Malware Analysis Report

2025-05-06 01:31

Sample ID 241104-a3g6laygmf
Target 8e4f0417b800a1b40aa28f0ce75a0f96_JaffaCakes118
SHA256 1b9fa7f8894a0bcb86d013827af6981fce558d8f835fd6d99508c4a3f1366275
Tags
banker collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1b9fa7f8894a0bcb86d013827af6981fce558d8f835fd6d99508c4a3f1366275

Threat Level: Likely malicious

The file 8e4f0417b800a1b40aa28f0ce75a0f96_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Checks known Qemu pipes.

Checks Android system properties for emulator presence.

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 00:44

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 00:44

Reported

2024-11-04 00:46

Platform

android-x86-arm-20240624-en

Max time kernel

147s

Max time network

154s

Command Line

cn.kuwo.tingshu

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cn.kuwo.tingshu

cat /sys/class/net/wlan0/address

cat /proc/cpuinfo

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

Network

Files

/data/data/cn.kuwo.tingshu/databases/UmengLocalNotificationStore.db-journal

/data/data/cn.kuwo.tingshu/databases/UmengLocalNotificationStore.db

/data/data/cn.kuwo.tingshu/databases/UmengLocalNotificationStore.db-shm

/data/data/cn.kuwo.tingshu/databases/UmengLocalNotificationStore.db-wal

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/data/data/cn.kuwo.tingshu/databases/cc/cc.db-journal

/data/data/cn.kuwo.tingshu/databases/cc/cc.db

/data/data/cn.kuwo.tingshu/databases/cc/cc.db-wal

/data/data/cn.kuwo.tingshu/files/umeng_it.cache

/data/data/cn.kuwo.tingshu/files/.umeng/exchangeIdentity.json

/data/data/cn.kuwo.tingshu/files/exid.dat

/data/data/cn.kuwo.tingshu/databases/kw_tingshu.db-journal

/data/data/cn.kuwo.tingshu/databases/kw_tingshu.db-wal

/storage/emulated/0/KwTingShu/playcache/test.aac

/storage/emulated/0/.adm_cookie

/data/data/cn.kuwo.tingshu/files/.um/um_cache_1730681180672.env

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 00:44

Reported

2024-11-04 00:46

Platform

android-x64-20240624-en

Max time kernel

141s

Max time network

156s

Command Line

cn.kuwo.tingshu

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A

Checks known Qemu pipes.

evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cn.kuwo.tingshu

Network

Files

/data/data/cn.kuwo.tingshu/databases/UmengLocalNotificationStore.db-journal

/data/data/cn.kuwo.tingshu/databases/UmengLocalNotificationStore.db

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/storage/emulated/0/KwTingShu/.id

/data/data/cn.kuwo.tingshu/databases/cc/cc.db-journal

/data/data/cn.kuwo.tingshu/databases/cc/cc.db

/data/data/cn.kuwo.tingshu/files/umeng_it.cache

/data/data/cn.kuwo.tingshu/files/.umeng/exchangeIdentity.json

/data/data/cn.kuwo.tingshu/files/exid.dat

/data/data/cn.kuwo.tingshu/databases/kw_tingshu.db-journal

/data/data/cn.kuwo.tingshu/databases/kw_tingshu.db

/storage/emulated/0/KwTingShu/playcache/test.aac

/storage/emulated/0/.adm_cookie

/data/data/cn.kuwo.tingshu/files/.um/um_cache_1730681187573.env
