Malware Analysis Report

2025-05-28 18:46

Sample ID 241103-fm3egsylek
Target 89bf2bdd3cd00b7b3bed1ce7ba2ff29c_JaffaCakes118
SHA256 480994d381ca8b5bc03f38e557210ba6e48b2091f447ca8b0b57829e72a5eef4
Tags
banker collection credential_access discovery evasion persistence
score
7/10

Analysis Overview

score
7/10

SHA256

480994d381ca8b5bc03f38e557210ba6e48b2091f447ca8b0b57829e72a5eef4

Threat Level: Shows suspicious behavior

The file 89bf2bdd3cd00b7b3bed1ce7ba2ff29c_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

banker collection credential_access discovery evasion persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Requests dangerous framework permissions

Declares services with permission to bind to the system

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 05:00

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 05:00

Reported

2024-11-03 05:02

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

132s

Command Line

com.aioapp.battery

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.aioapp.battery

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | graph.facebook.com | udp
GB | 163.70.151.23:443 | graph.facebook.com | tcp
US | 1.1.1.1:53 | app.loveitsomuch.com | udp
US | 172.67.137.162:80 | app.loveitsomuch.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/com.aioapp.battery/files/umeng_it.cache

MD5 240e9a3007f338f4a5bcbb6cf5679916
SHA1 b70f640b976f75bbacf3fafc36a8c527f217edcf
SHA256 070a6077bffb57ec62b38d9d2bfdfb4de1ff857fbe2cad3c6f2220d8ae741b5b
SHA512 932ec6313111eadd5e183e50b98f42c07ceea3aa33323e369787b2f4aa1d6f381e9956c937af8a4b6c675925f4cc670d5abc7de0def2bbc01dfef1f85ca96019

/data/data/com.aioapp.battery/files/.umeng/exchangeIdentity.json

MD5 12806af9272a35f8d3914bf09baa702d
SHA1 1f393a1825d2957d987f2ff738b535c846290b5b
SHA256 286cb24a1dfc46ec56aba55939ab8c5af7a9f8eaff46befc70517e2b7854a726
SHA512 c80da6fbdeb914382ddfac0a7f318279df9d362c6b91aa5d303b915ddc2414e4c625971d44b6d6bc13419c662479239c55ee80a197fb3ce2eb45b28830481bc8

/data/data/com.aioapp.battery/files/jpush_stat_cache.json

MD5 a61faa4e347352a7b546c57345a7f8ff
SHA1 166b96c862e4945dda4122a9dbf370ff79b6f643
SHA256 928e153cae9ed2efa1b928275c8fa02266d03fa95568a2d993ed6efa40bcc99b
SHA512 7410e7eeed34188af7d8b4c84ad4b193d42bf68a05b3c294f75489840028c568448e1b948f196cfb6c104fe5bfd6162c7e19f837adbeb5e0cc8e8e428d8734e9

/data/data/com.aioapp.battery/databases/xUtils.db-journal

MD5 642eb4c174ae9d3792b750d243340624
SHA1 5d34b7e6e556d88b53a0d39651aa0114fc3143ab
SHA256 c099f559895476adacff6a62bb432749d664a204449faf9a812b6b2982120e36
SHA512 c031cca9a9a75610da9a39012e47cc59b4b55113556a816c3dfb20de78f3b111ebbd307e3284ae04f0a4a01c8ffc93f40d464fdbdd7484be184e3d75787962e4

/data/data/com.aioapp.battery/databases/xUtils.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.aioapp.battery/databases/xUtils.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.aioapp.battery/databases/xUtils.db-wal

MD5 9c9295e78d7f2497812b286725647428
SHA1 a106062c3dbc9ad845af75dad452a744da741a1b
SHA256 e92ae1d3690236e2c7f731399256fba0bacffbfdbe6a0e0e85429fe13e44d129
SHA512 a01816860daac0d85f95e028a6929e33c5981fd64a320dd4a746521a5b3b01f18a65c22f2a2a1cc705a9a52bedc9755b062b4e9ecadb439aecf3d34ee60a9a89

/data/data/com.aioapp.battery/databases/AIOBattery-journal

MD5 b772e05059e2a86f5b33b1881ac9690d
SHA1 8050bf67fb39be103b2ba226df8ee83cad22f2e9
SHA256 769b5864aaae4ec418d687e40e5aac043729e85dde822b1fdc4fbeced6cde5a4
SHA512 a2564cdfe01e01175387ad81abda2edec9e2c869734088492785646dfcb2dc4312547a3fff0b42173f024630530a6129fddf64308dda1438438cbef60163d4d3

/data/data/com.aioapp.battery/databases/AIOBattery-wal

MD5 f58c3c3eb2d8ecd82b77940f2245fecc
SHA1 f71d845ff4bac224f05b27353e000e2a82f50ce3
SHA256 da770d1c303b3e5dbff8905c0ebc4c383909a84eeb164563f151b0da4ed5ed48
SHA512 f667c945645c2c25e5705d56ab1be29d0ee2795c8de88ffe477bfce770a23d0b00ca14634145bb8a649e720150a11601e488f63cd587257b3f8b5896e487a141

/storage/emulated/0/obs.db-journal

MD5 a45db51d8beb4ebad6fe406b4601ffe6
SHA1 279aa2fa1311c6f0d5131b05b42d9efc2f25f81a
SHA256 b994bfebd868e5fc71b1c496ae2b079b8f1a9ba1cf12717bb805944db7b13f8c
SHA512 e056ec8cb9320634594d0835842ba651cd6a836bc6aae475f984c236f75119d7ab6e7ad65919092303e055b2348facf95992a281f1d85e328c67f2992e3bae5a

/storage/emulated/0/obs.db-wal

MD5 117f86298f74c154477196a07d9b20b8
SHA1 def027098087077263876f434ab147474f3778b1
SHA256 4b9e04b1db89c8fd49e1d73740f6ddeb59420d24d15a322cacbae70f44900414
SHA512 365635b11a9f4c24fbd583915ed72e42a29bffddcddfa5f6af1ccf3a2eefac74418c608dc9b01a6310876033cb9bd7ecb97834c00f8b223e51c19d034515ca80

/data/data/com.aioapp.battery/files/PowerTrace.log

MD5 a50fd48289342edbfcb04a73054c92c0
SHA1 853fd953986170e03f7a583c06df5db61a3b5595
SHA256 f2e1f83e93d224a7240af6963ae223028639fcd69cf42493d94ecdbc3c4e1b4f
SHA512 4878460194e19a4374cb71304313b448aa36cac202faff2eb81a715201f2aa0f141ab29c853f1210d4e93a54475260880b29b0265eb7cca7f887ff525a3a352a

/data/data/com.aioapp.battery/files/.um/um_cache_1730610085317.env

MD5 94d4734c87b3354fee575c07bf21cb5f
SHA1 efbaf44eaa9c85a392b93e4b37d8e5acb9ee7ff9
SHA256 6477f80e297450a64b6024d13b19643c6a2b8218d6bc4943cd7dd3c70a9159ee
SHA512 0ce44f5f7d1e1739b6d4be908638ae8f5dd7871a52a3d0995ac369dec80bfa619e267b6e935a06a3bdf70a672db6a2c1e36dd605a4a2f722256f42ac24f5e2f5

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 05:00

Reported

2024-11-03 05:02

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

155s

Command Line

com.aioapp.battery

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.aioapp.battery

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | graph.facebook.com | udp
GB | 163.70.147.22:443 | graph.facebook.com | tcp
US | 1.1.1.1:53 | app.loveitsomuch.com | udp
US | 172.67.137.162:80 | app.loveitsomuch.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp

Files

/data/data/com.aioapp.battery/files/umeng_it.cache

MD5 3477f82461bbf57f3e7c966165014464
SHA1 bf47f1e3351a2617a146cbf9febbedbb7f8de2ad
SHA256 605fb7b9a111c33608147e46bd0b370e2dfe8a3c9c4905ab45b8cc914efee66f
SHA512 82971ef68258d2dcb2495e8f98ce5012ee788894c9503e763f2459abb10a19e634164835b363170fe1a5ad631ef23a1015f07d8775d85eb535f3ba0c3789946a

/data/data/com.aioapp.battery/files/.umeng/exchangeIdentity.json

MD5 8f4e93d495b2fcecba5a788535c8ba53
SHA1 c69f04584d653bc937fc3f468edfeefc04a7ddf3
SHA256 dc6f9f5277697e75e5e87a84bd6f971c24682a3cb6341f39c61278e631ab0865
SHA512 eb3070adc2542db8870eefccccfa935f692df128d43ef9d8cd4368ea8d450a33cb40ada621167db2a46ed2032185f2779cc992a937a582c8bdc5e858d2843d75

/data/data/com.aioapp.battery/files/jpush_stat_cache.json

MD5 a61faa4e347352a7b546c57345a7f8ff
SHA1 166b96c862e4945dda4122a9dbf370ff79b6f643
SHA256 928e153cae9ed2efa1b928275c8fa02266d03fa95568a2d993ed6efa40bcc99b
SHA512 7410e7eeed34188af7d8b4c84ad4b193d42bf68a05b3c294f75489840028c568448e1b948f196cfb6c104fe5bfd6162c7e19f837adbeb5e0cc8e8e428d8734e9

/data/data/com.aioapp.battery/databases/xUtils.db-journal

MD5 57e2c49083b3534edcec19d885317e52
SHA1 b0c9cdde90fb4e019d0b8f6a11277a5bbbb31f9a
SHA256 6d33ccf177f0ff6e62c9884baa88b257cd6f37e04970da45d03b7532da5480b6
SHA512 d8ef6ae7c11db1b8bbdd251100c954430d578d9f39e4d7626940dfcef5f30cdc2d8ad6ced942a875d9d8707ccf6b94dd524e51d3695f2faefd87fd231106fbd0

/data/data/com.aioapp.battery/databases/xUtils.db

MD5 6da302a2e5fc0263420684f38a00e3fd
SHA1 9e1c35e91c3b84600dd8ebc10e072ccb91b5895a
SHA256 a9b2f6227429fd83edc4db9e62c5e3f8c45b55598f7b10c3132d6b339283c8d2
SHA512 6e91d3076e4f382a5e4119e6429b90bd4d604c858acb4914e8b67226f4ad0626e29726e09d12965f075ac6aebc49eb22faf0f5c6a286913aad9515887f91fa1b

/data/data/com.aioapp.battery/databases/xUtils.db-journal

MD5 c13772547503bdefed6e011ccb4015be
SHA1 e21e8c282291e3a6567f03562f17c7912deecf46
SHA256 48f345b89a212a417cad0e6b677383a30a0c7b191824182e8c8a8d0306079f7d
SHA512 85f64a98af3b601e3d356805a90d204d951d40da91ab51762c51beea468dd8c2f31d2c7b153eb4a9dc492e7ea8bea1a36059ff2d94aad4130868e3511e1b49a3

/data/data/com.aioapp.battery/databases/xUtils.db-journal

MD5 6f6eb98d0d53ef99a626505abe5e4ebc
SHA1 c22dbf802612f51a8c359aa17742bf7e5a5e9d93
SHA256 a2dbfd2fdc2d332e0e9d7588d5996bf7a5dcc8a897a7b64182dfa280b89a4830
SHA512 434e3d3eb22f986dd437bf1636bcb6aaf414bf8a2bae624cd2fa1de9f19a72a6d2dc2b4b468a1b1eb6cf96dfe148f5c375feff99fb607b9df6a36677371c8e15

/data/data/com.aioapp.battery/databases/AIOBattery-journal

MD5 3b5deacfcfb5a4fdfb2add62c3e6034f
SHA1 5e7d8af2cb1b63fdc5a7b3276ae2b4576916386a
SHA256 8431668dea324843819f5fe1daaaa35cb4ea98d34ae39384c24bf573b04b10b9
SHA512 2e1146741e522eefa4279b1e0574aa41e459c9df8e4fae40496bb00acf6a1baed3388a46a839532b8b6cc781d61b21376c9f10eeeb49a03d57eb6b263012ca46

/data/data/com.aioapp.battery/databases/AIOBattery

MD5 fd573c510d811268def30bb96ebbb749
SHA1 c700817a2692973ca45a01d8a37eda4be6a5d9b4
SHA256 fe19356b81c8bf1a9769da56b83eadd56316d49b8b0df6a1c3c3962e110e7208
SHA512 dfe909cfc2857aa44f1b91b98fe355b2e649ccd14e3c5bba73e8367adf14ea8ae7da0e921e082c6b9b5942862a75283514cc6fc917b3331e71a5e66db4a53831

/data/data/com.aioapp.battery/databases/AIOBattery-journal

MD5 68c8eafdc03f5a318a60ad787d1def28
SHA1 cb22ce42cd91c1166c7461a8d7fa7d21bcddc4c1
SHA256 3071d91dcd6230c9018662f34f324fc7d6f7b42cf004bf85e8214c5858010987
SHA512 7d4fe8a42029cd96c52fa14a10b129e526cd4aa7df4eb2cc7558b4a4db17c26a59afd57ef1db2d0b43769131d087b753f2003864e4dc15f06b430b5814c9dca4

/data/data/com.aioapp.battery/databases/AIOBattery-journal

MD5 0d280a75607ea594b5d1441ad8c16530
SHA1 eb58a855350f81d911e6d8ada0adac9de7a8767b
SHA256 688f2b024a6780fecede0acfc74253d7bcb98fe8436d4a08f15c5e544595a8d1
SHA512 ba80634e8293da54db104b0c3292ad86a6407fdca09b92a9f6a8e855ebd3f0917cf52ba5cc65296ad35a71f47e2b2adfb43398ec1080cdf7d98a87e426d2e251

/data/data/com.aioapp.battery/databases/AIOBattery-journal

MD5 3030dbe35ea4e68c0f856cc7469da314
SHA1 17ed64e3b5db6e043b1a3dd90e5d5d7651746ac3
SHA256 0106358f8adcb5683fbdcd4f5248a079221f021b3401f78e2ddc8cba0e46263b
SHA512 4d1625fb215eb7a892adff83d5d646cb0ef6eb4eba246348bc3cf675f648390d688b1656f80f5d26d2928de6c617bf967b91687231447961afadebf671d48b93

/data/data/com.aioapp.battery/databases/AIOBattery-journal

MD5 85732c63de554f1b0f678da8bf0f0e18
SHA1 b99548d4fdb45d6d8114f9df32fb9cc8997ee198
SHA256 386262688331b7290cfe8162c6aa8858786debcff2c621701cbad5ed629634f8
SHA512 97723e72fa1dfa703ecba86e12479811a87e3a33150f2a8c2aaf078cf6f69c527053f6f370f594851fa67fa865294ff11857edf344bcdc6b5ea0e0f7d77fd9d7

/storage/emulated/0/obs.db-journal

MD5 621b5904e3050b938ea64f2aa6869ec6
SHA1 2c403fa390beed4c166ea2d135ae7a93eb66092c
SHA256 a51bd5c14d306759b02b0085e8c00bcf3d0494a8ca43842e50d870a2394de052
SHA512 8948d2cc79f82a461500f040e4d7a884a1170fe2023724c140f7d06b5394f81b8c00e2efed3f99b8fac5f2b9147909086c2740b6081d1e4656485ae46345a4ea

/storage/emulated/0/obs.db

MD5 59eaf4f87749e4672d04ed5b5421b1a8
SHA1 f0f45874f9f31c0bde7537a08e46693bd367478e
SHA256 dbb62a8b3d509f98b8d5d6bd1b289f2a653d8821fd345d2370a45cb9e2cbcf04
SHA512 d499d39e34bf79cce4abdb55bec56806d79832f7ea92ad55e8ec6538d5ebedd177e06dd7a9bdabd33107bc7a76dcf9ad6d2f85d365c86c13dfa75d9b6e299d98

/data/data/com.aioapp.battery/files/jpush_stat_cache.json

MD5 850a7a5ae9e54b98469a70615432533e
SHA1 4d2b7a2f459f444850e709005c3ba7266e505cf6
SHA256 94216246fd620a7cc82c530cdb1c44c8047c660a569f9ac09990d66dad90a07e
SHA512 a04b1600a9108f7510f43b098fb56e794a0cbcb07d9388d2e81e936805f0deb53be303050429499e0b3fe39b968df83d7419c3d13795a4c2da5505eac2acfc42

/storage/emulated/0/obs.db-journal

MD5 72e3f10b1b8d56549361ad1d8345d603
SHA1 78404f745c3f8aeabf5736ac29f626ff57edaf55
SHA256 32d00a648b180582f00709a031b209ebd0a845821180ce8e99b43010280b5e4d
SHA512 a607f84974fe3df178bed6c562e2ea724c38eeb2acee5a5c5dd74f142f70fbe71b734864775d285a2ef9adda5a041fc30dadc64cc7a4134c5384be49d467d8ee

/storage/emulated/0/obs.db-journal

MD5 b7d76a9f1bb1cb292076be6f749f0a3a
SHA1 de5e3617e9a88658fe3024c9e90f84ec7f6d0dfc
SHA256 f5923dc8170700990c00d770f6c75f9daf1347fdb24454df6f6c0f8e010a5b02
SHA512 1197bea13ff014c11b4df7ca87a8ee84e88483413c2f88d51db50a9f85694c35560c7dd9b6a4c93444220a30e7697db08b4786592b52c6e99fe14bfca42f6991

/data/data/com.aioapp.battery/files/PowerTrace.log

MD5 a50fd48289342edbfcb04a73054c92c0
SHA1 853fd953986170e03f7a583c06df5db61a3b5595
SHA256 f2e1f83e93d224a7240af6963ae223028639fcd69cf42493d94ecdbc3c4e1b4f
SHA512 4878460194e19a4374cb71304313b448aa36cac202faff2eb81a715201f2aa0f141ab29c853f1210d4e93a54475260880b29b0265eb7cca7f887ff525a3a352a

/data/data/com.aioapp.battery/files/.um/um_cache_1730610084289.env

MD5 794de42d35a4e8707249ce79416cee62
SHA1 1b7b929475c16bfb6b3a5fc89c6f36348fed63da
SHA256 52307797a54f203088acf41fbf1c62be728f2c7a1e814e09864ba4c14d64986f
SHA512 4ea240fa3d9b9612b2cc8e1509f073d8294e80f6843a0df09f654bc13a07f52be036693ec022898eec275109d8b6b1076402b6a50f2b16e802f48fc25bf55b75

/data/data/com.aioapp.battery/files/mobclick_agent_cached_com.aioapp.battery5

MD5 f6af30f37eb123ab3579f2bcfe54ad04
SHA1 62555ab001f58c3bf3a52732184fc3c469add30f
SHA256 63d8e466c6d8a059557697e2f715d8c214c63d27ae087da8a33e90916b4d16c1
SHA512 85400077577de95da7f1df6508fab39685567e5465130fc5b643a061dd1a380365dc38f17b6d3f64268753b7c583d72d5924a6d69a12ae3c251e40c68b8e7397

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 05:00

Reported

2024-11-03 05:02

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

132s

Command Line

com.aioapp.battery

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.aioapp.battery

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | graph.facebook.com | udp
GB | 163.70.147.22:443 | graph.facebook.com | tcp
US | 1.1.1.1:53 | app.loveitsomuch.com | udp
US | 172.67.137.162:80 | app.loveitsomuch.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/user/0/com.aioapp.battery/files/umeng_it.cache

MD5 b1fad7f3f62af01ac6ff1d97262c1471
SHA1 c8e4e76e8b1f8a5449162bdcc01aed9dca02e648
SHA256 6092db8b4bf6ab716d7f17a16fcca2d5c43ac7719d43bad1de700320d2e6e0a7
SHA512 d9b730481b58d49acd6b30dabf6e1a04d4d17702326d2e4913337e3540e53f1b580aad99ed5aace74b801594167dedeeba0e66b958854c0330a6c3706199b15a

/data/user/0/com.aioapp.battery/files/.umeng/exchangeIdentity.json

MD5 422fa3647ffeb16a06195d995adb173b
SHA1 eb2eaa6d6bf329a848dcdd398f4d566ee7b4f638
SHA256 b4034e6ffe0e845afe17319581e0d9193c4a6646c500eea92164dbc383cb7b1c
SHA512 9763b4ab51a7f92d76946aa9ccd973e6979182c01d2862f366c2515735aebb2c7337be2f386a90f5a46116014f93893b8a352d8b701652e3e98cc2d526dcce13

/data/user/0/com.aioapp.battery/files/jpush_stat_cache.json

MD5 5a594cd2172abe2899c129008cc1950f
SHA1 86b2671ebf829ee04c07786666c935a731c2154a
SHA256 a63277442c55d747ed7acdefc95e10e09da3b33c2cf618627b8b13e5fe96adcd
SHA512 7abbf305a3833995bf1246f2c9fd8c22558bdd7ed34c6c4506060f120fda1bc7a6cf04250465d2185e534db33fb43491702a8c5e3cf246a7aec0362266cf275a

/data/user/0/com.aioapp.battery/databases/xUtils.db-journal

MD5 a50ec590bc1f29a253d0807ee36a45f9
SHA1 51af012afbed26522ee0a1f4de034e333f75ea9a
SHA256 bc5e8a419dae28863163dc8912726fe65563d2f421edc1d904a99dd61be4eb72
SHA512 954f5dab3232f14dc9ef5e2856cef8184dd064174a94b972778f716202f24750a565635aa848cc630296fd51daf2e35d157c01b8b6e459fedc241bb7d3caddba

/data/user/0/com.aioapp.battery/databases/xUtils.db

MD5 2e8d2b7e3b1a8758ee427d301314b7ef
SHA1 32bcf7c03fd4934e1224feaf2114df2ae56d0551
SHA256 67b1e827a498e60301f0b57d15e0e342027c49266e8be14c7441dc7f774c299d
SHA512 2a7acd5dff858b159ad5ddd05f8392dda9a0d2185dd5b2b4b20ab660d8946bd3686cdaaaeff7317d717a23a2da1d86e5e42e0221e20e55cc020a2d9a16b0869f

/data/user/0/com.aioapp.battery/databases/xUtils.db-journal

MD5 9f97750fa2fc75edc15875320a20ebc3
SHA1 db2f90c73c0bd1fe4b1cd61c50a9be5ae2682230
SHA256 63c193bb2ac4cdfc9d9a5ed94f8fb437210774cb97e4616bcbaa7430f33fc656
SHA512 e988d888076a2e05bebf56d1368acdb0df62a3508ef88c7ccb9929901967fd6d7a6075639dd719c911b9a874c89eeb645f8a298acbc5d47e6e6891fbeae1bdb0

/data/user/0/com.aioapp.battery/databases/xUtils.db-journal

MD5 1455badff992d298d18c6fe6e5f95909
SHA1 3bfd6da27b143720deff2a6d911daa4c00bca90b
SHA256 c3f89c9b62e589d705e3a89c0fed1620b32bb7ad6bf53367649a5e22fbb843e3
SHA512 24c7872a1165af54e44c11064e87fe7c7c8ca7f8b4a17a6e211aafc7709b548819f23dcf7e88a64d7e26e73e78b6bdc5d4790eecbd502f46cf5bf1491e2a7e16

/data/user/0/com.aioapp.battery/databases/AIOBattery-journal

MD5 16016e9fbfa7ea1795539b420bc722e0
SHA1 3ce403f30255ebdf9a52eefbf721f1d8ea073b60
SHA256 b307c0bc31c433dbe0d253b7605e182b1a1a8a3613fb15156dc8daef325e513d
SHA512 fd9e00ee05c519dc2528e78f01c3735cb6d665589f84efa568659ddb521dcfefde7b80be6b934d71d89a1cfac040b61eb4eb1e5bb45d6be826432a9bc0f3c965

/data/user/0/com.aioapp.battery/databases/AIOBattery

MD5 a6011efb2d6ed2de3952c6831d18f81c
SHA1 1466408e4dde4f86487b25b333023827038c2bd4
SHA256 afd60be54d84a04130d5ee5e8f5364357c0807e32a357295b44e04ed72564aa5
SHA512 2597d1396d75dbe019da8d83dca0ec35c2c5fbcefe10dc6aa9a6cd40139e1d760749e6888c42b2425a4016f81b094a1f96f724f39ca241c7f9167536c111f8e6

/data/user/0/com.aioapp.battery/databases/AIOBattery-journal

MD5 aed2522398bbd0c8c342858311254467
SHA1 7d38d48bb1a0c126360adcfbd5a4025d26ae1bcc
SHA256 b4448f6a5fe010518fbb0e6b9bce9827d44b10bcf1e12b9e958ea033f6ad4980
SHA512 8eef41dfb125e85b3b830abe32e3c5c4abd37f68c397c91386589187dc58c4f607f1bdabf8b114b448c420346459081094a57651ccc688c8e82eaa0a464e3767

/data/user/0/com.aioapp.battery/databases/AIOBattery-journal

MD5 d9e51046e71d43d5ff2ad31629d858ae
SHA1 bf51f48484e0df5c55336b57d573651c3b60efad
SHA256 bdcea03ed77c9804fb68d65a3bf37eae1615b2fde832c401d715630dba007f3a
SHA512 9c2454ad965516fccc15889b5aba542b04a3a6b543655192fc172db9e89acf106af581eb193448010196a1d85e67263f1e2dab1ea6b5a2498e9145e6f3306b4f

/data/user/0/com.aioapp.battery/databases/AIOBattery-journal

MD5 31553e26ab79adc8afe1f35270a34dab
SHA1 c98a1afd1a17a14b08af00fffb1cf5b11c4748eb
SHA256 2d5e2fb88979a3323cc7101bb7a20e18807ad9313434a9cb7a764e1e3b51c537
SHA512 080ddbbc73f05fceeef9f6e69c8872c41c90d5d341f61cb7828fe6fa216091f8c6f42d8674ea58ec8b61c0ef750ddaafd582a71a0d1a01641de1da13bf3f7aac

/data/user/0/com.aioapp.battery/databases/AIOBattery-journal

MD5 85431fdb16584aa2048cfe87a4bd1bc1
SHA1 23bd9f337d2e0655beac3682c2531c5e4fb24338
SHA256 910bf5690cba6a9d490f28eb417175c2cf6da6dd31d21d4d078c3b6f0db481a9
SHA512 02a6571b312a89bf6c003466f6c4b401cb40d391e74fd2f23b53bd3bfe7c00e8dab120f2639bd708f386ed787748db3c136d263c7ce90f18c2257ad7e48a2bca

/storage/emulated/0/obs.db-journal

MD5 0af3677e9f6d085b45a011363b89b694
SHA1 2dfd850e6795c3ec4ddead57eff8f222b7ddb735
SHA256 2b0605cc357f4fba8dcdf2584b6f6932fccb0b24080b9919cfed4df45702cb12
SHA512 7e1facb01ca6d31702f2af353266b160ada037ac7db47fc3547d4b58b69c5b42cd27bc67b5887a9c935ec05ae31491241a641aafa980a380d210959b3be9f5fc

/storage/emulated/0/obs.db

MD5 1bdf91f9b2ceb26e156497259fb93ade
SHA1 56245bdc5e2849cd6e7b32882d26c8d9c31e7681
SHA256 6ca4da6f019f8add6b7fd5e075abe95e42f4f3643eefe930a3a564a4789a3b70
SHA512 474cdf6aa823d70a78b98dd3941ee697320459956a5cdf41f40b435d2b0bc18bef623a5d0fcc545a34ade5ee9591cf30f87efda78874f9320425d451fe8a7424

/storage/emulated/0/obs.db-journal

MD5 e48f7d79349a9727e0c2629a0f8bbb8f
SHA1 1b1c053a0ab1806271f56ea2c7513c7c722b074e
SHA256 6a1ead7db45c7316a7944159d0e8944639191b95bf676c2df170e4d994761d31
SHA512 7923c328ad904b9fe4659c369325d6990439045f5ab7601644a53a27992179a305aef79f8ebb3edc4287b83f1de5e3efcc997a01a2155a4206901390de9f85bf

/storage/emulated/0/obs.db-journal

MD5 08c15d7363a7d398e9a264d95cebfe6a
SHA1 58425f27f6bb8612eccf4462581fb72d9a850ea2
SHA256 fa2fb4cb9969d541f04aee03accdfeac33583621a61e9ddfc4bd2062c29f26aa
SHA512 4b1b281496299f776749dccb182e9df42e15641c1e64f52a5031c32dcf479fa20289ab859dced0cf60d75dfb6deb4dfc9878bd399f25bae44ff73d6330d374ec

/data/user/0/com.aioapp.battery/files/PowerTrace.log

MD5 a50fd48289342edbfcb04a73054c92c0
SHA1 853fd953986170e03f7a583c06df5db61a3b5595
SHA256 f2e1f83e93d224a7240af6963ae223028639fcd69cf42493d94ecdbc3c4e1b4f
SHA512 4878460194e19a4374cb71304313b448aa36cac202faff2eb81a715201f2aa0f141ab29c853f1210d4e93a54475260880b29b0265eb7cca7f887ff525a3a352a

/data/user/0/com.aioapp.battery/files/.um/um_cache_1730610086478.env

MD5 2d2d25451e4d154eaf45d64d8008bb1e
SHA1 245988641f3f06a2dc6371a1e63d58b8a099e22b
SHA256 9c0199a18011ec439c12485f38313174446824074c7315f4e167a39346ca3053
SHA512 bc0ff0631c0fb6f5eda957c201726af750d12cca06d70ae1cfeb274f6069b65ef8293427c09d9bf8d84945efe470203a83a2e049b28e1f1fd938a7719d2a9f30