Malware Analysis Report

2025-01-06 07:49

Sample ID 240530-pyb64sab22
Target 842ff30cd70fba929c539407c1c4af68_JaffaCakes118
SHA256 ee9bff07320ae9d5f43f8d83f443afd3da75df2f233fc18f957c39d1ef88107a
Tags banker discovery evasion impact persistence
Score 8/10

Analysis Overview

Score 8/10

SHA256 ee9bff07320ae9d5f43f8d83f443afd3da75df2f233fc18f957c39d1ef88107a

Threat Level: Likely malicious

The file 842ff30cd70fba929c539407c1c4af68_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-05-30 12:43

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-30 12:43
Reported 2024-05-30 12:47
Platform android-x86-arm-20240514-en
Max time kernel 177s
Max time network 185s

Command Line

com.anysoft.tyyd

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.anysoft.tyyd

logcat -v time

com.anysoft.tyyd:pushservice

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | api.weibo.com | udp
GB | 142.250.200.3:443 | N/A | tcp
HK | 36.51.224.49:443 | api.weibo.com | tcp
US | 1.1.1.1:53 | sf.o2ting.com | udp
US | 1.1.1.1:53 | upload.189qas.com | udp
US | 1.1.1.1:53 | v2.ysjk.189read.com | udp
US | 38.85.228.33:80 | N/A | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
SG | 47.246.109.109:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | N/A | udp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
US | 38.85.228.33:80 | upload.189qas.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.map.baidu.com | udp
US | 1.1.1.1:53 | stats.o2ting.com | udp
HK | 103.235.46.245:80 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | oc.umeng.com | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
SG | 47.246.109.109:80 | alog.umeng.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
SG | 47.246.109.109:80 | alog.umeng.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
SG | 47.246.109.109:80 | alog.umeng.com | tcp
SG | 47.246.109.109:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
US | 1.1.1.1:53 | oc.umeng.co | udp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
CN | 115.239.136.94:80 | v2.ysjk.189read.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 115.239.134.199:80 | v2.ysjk.189read.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp
CN | 183.134.98.76:5224 | sdk.open.talk.gepush.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.gepush.com | tcp

Files

/data/data/com.anysoft.tyyd/databases/tyydprovider.db-journal

MD5 dc08f48965d93f373b7d24a127d8c642
SHA1 a1251daa4f482428e87ad918e96e2f03a68b18bf
SHA256 be5ef2fcde105348f5be03efe47988f0abb30dc63a047a941da94cb62e317724
SHA512 5597ce24bbb169518c89cf7ca8e136a654535ded888bf6a458941d66c5b57fe7acacc7ad527d63dae8295e6085fbec75c3d53aa309b90f950cd6b013c663179e

/data/data/com.anysoft.tyyd/databases/tyydprovider.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.anysoft.tyyd/databases/tyydprovider.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.anysoft.tyyd/databases/tyydprovider.db-wal

MD5 c9752b7f0d52557a988e7f15cf02b0e1
SHA1 199ecce2622eb9893d4ef32ae4cd8b2afb470cda
SHA256 cb398edc4325d9f59faf60cef375dd63718da5b5a9ef04788027429f73f5cf95
SHA512 f7af9e2efa775701a863af33ed8faf7695dc4c7f8fb7b79cea545afc6125df75e40b7f3d95b840b7b93d503069c565a474c268ef5b30961bb089ae24ff420495

/data/data/com.anysoft.tyyd/databases/netstat.db-journal

MD5 66219c6de0761b1a3cdea19a27e10b70
SHA1 25826234d2fd0d8f8dd88ad3c2d23d914fce0328
SHA256 9ecdd9281e0c6793ccab1c9ef5cbc414aa7d7b8f53b53562174c48c1dc1b4838
SHA512 9f33a6f5a1ae456b86fd03d8a8e9ae8239e1024f82033eee290feeef89803b53f532c51a6c00f0efc342634d418bf3dfae304aea4ecffd6ac263bc5156b98009

/storage/emulated/0/Android/data/com.anysoft.tyyd/tytslog.tmp

MD5 0936843f1b5fdf81c7203e271b1a31c0
SHA1 ee7d7f631526a5690ba0fac6f24b7d84513a72f5
SHA256 6a07c8db13597f4032733ee209fc555e3fa68edb70763b1ecc43068225043fe3
SHA512 2cf566bf00b4a99e1b65b7a2a681df9c96cb631d5e1cae4a4e488b877e0b540420c3ba6192d00f6bf8dd0bc793196d959c23f4374bd798690ac2801842723905

/data/data/com.anysoft.tyyd/databases/netstat.db

MD5 5f55d1e842ca1f502e1aad8be2562fce
SHA1 c041ec56cd63cbc9e5ce3c4b21d20904ee1eebf1
SHA256 323d44e236ea03e5b68df34cfc4f3ce2646f584702f1c2e48b5bce682c423e58
SHA512 df2f62ded3d0f81e69084eef4c63fded446b436e9e23241b22612719199ae82c7f94957bef81242e0ba4b4e421a0d63f48848950e7390434517602929d5e72a5

/data/data/com.anysoft.tyyd/databases/netstat.db-wal

MD5 4091d2a2bf09574c8d7b2be19b9cab6e
SHA1 9f63c5ed93a9f73bee3b59dfd5802965e8072502
SHA256 fc51a7a3a7ef03dd9d9f7b4aa61d4c201c5e15f225312634b3ee492c929fb31a
SHA512 fcf07a47b8886b07637277a6f4bb19a31276d98e618710bd22df523e8ef09e2007e8432af85368357a398e23ccf0cab422e3803fe3955eeecf119aa4eea59c9a

/data/data/com.anysoft.tyyd/databases/netstat.db-wal

MD5 a017c3284ae10b15db444227a536d7ad
SHA1 77b5f8462eb3f5077771d08ec5dcdf0f0c74089f
SHA256 a152c86fc8eeaf714b44404cfddd3df4a2d7da71422fa0be0fb017849764213c
SHA512 646abb2fbbd8d26d7b2207166f0f75345a7137eeb862190c3d89cdec8220be05a917497f6ceec10af574706c12a5829b4fd040615543571858e92665f04b7960

/data/data/com.anysoft.tyyd/databases/netstat.db

MD5 6d2b32a2d87ec9260feef7e90c638df5
SHA1 a493b495f56df82f5b49c04d99cd254849b8e0e7
SHA256 db7f817c6e17ecf469715147d6c2650c1c10b25d00049063c49cf72606b51f6b
SHA512 fcf2fab0b8bd88ab2cba64eee385501bb04696499b8d24f75eed36a6f28643427efa065ddde143162d50e91bcf822660392219509aa29945dfb94aa316c44f34

/data/data/com.anysoft.tyyd/databases/ListenRecords.db-journal

MD5 d4f37c840d33da8f9ccc640232399ace
SHA1 58b7c01040121feb1db5f56eda37b5ea58dc6025
SHA256 617079fbe2828728bf5e71c19ae12580dfb74e09e7922bd9d5fa00e4e31cbd52
SHA512 fa21027cdb02cd7a141af174cf8f69d190d198fda7b163d355ff2c82710d1b7cb339adc34f4c202142dc81c81747efaed570f7adbcb0a56f61cc57ef9f61b1f5

/data/data/com.anysoft.tyyd/databases/ListenRecords.db-wal

MD5 e05e790b0809f775152ae76490dd2c06
SHA1 39d89673b11bb1f5af96958fca53e614973ce475
SHA256 aee33cddbdc276d867ae4a8cefc0cf0c31d4cc4c0f1dfe2130df117545328012
SHA512 5c8e84711ee7a12cb6dfc897a5d847c5ae4c653e8c5d6aee15d54f389c2a7b89e58b06eed5439d6dfb50f7ebb276aad23cba03e412d43fec4da57300eab2dae7

/data/data/com.anysoft.tyyd/files/weibo_sdk_aid1

MD5 4028c8b91f544d6bd51a266683ff791e
SHA1 d8bacd93b5724c8500f66cc46632704115635afd
SHA256 7cda4149bb95d3c082f01b19b365228fd339ce4fcfa02969294e13bdae41270b
SHA512 a8fdcbe785c7f9eabff76f227db4e8c1d099dc8adc81a41283f8fbf118fd0fbff93be1aaacd3c966888f30f247215125317efa56495f022486f5262cd2cc3831

/data/data/com.anysoft.tyyd/databases/netstat.db-wal

MD5 8e2046b8d0f4b34808a1fb94aec8afa8
SHA1 789c2d3c07f757419d196ff7a254c32a818dcbb8
SHA256 746b453f5d17d681b41131eaea12782b16611a72807abd21bdb16bea2be84b3d
SHA512 f24e7edb91af88145c430438a26058efb471ee333e30a41dc85399169220bad489ef02ec92c7373b66a75efb08883295224f8d2abad0aa2858f6698efb248e23

/data/data/com.anysoft.tyyd/databases/netstat.db

MD5 22052245b5ebbc3db408cec1aaa5bd99
SHA1 fd7ee3655ee0a326a2b755ebe6cbf0addf4e32ad
SHA256 69985939522217dc4972c035070113b618980d1debac6de5795a49eff4009c0e
SHA512 af022a6e777729aaed05802e905134778c25db338bc448cf700ae3f34bb6a66d3aef63b3c119cd4b3f482d19b613c9e20eae84d9239360eb4e12c7bc6ee07f3b

/data/data/com.anysoft.tyyd/databases/netstat.db-wal

MD5 72ab2126e5694068eb145a8bc23a000b
SHA1 9d2a8e9e54133c9d63ef65223877418ebb82ec30
SHA256 7a677943d38f833b6965c4744cb5f752a5994e18717b234d579687983a687172
SHA512 aef7b1e577add58d93084c5a720d61341bdfe58c5a3dca168dbe2e322c86ae9dd682bfb0a4b93dca05c5d8592582c3c0d197fff2537fee368d0fe061ca368c33

/data/data/com.anysoft.tyyd/databases/netstat.db

MD5 29a055c7fd7b0e4447ea1eba5e217bf5
SHA1 1a93dbdbc55c13b95285aac1032d5262e4e1faf6
SHA256 d44fd4d792dc4e5bcae9883635ffb238834062b1883c07c884286ec8c7f7f92e
SHA512 a4fb91a8774c2e843155532ab8b95cf1018e0634dc0a6faaf7e26f59a86aac1ca942f12b4f43fc282f899c6bfccb1010c42b2999fab4919c6b341ccff3374079

/data/data/com.anysoft.tyyd/files/.filelog_pv

MD5 a363a42c6d243652010371902fe526a3
SHA1 c82d12134fc9b29d298b102ab741198b575abc24
SHA256 9c95dfc46d4be4bb7fedd1b4690228568aee964090de05599a5f962bced5ddca
SHA512 89d8ee46362e0006714258efe67f75a5f8a8e28828a38093c0cf0656bf402b920ae09953305c6f9a45b6751ec873d7f1e8095da4aac085b06775566b78dea683

/data/data/com.anysoft.tyyd/databases/netstat.db-wal

MD5 5b8e8a4e398734e97aa3678274d9790f
SHA1 3bf9f8c2d39d853b8533870331d34f18ece05748
SHA256 b06b150e90bce51b3f6237f80d42e5f6e83d9d45f04695ceae6db740e50ba44b
SHA512 093c7877ec47bf1718e5266887d8affc7688a88179134565cf7e0b8b8f7fe2e9712e7c4bf94d58e26eaab05fe97f87af9166b8aa80c80b2ac03e9017b6743cda

/data/data/com.anysoft.tyyd/databases/netstat.db

MD5 415b95fd30e2512a313fe52f10b57202
SHA1 be23a910ed86e82e6dd9ce4d0022637e5b326a51
SHA256 9b7e6988f8e5563261d12fced418cce0f2b076c1f7c26203a3c712bc03f4554d
SHA512 673b96e1b2c1fd699b02cf73b2498492255f2812a25f8336f5d3d4a068f573fa644ffc3928eadd180d5a69f81a34b2e159c0e658495c9e66d65848df330b0927

/storage/emulated/0/Android/data/com.anysoft.tyyd/c/u-i/62flme2d2m9gz0hcz7ijf9nnj

MD5 2969359625c1e16cec7e19510327ebb4
SHA1 e39cc90e5519ff387e5f244618a9ad01bcccad8c
SHA256 e92258e35c3b3610f1c5bbaf0a90185f913e2f5a0d9f3112222775f0bc9c5d1a
SHA512 a59e87d69e0e0cea7c1821355b1ef71f1c6c4fb1fd0399376d8e9e7cb7e25952562dbec93e17de21ef684bc932ee6cc32ec39f7b097dbd4b95ff197ea65e1bf1

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-30 12:43
Reported 2024-05-30 12:43
Platform android-x86-arm-20240514-en
Max time network 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.213.3:443 | N/A | tcp
GB | 142.250.200.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted 2024-05-30 12:43
Reported 2024-05-30 12:44
Platform android-x64-20240514-en
Max time network 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-05-30 12:43
Reported 2024-05-30 12:44
Platform android-x64-arm64-20240514-en
Max time network 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A