c1734eda6e7b551b41337053b
SHA1 4825f321c710d29e0adec458aa963ba56392e7bd
SHA256 36d92d73e7853f3886ae187bfd9315838afc470de8d3eee29667d3499159b427
SHA512 fb0c47fd2c3dbd8785f8ef37203c8f0ef8efc922d5b189fdfb33fe8242cfb97bde34ae433b6a678d33c22ab6347e615db5d132a24f8d20fff2345d93f178f202

/data/user/0/com.qogc.viql.fzaz/files/.umeng/exchangeIdentity.json

MD5 73a1530c17e9f60393d9486457fefe1c
SHA1 d43c6a725a2b92839675532ca345c421e8b6624e
SHA256 dc2bca2afb59d311f8b6a1ce45156ae2852e7387d646d15ab116769d2ef7b957
SHA512 6d57cf904f7deedcd00260eb94fefbbd885c07d0ddf41c1f197c102f229ba6a051061c28162465c83521e9a4369522370f82b7dd63fa69f684948b5383c0b916

/data/user/0/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 3cd37733a0b6f0ad01bb40d2309c6f61
SHA1 10b2f1dab32d123bea2b20aa4d3cad2465a56a3d
SHA256 2433aec8e4ddaab203d2be4837a834e305fc0b365012197fe0f350e27a69b611
SHA512 5cda2114e5f1cbff5680050e6402be861e0eaacb491a20ed166fc32903f6021b7dd2226db74c0bc2dde37c307c6d9375e8f040a995544cb2900ef0a009497565

/data/user/0/com.qogc.viql.fzaz/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 8b81f8d610f1b883b9e07a7188327bbf
SHA1 7dc5ae1fac327de9caa0093c992b6dddc3b14e9b
SHA256 e2af380d3a06b03ae28a9d5242d688a1756ca6227633116a5f64d72bd2b15d8c
SHA512 2c93fc71b0bcc152ce24505336dd561aaaa7ef18c471d363050da6ed811828a5170c723936e0a6bb8fe80b0459f901396c3c1c790b284a2075e9e8c1abf247bb

/data/user/0/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 c5fa13bf585bd70034747a8fdf3f5721
SHA1 16ed264fb9adc8d3c19c1e219f38db97d454ffa6
SHA256 f6cfce4a9758535655d873ded167fc3ca9ce2f52a741884f4a6e724cd9539d4c
SHA512 e30987ea58391f9203ab10e8d54f8411209f59318a018fc8ca93ea035de2242a8516b3d12ca5317426b70bf869a92d820b54287d9fc4c1ca4c534ed492cc7ee6

/data/user/0/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 f047e45cd1afa55cb19d1286c0ec9bbd
SHA1 1970ed58d5d7f64528629fce0ff3baa7455663fd
SHA256 d3ce7d2ead5246a12dfb95e496a2abfc0142b2a18b185c1af4d7a15c8d0c2f79
SHA512 06352d27b381b67fa325c959bee11e140a8d3e165afc7c45bd4a7c6116ec0711f9dc994b37aca94f0992ccd70f99a8c2a7df82a79c1bfe2b3e2f2a47a52cca31

/data/user/0/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 643aa17225a03f40f6726d2fdc97bceb
SHA1 fd01f363fb7caaba2742c4a6e431499b0405d40b
SHA256 c44c051fa65d81415e43115a677a9c714a4d2ae3161dc74dccca812b93279a00
SHA512 fa33c92919a8f233b43b2d5a8d60474bdae10c27e27b3163f3fdbe8a6e230052ab25f931f6a88a5706d4c11b50b3045230a87e2ed879e55e7692677ae7b2a8c4

/data/user/0/com.qogc.viql.fzaz/databases/lezzd-journal

MD5 17d5f23031231e1b109a5f3ee3f9adea
SHA1 c137403e1e472e558fb0b179d6e7dfd9b438b755
SHA256 89628401a4d401a78e8f0ef51f69be8f9ab2b0b1a064922ec0fbd236142dc6b4
SHA512 722cccf98195aff8042a6b8f5c34645743c1312c6e4573afa7a9786108b8cf74108dc1f2a50f76cdc00d08ce87c07e9deafea092fcc16f7e23b8e686c509f9d5

/data/user/0/com.qogc.viql.fzaz/files/.um/um_cache_1729047529626.env

MD5 d684e7898c8bd902c2da13b06c4f1dda
SHA1 b5da6d9873cbe1b62c956e1ac5eed87234db03ad
SHA256 bba054e23bdba1875c728e29adc61fa8d6a5c15c92f4a8eee6852d152adb9f51
SHA512 fb49ccbb3abcf5ee62fa1cc99f8fde5ce86f19fde3730d756d725c173bf3fc7c00ac9efb2f5f42aa6ace73ab2b52d3c39735e37389378a74b4e01e4c0677d182

/data/user/0/com.qogc.viql.fzaz/files/mobclick_agent_cached_com.qogc.viql.fzaz1

MD5 e2340502d156abc8ab27584250fdd92f
SHA1 5857b96f7528314f830d067bd2d9af9f254c7aca
SHA256 3185edcc1ec46ce8f095f9ffc9a59228040a10e9deb543d3916676407f373ffe
SHA512 9b2793e4c4cc101ffa08a4e0c90509d0c9dc79eac5082da696989723c430ca7a8f89d3c6cf40d90f5a226b27627523b4388a510815466353c453df1d7591e2ef
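The Files sections of the three detonations list the same paths with hashes that sometimes agree (the three jars under app_mjf) and sometimes differ on every run (the Umeng caches, the lezzd SQLite database and its journals). Only the first kind is worth hunting by hash. The script below is an added example (not the sandbox's tooling) that lines the runs up: it normalises /data/data and /data/user/0 to one path, collapses the per-run timestamp in the um_cache file name, reports which artifacts carry an identical SHA256 in every run and which never do, and recognises the constant hash of a never-written SQLite -shm file (32 KiB of zero bytes). The hashes are excerpted from the sections above; the timestamp-collapsing rule and the 32 KiB assumption are this example's own.

```python
import hashlib
import re
from collections import defaultdict

PKG = "com.qogc.viql.fzaz"

# Excerpts of the three Files sections above: path and SHA256 as printed in the report
# (a subset of each run; behavioral1 lists dz.jar twice with different hashes).
RUNS = {
    "behavioral1": """
/data/data/com.qogc.viql.fzaz/app_mjf/tdz.jar 7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9
/data/data/com.qogc.viql.fzaz/app_mjf/ddz.jar 4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e
/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar 830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0
/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar dee0215de8f0bf8acfc41aa199e605f30178a969cb5821a977e865b69773b3e2
/data/data/com.qogc.viql.fzaz/files/umeng_it.cache f93e60aec083e7b09f36da02979381c2f1363a7c823f8453b85ee3fbb80b8dd0
/data/data/com.qogc.viql.fzaz/databases/lezzd 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
/data/data/com.qogc.viql.fzaz/databases/lezzd-shm c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
/data/data/com.qogc.viql.fzaz/files/.um/um_cache_1729047523454.env 65b06e16690976cd4a750fb3e48c0943c068f0cf990de2abceddfab12b9601d8
""",
    "behavioral2": """
/data/data/com.qogc.viql.fzaz/app_mjf/tdz.jar 7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9
/data/data/com.qogc.viql.fzaz/app_mjf/ddz.jar 4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e
/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar 830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0
/data/data/com.qogc.viql.fzaz/files/umeng_it.cache 12e04fe1c3d40d80f7d7d54e3524636b656d0951cb1d88d1c018130a4f3f8d85
/data/data/com.qogc.viql.fzaz/databases/lezzd 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
/data/data/com.qogc.viql.fzaz/files/.um/um_cache_1729047522795.env 97cfaa929f0cc482cff5c8e72e7642f3a7131704e7fa77fa8e8507e85089df32
""",
    "behavioral3": """
/data/user/0/com.qogc.viql.fzaz/app_mjf/tdz.jar 7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9
/data/user/0/com.qogc.viql.fzaz/app_mjf/ddz.jar 4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e
/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar 830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0
/data/user/0/com.qogc.viql.fzaz/files/umeng_it.cache 36d92d73e7853f3886ae187bfd9315838afc470de8d3eee29667d3499159b427
/data/user/0/com.qogc.viql.fzaz/databases/lezzd 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
/data/user/0/com.qogc.viql.fzaz/files/.um/um_cache_1729047529626.env bba054e23bdba1875c728e29adc61fa8d6a5c15c92f4a8eee6852d152adb9f51
""",
}


def relative_path(path):
    """Strip the app-private prefix (/data/data/<pkg> is a symlink to /data/user/0/<pkg>)
    and collapse per-run timestamps so the same artifact lines up across runs."""
    rel = re.sub(r"^/data/(?:data|user/\d+)/" + re.escape(PKG) + "/", "", path)
    return re.sub(r"um_cache_\d+\.env$", "um_cache_<ts>.env", rel)


def parse_run(text):
    """Map each normalised path to the set of SHA256 values seen for it in one run."""
    seen = defaultdict(set)
    for line in text.strip().splitlines():
        path, sha256 = line.split()
        seen[relative_path(path)].add(sha256.lower())
    return seen


def compare_runs(runs):
    """Return (invariant, volatile): paths whose hash is identical in every run, with that
    hash, and paths present in every run that never share a hash."""
    parsed = {name: parse_run(text) for name, text in runs.items()}
    common = set.intersection(*(set(p) for p in parsed.values()))
    invariant, volatile = {}, []
    for rel in sorted(common):
        shared = set.intersection(*(p[rel] for p in parsed.values()))
        if shared:
            invariant[rel] = sorted(shared)[0]
        else:
            volatile.append(rel)
    return invariant, volatile


def is_zero_block(sha256hex, size=32768):
    """True if the hash is that of `size` zero bytes; a SQLite -shm file that was never
    written is such a block (32 KiB assumed here), so its hash is the same everywhere."""
    return sha256hex.lower() == hashlib.sha256(b"\x00" * size).hexdigest()


if __name__ == "__main__":
    invariant, volatile = compare_runs(RUNS)
    for rel, sha256 in invariant.items():
        print(f"hunt-worthy  {rel}  {sha256}")
    for rel in volatile:
        print(f"per-run only {rel}")
```

The invariant set is exactly the three payload jars (tdz.jar, ddz.jar and the dz.jar that dex2oat compiled), which is what a detection rule should key on; the second dz.jar hash in behavioral1 shows the file being rewritten during the run, so collect both if you need the intermediate stage. The SDK caches, the lezzd database and its journals change with every execution and should not be distributed as indicators, and the lezzd-shm hash is the zero-block constant that appears in unrelated reports.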