Malware Analysis Report

2025-05-06 01:31

Sample ID 241103-y2yzqatfpn
Target 8d4eab297e8f4913c33932f772a0a886_JaffaCakes118
SHA256 d3655fa625d728ee9ccf7ae84024897b9d1a579faa833744b8dd46ac2935cd11
Tags: banker, collection, discovery, evasion, persistence, stealth, trojan
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: d3655fa625d728ee9ccf7ae84024897b9d1a579faa833744b8dd46ac2935cd11

Threat Level: Likely malicious

The file 8d4eab297e8f4913c33932f772a0a886_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries information about running processes on the device

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-03 20:17

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-03 20:17
Reported: 2024-11-03 20:20
Platform: android-x86-arm-20240624-en
Max time kernel: 149s
Max time network: 154s

Command Line

com.lzfu.syek.pbqr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.lzfu.syek.pbqr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.lzfu.syek.pbqr/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.lzfu.syek.pbqr:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.165:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 api.adcmsware.com udp
CN 59.82.122.165:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
CN 59.82.122.165:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.122.165:80 ip.taobao.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.121.163:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/data/com.lzfu.syek.pbqr/app_mjf/tdz.jar

MD5 30617d6621bcd972fcea53d04f3b2a55
SHA1 a0a51f60773e3a1eea2f929c8f1df896b6d71e7e
SHA256 157b006e48d74dc023d671b5a7e9e61f96853be434db43efa8754aecba50e12b
SHA512 d7735599a3186ba6ca0c6151299fc9353495e4cb4cf1b3a8aebfe6e0901e839f1027013aebb2d168c8fe2ace65fac6bbc89b56b8316e546bda879825febd1ad0

/data/data/com.lzfu.syek.pbqr/app_mjf/ddz.jar

MD5 656eec0445b1ac574b87e1bd3a98d969
SHA1 fe3e1ee6bac338416e47e90ed249cb82aeaf6bd4
SHA256 0817449409b55007ece8d2d25f6d4b075ebea09c7feabee79636176bb0794792
SHA512 9a2737d22a9e647eadf4752513df79fe960cb69ec9563a2d7f504b3e91a95a6081876ab068355b8db49c44ea8627a33ca94c0244c2909668bec2620dc71a27fd

/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar

MD5 18cfdb00841ddceacea677d69a13ba5a
SHA1 df15b27afa69a8f4e0e74c250e56df55e5701172
SHA256 676ca8a391c823e9a3fdd7df70a1fc30f8ebd4680db0daff3e057cc401c9ad83
SHA512 83886e59ac0462888e9b82475ebaeca79dcbabc8a2a01a6217c0ca122e41c1d373fb878bf6e5e885b8459f259e834df91f2c8bf30a2a52824e298a65d6dda86a

/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar

MD5 daa884f34fd8ae9dd3bfb6b119ff3aff
SHA1 7de35d394619e09d959ed996ad265702cb8b8efa
SHA256 c9c157972fb88b6be615c55598c6dd7bc36a518c2b24e8b6ee5fd48f532381a8
SHA512 dc316772998f61131936b0cb6058a3ea7f144b31da11bff492408fb03ef3796604a2f887670d160e1302253d2ceac4e1621f6d26ee4293e21856a862b4f4125f

/data/data/com.lzfu.syek.pbqr/files/umeng_it.cache

MD5 da4e7678bf2fa5bd14952bf88b47346a
SHA1 f94b25bdf38c06c51634cb54749332989db57a0e
SHA256 ecd58dc68efa391fac0e5f4fa3f4c9b354f38662f0fdcbf0a79b4b132b05e463
SHA512 c82b1e7f1aea89b20eba9f6ac5e98e89d1d2f97903a64b204aefa7c6165cc500bf0577e83c443a182d92c20ca1bfee05109564e6dd1d9a91debe3e6a80aae747

/data/data/com.lzfu.syek.pbqr/files/.umeng/exchangeIdentity.json

MD5 8bc7a6129e7de57b15c84522058b07f5
SHA1 4039bd9581b14f824e05d443aebd7455405d083a
SHA256 f427b93d46b0e426805891a17731eabb6f9d16f0bc56f1ce4b81b0c2c6f35028
SHA512 ee7f318c78d5b0623bde1ed55e670fa754b9126fb528f50dfd5365d234143101254bba4f28f51e6b2f68ba1b14d20ea28c6ce3d46783c93c2fbd5bc96c12d725

/data/data/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 ed8252bc56107301cce12b6af151e15a
SHA1 2e47ef5807f68492a39b4033e23b32dc7dbf3625
SHA256 9b6c049c5b40ff1ab4fc920c8951af9d7309af0daf576a148de22c3fdaa344dd
SHA512 a8540ded15f7cdaf199ec2e65e54efa8d1a66022dbb0ea53dcba38cbb815cf42764ef93a811e44406dbf6cd3ea865ab8447d482262aa87650e00900eea6a1675

/data/data/com.lzfu.syek.pbqr/databases/lezzd

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lzfu.syek.pbqr/databases/lezzd-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lzfu.syek.pbqr/databases/lezzd-wal

MD5 1caa93a6bba9132f25ed0597dce693b6
SHA1 06ec5168572b59e04a4eddf212fe93e18f8e745a
SHA256 bacf04161c9335390eeac94da78caafa8c4792d2f32d3ad5bbaad99f1d823e9b
SHA512 ec8dc6e5e33710ba86294fd2b44f71246241531a0039c11abec419044e4b3792c72af22cc227a9d9c7c8d4206a4b0866fd6c8cc2c3e02d07979a6776dbba113a

/data/data/com.lzfu.syek.pbqr/files/.um/um_cache_1730665124084.env

MD5 2f8e5f34395a95df326d285604b50e15
SHA1 135b3bfe7da490c07e5d9ab41d173547a73ae5bc
SHA256 fff88f9bd10f5936c74f852d72ffa69397fc2350ee71a2853e3c8a3c16dc87b2
SHA512 b0fe860979b799b6c21afb350bf36141f0b812c1d145e45c10568ca74032598934b38ff1acf740f84c0184b751b72d59f232c8c8512a7932ff0dca543698246d

/data/data/com.lzfu.syek.pbqr/app_mjf/oat/dz.jar.cur.prof

MD5 b7651923c417e1746ea4abae69116ecb
SHA1 53795825a0878ea160fb8060b8a72d5809af23a2
SHA256 f5cd90f670c180875154c0d37da21da54f2bf84082f636d3f4cd434047c1726e
SHA512 bc942b59afbe61080f60577461ad3ba0c53936376eb56803030ccca1eb1ed0d26ca41c91b22fa16886bea19444c9c60e8cf920fceefa1752c932c07679d7faa4

/data/data/com.lzfu.syek.pbqr/files/mobclick_agent_cached_com.lzfu.syek.pbqr1

MD5 8b2000dcdc03ad108e62ea9a19a6d9ed
SHA1 385a5cad5f646559d43a2bdeceb25584bf8b8633
SHA256 572f9dd98668b7f139821fddef14f5af701e5393095775121fc4cdbb59f70a3b
SHA512 931f38cc2b23fc0fdd4b907260f8a90dcf1ad96b63cf3dc9dc33acea08995478ba6ff5ae63f095d417b7b7107549c4dd4058506cf69857b7895adce419f7f5f1

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-03 20:17
Reported: 2024-11-03 20:20
Platform: android-x64-20240624-en
Max time kernel: 148s
Max time network: 156s

Command Line

com.lzfu.syek.pbqr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.lzfu.syek.pbqr

com.lzfu.syek.pbqr:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.adcmsware.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.140:80 ip.taobao.com tcp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.122.140:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 59.82.122.140:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.122.140:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/data/com.lzfu.syek.pbqr/app_mjf/tdz.jar

MD5 30617d6621bcd972fcea53d04f3b2a55
SHA1 a0a51f60773e3a1eea2f929c8f1df896b6d71e7e
SHA256 157b006e48d74dc023d671b5a7e9e61f96853be434db43efa8754aecba50e12b
SHA512 d7735599a3186ba6ca0c6151299fc9353495e4cb4cf1b3a8aebfe6e0901e839f1027013aebb2d168c8fe2ace65fac6bbc89b56b8316e546bda879825febd1ad0

/data/data/com.lzfu.syek.pbqr/app_mjf/ddz.jar

MD5 656eec0445b1ac574b87e1bd3a98d969
SHA1 fe3e1ee6bac338416e47e90ed249cb82aeaf6bd4
SHA256 0817449409b55007ece8d2d25f6d4b075ebea09c7feabee79636176bb0794792
SHA512 9a2737d22a9e647eadf4752513df79fe960cb69ec9563a2d7f504b3e91a95a6081876ab068355b8db49c44ea8627a33ca94c0244c2909668bec2620dc71a27fd

/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar

MD5 18cfdb00841ddceacea677d69a13ba5a
SHA1 df15b27afa69a8f4e0e74c250e56df55e5701172
SHA256 676ca8a391c823e9a3fdd7df70a1fc30f8ebd4680db0daff3e057cc401c9ad83
SHA512 83886e59ac0462888e9b82475ebaeca79dcbabc8a2a01a6217c0ca122e41c1d373fb878bf6e5e885b8459f259e834df91f2c8bf30a2a52824e298a65d6dda86a

/data/data/com.lzfu.syek.pbqr/files/umeng_it.cache

MD5 e965a5b89c9d9524fab75f26c18138a7
SHA1 e193c8cfd9e35f396caaac902d24c3d0eeea9ea8
SHA256 404f7d9bd4b8398a9ac26338c7d78664e5365090a0f65c6604311d4f68e08838
SHA512 465fc5bcb801a5cad6273802fad85fd9166bc389d18aaa3b28b95302486d38ca195444f56e12505e41bb0b523223f365190eefca5480dcf13380e9c26b1c33ca

/data/data/com.lzfu.syek.pbqr/files/.umeng/exchangeIdentity.json

MD5 b2a614488c5b02983e00041091d82258
SHA1 2eb0116c9d71d187e7d1f9e11cf02b64f2aaf95c
SHA256 f8bc39734caf43fc62695e3b36b1b4de5651617cadd0b2b283dcbe88da6bc6b8
SHA512 dd728f10bb41019b863a6783e8fd5e9ff85c9a4846242b907da9450e3a2388aebfa026f5df57d20a65976beda0a37ab49ee138a05c80a6c866e03012ca84a39d

/data/data/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 efd135267d9788ffd48308a27fdb1dcb
SHA1 20302503bcd9255f4e73564d91cb936d824498a1
SHA256 ff24a965b56288f398dd008ae88c7da6f270ecaef7e2e49c70a123881ea60d3c
SHA512 47d46673d4849a6fd36b00a613af200866d7ce962783bc8f7f3890e203d6d8eb4f08a143dbe7b1514b0db21fc155e231785bcb1ec4bf15efe9d44d8d64ad32a7

/data/data/com.lzfu.syek.pbqr/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 a6fdf3f2097f5ff7ac6e931f288c9e32
SHA1 5c1fc063bf1fcaf3e6bfba185dca530eb82a505f
SHA256 a69459aab49908b794787616ce59010e2c9a39815b5703463513b01fed41ceec
SHA512 c9613b003907e9364448f6ba37a5c8544eb99a5ae32cbdee42959136f3802eb293e82382b2619931bca7136e017dc585ca96b2d80aa203559d3736166c2d414c

/data/data/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 b8f4aa14fb51657de428b8764c80fbde
SHA1 f7111fb66cb9bfda0318a6229283b177e2919f4f
SHA256 74a16907ab36b54f1cb35dd18cf8c228768ffcef51ac003c89e131d5df6c9945
SHA512 70480f1da1358b8122c89a7932f7bc39730e3a60d86478aa2d84c33e0a5d5969d6668f6bf91ad43f2ace8c14dbbe8bdd47f2665d2044efb94b4f0e60b0767df3

/data/data/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 67c00ecabe3acb4a1300a639c231e5c7
SHA1 f1a493754caef9d9c94be8e4f870a970a1130f12
SHA256 f352275265910fc73680f1aa5f667468824ce2a3e8a2ff62d906762ffe96db03
SHA512 af818058f3e56add744ef6993b6030ada2c0525ab4866a6f628e712d162ce9c72b9f189280f09b67be004ef32d1c804df33e099c3fd55f7f87c598f2cb1f0d77

/data/data/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 b7a7f55fde1ac60f954ffc26e5c42c7e
SHA1 eed98a51c3c9af1a8125e143f5fb6059aec48666
SHA256 a1d7d3889f9fac5059bc47f439f5422c3abbc1f956186304dd6b63685df27b4b
SHA512 25df7752a3f37d97a3dc5211af92f8bdf1472621ccd77a40bdde4905cf9f87ef8f574b41a07ad0157d0e49f44022752855fe32008111de03d00b74d6176e48eb

/data/data/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 27dc39633d847a3cf4a7849f2bc6adbd
SHA1 d6b64c85cdf3c525ff5c9dcf5b7692b8a2b29c22
SHA256 07aa271ca9260ea6fbb6e9b14b323c9d310890f6159d0102463f3938e8504d9e
SHA512 654fda9131eda9d76080b6f2b7493fb18f3a8b03cf7d3fbbfda6c17c56a48371944e39d2907a6bc6b2342c70f7663d91533706711d8f2c0c1980c46adfea4aa4

/data/data/com.lzfu.syek.pbqr/files/.um/um_cache_1730665124347.env

MD5 96d4c0f5e208eb7d4c4e2913d11d0ed1
SHA1 d180954ee5dc89e818faa104c459467de024e137
SHA256 9b7c73a7bbe36c9e8430d2bc5d6211e5de79daf9e281574a122e4190facc482e
SHA512 91e5cd512ce1e6d65fa94c7fc314b711592696719c7bb0a23d8e85a71c574bf80e5c990f9698b5c876df9a40384c57ba2c9ad7e112b0d7604ee5d28c901ef2a3

/data/data/com.lzfu.syek.pbqr/files/mobclick_agent_cached_com.lzfu.syek.pbqr1

MD5 f4093003a0d9c70c826f0b7ec134d4a7
SHA1 52b2bab306a725a066b618a7bbb6c147a2ad9e36
SHA256 03770990a247c328b59bdbee30b995a3d1af2bf01ab54429faacec2be7a60b82
SHA512 f02385be17adef91bb0a5e377e5d2d2930d01e384414443d0cfdf2e80d2ad53df75e18dbac8f9b35d864121d01a80f6b640fa1201e968978e979210f9fca5fad

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-03 20:17
Reported: 2024-11-03 20:20
Platform: android-x64-arm64-20240624-en
Max time kernel: 149s
Max time network: 156s

Command Line

com.lzfu.syek.pbqr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.lzfu.syek.pbqr

com.lzfu.syek.pbqr:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.8:80 ip.taobao.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.adcmsware.com udp
CN 59.82.122.8:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.8:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.172:80 ip.taobao.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 59.82.122.172:80 ip.taobao.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 59.82.120.12:80 ip.taobao.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp

Files

/data/user/0/com.lzfu.syek.pbqr/app_mjf/tdz.jar

MD5 30617d6621bcd972fcea53d04f3b2a55
SHA1 a0a51f60773e3a1eea2f929c8f1df896b6d71e7e
SHA256 157b006e48d74dc023d671b5a7e9e61f96853be434db43efa8754aecba50e12b
SHA512 d7735599a3186ba6ca0c6151299fc9353495e4cb4cf1b3a8aebfe6e0901e839f1027013aebb2d168c8fe2ace65fac6bbc89b56b8316e546bda879825febd1ad0

/data/user/0/com.lzfu.syek.pbqr/app_mjf/ddz.jar

MD5 656eec0445b1ac574b87e1bd3a98d969
SHA1 fe3e1ee6bac338416e47e90ed249cb82aeaf6bd4
SHA256 0817449409b55007ece8d2d25f6d4b075ebea09c7feabee79636176bb0794792
SHA512 9a2737d22a9e647eadf4752513df79fe960cb69ec9563a2d7f504b3e91a95a6081876ab068355b8db49c44ea8627a33ca94c0244c2909668bec2620dc71a27fd

/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar

MD5 18cfdb00841ddceacea677d69a13ba5a
SHA1 df15b27afa69a8f4e0e74c250e56df55e5701172
SHA256 676ca8a391c823e9a3fdd7df70a1fc30f8ebd4680db0daff3e057cc401c9ad83
SHA512 83886e59ac0462888e9b82475ebaeca79dcbabc8a2a01a6217c0ca122e41c1d373fb878bf6e5e885b8459f259e834df91f2c8bf30a2a52824e298a65d6dda86a

/data/user/0/com.lzfu.syek.pbqr/files/umeng_it.cache

MD5 57322e0e50feb28317f8dee350faad80
SHA1 35df229115e9fae23cb778aecab4952d30d45090
SHA256 139e382e7d269ff22cb881d82aa6cb7a53346254ed11bc89b79c2fe328a3864d
SHA512 0f9f9586aaf4dd5ee9fe098c03516971e6d173ba24194216ee2634e24ca5dc2ab8fe6260f8a9a65e74471bd7d97fcc929733bf4944e3120f8df9adf732716db6

/data/user/0/com.lzfu.syek.pbqr/files/.umeng/exchangeIdentity.json

MD5 67850f72b23b7585f0b88917afd56af7
SHA1 fc581ca11845d26cdbe57445a6004e4c57ec7eec
SHA256 13ff070db075609298508087b0d2bdab6078d54fe31f17f2f00f20a185ac51dd
SHA512 aeb42acb319d8ecfec6b3e8e032a721f66175fe2ec87dbacd93bb1a2dd62f663619588a071d10e2211e4ab1fe209652d54a8796db8df420bdbbfdcefaa592304

/data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 13c344a10ee66cf22650be273a52f2c0
SHA1 17a8fe93c9dec1b6b63d1cc1ff30b0e3dc03b24d
SHA256 dc4bfbbd45b8808dee72864841e1f9309946e46adee4899221ba48294ba5b1fe
SHA512 e98e5c1851115190a601ddaa27378d74ff88c34c0dc158a75845776d464f6467b4a90c698eb73e140b30a294b6e9c0dc6f490ecbc1160134378b620a572e3d2c

/data/user/0/com.lzfu.syek.pbqr/databases/lezzd

MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 c1b07ddd510db2caeaead78e755815b0
SHA1 f54f3c507464b514ee443f7c0777c7ce75607640
SHA256 41f75ed60f75ebe524dd7c53b7c716a0dd5a5bbfc54c7ac4bbe06ce4f45ee415
SHA512 3195cbdfb8211907e99a071b382ad3a78f167298fa4e940630bc397f4bf8e3ea1a7e8ea391f48ed0f333330afc3205531f0d2e65e356d3326c76cd36b70605b8

/data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 57be8b73f2d4886f203e8e913b8601ea
SHA1 179eac413521b7a1defb1af6e4bc4372258dbca6
SHA256 843a99f48de45b7821137c2d97a8dac6a18e5c3e1a0656496e572449ea0e6bc5
SHA512 97256f25329ea7be58dbd0691561ad14f3d75149fff17e5e4168194b9a8b5931f44633e00a4430e2e21e45716404fb599a34d9e7536ed2b62eaac9f6f86431d2

/data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 52f3ba824a66ab3493c94f74138c9fcc
SHA1 31fd48a70c0726209551998c5d7a7faaf61705e7
SHA256 d5b7ceba9936e0a4cd26a3fe36d01d62914399f7b3b84a2a2ecf4288eca3ebdd
SHA512 f7bbb1f776835250263fa6d2dfebab67354b45c4bd0f639bd010d0e612503c46377ce2f9d3f5ff403258565797dda679d557dc00dc7de7f9dc4114d974e2be77

/data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 096fc2139b5a65fafe6d62950370f6ae
SHA1 e60c7b80decc97174bfe2cf05305b868968bea24
SHA256 fdeb8b8ea934eb91bb440cb5dc8f460880308ecbcc3b6917057d5da648561fb8
SHA512 0453e7c19caaa141a54b6dceadc2b1f6be9a383871b08e0fcfb771b4b0a8ed390933c16534db41879660f19cc4d270924d0f76db8c290f260fbb94f1ed8ea425

/data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

MD5 356d1fa6ec56cd9e4ef1a9731ec69aa2
SHA1 fbc4beb3a0c6bba775000521b5b50fae8101b4f0
SHA256 ddab3f6cbd9faa0838907b26d91eefc900c3985bd53b411622c4ef213a1f39d9
SHA512 8748b418f6f433586a77d68296c03db1486e7c66da3700494c45c8634895410bf00a502c746dda5ed3e0bc359b345f4c9eaf3fc1a597132f40fe26ee132bfe03

/data/user/0/com.lzfu.syek.pbqr/files/.um/um_cache_1730665126127.env

MD5 4815d175bab4a3198357647921691972
SHA1 48ebb44405d8611c5afff3eba59ffdd3615a7725
SHA256 634e893d518d88e3b47228f5c40da1ebc8c59fa7fb8022d64630003dca145122
SHA512 7d5c1d4443a0584b97b2cfb1609797bdcc852b8dad33bb384b30e09c7d2d682162f980f2483a47b17b2c5cdd48e24dbbee8b3cf086d06f9a154dd7ed5d9b66b1

/data/user/0/com.lzfu.syek.pbqr/files/mobclick_agent_cached_com.lzfu.syek.pbqr1

MD5 082b2d83953e14e03709c867d4a5df5f
SHA1 074e1a7ebdca796ebcc276bd78042fa5b4fb8606
SHA256 33191475a7e279ba872eb33730b106aeb5d141747c633cec20aea9b8ca49bbd8
SHA512 f640c866e11d9ca3f4562efc5b0a1edabdd5d37ae6a021ac5769ba4058e4d83506e52d67d6c17b2fc0525b0955effd85cc299077097903d3a28cc0741783b35e