Malware Analysis Report

2025-05-06 01:31

Sample ID 241104-a8x41azcmr
Target 8e57f90d48211fad3d21b9e34f68406e_JaffaCakes118
SHA256 f2f1d992d187bd2d03bfddaa1d6365d6f38298348d25d8dc5dfb3ec8e083a779
Tags
banker collection discovery evasion persistence stealth trojan
Score 8/10


Analysis Overview

Score 8/10

SHA256

f2f1d992d187bd2d03bfddaa1d6365d6f38298348d25d8dc5dfb3ec8e083a779

Threat Level: Likely malicious

The file 8e57f90d48211fad3d21b9e34f68406e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 00:53

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 00:53

Reported

2024-11-04 00:56

Platform

android-x64-20240624-en

Max time kernel

148s

Max time network

154s

Command Line

com.qfry.tguu.iaxg

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qfry.tguu.iaxg/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qfry.tguu.iaxg

com.qfry.tguu.iaxg:daemon

Network


Files

/data/data/com.qfry.tguu.iaxg/app_mjf/tdz.jar

/data/data/com.qfry.tguu.iaxg/app_mjf/ddz.jar

/data/user/0/com.qfry.tguu.iaxg/app_mjf/dz.jar

/data/data/com.qfry.tguu.iaxg/databases/lezzd-journal

/data/data/com.qfry.tguu.iaxg/databases/lezzd

/data/data/com.qfry.tguu.iaxg/files/umeng_it.cache

/data/data/com.qfry.tguu.iaxg/files/.umeng/exchangeIdentity.json

/data/data/com.qfry.tguu.iaxg/files/.um/um_cache_1730681734445.env

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-04 00:53

Reported

2024-11-04 00:56

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

155s

Command Line

com.qfry.tguu.iaxg

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qfry.tguu.iaxg/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qfry.tguu.iaxg

com.qfry.tguu.iaxg:daemon

Network


Files

/data/user/0/com.qfry.tguu.iaxg/app_mjf/tdz.jar

/data/user/0/com.qfry.tguu.iaxg/app_mjf/ddz.jar

/data/user/0/com.qfry.tguu.iaxg/app_mjf/dz.jar

/data/user/0/com.qfry.tguu.iaxg/databases/lezzd-journal

/data/user/0/com.qfry.tguu.iaxg/databases/lezzd

/data/user/0/com.qfry.tguu.iaxg/files/umeng_it.cache

/data/user/0/com.qfry.tguu.iaxg/files/.umeng/exchangeIdentity.json

/data/user/0/com.qfry.tguu.iaxg/files/.um/um_cache_1730681735033.env

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 00:53

Reported

2024-11-04 00:56

Platform

android-x86-arm-20240624-en

Max time kernel

148s

Max time network

153s

Command Line

com.qfry.tguu.iaxg

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qfry.tguu.iaxg/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.qfry.tguu.iaxg

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qfry.tguu.iaxg/app_mjf/dz.jar --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/user/0/com.qfry.tguu.iaxg/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.qfry.tguu.iaxg:daemon

Network


Files

/data/data/com.qfry.tguu.iaxg/app_mjf/tdz.jar

/data/data/com.qfry.tguu.iaxg/app_mjf/ddz.jar

/data/user/0/com.qfry.tguu.iaxg/app_mjf/dz.jar

/data/data/com.qfry.tguu.iaxg/databases/lezzd-journal

/data/data/com.qfry.tguu.iaxg/databases/lezzd

/data/data/com.qfry.tguu.iaxg/databases/lezzd-shm

/data/data/com.qfry.tguu.iaxg/databases/lezzd-wal

/data/data/com.qfry.tguu.iaxg/files/umeng_it.cache

/data/data/com.qfry.tguu.iaxg/files/.umeng/exchangeIdentity.json

/data/data/com.qfry.tguu.iaxg/files/.um/um_cache_1730681735481.env

/data/data/com.qfry.tguu.iaxg/app_mjf/oat/dz.jar.cur.prof