Malware Analysis Report

2025-01-06 10:34

Sample ID 240601-e56n7aaf44
Target 896000b133e9b6024406ce28505f9aae_JaffaCakes118
SHA256 ef46cd73a02b72b2f65bb5f12a655e8837ab0a23b7501c0058c4853f81b332db
Tags
discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

ef46cd73a02b72b2f65bb5f12a655e8837ab0a23b7501c0058c4853f81b332db

Threat Level: Shows suspicious behavior

The file 896000b133e9b6024406ce28505f9aae_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries information about running processes on the device

Checks if the internet connection is available

Reads information about phone network operator

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:32

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:32

Reported

2024-06-01 04:35

Platform

android-x64-20240514-en

Max time kernel

6s

Max time network

131s

Command Line

com.xgbuy.xg

Signatures

N/A

Processes

com.xgbuy.xg

Network

Files

/data/data/com.xgbuy.xg/.jiagu/libjiagu.so

/data/data/com.xgbuy.xg/.jiagu/classes.dex

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:32

Reported

2024-06-01 04:35

Platform

android-x86-arm-20240514-en

Max time kernel

176s

Max time network

184s

Command Line

com.xgbuy.xg

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.xgbuy.xg

chmod 755 /data/data/com.xgbuy.xg/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

com.xgbuy.xg:pushcore

Network

Files

/data/data/com.xgbuy.xg/.jiagu/libjiagu.so

/data/data/com.xgbuy.xg/.jiagu/classes.dex

/data/data/com.xgbuy.xg/.jiagu/classes.dex

/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex

/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex

/data/data/com.xgbuy.xg/.jiagu/tmp.dex

/data/data/com.xgbuy.xg/files/.jglogs/.jg.ri

/data/data/com.xgbuy.xg/files/.jiagu.lock

/data/data/com.xgbuy.xg/files/.jglogs/.jg.ac

/data/data/com.xgbuy.xg/files/.jglogs/.jg.ic

/data/data/com.xgbuy.xg/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId

/storage/emulated/0/Mob/comm/.di

/storage/emulated/0/Mob/.slw
