Malware Analysis Report

2025-08-10 13:10

Sample ID 241016-epgp5asakf
Target 4b54f2170e694d6b89e0ecfd2e44ff74_JaffaCakes118
SHA256 1c3b5517a71d4610f330b94c3c8b977cd97dbdf769cad0e620e8c1cf9eec4376
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

1c3b5517a71d4610f330b94c3c8b977cd97dbdf769cad0e620e8c1cf9eec4376

Threat Level: Likely malicious

The file 4b54f2170e694d6b89e0ecfd2e44ff74_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Reads information about phone network operator

Queries information about the current Wi-Fi connection

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (the matched domain, alog.umeng.com, is the logging endpoint of the Umeng analytics SDK, whose presence the files/umeng_it.cache and files/.umeng/ artifacts below confirm; the same SDK ships in many legitimate apps, so on its own this is a list match rather than evidence of stalkerware)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:06

Signatures

Requests dangerous framework permissions

Permissions declared in the manifest (static analysis; Process and Target are N/A for every row):

android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.GET_ACCOUNTS             Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE         Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                   Required to be able to access the camera device.
android.permission.RECORD_AUDIO             Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.WRITE_CONTACTS           Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:06

Reported

2024-10-16 04:09

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

153s

Command Line

com.sixz.ewxd.hody

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
No indicator recorded for this signature.

Loads dropped Dex/Jar

evasion
Indicator (reported 3 times): /data/user/0/com.sixz.ewxd.hody/app_mjf/dz.jar
The jar sits in the app's private data directory (/data/user/0/<pkg> and /data/data/<pkg>, the path form used in the Files section, are the same directory), so it was written at runtime rather than shipped in the APK and is only observable by watching the running app.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.sixz.ewxd.hody

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sixz.ewxd.hody/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.sixz.ewxd.hody/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.sixz.ewxd.hody:daemon

The dex2oat process is ART's ahead-of-time compiler running on the dropped dz.jar (--dex-file) to produce app_mjf/oat/x86/dz.odex; ART launches it when an app loads a secondary dex/jar through a class loader, so this process record corroborates the "Loads dropped Dex/Jar" signature (the command line appears cut off after --class-loader-context= in the report). The :daemon entry is a second process of the same package, the naming Android uses for a component declared with an android:process suffix.

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.140:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.140:80 ip.taobao.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
CN 59.82.122.140:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
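
The table above mixes the sandbox resolver (1.1.1.1:53), mDNS (224.0.0.251:5353), Google platform traffic from the emulator image and the sample's own destinations, and repeats endpoints across rows. The Python script below is an added example, not part of the Triage report or of the sample: it parses rows in the flattened layout used on this page, folds repeats, separates names that were only resolved from endpoints that were actually connected to, and drops resolver, multicast and Google background traffic (treating Google endpoints as background is an assumption marked in the code). The sample rows are a subset of this run's table; the regex and the background filter are the editor's, not the sandbox's.

```python
"""Turn a Triage-style Network table into deduplicated IOCs (added example)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: a subset of rows from the behavioral1 table, in the page's flattened layout.
SAMPLE_NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.140:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
"""

# Country, IPv4:port, optional domain, proto. Bare TLS connections on this page have no domain column.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

RESOLVER_IPS = {"1.1.1.1"}  # the sandbox's DNS resolver, as seen in every table on this page
# Assumption: Google platform traffic is emulator-image background noise, not the sample's own infrastructure.
BACKGROUND_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")


def parse_rows(table: str) -> List[dict]:
    """Parse the flattened rows; raise on anything that does not fit, rather than silently skipping it."""
    rows: List[dict] = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("Country "):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"], "proto": m["proto"]})
    return rows


def is_dns_lookup(row: dict) -> bool:
    return row["ip"] in RESOLVER_IPS and row["port"] == 53 and row["proto"] == "udp"


def is_background(row: dict) -> bool:
    """Rows that must not become block rules: multicast/private/link-local, resolver traffic, Google noise."""
    addr = ipaddress.ip_address(row["ip"])
    if addr.is_multicast or addr.is_private or addr.is_link_local:
        return True
    if is_dns_lookup(row):
        return True
    domain = row["domain"]
    return bool(domain) and domain.endswith(BACKGROUND_SUFFIXES)


def extract_iocs(table: str) -> Dict[str, object]:
    queried: Set[str] = set()
    contacted: Dict[str, Set[str]] = defaultdict(set)  # domain -> {"ip:port/proto"}
    unresolved: Set[str] = set()
    for row in parse_rows(table):
        if is_dns_lookup(row) and row["domain"]:
            queried.add(row["domain"])  # keep the name asked for, even though the lookup itself is noise
        if is_background(row):
            continue
        endpoint = f"{row['ip']}:{row['port']}/{row['proto']}"
        if row["domain"]:
            contacted[row["domain"]].add(endpoint)
        else:
            unresolved.add(endpoint)
    # Names resolved but never connected to: worth a second look (dead C2, gated by a server-side check, ...).
    queried_only = sorted(d for d in queried if d not in contacted and not d.endswith(BACKGROUND_SUFFIXES))
    return {
        "contacted": {d: sorted(eps) for d, eps in sorted(contacted.items())},
        "unresolved_endpoints": sorted(unresolved),
        "queried_never_contacted": queried_only,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_NETWORK_TABLE), indent=2))
```

On this page c.ioate.com is resolved in all three runs but never connected to, which the queried_never_contacted list surfaces; the bare 142.250.x.x:443 rows land in unresolved_endpoints because the report gives them no name, and whether to treat them as Google background traffic is a judgement call the script leaves to the reader.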

Files

/data/data/com.sixz.ewxd.hody/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.sixz.ewxd.hody/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.sixz.ewxd.hody/app_mjf/dz.jar (first captured content; the same path is listed again below with a different set of hashes, so the file was rewritten during the run)

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.sixz.ewxd.hody/app_mjf/dz.jar

MD5 9b47e78a6ff90cce5755ce4742047627
SHA1 831b24aa9e116eb8d7065efd430088d419dfd6c7
SHA256 30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae
SHA512 4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

/data/data/com.sixz.ewxd.hody/databases/lezzd-journal (SQLite rollback journal of the lezzd database; the -wal and -shm files below are its write-ahead log and shared-memory index, and the behavioral2 and behavioral3 runs list several captured versions of the journal)

MD5 605f8c9f4a9b7fe88e4919af4c4e0b27
SHA1 8acec1885f45b0081be6702ac255423dc441ad57
SHA256 261336de8c3f6aef85495cdaf8c4291a2b73f636b1a1a872de97056f32dc4830
SHA512 7b24fe2bc359c31604aab2c9d3a348be2cf3b53f01fc499a056139029cc08201ee926d57d26d61cc54d3753d749491aa7682dd3a085c621185a5b5240503caf3

/data/data/com.sixz.ewxd.hody/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.sixz.ewxd.hody/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.sixz.ewxd.hody/databases/lezzd-wal

MD5 dc53613971aed79c3678fc0b8f0af837
SHA1 0da906048995185240b53945a4fb2fa550dac8be
SHA256 a5ee8f0a054304a92f10045ce4494da77d721667541732783ebf94220a31be3b
SHA512 9aff348794c101586b0ed50cd42b648c5dfbfe8356549bb50e0879823ce932d54112649f8ac291e6884609730fcdbecd7b1093f3270111befbbfcdbb6fc4cf26

/data/data/com.sixz.ewxd.hody/files/umeng_it.cache

MD5 c594fcb03f79d9d7f4e27339f68e49d8
SHA1 1f5f5409416d8fbf4a21224cdaa5e02d7135eab3
SHA256 9d04e96c338732cff4f597ac8af891e72004e27b961ffab86a04964cf83ac591
SHA512 406d5f799f69442a2654a029d0f7d482cc598b6ddf0cfa0f825905a36bb4433469d2da2da0064b249553f03924acca45ef3eb10678e9505a1b7177b2523da18b

/data/data/com.sixz.ewxd.hody/files/.umeng/exchangeIdentity.json

MD5 a8d0f025a1c70c02726dac50c6a13972
SHA1 b80c142a8d01823c4029cf537d13de11d325385e
SHA256 8d017cb848845e153707c4d21243a97e390af9c34137c2e6c9b77fe46e57e8c1
SHA512 c78a3248d43c37b1150f52ee41f4fcb42166c76f878f8dc628f2eb67e1cf7eaf44ad147c7011348a3f6458ce9d421005086929bd55641b121f2d904896bccd98

/data/data/com.sixz.ewxd.hody/app_mjf/oat/dz.jar.cur.prof

MD5 e11ced51cdf1758ccf6755d2a0448e26
SHA1 dfde9fe1aac36787799781712382320183811012
SHA256 e204188cfc7b969c3d074c7510b037725043cafaea5fdad8c4bab0ac78b3cd62
SHA512 53b00852dcd64750e9e9d1fb3d5e93b0c5e90a420e454191fc8c9e5ab7141de08fd94cb418ebb5d8f426c35b5dec7e6c3312bb8cde4bfd2788f00c0599841831

/data/data/com.sixz.ewxd.hody/files/.um/um_cache_1729051726822.env

MD5 0dcbc39fab54f458a01d7d13c29cfb31
SHA1 6d9feda22795c454f0f0a2d675536f916e2fa295
SHA256 13a59ff72603cc4b44a9d20e61a203fec7929f0cb00a02cf0d9e6dd5dabfedf6
SHA512 c14b03e83fb38b31d254b117c497ad1192bf85c39ea3e6c70c9cb9b3f10c12a1b69c9c26ae724b536c3a5311b089b3a1fbbeefb8e63c067fbf9551a9e53a8909
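
The Files section lists dz.jar twice with different hashes for one path, and tdz.jar and ddz.jar under /data/data while the signature and the dex2oat line use /data/user/0. The Python helper below is an added example, not code from the report or from the sample: it folds the two path forms (on Android /data/data/<pkg> is a symlink to /data/user/0/<pkg>), checks whether a dropped file is a raw DEX or a zip/jar carrying classes.dex, and emits the same four digests the report prints, so a jar pulled from a device or a sandbox can be matched against these entries. The jar it builds is constructed inline and holds only a DEX header, not the real dz.jar.

```python
"""Triage a dropped Dex/Jar payload the way the Files section records it (added example)."""
import hashlib
import io
import posixpath
import zipfile
from typing import Dict, Optional

DEX_MAGIC_PREFIX = b"dex\n"  # ART dex header: "dex\n" + three-digit version + NUL


def normalize_app_path(path: str) -> str:
    """Fold /data/data/<pkg>/... onto /data/user/0/<pkg>/...; on Android the former is a symlink to the latter."""
    norm = posixpath.normpath(path)
    if norm.startswith("/data/data/"):
        norm = "/data/user/0/" + norm[len("/data/data/"):]
    return norm


def package_of(path: str) -> Optional[str]:
    """Owning package for a file inside an app's private data directory, else None."""
    parts = normalize_app_path(path).split("/")
    # ["", "data", "user", "0", "<pkg>", "<file...>"]
    if len(parts) > 5 and parts[1:4] == ["data", "user", "0"]:
        return parts[4]
    return None


def classify_payload(blob: bytes) -> str:
    """'dex' for a raw DEX, 'jar+dex' for a zip holding classes*.dex, 'zip' for any other zip, else 'other'."""
    if blob.startswith(DEX_MAGIC_PREFIX):
        return "dex"
    if not blob.startswith(b"PK\x03\x04"):
        return "other"
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex") and zf.read(name).startswith(DEX_MAGIC_PREFIX):
                return "jar+dex"
    return "zip"


def digests(blob: bytes) -> Dict[str, str]:
    """The four digests the report prints for every dropped file."""
    return {alg: hashlib.new(alg, blob).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def triage_dropped_file(path: str, blob: bytes) -> Dict[str, object]:
    norm = normalize_app_path(path)
    pkg = package_of(path)
    kind = classify_payload(blob)
    # Code written into the app's own data directory at runtime is by definition not part of the signed APK.
    loadable_code = pkg is not None and kind in ("dex", "jar+dex")
    result: Dict[str, object] = {"path": norm, "package": pkg, "kind": kind,
                                 "runtime_loadable_code": loadable_code}
    result.update(digests(blob))
    return result


def build_sample_jar() -> bytes:
    """Constructed stand-in for dz.jar: a zip whose classes.dex holds only a DEX header, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("/data/data/com.sixz.ewxd.hody/app_mjf/dz.jar", build_sample_jar()),
        ("/data/user/0/com.sixz.ewxd.hody/files/umeng_it.cache", b"{}"),  # constructed content
    ]
    for p, b in samples:
        r = triage_dropped_file(p, b)
        print(r["path"], r["kind"], r["runtime_loadable_code"], r["sha256"])
```

Matching is by content, not by name: dz.jar is listed with two hash sets in this run, so a jar recovered from a device is compared against every SHA256 the report gives for that path, and a miss on all of them means a third version, not a false alarm.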

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 04:06

Reported

2024-10-16 04:09

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

153s

Command Line

com.sixz.ewxd.hody

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
No indicator recorded for this signature.

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sixz.ewxd.hody/app_mjf/dz.jar N/A N/A (reported 2 times)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.sixz.ewxd.hody

com.sixz.ewxd.hody:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.179:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.121.179:80 ip.taobao.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
CN 59.82.121.179:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.121.179:80 ip.taobao.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.179:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.121.179:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.121.179:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp

Files

/data/data/com.sixz.ewxd.hody/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.sixz.ewxd.hody/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.sixz.ewxd.hody/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 288ef4c606352d225878f88c8be29d62
SHA1 a44cf94cbd07073b49d6149eb8c6388a77fd4596
SHA256 f9e12d4e6683d84216f76dcfa8578434c3ef21cb562b22a6948ae798d9b808ba
SHA512 44895b7840d7d0672e83bf8454c931864cc3bf8f29034b52321356ad5308c59280010ccea2b647dc2bc5a2236ce76987b315963c2d2236dacaadc558229a53bc

/data/data/com.sixz.ewxd.hody/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 015a2cba9c8068a37b6df0b41a48e904
SHA1 39578782c2a317673f98f6413a3330f983bf9195
SHA256 47586904fe9d080083297e158898d2d5c9873ab043b3152bf52df4e816b5ce5c
SHA512 5aa6d0290adf562ebe73f004578760934cab5882842ab595c47a1f27f83ade184862f62de09ba08059dbc5379726c3edcf63fe95f82a51f4fe4e422a2fd750aa

/data/data/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 8720ec0aa920c368374dbbf7b0428e86
SHA1 23405da8ef4fd5fbd5ddbf590afda8175df12f3a
SHA256 7f118a5d27e5d602b84afc43f1abbf44904a1072207e931cbcb5a45c65200a23
SHA512 2a08b44133c2caf1386a52132f9abf0be3f692ebdaef85ec08d85c8f784993fa337d3be9450c5b1709ba6b0294470386aa3f06fc92d1b883a6d599a6f88fca58

/data/data/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 27e4498a8167c5b595f8fa1759675096
SHA1 13d751bb874eda866ac61578af84895e2930cd69
SHA256 89bda10b961aa214937615fe95fbe10ce3041745f010dacfeaf3a03be3e5d2e5
SHA512 54b60488c34d19d3ddcb80d7c8489a5348da6128ad5dfff84658e6d11431a549cb9abdf1e3a70f617e9a4aeea93acc12177852ae245fee444292a4efe92b1a8d

/data/data/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 5133d8ac8c989e4668e983ea68b32649
SHA1 8ee2a8533c60dea9b4c6066581d347f7f9129ef7
SHA256 b2ddd2b086bc359750811d19582626ffe489db123b0ae77ac9cf25acca210f6b
SHA512 4408d72abf2926e33c29d5b22bdc8f9fce95e9f72392044b29d72909adc08d098d4ddeb417f16bf532994adb393d0eb0699f0878cae235b945df4f96710059b5

/data/data/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 86b51bb13907a4d10f484c909a3b013f
SHA1 a968def6a18ed2a8fb8a94820ded12dba816c3c9
SHA256 b2cafeb893f591b87d2f56fd4ed8bb71e7965a2ae1381e9e734221a9bb761bcb
SHA512 2af3afb05eccced3cdabe086cb75397d3f52612c602414e04c9faf180757f1bc73f495d6f884b7a4ed8dfd3bdfd7ebc633eb770737c95e132d23901289451c54

/data/data/com.sixz.ewxd.hody/files/umeng_it.cache

MD5 19c7bbfc400fcaa8edea9387e40c1e4d
SHA1 4ad1298dbff098445245a43e7785dd58e17c3104
SHA256 7527e191cacab7a2ffda0b80dcd07e716d6758bfeac954828a275373caa6f2f5
SHA512 b16593479893c9967a24cd82495752e0d512ffcd6c5091bfcef88166c87fc13036c3ca705d574da308494ba4cc87d7f711ed7278be2f6e95c9052eaecb2ef67d

/data/data/com.sixz.ewxd.hody/files/.umeng/exchangeIdentity.json

MD5 d7a0bb80feb3f96df919e3f3423715d4
SHA1 6b938b13a810ae158a5902626ae38ae5386d0320
SHA256 0f758542f872e31d1b166c0a4b8c77552093eb1f65856bffa64c015f0aabfa19
SHA512 1fbf94cbadd1986d7a805407744a00cfbba66123f299e7ddf95a399a25a26c2531ae2765f2fd10c5b457d376d76dc60c0cedcf169969dd72034ec8df86c104a1

/data/data/com.sixz.ewxd.hody/files/.um/um_cache_1729051726138.env

MD5 b47f6db91830bf1f53a319a2090dead2
SHA1 41dc0b3b65cc2055f4c51f321639984c863e593a
SHA256 d2069d8595c55d2263fc4885329c5c19c769c2e93959dbc70841dbd5b1ae700d
SHA512 36a460471efb2a8e38ca2f8edab129fddc0c784f91aa355c280a6bbdc3a22b6fabf1bc5c22e51b4e49e8af8701b1f095bfc9b7a73b5468fc214b8d65fcf520f4

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 04:06

Reported

2024-10-16 04:09

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

154s

Command Line

com.sixz.ewxd.hody

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
No indicator recorded for this signature.

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sixz.ewxd.hody/app_mjf/dz.jar N/A N/A (reported 2 times)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.sixz.ewxd.hody

com.sixz.ewxd.hody:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 199.59.243.227:80 o.pmuro.com tcp
US 199.59.243.227:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.121.73:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp

Files

/data/user/0/com.sixz.ewxd.hody/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.sixz.ewxd.hody/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.sixz.ewxd.hody/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 531e9ac00e9d01828105c7aa9a8115e5
SHA1 aa3b21c0196c01adc12519be56a6ec4e342bfcfb
SHA256 ef35b51c6fc670f7e231358ca2ccc196d05c3141e03a494fa896bd2eaed8502f
SHA512 bfb97cf89afa97bc6dd0177d81c4753bb5b2c37796fde2d038b89ce80418cfb2fb054a7b1639ada2b409c254b4ea217175273fe001b246cb02124d672487487f

/data/user/0/com.sixz.ewxd.hody/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 5e4b5dea093ec6e68010ea574aeb021c
SHA1 8ddfd50915cd389e528ee51ab058ee3f3fba870e
SHA256 7a490ed3dd0ef6c001bc6f365e711f978912a7ab872ed03e91a410151d1a6bca
SHA512 de0ef0ff8bd6223a5608df89bcb4d33cbcaa9a76e8d86593ac6e495e29d404b43278b9ef4a0a6cb6385fc99b16c52fce4f0d2f320912b1a25b81efc71993dde6

/data/user/0/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 2bf8c7aa1a3853f64cd7d0d76fce59e4
SHA1 bb5a75e08a00ab9e282cd9417eb6b76a9471ba0f
SHA256 986f94e34f5858c7973849d76d7e9246a3a3351961e29f78a251661f342d5161
SHA512 e7a7a0fa23f0d6f5731d2886c5ba0dbcf73d5e68ead8b66460c18bd52c7676e14f795926b212eb65a6d6bbb6227abac51d093d99fbe72abdf77dba51f0b3065d

/data/user/0/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 3f89ab45ca04265569312e27fab5fe30
SHA1 06b371b19e27562e091faefd16d00ef0a9bced5e
SHA256 e0fc3cfba617df349b01f20a4cf9154e58471f38ac4371cf615bcf8d65658bc6
SHA512 bacff933b40c9f2652d59f6ab6f8d83730d22954caecf13fbee16325c339a3f8cb76be8bec1dbbd9cf6135be60f7c980cfe97d0989cea73d3d32f64761970ab9

/data/user/0/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 b07e9edce6c51021a8985c836831cdbe
SHA1 72c8ad5628c4041d4bc5ba8c587b6bf7e5722fbb
SHA256 480c4ac5d4b66e63139ae71de793b075a20bffa563b5982e5fc841b8307b8a56
SHA512 d79e23d662ae89f8f4ac31aca5e1ce01dbc184b15131ef38e7406ed2ae5900dfea4f00791da07a1ab68d0f0e7fbe92faf7d949262bc36f7945f55c6047d96726

/data/user/0/com.sixz.ewxd.hody/databases/lezzd-journal

MD5 0f4709fd3fb91c69021d3d152d396ec1
SHA1 bccc3823bab60557807115ae1aed53950f95c844
SHA256 3d2bc8d8be09cd32354a31b6f758644b22b5f047a92accd2b02c6854750b0661
SHA512 cb0196614389d3b3911f3cdaa0d4e693631a03dd73d3ebc0bf656bff03d7cb778b237198f497206f0892ad9bb6dad9f8895386c3311a255eac4e1c0f03043c1f

/data/user/0/com.sixz.ewxd.hody/files/umeng_it.cache

MD5 d9dc11d5533fe5953612c3b79a342019
SHA1 b009abc9cb25d4671405a5b0f82335b4e350e0cf
SHA256 cae5b41fd472ffc13be5d3b547de199de431d51f694074073445fb6174e4babe
SHA512 97125e8d81b12994101d661fbb08f59545fd7d9ab2a3a80928dcaa25ef60fd82aae5bba549102b67267073af8321e294f6cc319972c98460331347c64244d5cd

/data/user/0/com.sixz.ewxd.hody/files/.umeng/exchangeIdentity.json

MD5 967062468effb7f0f1f6d0ceb363a493
SHA1 7d0ac754c0825cab1cbacf435d250cad61fce622
SHA256 e8610d15d5045eae8a2f4b8a8d1d8f137faba18e00c5d679ce99475642a5d70a
SHA512 53bf3ef3d0c14906d2f57a0e34c72529e96694ca0347cd60b6a649a99b7a4c12023c29f7959ba6af6c04156ae1efd9706ec1ae1e4c0cc05e89cce1876414811b

/data/user/0/com.sixz.ewxd.hody/files/.um/um_cache_1729051728066.env

MD5 3ed958917c575c743a5af45ad35e7b95
SHA1 066098475593d6e3ccaefe7f053c060a9726c5a0
SHA256 0b29029ca019579e803ca08e74f59f4f571ac262a1b5b98537c50803270884b1
SHA512 94b7fd69906851444a4508adeedfc261812d3adde5022d4af67c3b5da520aa605ff95bd895c3e936a05f538972d8b7e5fba795a86e163b49b592b45134315b9d