Malware Analysis Report

2025-01-19 06:56

Sample ID 240523-mznkesdg52
Target 6ab48143125de5598a5c4d8d80092954_JaffaCakes118
SHA256 76bc03a9c2c03fd86eef6e7e562eaa18fb184daff791b59d29c69c66604a812c
Tags
discovery evasion persistence collection credential_access impact
score
8/10


Analysis Overview

score
8/10

SHA256

76bc03a9c2c03fd86eef6e7e562eaa18fb184daff791b59d29c69c66604a812c

Threat Level: Likely malicious

The file 6ab48143125de5598a5c4d8d80092954_JaffaCakes118 was found to be: Likely malicious.

Caveat for triage: the dropped files umeng_it.cache and .umeng/exchangeIdentity.json and the traffic to plbslog.umeng.com and ulogs.umeng.com are characteristic of the Umeng analytics SDK, and most of the flagged API calls (running-process, Wi-Fi, connectivity, CPU and memory queries, Cipher.doFinal) are also made by analytics SDKs. The score rests on generic behavioural signatures rather than an identified payload. The items worth following up are the root check, the clipboard listener, and the plaintext HTTP traffic to www.0s518.cn, the only destination on the page that is neither Google platform traffic nor Umeng telemetry.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Checks if the Android device is rooted.

Queries information about running processes on the device

Registers a clipboard change listener (can capture sensitive data the user copies to the clipboard)

Queries information about the current nearby Wi-Fi networks

Queries the mobile country code (MCC)

Checks CPU information

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks if the internet connection is available

Listens for changes in the sensor environment (might be used to detect emulation)

Uses crypto APIs (javax.crypto.Cipher.doFinal; could be used to encrypt user data, but the call alone does not show that)

MITRE ATT&CK (Mobile Matrix V15)

No technique mappings are present in this export of the report.

Analysis: static1

Detonation Overview

Reported

2024-05-23 10:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 10:54

Reported

2024-05-23 10:57

Platform

android-x86-arm-20240514-en

Max time kernel

2s

Max time network

130s

Command Line

com.losg.xiaozhulaihua

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.losg.xiaozhulaihua

ls /sys/class/thermal (child process; enumerating thermal zones is a plausible emulator check, since many emulator images expose none)

Network

Country  Destination            Domain                              Proto
GB       142.250.187.195:443    -                                   tcp
N/A      224.0.0.251:5353       -                                   udp
US       1.1.1.1:53             plbslog.umeng.com                   udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
GB       142.250.178.3:443      -                                   tcp
GB       216.58.204.78:443      -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.187.238:443    android.apis.google.com             tcp

(Domain "-": the sandbox recorded no DNS name for that connection.)

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 10:54

Reported

2024-05-23 10:57

Platform

android-x64-20240514-en

Max time kernel

65s

Max time network

180s

Command Line

com.losg.xiaozhulaihua

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Registers a clipboard change listener (can capture sensitive data the user copies to the clipboard)

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses crypto APIs (could be used to encrypt user data, but the call alone does not show that)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.losg.xiaozhulaihua

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
GB       142.250.178.10:443     -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       172.217.16.238:443     android.apis.google.com   tcp
GB       172.217.169.14:443     -                         tcp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       216.58.213.8:443       ssl.google-analytics.com  tcp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.73:443      plbslog.umeng.com         tcp
US       1.1.1.1:53             ulogs.umeng.com           udp
CN       223.109.148.141:443    ulogs.umeng.com           tcp
US       1.1.1.1:53             www.0s518.cn              udp
HK       154.80.177.67:80       www.0s518.cn              tcp
HK       154.80.177.67:80       www.0s518.cn              tcp
GB       142.250.200.46:443     -                         tcp
GB       142.250.187.194:443    -                         tcp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.68:443      plbslog.umeng.com         tcp
CN       223.109.148.178:443    ulogs.umeng.com           tcp
GB       172.217.16.228:443     -                         tcp
GB       172.217.16.228:443     -                         tcp
CN       223.109.148.176:443    ulogs.umeng.com           tcp
CN       223.109.148.177:443    ulogs.umeng.com           tcp
CN       223.109.148.130:443    ulogs.umeng.com           tcp
CN       223.109.148.179:443    ulogs.umeng.com           tcp

(Domain "-": the sandbox recorded no DNS name for that connection.)

Files

/data/data/com.losg.xiaozhulaihua/files/umeng_it.cache

MD5 e491e75995b2aac596443a73bfe1dad6
SHA1 a894e323a292f9840e5247f8b5b69f537fee58af
SHA256 6b516464c803571bfd944ab64ee6f2c1c97b19f8f228ef5e56e5b794ed9cb33a
SHA512 51834bb9b48e578a6d2028774c2b21f9878c50f39ef61156a0598498389f072de6057cb1d76272a0d755d6f26060b335151845061515d618c3fe938d015fd72d

/data/data/com.losg.xiaozhulaihua/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE2NDYxNjcxMzM5

MD5 c78a2d4925d13dbd42e557bc92f8e1a6
SHA1 e08df2d8353ec876896d82fa44990ed7037788ec
SHA256 86abeeda8d054e462bc351e432cdc349046465854115bb12bfed407f5b335823
SHA512 5f718babd017b084c7f8a75b688db3dd4bd60a109aeadcd98d6cfd84630a2753513a7f9f75757546a4db66923eac7beeeaf13e24a540a5c85d56942688543490

/data/data/com.losg.xiaozhulaihua/files/.umeng/exchangeIdentity.json

MD5 99d23e197147caed43ac61f36d2a906d
SHA1 40941c7f6d535868a95e0957af567771b28ee6ff
SHA256 1011d5b7a0ed0233cca373756b824cd021195abdadd0c1cac7a18bed0d67703c
SHA512 58107269e2fb73b1f7ff46ab8fa016ee6cafc67fa3d1de4798977d3a5327c6da6142c80171294188df9b32889b9b6ebd3154bda3e5edadfe21c85bdd9aa8d039

/data/data/com.losg.xiaozhulaihua/files/exid.dat

MD5 86370ea746350813acda0728a8388e14
SHA1 938f3f164cd8f71250a31930b56e982c1657a03c
SHA256 80db6e63818b1f223b22fc9254d70638cc5dc085efe26e541e38b1b4cab058ea
SHA512 170c7a3cf66d547b2f1af57f9c044625cafccdc1ad3f6d6f34d9de85a5bc67da033493153dfe07c7b46627cc67d69e5443593b181be854b6cef1a1ff25b2e50b

/data/data/com.losg.xiaozhulaihua/files/.envelope/i==1.2.0&&1.0.0_1716461672158_envelope.log

MD5 9887e993d7d1892cc2c9d823a79f2625
SHA1 30482dc11cf75d1b89ab3afc0fdad0ce7aa980d9
SHA256 9f78adee64abab4643ebd85d565127f8d9f83a3b5d5a06ff01fdc9601e9fed8b
SHA512 a5774ed0b69d838e90da922e2b36dd3ea35d3af7f6a712a0c408eba915b581aeceab57e2c8ac5dd9a06065d18a1233260cba60839ef6beb68c4a4297db1f26a8

/data/data/com.losg.xiaozhulaihua/databases/ua.db-journal

MD5 eec6e4a15f4661f13f84b53487e5817b
SHA1 6f19e01dacc0da0007ec1da2ab40093c167b0b86
SHA256 ba4a5f75b2f7fb44758d5c229510dd0481ecd0cda1d6cb552386bba962d01845
SHA512 bc784cd07470aef04b8f9dc19d694cf51bc3396201ee02c9495848820ef5cd0ed2b918d46b3d61e6628a49fb43d7fe4c552c5d5fd16daa6aa4a56661a0fdcba2

/data/data/com.losg.xiaozhulaihua/databases/ua.db

MD5 b7036131b84bdf2b66c67fde18d62308
SHA1 18b1e5a358d68c846495cab5cfef7c6679659093
SHA256 c2c0bc8842203ccf1665dbb5b3333b22ae5a6ae3ef8eafe83e7f43adf32d0295
SHA512 256bc83e1a516a58f5d1d024d27dad3c26723df0f96e0deca6baac86d84518000212570b06996a14bcbeadff05fed05125862aba2d4aa08c15a6999563dac067

/data/data/com.losg.xiaozhulaihua/databases/ua.db-journal

MD5 0d13c5f0a5ca97514f580b5d849b80bb
SHA1 8a35f8af6003d993d50fc0b3ea6f425bc349807d
SHA256 32238a19a27d99cb4aaeb39cc9d77e3b72fe2e43c9e9e0e8daac97e6e0546c95
SHA512 b25eec214ea57362a968db250bc035bc705d7c5025eb820077324759a13c5bd6c9c4effcab0c32f3bbb16b32d66effd35577cbb601b1e9f73548a54f98cf40a1

/data/data/com.losg.xiaozhulaihua/databases/ua.db-journal

MD5 65c3e0fb088f92cb33c632e5d88bee66
SHA1 b56922ae1b5aa4d131d6c85be372fb364b849f37
SHA256 f67065e5bb045c9170ae47ab191633e7a4423c28d7cc4bb097c8224810b4331d
SHA512 2693d36e53b02c3a098e336398726927985d65d99a55336ef0fea6c3d8003aecf0952c45d207c37bbad49626c03aae2b69fed864009acb7c26d34866aeb19f9d

/data/data/com.losg.xiaozhulaihua/databases/ua.db-journal

MD5 8460463a506527bfc094e82bcbe2d2bb
SHA1 37cc68ea0ac66eec20e73f0f26a3d14bc74ce87e
SHA256 dabedcba150a9f097ad887044db8fa2139e9c8f49110dac2de607050e24edd23
SHA512 537d1e93ce31b0781ed2000059f1a93201472b70c92743a8d2f740d91e97a099ada57b47e7ae3c0a2e7335133b720b9f54574fe67efb368ee1f440fbfd3a785a

/data/data/com.losg.xiaozhulaihua/databases/ua.db

MD5 f5801123bb1d825cfadc2e611e07c6e8
SHA1 4a44908c629723aad3e914cd69be1e1657da95cf
SHA256 4581a232296f5aaa6f43d6ee625d677d897d5d7096053716d57e4f586a0087e4
SHA512 0c7dd822d12f49b7d35ffc0cd283bff9079364cca42d984b510402a2f8ddc9f9526476a983722dc4903056e3c341c4b419d267ca78e43c64b9d2d7a59d7346f9

/data/data/com.losg.xiaozhulaihua/files/.envelope/a==7.5.0&&1.0.0_1716461676628_envelope.log

MD5 df1aa8f10bef4eca33af1a9a83f1fa37
SHA1 0d5ae11699deab0447a7e9fca6166045549569f7
SHA256 0bb1a3a4e65e1cb69368b99287ef132d78e4b48f18ec52bef9dc02ed24292d7e
SHA512 cc04638246fa5cee7f5a700498b99787784d0a18dee53c2f23b7e498b9412e930800bf4f968fef1c228ffc31e09a86020a1c91dbf7d5cec84ff042b6a07aedb9

/data/data/com.losg.xiaozhulaihua/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE2NDYxNzAxNTQ4

MD5 2fed72f7ce4e2597508b885cd2c4f4a2
SHA1 30df7dae846565550eb77c263649d8a94d4e43e7
SHA256 582749d410e94dde2ea7e6cf8f2e92475afe6e29dfcd6985d488f54b9d1f1b9f
SHA512 48fa2d0a0d549067269b08c4ff19784d85025160e6e5c192aade5a480df8caeefad9167911e9e995cf83997a59fbf3d1e797a7154142cc415d0fa9cd41bca44f

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-23 10:54

Reported

2024-05-23 10:57

Platform

android-x64-arm64-20240514-en

Max time kernel

64s

Max time network

132s

Command Line

com.losg.xiaozhulaihua

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /system/bin/su N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Registers a clipboard change listener (can capture sensitive data the user copies to the clipboard)

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.losg.xiaozhulaihua

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
GB       172.217.169.14:443     -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.238:443    android.apis.google.com   tcp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.73:443      plbslog.umeng.com         tcp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       216.58.213.8:443       ssl.google-analytics.com  tcp
US       1.1.1.1:53             www.0s518.cn              udp
HK       154.80.177.67:80       www.0s518.cn              tcp
HK       154.80.177.67:80       www.0s518.cn              tcp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.78:443      plbslog.umeng.com         tcp
GB       142.250.200.36:443     -                         tcp
GB       142.250.200.36:443     -                         tcp
US       1.1.1.1:53             www.google.com            udp
GB       142.250.187.228:443    www.google.com            tcp

(Domain "-": the sandbox recorded no DNS name for that connection.)
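The three Network tables above mix sandbox infrastructure (the 1.1.1.1 resolver, mDNS on 224.0.0.251), stock-Android platform traffic (Google), third-party SDK telemetry (umeng.com) and the sample's own destination. The following script is an added example, not part of the sandbox report: it parses rows copied from the tables on this page and buckets them so that only attributable indicators survive. The allow-lists (PLATFORM_SUFFIXES, SDK_SUFFIXES) and the class labels are this example's own assumptions.

```python
"""Added example: triage the flattened Network tables from this report into a
de-duplicated IOC list.  The rows are copied from the three detonations above;
the classification rules (what counts as platform noise, what counts as SDK
telemetry) are this example's own assumptions, not the sandbox's."""
import ipaddress
from collections import defaultdict

# Constructed input: rows from the behavioral1/2/3 Network tables on this page.
NETWORK_ROWS = """\
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 plbslog.umeng.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.3:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
CN 36.156.202.73:443 plbslog.umeng.com tcp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 223.109.148.141:443 ulogs.umeng.com tcp
US 1.1.1.1:53 www.0s518.cn udp
HK 154.80.177.67:80 www.0s518.cn tcp
HK 154.80.177.67:80 www.0s518.cn tcp
CN 36.156.202.68:443 plbslog.umeng.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
"""

# Assumption: a stock Android image talks to these regardless of the sample.
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
# Assumption: suffix -> label for third-party SDK telemetry seen in the file list.
SDK_SUFFIXES = {".umeng.com": "umeng-analytics"}
SANDBOX_RESOLVER = ipaddress.ip_address("1.1.1.1")


def parse_row(line):
    """Split one flattened row into (country, ip, port, domain|None, proto).

    The Domain column is optional in the report, so a row has 3 or 4 tokens.
    """
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return country, ipaddress.ip_address(host), int(port), domain, proto


def classify(ip, port, domain):
    """Bucket a connection so that sandbox noise does not end up in the IOC list."""
    if ip.is_multicast:
        return "local-multicast"      # mDNS on 224.0.0.251:5353, not attributable
    if ip == SANDBOX_RESOLVER and port == 53:
        return "dns-lookup"           # the resolver is sandbox infrastructure
    if domain is None:
        return "unresolved"           # TLS to an IP with no recorded name
    for suffix, label in SDK_SUFFIXES.items():
        if domain.endswith(suffix):
            return label
    if domain.endswith(PLATFORM_SUFFIXES):
        return "platform"
    return "app-specific"


def triage(rows):
    """Return {class: set(...)}; DNS lookups keep the name, endpoints keep (ip, port, domain)."""
    result = defaultdict(set)
    plaintext = set()
    for line in rows.strip().splitlines():
        _country, ip, port, domain, proto = parse_row(line)
        cls = classify(ip, port, domain)
        if cls == "dns-lookup":
            result[cls].add(domain)
            continue
        endpoint = (str(ip), port, domain)
        result[cls].add(endpoint)
        if proto == "tcp" and port == 80:   # cleartext: content is inspectable on the wire
            plaintext.add(endpoint)
    result["plaintext-http"] = plaintext
    return dict(result)


if __name__ == "__main__":
    for cls, items in sorted(triage(NETWORK_ROWS).items()):
        print(f"{cls}:")
        for item in sorted(items, key=str):
            print(f"  {item}")
```

Run on the rows above, the only "app-specific" endpoint is 154.80.177.67:80 (www.0s518.cn), which is also the only plaintext HTTP connection; the "unresolved" bucket holds the Google-range TLS endpoints the sandbox never saw a DNS query for, and they should stay out of a blocklist until the name is confirmed.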

Files

/data/user/0/com.losg.xiaozhulaihua/files/umeng_it.cache

MD5 fc439de22babce44620eee0f96e85b82
SHA1 2d8acbb892654bb106889cf8c1ff9487ed7038fe
SHA256 b06132462b5edf69c1ed6d377238fa84cd2a3df122933593c6b20a18793e5d97
SHA512 dc3944c22d7ec79ee74ac8c4cf6edea515f82f7aaeab8f7d6c1593513940e1ef321ddfae33710472bf5585731ac446734e0b45f5d78beda5502870ead48e5a8a

/data/user/0/com.losg.xiaozhulaihua/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE2NDYxNjcwMDI4

MD5 b92147fe44591fe09239659577f4c270
SHA1 7ea400ee29a7e2c904cdb368f58a45cac6666836
SHA256 856e88ef566fb37acd9a60d1086883b83262d408714a7980d4f6690bbe648afb
SHA512 ddf35b3882ea20bc5aa13fce3940bb5b27510c3579218c302921449dc5aadcd017e2f98560cba1af360e90ffb9219b7889c8304daa6ec0eaa2fdfaf2fc5d646b

/data/user/0/com.losg.xiaozhulaihua/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE2NDYxNzAwMTc2

MD5 6cb2d507a3a0f9b56d24a2fe7504d99d
SHA1 6f615519cce13721a2cba92910112fa1b68e40f8
SHA256 5d5c51de765d27cbe4d82097b07d301ccc7a50218d092beb65586c34fc2bf897
SHA512 068c078666fe6b7c3ac61b0e0bec8989c10f2e59a542f99bdd346198fe37a2d42d5e21805722ce481ecb244f60d91899383c10096565b0c0b20ecfc4cb833a3a
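The stateless/ paths in the behavioral2 and behavioral3 file lists carry base64 components, and the .envelope/ log names carry a 13-digit number. The script below is an added example, not part of the report: it decodes the base64 components and converts the numbers to UTC so the artifacts can be placed on a timeline against the submission time. The paths are copied from the file lists above; treating the 13-digit values as Unix epoch milliseconds is this example's assumption (it is corroborated by the decoded times falling at 10:54 to 10:55, the Submitted time on the page).

```python
"""Added example: decode the artifact names from the 'Files' sections above and
turn the embedded numbers into a UTC timeline.  The paths are copied from the
behavioral2 and behavioral3 file lists; treating the 13-digit suffixes as Unix
epoch milliseconds is this example's assumption."""
import base64
import binascii
import re
from datetime import datetime, timezone

# Constructed input: paths copied from this report (the space before the second
# base64 component is reproduced as printed on the page).
FILE_PATHS = [
    "/data/data/com.losg.xiaozhulaihua/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE2NDYxNjcxMzM5",
    "/data/data/com.losg.xiaozhulaihua/files/.envelope/i==1.2.0&&1.0.0_1716461672158_envelope.log",
    "/data/data/com.losg.xiaozhulaihua/files/.envelope/a==7.5.0&&1.0.0_1716461676628_envelope.log",
    "/data/user/0/com.losg.xiaozhulaihua/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE2NDYxNzAwMTc2",
]

# A 13-digit run starting 15..19 is an epoch-millisecond value from 2017 onwards.
EPOCH_MS = re.compile(r"(?<![0-9])(1[5-9][0-9]{11})(?![0-9])")


def try_b64(token):
    """Return the decoded text if token is strict base64 of printable ASCII, else None.

    validate=True rejects tokens containing '.', '&' or '=' in the middle, so
    ordinary path components such as com.losg.xiaozhulaihua fall through.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None          # e.g. "data" and "user" are valid base64 but not text
    return text if text.isprintable() else None


def decode_path(path):
    """Return (decoded base64 components, epoch-ms timestamps as UTC datetimes)."""
    decoded = []
    for component in path.split("/"):
        component = component.strip()      # tolerate the stray space in the listing
        if not component:
            continue
        text = try_b64(component)
        if text is not None:
            decoded.append(text)
    # Search both the raw path (envelope logs) and the decoded names (stateless files).
    haystack = " ".join([path, *decoded])
    stamps = [
        datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)
        for ms in EPOCH_MS.findall(haystack)
    ]
    return decoded, stamps


def timeline(paths):
    """Order artifacts by the timestamp embedded in their names."""
    events = []
    for path in paths:
        decoded, stamps = decode_path(path)
        for ts in stamps:
            events.append((ts, path.rsplit("/", 1)[-1].strip(), decoded))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for ts, name, decoded in timeline(FILE_PATHS):
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), name, decoded)
```

The base64 directory decodes to umpx_internal and the file names to umpx_internal_<epoch ms>; the first stateless file resolves to 2024-05-23 10:54:31 UTC and the envelope logs to 10:54:32 and 10:54:36, one to five seconds after the 10:54 submission, which is what an SDK initialising on first launch looks like.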