Malware Analysis Report

2025-01-19 06:57

Sample ID 240523-av4dvseh2y
Target 6927ace6eefa97350f7ad3077822f2b9_JaffaCakes118
SHA256 0fdfd21b3274747a73983daa96e96996e8f7bf2bd8a205b80e441bccfecdfd62
Tags
discovery evasion persistence collection credential_access impact banker
Score
8/10


Analysis Overview

Score
8/10

SHA256

0fdfd21b3274747a73983daa96e96996e8f7bf2bd8a205b80e441bccfecdfd62

Threat Level: Likely malicious

The file 6927ace6eefa97350f7ad3077822f2b9_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact banker

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Checks CPU information

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks Android system properties for emulator presence.

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Reads information about phone network operator.

Checks if the internet connection is available

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-23 00:32

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:36

Platform

android-x86-arm-20240514-en

Max time kernel

172s

Max time network

171s

Command Line

com.yj.cn.of.pg.ps

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /storage/emulated/0/Sonnenblume/res.apk N/A N/A
N/A /storage/emulated/0/Sonnenblume/res.apk N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.yj.cn.of.pg.ps

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=46 --oat-fd=47 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
CN | 61.129.15.31:5284 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
CN | 61.129.15.31:5284 | N/A | tcp
CN | 61.129.15.31:5284 | N/A | tcp

Files

/storage/emulated/0/Sonnenblume/res.apk.u

MD5 544b4b6cfde7c5a9f28b765d2bb245ec
SHA1 7e12d510d4601833ce1fa979ce99325804a8dc09
SHA256 f72e9cc8e96b617b7792f1cef27d078a2f1d72b52ebf92774a50a349dc15a21e
SHA512 89c3222a6aaf284dcc00ae38177668bbc772e0a694f6dd32420726a30736d80ffbaac72661ee98c60ae3a2bbcdba96a3ecf0e5371bf3414d1453014ebb4c045e

/storage/emulated/0/Sonnenblume/res.apk

MD5 2bc5eedfa756ebcdedebdaa3646788e6
SHA1 99f113c6a451f01babfe7947c762a9072f70c24f
SHA256 c90c05c7fde144fb61c4a3bc8f283195e5651f61872b083b3a6f586897726a68
SHA512 c26607bae7641638a6df12b8f2d8ac28bdf29b270a58e8b5ff5909a972bb1ad4ebd1edb354c2825b5f9f504288a1a02dcde1ffffd4f815b6030ae12f2bd52b58

/storage/emulated/0/Sonnenblume/res.apk

MD5 7304676ed86ba7302add9c83aa5188e4
SHA1 9f7bf2ecbba8d9d5ee1bf2cda006aa9910bb422c
SHA256 5262c65999ec23a99a3e176dfaf397cfded7323d00c80e0e67c3e48be3f5d38a
SHA512 b15a2138f35346da77662f5109b291c33408b77e2c0952cf861c3c486cef05bf17d23366d667eed101716087e38ee5c7e8a8c3b04fd6faaf467994ccc01b83d4

/data/data/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 44b9d85b794a539702d293f4f85f6d53
SHA1 f7b61860593a9bed6d2804b8648e32190a096b12
SHA256 70f0f22dc9ba12c800ae07af4004c96bfd262084cc082f7575cbae3ccf4788ee
SHA512 06d77bdcc2da1c4cf54488ae2d6bade09a612ad9d6f5e17a24abc58c860991246a410ec3731cc91e00a1d25af69f11f2c3f63fa62e52c6c7a258c41c9e2c79b1

/data/data/com.yj.cn.of.pg.ps/files/st_database.db

MD5 5d60e93bb6c16ebd0ad382ec4fc69b1f
SHA1 d6dae9069329067dd4b9c57abb20d252c5c43f9c
SHA256 6eed2ca1e45f5e66a67b2d034016e3d099cd11805366710c7dc1ffc0c5068872
SHA512 870b670a4971ca08e095533715313d8a201a7d15b85b7cbd039c6a8960388f6dd941573774c94867a93eb3d4b8839fe68a385589330df4400c95698b462dc5c6

/data/data/com.yj.cn.of.pg.ps/files/st_database.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yj.cn.of.pg.ps/files/st_database.db-wal

MD5 ef6b026cd30c4d2bb7d47228e7e1fbce
SHA1 73bd7b30366e29b4745b542bfe8199b292cbe39b
SHA256 9b589b57dfe312d1a75ee09c88180988cfc531d37921cffe9c10028a82164db4
SHA512 3147253c69a44db7a654e8d710c22d892e97ecd47357793ca2d9d8745454de8d22237b7ca5f1373365c4ebae9da9d9e10d55ea23aa21121d4239a5e9a34d9503

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 29ee1cb351fc5eb04251b9342d30de04
SHA1 b12e8543268dbbbed8f06263204006b764c388ed
SHA256 39d496aab452530e452558edac31f7d1ef6d5fc85f5a43f97690133d307de1d2
SHA512 6af9ef95f2fc3fd61eb8c4fcd1d676159896b563ceae8d0a68fd57472d603362743f77a1882a7d5a16c22a46a4f3dbb287d6b2c9e01e5c05cc4d3db0ecd41819

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 c471913039a8c3b336cc842de978da64
SHA1 865db7ab838482386ec2000ae7702cb8ca9c4399
SHA256 08f62ce85119f168d64befd20cfe92d072959c6a4af4b84ecebe43c03e4c8420
SHA512 a47d8d120d475e01f617c6791680264fd382cf3ea9d216151179e004ea75f7cf3d0c51874c1d564866a60686ea11bd8cce0dade48d4d089e0bee079efadf3f14

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 624e4a5e0df86061273d9374f35920ef
SHA1 8640776af7fe8f22cf6479d2ecd3c6188bb408db
SHA256 26f9a0f0fe0d768868fd183af948619baef95dfb5ea42503cbec4e3d2517e498
SHA512 cd81539c7dcd84c22c66b49fd5ffd3406a34359a8f62ce1c3e3768fa099544363946731881ade665bec00cf6bfa4edf4813fb6dc68c91b622c66e1bcef5b6a10

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 341a36315db3b1f9f8f8c0db29b202af
SHA1 43047384b46098e84cdfd9fbfff6d8330f6726d1
SHA256 872d89d191966b1b60fedac9df34a7e2cc5b32cd92e4156b6145c6479d57127e
SHA512 cf028e51c1a9e8fb129018349e4dc1ee9772385a27c60a7b8f837cd7196d9c29e4c0a5dd72f642a005bdde33330a9da02ff380dcde02a75adef3803309daf0bc

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 24b52c945469dc0cdcb940508bd50a77
SHA1 6cb4abf6cb15702ff4d9e21a57a63b67d8f2c953
SHA256 974d92da897453e9f7761920db6d27b3012bef05c2404637d0bdc99d0db46dc5
SHA512 f7fb6758dad3299c8e67586c906d28a4868a34539576b7d4cfeeec951454399762eb3805c2caa02bcd07e98d0eb2a73626e04d8378712d51a36d99e3b1db5349

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 fb76a451b1d493fa2163cff3a2b752a4
SHA1 8271da88ec38f71ec0b1b569f1f11cb9bf427bf5
SHA256 78039f4ca70ed6fb5247e007420fcf1f9d7c3da9a3d2455a5bd2f8bae0b093ee
SHA512 a58b0830cd60a0bfcda153dcecb8dff455058cc1bf5450b7a7dd2750add84b2db877a10059e578351e4096a17b8b635a59666e35c9899cc48b6627461eafc6b0

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:36

Platform

android-x64-arm64-20240514-en

Max time kernel

171s

Max time network

172s

Command Line

com.yj.cn.of.pg.ps

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /storage/emulated/0/Sonnenblume/res.apk N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.yj.cn.of.pg.ps

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
CN | 61.129.15.31:5284 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
CN | 61.129.15.31:5284 | N/A | tcp
GB | 142.250.200.2:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
CN | 61.129.15.31:5284 | N/A | tcp

Files

/storage/emulated/0/Sonnenblume/res.apk.u

MD5 544b4b6cfde7c5a9f28b765d2bb245ec
SHA1 7e12d510d4601833ce1fa979ce99325804a8dc09
SHA256 f72e9cc8e96b617b7792f1cef27d078a2f1d72b52ebf92774a50a349dc15a21e
SHA512 89c3222a6aaf284dcc00ae38177668bbc772e0a694f6dd32420726a30736d80ffbaac72661ee98c60ae3a2bbcdba96a3ecf0e5371bf3414d1453014ebb4c045e

/storage/emulated/0/Sonnenblume/res.apk

MD5 2bc5eedfa756ebcdedebdaa3646788e6
SHA1 99f113c6a451f01babfe7947c762a9072f70c24f
SHA256 c90c05c7fde144fb61c4a3bc8f283195e5651f61872b083b3a6f586897726a68
SHA512 c26607bae7641638a6df12b8f2d8ac28bdf29b270a58e8b5ff5909a972bb1ad4ebd1edb354c2825b5f9f504288a1a02dcde1ffffd4f815b6030ae12f2bd52b58

/data/user/0/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 df6028f21a61497ef52cd00e67e52a50
SHA1 4add33bae2289f5531123646e0fa0a62134cd775
SHA256 227e23923fa5aae693c15262b47f50b61f7aba6d573004b503c4eb0adc2014c6
SHA512 f32ef0118ed296664ee8c66b788c225767606076e5f99c249dd7466bd5b45649e9e0c70295689d1540daeaa6aca13dc75959290e935491805e3357c8f3795a75

/data/user/0/com.yj.cn.of.pg.ps/files/st_database.db

MD5 491ccf7ff8a65aa6a45750d494955652
SHA1 19e9707b84a4f1506af8a09706009cc5c95903fe
SHA256 9b80f2f5b3ceb944fa4245acd87035d394fb0dec6fdc8060bc3f14e0a773d236
SHA512 3160fcdd2fec4959c4612ef76ae9234892d07c78d41dd3ff17a317d1733174749906ed084deadf025dae823f03a423f6f44a68cedb7e7242421711720a4cbb48

/data/user/0/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 eda9d628c647e5c0cbe8ea7d59dc62b3
SHA1 8c5c84a732a35bc3827d54a939fa38166ebefefa
SHA256 68680ff49932c9e11b49b5652f19ef507a65d8bf2a5f0aa90d97e561c307b27c
SHA512 c3586bcce7e4abfcb9ad3f1abba008de8d2b5ad6664d6d1c8341999fb8c37e17be5ba5a450990c1b32973ca50aadd3cfa95d533bcdbe7097312d9fceac189ad9

/data/user/0/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 2664334a11f45ce2556f82d270d121d1
SHA1 22ca0140d16f5d0ec240a1324f8cd4a943a0fdb1
SHA256 f9fb71cc2a3180493e2b65d5c7076952513779187c805681b5de403c134bbca9
SHA512 32d1ed6e92cd8a31dfcb112dddcd431cb5ecaeca03de942a0aae9e32150a9069355bd0904412e14c926002c185c1e632224d5dc2bcc924c2f4eaf08ef71a031b

/data/user/0/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 608668f909b16b283125a205c971cd18
SHA1 e89c708021394121dd2b89e2cdc5917de87a931e
SHA256 cd9c91c321cd3318b337266866b9e48c135bc385e8bfa1a54f42684a408c4c34
SHA512 204a5ea89a4bdaed7a36324814b09dae52a79ee3a9c0fd5af153fa0025c7af4818b311c5d55836dd2e97c2f3363662de19622996f050fabfa870b0efcc799dc5

/data/user/0/com.yj.cn.of.pg.ps/files/duration

MD5 ae3babe38535eca587a828a329928399
SHA1 269edef24497281f47c2b39330144d6e7d2f51a3
SHA256 9d4132267575f547baf89392f42129645429ae043536d5d0768e0994775373bd
SHA512 4459ca7d8f286178ebcff51bd8f8fbbda28fe7e8a808d7e4692c0c9c6673dfeb3f1cd863ca322e1a12a6d85ddb6bffa059911a94159af2849598ddeb395bb52e

/data/user/0/com.yj.cn.of.pg.ps/files/duration

MD5 8d652b5b0b9a36f6f5fe7cefe8f1d142
SHA1 9b0ae42a1cff374c5a824807f7e0c81f384c80cd
SHA256 58193fe4f66e0c51614c3fcf65aff0dd7b301839a6b3c2fc6da4217e663e69ed
SHA512 88ff1bdf23c2c05bb2e594485140d3a4877aaa3e860ee4662fd35eca49d4787f86fdc662d19083a8aace0a9184a477a88449733e53da9094934fce840f6d592c

/data/user/0/com.yj.cn.of.pg.ps/files/duration

MD5 789a817351e7676cb75d44613866f5c6
SHA1 bed94d70573842221f9a0e40e37d523dc72b1e12
SHA256 46725376fcfa9889b9d084e1efe0f6a1854493ab5916707bb111aec3f6745396
SHA512 67c09c5e88b57063e8fd637436582bd43feaa2abdf02bceacfd0e89a080d7491c492b9d3aa74335c0d79733d37896d4cb4f234ee20a0281db154cd0223281387

/data/user/0/com.yj.cn.of.pg.ps/files/duration

MD5 9ae0071aac3107afecc60627bee9e1ec
SHA1 9aea50ed71f717afc404f0900dc20d1252ea061e
SHA256 f704a9c086eb7080d91c9c41cdc53cf00e359093b39cf7a6b94d4cf2d99babe6
SHA512 4d24d36d284b50ddd0afc8892cb32d66e08483a4ecb97470df51fe5450d9bbc38d1dcda778558e6c1bac3fdc9b3dc78ba22e41ea8d11c07507c46cf468530a8e

/data/user/0/com.yj.cn.of.pg.ps/files/duration

MD5 83bf0d886a6060a2d4ea26e677359b71
SHA1 311b815b063b8dcc39bb8a79e9bf24dd693238a9
SHA256 6531487a4fc0a6cf2c7c41cfefa50ff4f3b0db3c39187539f788d977d24518c3
SHA512 b10c4e4355553048021f17359a66a4e4739ec364c9964d0a229e62c14c50ab4184aa5a3fa3d638cc9e69894048f761b6fef556093de489eabbbb878e26421849

/data/user/0/com.yj.cn.of.pg.ps/files/duration

MD5 336713971721aa5be97d3761efc7cfda
SHA1 76740ea63761ab5303fcf9cdfba44f53cdb1f698
SHA256 90e4b3c1ab04cae103c1a6281202c920399000acd7a10af83ed3b2a3b263b71a
SHA512 005a6d58587ce3f10b6cd5be75865d32b60825391c1aa8d4e1bebccf96b68874d806a47e472f33bed9a8f3914e934d3077187a9c56238187a58c855938837384

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x64-arm64-20240514-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x86-arm-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x64-20240514-en

Max time network

10s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:36

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

167s

Command Line

com.cmge.kxxxlgw

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cmge.kxxxlgw/files/epay.jar N/A N/A
N/A /data/user/0/com.cmge.kxxxlgw/files/epay.jar N/A N/A
N/A /storage/emulated/0/Sonnenblume/res.apk N/A N/A
N/A /storage/emulated/0/Sonnenblume/res.apk N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Processes

com.cmge.kxxxlgw

chmod /data/user/0/com.cmge.kxxxlgw 777&& busybox chmod /data/user/0/com.cmge.kxxxlgw 777

chmod /data/user/0/com.cmge.kxxxlgw 777&& busybox chmod /data/user/0/com.cmge.kxxxlgw 777

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cmge.kxxxlgw/files/epay.jar --output-vdex-fd=56 --oat-fd=59 --oat-location=/data/user/0/com.cmge.kxxxlgw/files/oat/x86/epay.odex --compiler-filter=quicken --class-loader-context=&

com.snowfish.a.a.bg

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=47 --oat-fd=48 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.212.227:443 | N/A | tcp
CN | 61.129.15.31:5284 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
CN | 61.129.15.31:5284 | N/A | tcp
CN | 61.129.15.31:5284 | N/A | tcp

Files

/data/data/com.cmge.kxxxlgw/files/epay.jar

MD5 544b4b6cfde7c5a9f28b765d2bb245ec
SHA1 7e12d510d4601833ce1fa979ce99325804a8dc09
SHA256 f72e9cc8e96b617b7792f1cef27d078a2f1d72b52ebf92774a50a349dc15a21e
SHA512 89c3222a6aaf284dcc00ae38177668bbc772e0a694f6dd32420726a30736d80ffbaac72661ee98c60ae3a2bbcdba96a3ecf0e5371bf3414d1453014ebb4c045e

/data/user/0/com.cmge.kxxxlgw/files/epay.jar

MD5 67e28a2b7ae4411e42169eaa341b8def
SHA1 f18f8038e637af8bc93514599ff7dda5d76e5a26
SHA256 ace471968f2c391fd60159bb056375f445dee4934a69bd967d1208d98e369f53
SHA512 eaa16e007d72a01e827452e0586dba7812365fbc1fa7c62961c0b464de18f263e0c583dd11f9699fc7a9a56e0422cfc506bc670c78e1bd63f536a872d571fb15

/data/user/0/com.cmge.kxxxlgw/files/epay.jar

MD5 ac2e8a38fd93de41bbb5915928e2819c
SHA1 7ef2a5c9ce4cbb3cb68e0c140ac196098feabe3c
SHA256 4ed57a11968667db63f6fd8e39163cde60e9d4e864241d9fae065d22a8db7556
SHA512 3dec9384224407b8525afc244cd291539a8c8633f9a97a177b7c803508f54d155d45dbfb671320f141d1555772357b282c3d2bbbec0e17693182eb4cc3abf7c1

/storage/emulated/0/Sonnenblume/res.apk

MD5 2bc5eedfa756ebcdedebdaa3646788e6
SHA1 99f113c6a451f01babfe7947c762a9072f70c24f
SHA256 c90c05c7fde144fb61c4a3bc8f283195e5651f61872b083b3a6f586897726a68
SHA512 c26607bae7641638a6df12b8f2d8ac28bdf29b270a58e8b5ff5909a972bb1ad4ebd1edb354c2825b5f9f504288a1a02dcde1ffffd4f815b6030ae12f2bd52b58

/storage/emulated/0/Sonnenblume/res.apk

MD5 7304676ed86ba7302add9c83aa5188e4
SHA1 9f7bf2ecbba8d9d5ee1bf2cda006aa9910bb422c
SHA256 5262c65999ec23a99a3e176dfaf397cfded7323d00c80e0e67c3e48be3f5d38a
SHA512 b15a2138f35346da77662f5109b291c33408b77e2c0952cf861c3c486cef05bf17d23366d667eed101716087e38ee5c7e8a8c3b04fd6faaf467994ccc01b83d4

/storage/emulated/0/Sonnenblume/4A72F2DFFDBD84EB0C5C797BB76AFC44

MD5 d9a00fff2151a163b64e8f6ea22627ff
SHA1 b1cebbaf42ebb1031b06ef41c4b1fd58f7ed83ee
SHA256 415d939524d8dd9ea75432ecf0d08cbae556d99259377efb86b60a5def9ae878
SHA512 6b569af7330b6bd2345d34ed0a8f525d17dee38b7e69cfcbb19a5abd85431b08ce5b8bb4c22e4cfda5a0c29431278215d5ef3690ebfd5c935db791007e7a76ab

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 58a2e48a47e2340f3dc6643126aee745
SHA1 5f9eb061e6d1bc79e9bd0047ebf3ea5312dcb999
SHA256 8970751a23d2dcc97f981672c6863a8bd0c5746a475e3c7745e39b16ff0121e9
SHA512 0a2a3ad27b88f31650b1b6bf7257f343bd43c1975d8a516003f5b5c23fb0147c8f3dace30947ef2a1bf49d3170a996aa89b4b05c89a79aa011ffdfff637b2c75

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 3e0da954b484c12d6d48ef9d1397ddf3
SHA1 24b209e898631bf41c53adc7b1b40b1d44296759
SHA256 db8d4b0c0ad54aa95cba33ea8826717e70ef6d6cc4609915a41edf116594d989
SHA512 a60e9f3454ed744632d317e0e6a1c98d50e04a6d7df426e740a1103bc865a56c66c84113361d51010e7858c7cf92683514bdf611ef38003878ff4d65116f3830

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 3f4b124968b3cd03a5d5e152e14f5661
SHA1 0c1f548effa613d2c3a36783ae73380bcf3f24e0
SHA256 9bdcb6a26571c718eb793d3e99d89f4dceb2ef082aca5b24dc173777567d79bf
SHA512 9d27bb4607f1ba6e4d07ede6b7bb14875b48d93c350905bba736f2b97a2035114942f26fa76a43ecb9ed3dd93d36a7dd791e6467a8b154605dc586b92d17059b

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 0dfd4411518d5c504e639924848f0998
SHA1 2510ffb84b2a523c1f87ce574e3934155edf35fa
SHA256 a651ac300ed2ca88c44a0414089dd8e709ecac62f1514120314233ed8700b1b1
SHA512 65416394a320a7cf8ca850929d8684aeb5b5d58b83a7cb3de0be1115f9b59032fc1bd7c522b73b7c422b972662a9d2f5744a59e897d50110cf76a5d754e3c654

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x64-20240514-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x64-arm64-20240514-en

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x64-20240514-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:36

Platform

android-x64-20240514-en

Max time kernel

67s

Max time network

134s

Command Line

com.yj.cn.of.pg.ps

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /storage/emulated/0/Sonnenblume/res.apk N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.yj.cn.of.pg.ps

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 216.58.204.74:443 | N/A | tcp
CN | 61.129.15.31:5284 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | N/A | tcp
GB | 142.250.187.238:443 | N/A | tcp
GB | 142.250.200.2:443 | N/A | tcp
GB | 172.217.169.10:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
CN | 61.129.15.31:5284 | N/A | tcp

Files

/storage/emulated/0/Sonnenblume/res.apk.u

MD5 544b4b6cfde7c5a9f28b765d2bb245ec
SHA1 7e12d510d4601833ce1fa979ce99325804a8dc09
SHA256 f72e9cc8e96b617b7792f1cef27d078a2f1d72b52ebf92774a50a349dc15a21e
SHA512 89c3222a6aaf284dcc00ae38177668bbc772e0a694f6dd32420726a30736d80ffbaac72661ee98c60ae3a2bbcdba96a3ecf0e5371bf3414d1453014ebb4c045e

/storage/emulated/0/Sonnenblume/res.apk

MD5 2bc5eedfa756ebcdedebdaa3646788e6
SHA1 99f113c6a451f01babfe7947c762a9072f70c24f
SHA256 c90c05c7fde144fb61c4a3bc8f283195e5651f61872b083b3a6f586897726a68
SHA512 c26607bae7641638a6df12b8f2d8ac28bdf29b270a58e8b5ff5909a972bb1ad4ebd1edb354c2825b5f9f504288a1a02dcde1ffffd4f815b6030ae12f2bd52b58

/data/data/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 1afe18476814cba86e437d348e63e7ca
SHA1 93d3eb51068b3766b324e50e1c9dab426d629433
SHA256 2cc83595ff206a918a9b51681d13fdb4c47d8c2945024d95c86d6ab0a6b541f1
SHA512 08b13b050d87a976a3d70211b70ff0c813b3cf895472065ddbcb7a41d8280b892bfe2600b26bfd370a8536914dd68a721a9c096d45791f07dd791eaf75c6fe78

/data/data/com.yj.cn.of.pg.ps/files/st_database.db

MD5 6b79a383d2d27ca0934b482f29e3eb9c
SHA1 1eb2e30a79ca4bd5c0f92100830562de02593050
SHA256 871e6f9b338b01e24462d84317672db7307c444ed2faa183cd386c728270c84a
SHA512 d8e54737204fb4b8584518862bfac2a2eeac83e0cf372e08b3ef77490ff5062b7d36f667873c3dd774d757824bd46fa0052f2477c7354bae668cb6a808269d5e

/data/data/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 e26f573acc52b82e8784c3676f2f2f75
SHA1 609119c3ba6cde3f4a9f6795eb80ad65c46df010
SHA256 f5bc989cf07d0014962cfa2ce0fdaebf01295ab4b7b3343c85d02ce0c029f3a0
SHA512 09527c3a098523705f25e33b8dcce1b5e920bd7949d6b67c79ce08e0ee20b3377bab767570d288c3d596ded5255de38e765af8d2778535c65bf62aecbdee8d82

/data/data/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 c84f956cf7be6783cfc7c1537321803a
SHA1 ca6d67cd805596c6e47386c98408e3a8d048d406
SHA256 aaa94c2c6ae533584f7551cd45770dbe8b899ceebfc94d73b753151f3213bf7a
SHA512 4f9bdb54b7d44946bea12e3ef6cfb216e7827c4240663f592cbd56f1c6cf8108c92b8b44d08ce81b8d7adb76741b49d91be72c80f4168fb534789f76e4163cc1

/data/data/com.yj.cn.of.pg.ps/files/st_database.db-journal

MD5 d8968415d3aed26160fd3a747fa8a33d
SHA1 ec4b7ad375e8609f6a7b309df2d6258a088d4a36
SHA256 4e45ad10ad3998a1d246d38987e662f0ac546624b91d244a18ee87d18561ed6f
SHA512 4f98933b9af8b4cc4066c236aea703875c26e733388215f1a543c1206bf2ccb85f7bc8c85aab22e8b33a3afa8722eff28389d37a01e0a40b5fad0e644a76c93a

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 0a2c7de797dbd8b8a9afddeefe409a9d
SHA1 1ddcf6a2c51694df30d69f15ecf9cfd57ea4bbce
SHA256 cf2c8bebc567ec66745702a082bc9dc2227c7e6fbc9d4456314c21660e5ca5c0
SHA512 40c1e0c79b09404804521bab94e52c48284c540af910e685ece21f1a890d48db8ad14252ea5f6160a28c0e024c845909aa8922e71c2d6e8fadf711d733cd9244

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 0f027adcfc13003c67596aa196694c93
SHA1 b29181d01a27846d09ebd2d403a7a1bcfbce7b5a
SHA256 425a0f843c9a358e1f70af1c70e391cc623d2e53672f975d137719b400ffef82
SHA512 51f65d477c3e10aca3aa16e5bb4dfa62933f3432e18a5aa0afa225638c13c8f1755bea99b41b7693e78f41b2f8605d938c9cebe719f102e880f0cdc6f5229663

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 a4afb7797e75c1f0accc574776ea9963
SHA1 8dc229cb709079d30a9bc9409922d5fce451c68c
SHA256 0965e9a3ecdc9f499c44f7b4d203bab121a44fd9d805d789acd31c31e8b79f3b
SHA512 60f993f029100ce63463dd7ab8880b58564918cb1789a5a0fe60a67b843370240d3e09c154ae0ed3ebd0de3662535ef528f66cf6feddc72190ec183d120f1284

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 05dc0b8103715335952fbfd5d1e0539d
SHA1 c5fcf45d54a91a3a1a8ed3b632b53af486c63dc6
SHA256 f9849405bbb68b0b5e7c7c0d193dd74a26ae23ab7c0a5959855ee279be3f0e46
SHA512 b17eb393b905a79b2abd876811759b6621288a3effc1879e97241aab6f5b40864519dd14b9cb28bdebe5f7b807629f5350e1f20f18ada731bd92862d268abbf8

/data/data/com.yj.cn.of.pg.ps/files/duration

MD5 2193d5a0a05420316534e89245206301
SHA1 abbd96832c93da56c6161a0b44a20ab68d421bfc
SHA256 39c279682d8050173f47b5eb412032de0e06eb841f033e563317a73ff6b2a7c4
SHA512 5f04bca2dd937e8989230106aaabf9b3cf898784d61fa91d04805f48f66cb2d8f41e82002ad85c97055d73eabcc97ae0eacd30e8610fbaadfa477ee5b46b4d06

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x86-arm-20240514-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x86-arm-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.213.3:443 | N/A | tcp
GB | 142.250.200.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-23 00:32

Reported

2024-05-23 00:33

Platform

android-x64-arm64-20240514-en

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A