Malware Analysis Report

2025-01-06 09:57

Sample ID 240601-f8lnvsbe7x
Target 897dd3f8e6091e400062e99b788fe824_JaffaCakes118
SHA256 49d9b0a60319f31db9f0709819d2944e79916c0898da57325bf8bcba850d4507
Tags: banker collection discovery evasion impact persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: 49d9b0a60319f31db9f0709819d2944e79916c0898da57325bf8bcba850d4507
Threat Level: Likely malicious

The file 897dd3f8e6091e400062e99b788fe824_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks if the Android device is rooted.

Requests cell location

Queries information about running processes on the device

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current nearby Wi-Fi networks

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Checks if the internet connection is available

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Mobile Matrix V15 (the interactive matrix is not reproduced in this capture). Tactics covered by the tags and signatures below: Collection, Discovery, Defense Evasion (tagged "evasion"), Impact and Persistence.

Analysis: static1

Detonation Overview

Reported: 2024-06-01 05:32

Signatures

Requests dangerous framework permissions

Permission | Description
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage.
android.permission.READ_PHONE_STATE | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage.
android.permission.CAMERA | Required to be able to access the camera device.

Process and Target are N/A for every row: these are manifest-level findings. Because the sample is packed (see the .jiagu artefacts under behavioral1), the manifest is the only part of the APK the static pass can characterise; the real application code is only available once it is dropped at runtime.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 05:32
Reported: 2024-06-01 05:35
Platform: android-x86-arm-20240514-en
Max time kernel: 13s
Max time network: 150s

Command Line

com.ear.oin

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.ear.oin/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.ear.oin/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.ear.oin/.jiagu/classes.dex!classes3.dex | N/A | N/A
N/A | /data/data/com.ear.oin/.jiagu/tmp.dex | N/A | N/A (loaded 3 times)

The .jiagu directory and the libjiagu.so / libjiagu_64.so libraries listed under Files are the runtime of the 360 Jiagu packer: the APK on disk carries only a stub, and the application's real code is written to .jiagu/classes.dex (a multidex container, hence the !classes2.dex and !classes3.dex entries) and loaded from there. The dropped classes.dex and tmp.dex, whose hashes appear under Files, are therefore what should be decompiled, not the original APK.
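
A check an analyst would run on a DEX dumped from a packed app such as .jiagu/classes.dex before handing it to a decompiler, as an added example that is not part of the sandbox report: packers and memory dumpers commonly leave the DEX magic zeroed or the image truncated, so the parser below verifies the magic, the Adler-32 checksum, the SHA-1 signature and the size fields of the fixed 0x70-byte header, and repairs the magic when only that is damaged. The DEX image it operates on is constructed inline (a header plus an empty map_list, no classes) because the report's files are not reproduced here; DEX version 035 is an assumption.

```python
# Added example (not part of the sandbox report): validate a DEX image dumped
# from a packed app (e.g. /data/data/<pkg>/.jiagu/classes.dex) before decompiling.
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70                      # fixed header length
DEX_ENDIAN_CONSTANT = 0x12345678
HEADER_FIELDS = (                           # 20 uint32 values starting at offset 32
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Return the header fields plus integrity flags for a DEX image."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]                                  # "dex\n" + version + "\0"
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    return {
        **fields,
        "version": magic[4:7].decode("ascii", "replace"),
        "magic_ok": magic[:4] == b"dex\n" and magic[7:8] == b"\0",
        # Adler-32 covers everything after the checksum field itself ...
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        # ... and SHA-1 covers everything after the signature field.
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "layout_ok": fields["file_size"] == len(data)
        and fields["header_size"] == DEX_HEADER_SIZE
        and fields["endian_tag"] == DEX_ENDIAN_CONSTANT,
    }


def repair_dex_header(data: bytes, version: bytes = b"035") -> bytes:
    """Restore a zeroed magic and recompute signature and checksum (what a dumper does)."""
    body = bytearray(data)
    body[0:8] = b"dex\n" + version + b"\0"
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def build_minimal_dex() -> bytes:
    """Constructed sample image: header plus a two-entry map_list, no classes."""
    map_list = struct.pack("<I", 2)
    map_list += struct.pack("<HHII", 0x0000, 0, 1, 0)                # TYPE_HEADER_ITEM
    map_list += struct.pack("<HHII", 0x1000, 0, 1, DEX_HEADER_SIZE)  # TYPE_MAP_LIST
    total = DEX_HEADER_SIZE + len(map_list)
    values = {name: 0 for name in HEADER_FIELDS}
    values.update(file_size=total, header_size=DEX_HEADER_SIZE,
                  endian_tag=DEX_ENDIAN_CONSTANT, map_off=DEX_HEADER_SIZE,
                  data_size=len(map_list), data_off=DEX_HEADER_SIZE)
    header = bytearray(32) + struct.pack("<20I", *(values[n] for n in HEADER_FIELDS))
    return repair_dex_header(bytes(header) + map_list)   # fills magic, signature, checksum


if __name__ == "__main__":
    dex = build_minimal_dex()
    print(parse_dex_header(dex))
    # A packer that only zeroes the magic leaves checksum and signature valid:
    print(parse_dex_header(b"\0" * 8 + dex[8:])["magic_ok"])
```

Note that zeroing the magic does not invalidate the checksum or signature, since neither covers the first 12 bytes; a dump that fails the checksum or the size check, by contrast, is incomplete or still encrypted and needs to be re-dumped rather than repaired.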

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

A packer decrypting its payload exercises this same API, so on its own the Cipher.doFinal call does not evidence encryption of user data; confirm against the unpacked code before treating the "impact" tag as established.

Processes

com.ear.oin

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ear.oin/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.ear.oin/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

(ART's own compiler invocation, triggered when the packer loads the dropped .jiagu/tmp.dex; the resulting .jiagu/oat/x86/tmp.odex and .vdex are a second place the unpacked code can be recovered from.)

ls /sys/class/thermal

(Commonly used as an emulator check: emulators typically expose no thermal zones under /sys/class/thermal, so an empty listing marks a sandbox. This fits the "evasion" signatures above.)

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.67:443 | | tcp
US | 1.1.1.1:53 | app-router.leancloud.cn | udp
CN | 106.75.100.17:443 | app-router.leancloud.cn | tcp
US | 1.1.1.1:53 | open-vip.bmob.cn | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 203.107.1.97:443 | | tcp
CN | 59.82.29.162:443 | log.umsns.com | tcp
US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp
US | 1.1.1.1:53 | itoslaj5.api.lncld.net | udp
SG | 119.29.29.29:80 | 119.29.29.29 | tcp
US | 1.1.1.1:53 | blog.csdn.net | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | umengacs.m.taobao.com | udp
CN | 220.185.184.16:443 | blog.csdn.net | tcp
CN | 111.63.206.54:443 | umengacs.m.taobao.com | tcp
US | 1.1.1.1:53 | amdcopen.m.taobao.com | udp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp (2 connections)
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp

Most of these hosts are backends of commercial SDKs bundled in the app rather than operator-controlled infrastructure: Umeng analytics/push and Alibaba ACCS (log.umsns.com, plbslog.umeng.com, umengacs.m.taobao.com, amdcopen.m.taobao.com, adash.man.aliyuncs.com), LeanCloud (app-router.leancloud.cn, itoslaj5.api.lncld.net), Bmob (open-vip.bmob.cn), Google Play services (semanticlocation-pa.googleapis.com, android.apis.google.com) and HTTPDNS resolvers reached directly by IP (119.29.29.29, 203.107.1.97). Treat them as weak IOCs. The outlier worth following up is blog.csdn.net, which is not an SDK endpoint; open-vip.bmob.cn and itoslaj5.api.lncld.net were resolved but never connected to within the run.

Files

Most of the dropped files belong to bundled third-party components rather than to bespoke code: .jiagu/* and /storage/emulated/0/360/* (360 Jiagu packer), files/.jglogs/.jg.* (JPush SDK), databases/MessageStore.db and MsgLogStore.db (Umeng push), databases/accs.db together with /storage/emulated/0/.UTSystemConfig and .DataStorage (Alibaba ACCS and UTDID device-ID files), databases/bmob_provider.db (Bmob SDK). databases/notes-db is not attributable to a known SDK and is the first place to look for application-specific data. State files such as .deviceId and the SQLite journals are run-specific, so their hashes are poor indicators; the stable ones are the two libjiagu libraries (libjiagu.so has the same hash in both behavioral runs) and the dropped classes.dex.

/data/data/com.ear.oin/.jiagu/libjiagu.so

MD5 f380717bd1e3916c7b697fab8d46c5d8
SHA1 04f51f0d16097214e38be517d93be44cb0603a88
SHA256 8455632be7bacb221468c4daab2f9b5ee33739f08b22244ff81a36a02bec36cc
SHA512 b78fe11f77d2c0ec5b36850e8cc3b955661b31641405233c8842b91205e44dc16a30d7fc1ef18dde1b066c1b98959ae9c18be5472413d2b398b7ab6a6b52c07e

/data/data/com.ear.oin/.jiagu/classes.dex

MD5 0bffe934f17d69d17a4c3af20daa532d
SHA1 c8c28bb38d8bf904c2e59bf1145c343711f7b45c
SHA256 4790c6399df247aeec39a5277aedec9736d5259aa46d26f4ed301ec45d7b25a0
SHA512 623a89a5e4a3082c94286b4cd7abaf8de5038b91f802e9c7f354be4a8f729e8daceea139173b9e924299abdef95abdc2ef48a0d17a4cca0e931eea7663905cf5

/data/data/com.ear.oin/.jiagu/classes.dex!classes2.dex

MD5 6b2c832d95a59bcc47934e09a0345078
SHA1 44a1539f46006d2ca49853cde054ef727f7c306d
SHA256 2f7677e3d5e8d2af290c22e1fad6da141020183f772a30cf5ef0898988dbdc5c
SHA512 7ba7a7180e4da0b7c782548c7fa60feab2e755c19cb7c54303e86abc9b92e3087cde80e6f7e5534aa36d39f49e3d4b586952b99ed7fe67a2a2af6de55bca44ed

/data/data/com.ear.oin/.jiagu/classes.dex!classes3.dex

MD5 06c0dcd62e2516179f0c5b6a8d84db00
SHA1 e54f7f1a7cc3897c1bfa13e41e052ed9b8373046
SHA256 cd617a382aa40ee0b55a4aeee924126fdb027e61b8ef55668f07ccd36c08f2e8
SHA512 1e4dfed4fd6dc986cbecb47748e89a27bd4b7c06f6dd44d55d095e07e35a5823f50247f232b118198cc566f570207bd299a9fc2216fc4f67021061497c2d0580

/data/data/com.ear.oin/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.ear.oin/files/.jglogs/.jg.ri

MD5 8e442c3f9ba56c423447d1e65f09f7a2
SHA1 3eee6e053ccbeb8e2bd06f73915bcf5395c2a457
SHA256 a396cdc76e79560f443f55214b153ae3fbbce0fa6ba2b52de23421084b124542
SHA512 767b8cb73c85d3daa26d391d9395e955823d8319d34dae1418f93f94f1af4394bf33c7a16a37aa94d791952b6eb70aea1221d5c373480066cf44d3192014e0db

/data/data/com.ear.oin/files/.jiagu.lock

MD5 ab4d72f208a9965cf9b5f933a665c694
SHA1 32dc83588bb0a8ed43e920d7ba9fd828e77573da
SHA256 8fc0301b68552fd8c9b93a94575b15e1b7e77e90f14717f7f74311202672779c
SHA512 742e1cfa6bc42de2dee2e5ad351789c8becc201e355eaf457c1525d5a914122c042e3fcd7a8fdc699489d2c5afcbaf61e383d6cf925573f7b728e802af6d8df5

/data/data/com.ear.oin/files/.jglogs/.jg.rd

MD5 ed4f7ecd96e4c0c0040d03646431a2d7
SHA1 296035957d016ab23127fb93b71adb3b1f304d3f
SHA256 1d0191507c806d6a9bc9e87a7556802a8658a72fa6ac422a38e00ec311223306
SHA512 ada7cc9e65abb9de59213e4f63756e02ce647bab86124f32a06981ecddef367997aacf042e507324ea0b9e35146520a61d6172476d7f9bfadafbc180eb9e4487

/data/data/com.ear.oin/files/.jglogs/.jg.store

MD5 448e391c59eef34ee1defbe4dee4c41f
SHA1 df1f890987371d7d8e6963c68b787856e42bc146
SHA256 55612e17689f4bb05f27e18b4f6d06ffef92a6a8893a5cfdd3d5b99a6028b549
SHA512 ce336ce895ba861dda7da27e8869dea065eb3c3403cac55cdf1935409e5ebc95b495370f87ed7416af20af533b15615472e333ae9f2fd2713040f526835399b7

/data/data/com.ear.oin/files/.jglogs/.jg.ac

MD5 3fe2a1cc86f5a067cdbef8ad75faf8f6
SHA1 b51a178df57a5e15e77d500267d2362c4153dead
SHA256 10d1a17fe0ac056b174781532207fe0c127d3bc37767c6e411287eaae9e750bf
SHA512 a68a55c6a4eca881103aea153ad2fc68428de22bc11fe0766004cda7de61c519d0faadfa327d9c9f30a95335e02384357316b60ebbe3919ac5953e55f615163f

/data/data/com.ear.oin/files/.jglogs/.jg.ic

MD5 1b88ede812913759b23c93b8ac2d1249
SHA1 d8b5669bc6d6b5c5289cc3a74b1e083eec17204c
SHA256 edee19b5ef0b1ee1c6e8ee80d0925a91d055851bffa4feb62ae9c404ad0cef9c
SHA512 6fee5619722d72ebab717a229f6d64dfd42bbfb38238725dd735530ce56916f447f6d414586f36d240a88eb5485408d9bc505bdd518dc164333b0a0aebef90af

/data/data/com.ear.oin/databases/MessageStore.db-journal

MD5 b011d59b4c656e857c3e8b440c7e1055
SHA1 0b6969499114de5094b5e21dc98e493ae9b156d5
SHA256 0bcab7a2bf4150a60ed2e8329e8385c37ddc14c43d8e5a5b607e2dbdd2a96299
SHA512 0c85631fdef20af6fb6e0e95ff94a72643f214c7f1ce91632fb2cf715c38d2cc7e69d57353d19939cccdacc4f7062618600436080562cd94d7fe5e86b6743628

/data/data/com.ear.oin/files/.jglogs/.jg.di

MD5 87d0408ac70cf3b63e29426c6bb3c3c8
SHA1 d99e726fb1b9d93c64c65c6699a2915ef0de887f
SHA256 8d4815436c5c81c6dff3cb6d65711327b0d59087f97614469b2350abf2b44cd7
SHA512 b9ae7e65df8942ab8e0b0ee6782f154f99b1a40b6709bb9f8cd9e1fb7111a47d040a318ce52726a6422c49f62c36ad4c514346a77e441219f6b1e82aad0e57d0

/data/data/com.ear.oin/databases/MessageStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/storage/emulated/0/360/.iddata

MD5 e1c24dc8e95355ee188d5fc809c79731
SHA1 0ed197568a024dfd2eeb698d9c73601dea6015ed
SHA256 83b2d83566be4e74c816b5357be27167397ad0a3eaf93585d1286616884c6543
SHA512 96712b3e3570e735c42b1397e5e699abf2f6711418c48181d0880e0b1c966e55b6fe63d42fc5d8684afd7d74dbeded9ad223ce26ebba554071c38048de2ce730

/data/data/com.ear.oin/databases/MessageStore.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.ear.oin/databases/MessageStore.db-wal

MD5 632acf1157f0065c9209113ef63eec2e
SHA1 05c00326d35b9a7ad2f7906b837a633ef1524aee
SHA256 9f481a0c7ae5b42a5d6fd83e908032daca0465bfd551d0d1d6904d7ef1a8766b
SHA512 a39e4d63db0dc39b7c20ec799907fafe0070c6cd712ed38a7e2ac489cb2a9d6771a362f054d006105631683d6c45492acfaa67dea07a9b16bee4711cdb68e581

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.ear.oin/databases/MsgLogStore.db-journal

MD5 4c96193c00bf81dfe095676de5963a5c
SHA1 aa8ba5efb394b4dad07515eb69835d6a1d0811c4
SHA256 5e878727dcc48b65438db4e6cc2ef76472009551e0cc6bf5005b3a39c060866e
SHA512 3da3a18e3c6c0a24915bebb8e2c7fb61261728b07c781a27a262f3e5c52fe1f028da55d2dd8bd6cce26319830a25df68982a4b8b80e2cef9356e021ead7eb088

/data/data/com.ear.oin/databases/MsgLogStore.db-wal

MD5 3e1a0801db92bd691723ebceabe76515
SHA1 8b7d90d0166fb14b0fa0100c84010ff9c1ffc7a9
SHA256 0861309dd7c0f8ee419a6d5cdda8ce300aa0c853816c124edd7ba52bb0782979
SHA512 3f86dfd5c47f2dba34c918e2feb4b2e2ad38b8100f7358b1b94d5c2fc0b9711839031532780ae7f1e7b3251a012942fa7c5679882b4743bacf55a18ca08d37e8

/data/data/com.ear.oin/databases/bmob_provider.db-journal

MD5 4d74e90602dc1bc88e2905a594891eee
SHA1 cce9cb88021525aca0af883495abff69a3e40349
SHA256 481aea7cd4299a86dfe398ec772c68d0b114fcc69f9b938f53d0e4f57d5cf807
SHA512 b785c898c9c69c26b296c2a4a5f15157d0d25d01f492526918559f4db704c1f3ec3a0aa86c89815d7028f44a83f37456d908438c414403b6b3d6e94f40f527df

/data/data/com.ear.oin/databases/bmob_provider.db-wal

MD5 3a8aed97a279a91cfc07dcb2fe623381
SHA1 5190cdc584f5bb6b85646859ed7bc451c6381a3a
SHA256 c4fa991a8b08e36a492cc1192736052790e2278c7c2c0af2ef2a0813b4f5a885
SHA512 dca483de75c50a7c1613240e6e679d72d1c2baa70e1052787260ed405b8450390fc31cca8b78432443baf852b9f0eae5e1539c55d94d021ac950447000b3ca49

/data/data/com.ear.oin/databases/notes-db-journal

MD5 bccce26d3bf12064e5c4db2c18d0c657
SHA1 ea1da2d31cdf4396e70615727515213df50bef2c
SHA256 d019d10ebc8d9327c1fc5f32711ca7b9851e111b45a7b480e752e74ce210d243
SHA512 8d89d83742e58944e4aae4a59cc53b5f3545287d6d6e95e3c277a398eed43ba18a6bd04bbdb259b740fe7e2073d572fe265d78ab0fd8dedb38d474b520ee4f0f

/data/data/com.ear.oin/databases/notes-db-wal

MD5 5cb285ed0f52744ba6a163c160af28fa
SHA1 12bc6f085e6f431cceb76336a8e9d747d604f9af
SHA256 0271a99b81bbd4a7110af34bd3b021347e06f97dc56caa040164c8287e8aa64d
SHA512 ad01c7ebed9f9f2878ecf3235b56d9c623b21a964f5902b9362b79cfa8deef7ab6a57b6c4b634f585cbaef817c062ee2dfb85b285c3039fe130d7e5524622ade

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml (first write)

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml (second write to the same path; the contents differ, hence the different hashes)

MD5 06c51c4dc81e21bc9b98285f4559af5b
SHA1 f1da7720df4a82afe0754774aab1ab080b025b3f
SHA256 f2d1830f2bc7da7498d89ae83147ec8ff2f0ba60910da9eb032a3aa0b12733b4
SHA512 77232e03bee1ead941084be2d93a3cba20069be530844502ef3b669ec0d324c5569c1466a9cc52036c708dbe68e768a88a96edd966d7c3e31818d90ef5be9b3b

/data/data/com.ear.oin/databases/accs.db-journal

MD5 fa1448d3f7a07c0fde648908ae1e3781
SHA1 f5a8fdafe7c11c7f8903bacf8e62bad2c2961e2c
SHA256 35f763d45212c42015a996637af1b93255a7c6f5433ea5a853498d15806b67c6
SHA512 e6cb0aa1694940b0418803fec6af9b6469f7eda246821329dce1c5ba433649c9fd4a731363b6701c45262682abfa8f74b984c4ee739e01fa62556db85dd047b6

/data/data/com.ear.oin/databases/accs.db-wal

MD5 213673c73c488583643fba822c99890c
SHA1 89823d973b14bed798dc311aef19a092a8080ff9
SHA256 b4adab233438a73fc36ccec23e4e984655244cdf24570bd499328a4056c337ad
SHA512 002f5a81e49acc8d8efa834111fe73fa6b8ac73625dfb81ea9db9e134e4c2e3cff6ad76cc4104c13df8987d23d8e2b2fc89d3517ad6c9766df8701e3d158338d

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 1d605811ccdadda7865075a73dc4250e
SHA1 6e548eb85e2031bcf8b5a72e31f854181a4b5d36
SHA256 9072d52d30fe36cb260a051cb4d262d72975aa887fbcf88180599cd52a70ac64
SHA512 a9e0ddb1978e08a06471c9e078dd42e378cfd7821a9d3e8c4b4803c9e5f402754b38105bbb8956e80d948f14429d8670e688656860c017f9b4a9138a7f2ae9a5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-01 05:32
Reported: 2024-06-01 05:35
Platform: android-x64-arm64-20240514-en
Max time kernel: 3s
Max time network: 132s

Command Line

com.ear.oin

Signatures

None triggered. Only the packer's native stubs were dropped on this platform (see Files below) and no DEX was written, which suggests the packed payload never unpacked in the 64-bit run; behavioral1 is the run to rely on.

Processes

com.ear.oin

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp (3 connections)
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 | | tcp (2 connections)

Only Google traffic; none of the SDK backends contacted in behavioral1 appear here.

Files

/data/user/0/com.ear.oin/.jiagu/libjiagu.so

MD5 f380717bd1e3916c7b697fab8d46c5d8
SHA1 04f51f0d16097214e38be517d93be44cb0603a88
SHA256 8455632be7bacb221468c4daab2f9b5ee33739f08b22244ff81a36a02bec36cc
SHA512 b78fe11f77d2c0ec5b36850e8cc3b955661b31641405233c8842b91205e44dc16a30d7fc1ef18dde1b066c1b98959ae9c18be5472413d2b398b7ab6a6b52c07e

/data/user/0/com.ear.oin/.jiagu/libjiagu_64.so

MD5 585208a50849d74967be092bf41ab7ce
SHA1 7b7105bc642c01784e7a301c5008f82fc3d4ec44
SHA256 38cc9d02e42be8f2e0dcd69a0a826f9517b3381b4ca24eb1769c2880e7460a37
SHA512 9f8b659e91f2c40eba6bd82a2d3ecdf0dffaa9a211f0a64fd52ae8f8fa713d2ff9dfa48a94e654d5797e0304ecf53546d828085d9b96b6d3a4c42131405de7f2
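
To turn the two Network tables above into a reviewable IOC list, an added example that is not part of the sandbox output: it parses rows in the report's "Country Destination Domain Proto" layout, separates resolver queries from actual connections, drops multicast noise, counts repeated rows, and flags domains that were queried but never connected to as well as hosts contacted with no resolver query seen (typical of HTTPDNS or hard-coded addresses). The embedded rows are copied from the behavioral1 table; the resolver address 1.1.1.1 is the one the sandbox used.

```python
# Added example (not part of the sandbox report): extract IOCs from rows in the
# report's "Country Destination Domain Proto" layout.
import ipaddress
from collections import Counter, defaultdict

# Rows copied from the behavioral1 Network table of this report (a subset).
SAMPLE_ROWS = """\
Country Destination Domain Proto
GB 142.250.200.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 app-router.leancloud.cn udp
CN 106.75.100.17:443 app-router.leancloud.cn tcp
US 1.1.1.1:53 open-vip.bmob.cn udp
CN 203.107.1.97:443 tcp
SG 119.29.29.29:80 119.29.29.29 tcp
US 1.1.1.1:53 blog.csdn.net udp
CN 220.185.184.16:443 blog.csdn.net tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
"""


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_rows(text: str) -> list:
    """Parse 'CC ip:port [domain] proto' rows; the domain column is optional."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue                                   # header or malformed row
        country, dest, proto = parts[0], parts[1], parts[-1]
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        domain = parts[2] if len(parts) == 4 else None
        if domain is not None and _is_ip(domain):
            domain = None                              # column repeated a bare IP
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain, "proto": proto})
    return records


def extract_iocs(records: list, resolver: str = "1.1.1.1") -> dict:
    """Split rows into resolver queries, named connections and bare-IP connections."""
    queried, contacted, bare, seen = set(), defaultdict(set), set(), Counter()
    for r in records:
        dest = f"{r['ip']}:{r['port']}"
        seen[(dest, r["domain"], r["proto"])] += 1
        if r["ip"] == resolver and r["port"] == 53:
            if r["domain"]:
                queried.add(r["domain"])               # a DNS lookup, not a contact
        elif ipaddress.ip_address(r["ip"]).is_multicast:
            continue                                   # mDNS and similar noise
        elif r["domain"]:
            contacted[r["domain"]].add(dest)
        else:
            bare.add(dest)                             # e.g. CDN or HTTPDNS by IP
    return {
        "queried": sorted(queried),
        "contacted": {d: sorted(v) for d, v in sorted(contacted.items())},
        "bare": sorted(bare),
        "never_contacted": sorted(queried - set(contacted)),
        "no_dns_seen": sorted(set(contacted) - queried),
        "repeated": {k: n for k, n in seen.items() if n > 1},
    }


if __name__ == "__main__":
    for key, value in extract_iocs(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

On the embedded subset this reports open-vip.bmob.cn as resolved but never contacted and amdcopen.m.taobao.com as contacted without a visible resolver query, the two cases that are easy to miss when reading the raw table.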