Malware Analysis Report

2025-08-10 13:11

Sample ID 241016-dyre9avaql
Target 4b355c6f124e5f6454109c2d58d21ae3_JaffaCakes118
SHA256 c6ee0d569566c76f6b7e11c615e51a5056e07ae618eb930b82923738614fc5ba
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c6ee0d569566c76f6b7e11c615e51a5056e07ae618eb930b82923738614fc5ba

Threat Level: Likely malicious

The file 4b355c6f124e5f6454109c2d58d21ae3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries information about running processes on the device

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Reads information about phone network operator

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 03:25

Signatures

Requests dangerous framework permissions

Permission                                Description
android.permission.WRITE_EXTERNAL_STORAGE Allows an application to write to external storage.
android.permission.GET_ACCOUNTS           Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE       Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW    Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                 Required to be able to access the camera device.
android.permission.RECORD_AUDIO           Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE  Allows an application to read from external storage.
android.permission.WRITE_CONTACTS         Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS         Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION Allows an app to access approximate location.

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 03:25

Reported

2024-10-16 03:28

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

153s

Command Line

com.clul.ifoe.zzhm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.clul.ifoe.zzhm

com.clul.ifoe.zzhm:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
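The network table above mixes traffic the sandbox image generates on its own (mDNS to 224.0.0.251, lookups through the 1.1.1.1 resolver, Google service endpoints on the emulator) with destinations the sample drives. The Python below is an added triage example, not part of the original report: it parses rows in the table's flattened "Country Destination Domain Proto" layout, drops a noise set (an assumption about this sandbox image; adjust it for yours), groups attributable connections by domain, and separates names that were only ever queried (c.ioate.com, and the truncated-looking alog.umeng.co) from names the sample actually connected to. Two caveats on the resulting indicators: alog.umeng.com is the log endpoint of the Umeng analytics SDK, whose cache files also appear under files/.umeng and files/.um in the Files section, and that SDK is bundled in many legitimate apps as well as in stalkerware, so the echap.eu.org match is weak evidence on its own; and ip.taobao.com is a public IP-lookup service, consistent with the sample learning its own external address rather than with command and control.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the behavioral2 rows above, in the report's
# flattened "Country Destination Domain Proto" layout (domain may be absent).
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?\s+(?P<proto>tcp|udp)$"
)

# Assumption: traffic the sandbox image produces on its own (mDNS, the 1.1.1.1
# resolver it is configured with, Google services on the emulator). Adjust per image.
NOISE_IPS = {"224.0.0.251", "1.1.1.1"}
NOISE_DOMAIN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
RESOLVER_PORT = 53


def is_noise_domain(domain):
    return domain is not None and domain.endswith(NOISE_DOMAIN_SUFFIXES)


def parse_rows(text):
    """Parse the flattened table; raise on a row that does not fit the layout."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def extract_iocs(rows):
    """Return (connected, query_only): connected maps domain -> {ip:port}
    for sample-attributable connections; query_only holds names that were
    looked up but never connected to."""
    connected = defaultdict(set)
    queried = set()
    for r in rows:
        ip, dom = r["ip"], r["domain"]
        if ip in NOISE_IPS:
            # DNS query rows: the resolver IP is not an indicator, the name may be
            if r["port"] == RESOLVER_PORT and dom and not is_noise_domain(dom):
                queried.add(dom)
            continue
        if dom is None or is_noise_domain(dom):
            continue  # unresolved sandbox traffic or Google endpoints
        connected[dom].add(f"{ip}:{r['port']}")
    return dict(connected), queried - set(connected)


if __name__ == "__main__":
    connected, query_only = extract_iocs(parse_rows(SAMPLE_ROWS))
    for dom in sorted(connected):
        print(dom, sorted(connected[dom]))
    print("queried only:", sorted(query_only))
```

Run it against the full tables of all three runs (paste the rows into SAMPLE_ROWS) to get the complete indicator set; a row that does not match the layout raises rather than being silently dropped, so a copy-paste error cannot hide an indicator.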

Files

/data/data/com.clul.ifoe.zzhm/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.clul.ifoe.zzhm/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 98579996f89df3114e1303ad1f3d37fd
SHA1 f4c8a7ee0f2eea1af3687546d9e6732d3e40abfb
SHA256 858ecfb7aa1ce29a820dbcd0803a6d76dbfce868473db591f1e81a278f2d2643
SHA512 473270fa33519159a71985f3f41dbb55019c89a0618a4db6a573f81b687dde43f8e224c3a1a1365e7be740474ad2cae4f5324b4de23c897a60c5a558d35beee6

/data/data/com.clul.ifoe.zzhm/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 e1d523eec3dc92ccf91ac0dbb2723da2
SHA1 ad7aa21324798acbcf4cae77b1c8cdfc657973ba
SHA256 d17c642e7ecdb466f2a636492305ec14f075dd151058153eddf8b4733a36e8cc
SHA512 e5e42c452720e05a845fdb45b1971a9e4becc4cae511640abf5cd10c02b015ea3bb26bef44cb83ead974f55d953b014e0b1b15e6ded42d823e6cf47ea5524ab4

/data/data/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 2c84e5b720ddb85475ec5fd961790b44
SHA1 e3b3752263c066474e5e6fe7328a38b28911ff89
SHA256 648640ee3c8a909295424ae6a392ba6cdbdd4e29afa37348709e7ff12ea0b34d
SHA512 8ae16f0a1c5093116e5339add6df3d9d00e95261517e9f946a0b75cf1b4991eca57b3a4200e4805bd775f37c58c279f4f6d32629eef84f8bc5fa6ee8596d27a0

/data/data/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 6fedd15348bdfae21fb587ba65010da6
SHA1 d4f82f0e50f414d6c814ddb256c8064baba49270
SHA256 8759624e7f51b5f2399232f67754e7813432933e8d9af34ab31a72eaf3db4213
SHA512 341616837030353b02431a382d9cfa7a5a9ce74c113d3eb1d23e53f153a71f22cafb5a34ef84bca3d09291de3454207b88d0d41363342232356b98d44ab6c265

/data/data/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 f39218578039e9402cc3577afe360b62
SHA1 700c7b20d5984ea39235eb2d9d11539130da385b
SHA256 862d744980f9350db07bb7e8f9b274b9517f2c9ac3d64186cd3e1805f96553a9
SHA512 f4085b5c7c82bf655068e0a0df694651c58b328269ba2af259ceff07523e016166a7a5e7b8f07d78cf9eedc2c7e8c72f73c0064c9fc3e18f61ce777047fb051f

/data/data/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 d35b5aae20bf43da0b2e23e2a00b3a16
SHA1 9a98c0ad65f59bd0e312a035f6d15a60905e6997
SHA256 7297cca6d5bf353578793a229f8a4e8b3c4e17ba60f909c7af593edaf6d2dfc7
SHA512 dc361e15c7392e66ff17290c6c4c7feb962a4e4fe8895886b76dad8e2534dfe02087b9b3d83b5614740ed7c304210d6c424923fe30e9df8eb31f566e5dd7c8a2

/data/data/com.clul.ifoe.zzhm/files/umeng_it.cache

MD5 4b85c678dc2af1bdf6212669cfaf154b
SHA1 ba8577c1fc27468eaed8858794f917efdf84b4b2
SHA256 105a640cfc3ce5a5759bc1c4d9c7a2a56524500a5a883df8fe690642993ab4f2
SHA512 5c34d5848c721c429253246a89a0ce52e614cd1b5627ca0f50e674010624b306197f6b9f58a82676b539acd238d6c9d635d27b1649b5acbbf9fc4be03df4d693

/data/data/com.clul.ifoe.zzhm/files/.umeng/exchangeIdentity.json

MD5 52fa577473f7f3dfd832c7cc1028ec46
SHA1 2db02d25c00425cdd2e9bd3b996ca44b17debdf4
SHA256 f3d6df2ba5f1a62165d2e5ae0dc1bedfd7dcd16ce9df21daea4d2b3dcd797652
SHA512 ca5539c7c4da1343a9238e084b7583521baafa532336bc8e370438454594dea554ab8bd3d294011c63cf12bcdaa7f0bbc695f6d435090acb3a8d9b8e9a41727e

/data/data/com.clul.ifoe.zzhm/app_mjf/oat/dz.jar.cur.prof

MD5 9dc503c7935bdd7da5f66e4f5068e6af
SHA1 ca334b02a7cdf7807edc910e736850dd720f722f
SHA256 3c318264ce89d9a7a286a44549177a4641c3d8f261d52756f08cf751c7204433
SHA512 f53f3f9429053f5f25158205b2fab8f497c0e19be5b0fa1d521b71759188ff734629fa568a6ce9dec9f834156be2a48b8ce90bf6739210d6f21f197287508c7c

/data/data/com.clul.ifoe.zzhm/files/.um/um_cache_1729049238646.env

MD5 81b8d511851dea091b86e19f3e502d61
SHA1 ef934c6352490737efdfd28cdf54259c9e78a14e
SHA256 543466d7bb099b2bf7ffb42d57163c78aa89f2d616b1ffb56068223526c48e65
SHA512 e2c0df02754c7a0cdffd342fd6a88bc2f05b596ae3748abd0de2caa57654358e55c3ffe8c22418a8303a5bd2673486e26175e6ab7ee090a2c25fec17a8ece3ac

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 03:25

Reported

2024-10-16 03:28

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

154s

Command Line

com.clul.ifoe.zzhm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.clul.ifoe.zzhm

com.clul.ifoe.zzhm:daemon

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp

Files

/data/user/0/com.clul.ifoe.zzhm/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.clul.ifoe.zzhm/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 a8dc6fe37742476993df793697893906
SHA1 f7490525f5e96499a6218027e5a556586b0048f6
SHA256 bb4dec56d2d955cd4ef50d66c2437acec861f2d9dcc1a4aa4c299f26332a4549
SHA512 b1da1d4c341498d4862f0ce8afb52c24f700887661d97b902d64bcb8d1ed661b95b705cf1187be49f79ba585e658467a4ce7735cf93a7af118ea784facaa807f

/data/user/0/com.clul.ifoe.zzhm/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 2357940868ab27e23e88298e08590c2c
SHA1 8f962d630d567018de21dd4034938c77b124c8cc
SHA256 051d46024ea2fe1c57d2c2805f72a02e76bd40915b610dc3ea1b04c20218388b
SHA512 78bef62cf4c6b5589470baa89bf8e6849c891247cca43d2e6b9f955bc64499c7ac79b1c9d55364c0448f14969bcb713afafd3946615ec3db2c3b43c9abe8a789

/data/user/0/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 daa2dc1d510aea705c9683b48b84c762
SHA1 71ee61eaddad17c54904dfe8a8416a6b9837d8f9
SHA256 d160271a3e271cd7cbacbb16fd41d5b2cfeed643429a7c386adb2f35d0175602
SHA512 fd16cb7b68805149abcc822111f0cb5030acdce9e503af1cf13a5188c52ce4513773612e413a46bb3fd6825aea63c8e61833b9dc9ca7f07f9cf61d992fdf9d1f

/data/user/0/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 58bc66dce6cdac091794cf25e6d8744d
SHA1 eac17436d6bff9d51ce0f4cdfa6a39b2868020b8
SHA256 df0a688ee2f966a071ca3b45897488949fff975e1be075141a4aabca0f678f10
SHA512 7c379f4b58c50c5d7961916874cb1e917a9e02b720d6f5ee9539430ba9cb332ec31a73226c9a1be3ac2eb8f7c7a5ba5f8140c848ae3d624c73a40f742506d15d

/data/user/0/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 e9f21fe02e27151f0b13324e33c5fb05
SHA1 3adb5e83c899e466db614b4dce45ba42dbe7e5b4
SHA256 55b7ae6d5c7bbd0f54cd7ab8d47817dcbcdbe85ea84f4c44ae78e880a2988753
SHA512 92dce9d981300193ff3e116dd1c2cefc5f6af86f97842b418f1979d09823440b62154e5d43920520788969429f2a682bfee009de57b4b658d35d9b1c62a432c9

/data/user/0/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 60682df074efea5e1628150b39f94abc
SHA1 43507508f28447dc6d13d45c6bca2bed2679a1b4
SHA256 356b33a04df8d8ea77c0682849789c7de49ab8825c25c446cc7ebb4ee3a0dcd8
SHA512 acf6d3988318b3cd540b3ab93581b880266de61c53347de160d4434c2dddac1956bd767f78d8b78e8aa8f4b55f3e56f1da3d48dc516d4979c4a8803167df565e

/data/user/0/com.clul.ifoe.zzhm/files/umeng_it.cache

MD5 63a6c97d62629e45cd348fd6541e1357
SHA1 9dd2c02b55176bb70bb8e2f70123b4b5d540abc3
SHA256 32136481071b80a9f3268ecc2b6fe3be6c4c7e49acf0ee2f658116edf8285f4f
SHA512 fbb5cb41b6cefc30c48dd5571559244747e4ed8110e0289b530a8c84a102a26f6db1c35f212212ee7434d03b70b58bb541b184fef4a2a79725f43b8734385ab7

/data/user/0/com.clul.ifoe.zzhm/files/.umeng/exchangeIdentity.json

MD5 01f2a7ad15a2e1293cde4e043f35832f
SHA1 1b6b6e18ecf47f796b40afe8385298f6df39124b
SHA256 3a7c980ef74b87db7cb79a20dfa2a6eff10153237b537ac8af96524077b21835
SHA512 4686e7437bb32cedb010b5f2c2805169b08fecfb0d1ee441fcfcf4b7b147f8e15bd26fc4e8eab204d9f79dd909ab8f5964697e21c98fc0847af2ba989fb3b0b9

/data/user/0/com.clul.ifoe.zzhm/files/.um/um_cache_1729049240728.env

MD5 437333a36a60eb01645b6ef75660ae67
SHA1 4956294a7b841b827c334a645802e215a9e7a79b
SHA256 016c1a5bfec9b524ed38afe6b96ba4b95a3cfdf0ac7b102de09bc1cf77f83347
SHA512 84fff3a816f7dd6a59865ef8ae3c76745173830b06595756a0c71f3516121e5b945cc8e265fe944bcc941d51de19fbfeeda93665a5768d44e4e87635a6002379

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 03:25

Reported

2024-10-16 03:27

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

131s

Command Line

com.clul.ifoe.zzhm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.clul.ifoe.zzhm

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.clul.ifoe.zzhm/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.clul.ifoe.zzhm:daemon
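The dex2oat command above is ART compiling the dropped app_mjf/dz.jar (the --dex-file argument) into app_mjf/oat/x86/dz.odex, which is the event behind the "Loads dropped Dex/Jar" signature and the dz.jar.cur.prof profile listed under Files: a .jar handed to DexClassLoader is a ZIP whose classes*.dex entries carry the code. The Python below is an added example, not part of the report, that opens such a jar offline and reports each DEX entry's version and class_defs count from the 0x70-byte DEX header. The dropped jars themselves are not on this page, so the example constructs a jar containing a header-only classes.dex as its sample input.

```python
import io
import re
import struct
import zipfile

# DEX header layout (all little-endian unless endian_tag says otherwise):
# magic[8] @0, file_size @32, header_size @36, endian_tag @40, class_defs_size @96
DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
DEX_ENTRY_RE = re.compile(r"classes\d*\.dex")


def build_sample_dex(n_classes=3):
    """Constructed input: a minimal DEX header with no code, just enough
    for the header parser below to have something real to read."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<I", hdr, 32, DEX_HEADER_SIZE)   # file_size
    struct.pack_into("<I", hdr, 36, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", hdr, 40, ENDIAN_CONSTANT)   # endian_tag
    struct.pack_into("<I", hdr, 96, n_classes)         # class_defs_size
    return bytes(hdr)


def build_sample_jar(dex_bytes):
    """Constructed input: a jar shaped like a DexClassLoader payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_bytes)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def inspect_dropped_jar(data):
    """Describe what ART would load from a dropped .jar: every classes*.dex
    entry with its DEX version, declared file size and number of class_defs."""
    result = {"is_zip": False, "dex_entries": [], "has_java_classes": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                result["has_java_classes"] = True  # plain Java jar, not DEX
            base = name.rsplit("/", 1)[-1]
            if not DEX_ENTRY_RE.fullmatch(base):
                continue
            blob = zf.read(name)
            if len(blob) < DEX_HEADER_SIZE or blob[:8] not in DEX_MAGICS:
                result["dex_entries"].append({"name": name, "valid": False})
                continue
            fmt = "<I" if struct.unpack_from("<I", blob, 40)[0] == ENDIAN_CONSTANT else ">I"
            result["dex_entries"].append({
                "name": name,
                "valid": True,
                "version": blob[4:7].decode("ascii"),
                "file_size": struct.unpack_from(fmt, blob, 32)[0],
                "class_defs": struct.unpack_from(fmt, blob, 96)[0],
            })
    return result


if __name__ == "__main__":
    print(inspect_dropped_jar(build_sample_jar(build_sample_dex())))
```

On a real pull (adb pull of app_mjf/dz.jar from a rooted test device, or the file the sandbox exported), pass the bytes straight to inspect_dropped_jar; a jar that reports no DEX entries but does contain .class files is not something Android can load through DexClassLoader, which is itself worth noting in a report.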

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.74:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
SG 47.246.109.109:80 alog.umeng.com tcp

Files

/data/data/com.clul.ifoe.zzhm/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.clul.ifoe.zzhm/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.clul.ifoe.zzhm/databases/lezzd-journal

MD5 3a5be57cb69b4768bd5432b0b3c24b69
SHA1 b1fc6e80b424b0a0a921ce70b93e511dc41f40bd
SHA256 f02bce3936ee33cc6b02016c59037143660f5297e38d8c3d1cabd57fa0d76e64
SHA512 73fdb889d29e60ce0b7f23fdfb434597d9fd4bed2920691e8c89d8a52996fca7fcf1598f0a5ad639a8e6673ba4ab51953b506e039e216a2da701fa43c721af8b

/data/data/com.clul.ifoe.zzhm/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.clul.ifoe.zzhm/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.clul.ifoe.zzhm/databases/lezzd-wal

MD5 0af5fa09d1c1d4b07144c5eaa59fec07
SHA1 2af0ffaa8fd20c73ee11a18006845d30ac68b2bb
SHA256 01dc7e1407b540e44d07bb2a251d462d9e605b6d461e70652d688e3867f6b4e1
SHA512 5e029964d253f68520e5355ab649b459e0d53724c4998265dc57b30f89db3a0693e229ec217f5c10e561a34b5b39bdeca3a908c63ed0b44755539896fc7cff58

/data/data/com.clul.ifoe.zzhm/files/umeng_it.cache

MD5 80e5559afcf0b4f6afc6f90a7eedd085
SHA1 2c290f39fccc7b4297272e05d76f729abe009840
SHA256 c1f197660121a8862bd7d0aef792eccbd0783c131cd35af3a9259175bd52ff26
SHA512 ff2e8a8276cf322df5d36e9cd46b337919cc5da311cf6f2fffd93275cb09c94b12d413bd44bd49490d3d8ed7a71cc9e4ab88aaac78768c3427dd59ff6b677540

/data/data/com.clul.ifoe.zzhm/files/.umeng/exchangeIdentity.json

MD5 878de65f9e54d04a762d036ba7df8b3e
SHA1 a392a0236f85c2e7aeae0d9b15aa8eafb4e6d6be
SHA256 1115be7d040059ca6fe97c06f9995711d5ab6c1bdf1f165242a42eea9f11bafa
SHA512 b467fc76e38bac7f3a58103a703d44aa70f91b9c5f920333b7eaa29ba266c1b91514184511e11883e70998081a1ea404b7d8a89b84ff9bae1428f570901b03e2

/data/data/com.clul.ifoe.zzhm/app_mjf/oat/dz.jar.cur.prof

MD5 33834f64a4eed6154c0b6f34b9f99d4f
SHA1 4bb3fb9abd4f9bdc2c87a494a1ae659a92d97b24
SHA256 070daa997f56545956cfa5ebaa857a03244e4d43d8550b34c74126266888d28a
SHA512 e603e1c3d4a731f43ff5b8482b5b130e27f2ea3257f54eedda4e20c68b14dea4f836a11779d0deaf3540594e4c8e62c3a8be4ee338579da1437b381d499c5bdb

/data/data/com.clul.ifoe.zzhm/files/.um/um_cache_1729049239667.env

MD5 dc95f395a3aa2be0fa9bdc3de2d97e30
SHA1 ba354196c3446468d2166026e395045b488c95a9
SHA256 d67bd8cd681bdfb71991418891945b746b060db40c01ae04ba355b9207e3b085
SHA512 fe69ee2db551a7b72f134774d8863bc5431b3712d93c8d488a44b907dfce1a17a2de24b82fb87d41f91bf5096459fc1bf307902677e37fea729222ab5251a586

/data/data/com.clul.ifoe.zzhm/files/.imprint

MD5 1cf833ad0c5f50b93d57e0d0c031cbb9
SHA1 21b134f24ca7ebf1d8cf7a77bbf2cc6cbc89e23a
SHA256 92f0a0317a43e0fdd60a00825f6ad08a958daa4dbdff99f655f23f9d9e9d4e2a
SHA512 776a2f28d32541300f41a345f5bd7a52d70a51b8d0300198bb41fb3b3daf8ba6db6a1024388d40ea206ef2ba516464dde9627d9f992fa49f3e3ea0919827fca8

/data/data/com.clul.ifoe.zzhm/files/mobclick_agent_cached_com.clul.ifoe.zzhm1

MD5 06b20b6b92ef24d5fda384d7677901b4
SHA1 340e31f93bacec41c2698e0ecea87706be18346f
SHA256 9181a39660485b69e581ca0acdf8713fcfab2f3fecb27c94a09752f31dbb51e7
SHA512 572b16ce08d7bff47d7c96b4934dc2bb659cb9711418a789ace631a49fdb22df798d1a2fa8501204812ee3ef963b41543afec4a373bde5b86acc115eb246c9f0
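Across the three runs the same dropped artifacts are listed under both /data/data/com.clul.ifoe.zzhm/... and /data/user/0/com.clul.ifoe.zzhm/...; on Android /data/data is a symlink to /data/user/0, so these are one file, not two. In behavioral1 the path app_mjf/dz.jar is listed twice with different hashes (3dd88e44... and then 30d7699b...), meaning the file was rewritten during the run, while tdz.jar and ddz.jar are byte-identical in every run. The Python below is an added example, not part of the report, that parses Files sections in this layout, folds the two path spellings together, and classifies each path as rewritten within a run, stable across runs, varying between runs, or present in a single run only. Its embedded input is a subset of the entries above with only the SHA256 lines kept; the parser accepts the full MD5/SHA1/SHA256/SHA512 blocks as printed.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the behavioral3 and behavioral1 Files entries
# above, path plus SHA256 line only.
RUNS = {
    "behavioral3": """
/data/user/0/com.clul.ifoe.zzhm/app_mjf/tdz.jar

SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
""",
    "behavioral1": """
/data/data/com.clul.ifoe.zzhm/app_mjf/tdz.jar

SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae

/data/data/com.clul.ifoe.zzhm/files/.imprint

SHA256 92f0a0317a43e0fdd60a00825f6ad08a958daa4dbdff99f655f23f9d9e9d4e2a
""",
}

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def normalize_path(path):
    # /data/data is a symlink to /data/user/0 on Android, so both spellings
    # name the same file; fold them so the comparison does not double-count.
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def parse_files(text):
    """Yield (normalized_path, sha256) for each entry that has a SHA256 line."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = normalize_path(line)
            continue
        m = HASH_LINE.match(line)
        if m and current and m.group(1) == "SHA256":
            yield current, m.group(2)


def compare_runs(runs):
    """Classify each path: rewritten (several hashes inside one run), stable
    (one hash, present in every run), single_run (seen in one run only),
    varies (one hash per run but different between runs, e.g. SQLite journals)."""
    per_path = defaultdict(lambda: defaultdict(set))  # path -> run -> {sha256}
    for run, text in runs.items():
        for path, sha in parse_files(text):
            per_path[path][run].add(sha)
    report = {"rewritten": {}, "stable": [], "single_run": {}, "varies": {}}
    for path, by_run in per_path.items():
        hashes = set().union(*by_run.values())
        if any(len(h) > 1 for h in by_run.values()):
            report["rewritten"][path] = sorted(hashes)
        elif len(by_run) == len(runs) and len(hashes) == 1:
            report["stable"].append(path)
        elif len(by_run) == 1:
            report["single_run"][path] = next(iter(by_run))
        else:
            report["varies"][path] = sorted(hashes)
    return report


if __name__ == "__main__":
    for bucket, items in compare_runs(RUNS).items():
        print(bucket, items)
```

The stable bucket is the one to hash-match against other samples (tdz.jar and ddz.jar here); a rewritten path like dz.jar means the first hash is a staging copy and the second is what ART compiled, so both belong in an indicator list with that distinction recorded.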