Analysis Overview
SHA256
6aa5b771a8e2414a936daf01672e27b3fc0c332458bcf925799f4f9bb1567ae0
Threat Level: Known bad
The file 3052f098b40e14811eb8f75924dc83c7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Checks CPU information
Queries information about the current Wi-Fi connection
Registers a broadcast receiver at runtime (usually for listening for system events)
Declares services with permission to bind to the system
Checks if the internet connection is available
Requests dangerous framework permissions
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 17:55
Signatures
Privateloader family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 17:55
Reported
2024-05-10 17:58
Platform
android-x86-arm-20240506-en
Max time kernel
2s
Max time network
130s
Command Line
Signatures
Processes
com.fgs.rsonw
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.35:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.204.74:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | tcp |
Files
/data/data/com.fgs.rsonw/.cache/classes.dve
| MD5 | 2891f257389326b20ad32b10608d800b |
| SHA1 | 01953f9dc9934d567a35dc8474844346c6bbf20c |
| SHA256 | d00eb2219d342badcccc1026e2ebf7a810c31cf989c52f13245027189a4ca9bd |
| SHA512 | c3615424dc0ef41712dbffaa0b4410c04e39556103618d52286eefc15e00486e553aac9bc5e4383c2effb5b71cdce5fde0530c0fe581a0f56132c8f6d63a8c8b |
/data/data/com.fgs.rsonw/.cache/classes.jar
| MD5 | 8e4d5c76200ffada14a5c05de1276aa0 |
| SHA1 | 21dbfb4b7e1961c09127c570cdaee972134ba0ec |
| SHA256 | d2adb06c231121d07fa0c0ba426666461e405b9562819e50547bf42d937fb696 |
| SHA512 | a5ab9d6167d12078dd621519ecffcbf605ae910537c2a73d298bdb5f275c14758ed27de569fdfde1f235fb035c3a914394cd5e006c1fabbf91d52c099f29cdda |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 17:55
Reported
2024-05-10 17:58
Platform
android-x64-arm64-20240506-en
Max time kernel
2s
Max time network
131s
Command Line
Signatures
Processes
com.fgs.rsonw
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.238:443 | tcp | |
| GB | 172.217.16.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.228:443 | tcp | |
| GB | 142.250.187.228:443 | tcp |
Files
/data/user/0/com.fgs.rsonw/.cache/classes.dve
| MD5 | 18a1b16eac2188dd4de365e4c0a18749 |
| SHA1 | 7624eb8d2e969f42a60a236dc00ea9a56a0f0c1f |
| SHA256 | 4ff2b4d3d84a6ca8cbe5b9fe55518af4559ab691c7d38b313625d60121fe809b |
| SHA512 | 2ed00708f56ab7113d237896756afb5a209df3807f5a3da5fdc499aa27fafc6463f958f61d321c10c7c9280e2d694e5488213ee667b9145078029e0816221fe0 |
/data/user/0/com.fgs.rsonw/.cache/classes.jar
| MD5 | 8e4d5c76200ffada14a5c05de1276aa0 |
| SHA1 | 21dbfb4b7e1961c09127c570cdaee972134ba0ec |
| SHA256 | d2adb06c231121d07fa0c0ba426666461e405b9562819e50547bf42d937fb696 |
| SHA512 | a5ab9d6167d12078dd621519ecffcbf605ae910537c2a73d298bdb5f275c14758ed27de569fdfde1f235fb035c3a914394cd5e006c1fabbf91d52c099f29cdda |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 17:55
Reported
2024-05-10 17:58
Platform
android-x86-arm-20240506-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.rtk.app
com.rtk.app:pushservice
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | api.android.ruansky.com | udp |
| CN | 116.255.145.165:80 | api.android.ruansky.com | tcp |
| CN | 116.255.145.165:80 | api.android.ruansky.com | tcp |
| CN | 116.255.145.165:80 | api.android.ruansky.com | tcp |
| CN | 116.255.145.165:80 | api.android.ruansky.com | tcp |
| US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp |
| CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| GB | 142.250.178.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| US | 1.1.1.1:53 | alog.umengcloud.com | udp |
| CN | 223.109.148.177:80 | alog.umengcloud.com | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.179:80 | alog.umengcloud.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.178:80 | alog.umengcloud.com | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.141:80 | alog.umengcloud.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.176:80 | alog.umengcloud.com | tcp |
| CN | 223.109.148.130:80 | alog.umengcloud.com | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 116.255.145.165:80 | api.android.ruansky.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
Files
/data/data/com.rtk.app/databases/xUtils.db-journal
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.rtk.app/databases/xUtils.db
| MD5 | eb2d2bc2288a64da65f77dd4c451c338 |
| SHA1 | addf86ebf717efa84c7da4ca5cf25f87633fbcdf |
| SHA256 | cf02bb040b8f139efd2b41bf38964d2e8591dc869974e3e3b4ee0fcf3f223c7c |
| SHA512 | 6151f57d11db67b8f3e9849e1ce7c54be057ba48607237cb18e8c90aabda7c902b1eeca3d4a8c500f61da6bebadfa9698a325bb17f13e7397cc83c559c1bbf62 |
/data/data/com.rtk.app/databases/xUtils.db-shm
| MD5 | 17a0894816af9d0fb957c81e65cbb541 |
| SHA1 | 8a94c6235e5db47bf13a5c502e548dded10091b7 |
| SHA256 | 94bb8f8344716b2dc99222399397ac660e862f1e0f62d09628dc98c774435c0b |
| SHA512 | 7e16f6b6a1666c5902830e4c07fc3ddc8699ecbab767272c1af9aa250d2d8290ef728fb92633dce2d1d7ac15760051259d7c4fafc5132c41f437e1c7a9f23c88 |
/data/data/com.rtk.app/databases/xUtils.db-wal
| MD5 | 19fcd818b49a756d21d9d7def9aa8dfd |
| SHA1 | 506cbbf650306073985072bbc5e2fa069314085b |
| SHA256 | b927bc53c7f880526cc1eb5f232c1e0ec3ae61f7267299736b8283e6a77645c2 |
| SHA512 | 27bea0d7972c3e703a1d9658b107a53fceabc62d1a544afd018109b8f4ef46a85317aad590f51f7fd49b746fc299cecf3b94d8cf8dd2f2218bca3df0dfe25988 |
/data/data/com.rtk.app/databases/cc/cc.db-journal
| MD5 | 23889c4c22861c77845fa5824734480f |
| SHA1 | c2b874b12231d647eaf23b65b6e001d0157e0fa7 |
| SHA256 | a134203ec7a4b43aa4a19393981397fd84ecbe5a9d526837fe15c3f76d6905a2 |
| SHA512 | 949e4b32fcb2d999eed9f08aa6cd860ffed24718d4a174a376871d45c46134e1b83b3fac7d825d294bab6bfce330968fdc7eaa4af341b2fc7443d9ca219892a9 |
/data/data/com.rtk.app/databases/cc/cc.db
| MD5 | 5d7ea1a23af19b4340cc8d90f28297d5 |
| SHA1 | 4cfe95b23a9e98378d69c4290af81b51fbe76aea |
| SHA256 | 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da |
| SHA512 | 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b |
/data/data/com.rtk.app/databases/cc/cc.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.rtk.app/databases/cc/cc.db-wal
| MD5 | 01085ee2e75e5a8cc1e2a76793ba2df6 |
| SHA1 | 5760d54587836fb5986f0b77cd2c0c0f68a1fc37 |
| SHA256 | 3db012a83b78479965bf432f4e03f474020dbee542bed84f160dde15cb24aaad |
| SHA512 | 92cde86745346e04fb3a94e853a782417a2800e70bf1f2063c616cb75a58bc16083048a8cb6e1aac373f3409a788a381bdc6918920dc948e56c987d8932c3e62 |
/data/data/com.rtk.app/files/umeng_it.cache
| MD5 | 32ff6865fd4b106243f5351349de49de |
| SHA1 | daf371c6df98e435964743a1c1e185f7ba77d147 |
| SHA256 | a64faeda35f37efdd1f2ffe5a57001e459273cf6c46c0941fc28b2c5e0f75560 |
| SHA512 | ddb03f6a137961632563b95123c7b68dc4894b0dda906a47cdf5d09c7ed50d59281ae03cdc6f490ab2e7edf57441219c4bf6d16d2460e6a80ccdb88a3681fdfb |
/data/data/com.rtk.app/files/.umeng/exchangeIdentity.json
| MD5 | 0dd0922f32c2d07a6c66f982f86aa51c |
| SHA1 | 604796942cfe448c7aaf6f7634f8e3f019bb1e47 |
| SHA256 | 2bb97cf3636ccac6b621bcdd878991f7e44806e5eec8c9c48d8c2c40834d014c |
| SHA512 | 54c441ddbdf2b6a09cc4c8acf9c61526e47ba8e5ef98be9c0d9343d714961f58cdfeb2435971d5d3493c4e708442adc7874c0a8ff7cfaaae9a633bc90f39896e |
/data/data/com.rtk.app/files/exid.dat
| MD5 | 82495018a5ba1bf49824864238e526fb |
| SHA1 | b64fa53f8992a759c6d650a8aad6d9a1a4f0a4de |
| SHA256 | 2779a08816074014397af9101f2a9b1ac828307b83d8ef67dc0edf2ef2394b6f |
| SHA512 | c09d161837c185563f71a9cf16aee6e8c0e9d993e5d386e37c9285ae26a4c031623fe371c155ffdec5d6e3a15df88b5d221d7fa53a4b95a2fb35741b29738a0d |
/data/data/com.rtk.app/databases/cc/cc.db-wal
| MD5 | 9fa7b4e28c2c2ebb169d30521f106457 |
| SHA1 | 337588cd5741cd53c0a61db012e051ef72efbf93 |
| SHA256 | c2b15ed72deb10552c662c4a71682edc644afea023022299eeff6720b9d70121 |
| SHA512 | 3aac8cdbbf2c9f0ad92e69ddeefa3e40a5dee7efc6d0a0dc50b08d9ee9986eefee487957b642595f4452099a1834f8faf093139ac6f248d0149f1bc5a1e75e9f |
/data/data/com.rtk.app/databases/cc/cc.db
| MD5 | ce6135aa1b1fe4f2c2db2a546d2a5558 |
| SHA1 | 79b59582154017aadab783dc266fcb158c252940 |
| SHA256 | 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c |
| SHA512 | 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4 |
/data/data/com.rtk.app/files/.um/um_cache_1715363880374.env
| MD5 | d818be8a57409779d66375ebef59b0d1 |
| SHA1 | ae8ad51c143125715aa786f1d6a9303e82d28007 |
| SHA256 | 87d492d64058d72ebb1cdcfb31c84c123fc83e05a844c04067114495fa814436 |
| SHA512 | 8fab26b9e0489b8c6e99fa66a9ceb56341a88fd6b68f7efd8fdbab3f5dcbe1178e49576a017d0b504e1d6ae763cd30d190a8bff23218924d303b584242f9f33e |