Malware Analysis Report

2025-01-06 07:48

Sample ID 240530-pxtprsaa94
Target 842f9651e8493660b2c437473711ee3d_JaffaCakes118
SHA256 1a7456577b20a26c80c48b1d0bb77b6223a2dfb24422e80d16271e33b9072bdf
Tags
discovery evasion persistence
score
7/10

Analysis Overview

score
7/10

SHA256

1a7456577b20a26c80c48b1d0bb77b6223a2dfb24422e80d16271e33b9072bdf

Threat Level: Shows suspicious behavior

The file 842f9651e8493660b2c437473711ee3d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Analysis: static1

Detonation Overview

Reported

2024-05-30 12:42

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 12:42

Reported

2024-05-30 12:46

Platform

android-x86-arm-20240514-en

Max time kernel

54s

Max time network

186s

Command Line

cn.pipi.mobile.pipiplayer.hd

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Processes

cn.pipi.mobile.pipiplayer.hd

Network


Files

/data/data/cn.pipi.mobile.pipiplayer.hd/databases/vlc_database-journal
/data/data/cn.pipi.mobile.pipiplayer.hd/databases/vlc_database
/data/data/cn.pipi.mobile.pipiplayer.hd/databases/vlc_database-shm
/data/data/cn.pipi.mobile.pipiplayer.hd/databases/vlc_database-wal
/data/data/cn.pipi.mobile.pipiplayer.hd/databases/pipiplayer.db-journal
/data/data/cn.pipi.mobile.pipiplayer.hd/databases/pipiplayer.db-wal
/data/data/cn.pipi.mobile.pipiplayer.hd/files/umeng_it.cache
/data/data/cn.pipi.mobile.pipiplayer.hd/files/.imprint
/data/data/cn.pipi.mobile.pipiplayer.hd/files/umeng_it.cache
/storage/emulated/0/pipiplayerHD/ConfDir/profile.cfg.new
/storage/emulated/0/pipiplayerHD/ConfDir/hlib_index.db-journal
/storage/emulated/0/pipiplayerHD/ConfDir/hlib_index.db
/storage/emulated/0/pipiplayerHD/ConfDir/hlib_block.db-journal
/storage/emulated/0/pipiplayerHD/ConfDir/hlib_block.db
/storage/emulated/0/pipiplayerHD/ConfDir/hlib_pcrc.db-journal
/storage/emulated/0/pipiplayerHD/ConfDir/hlib_pcrc.db