Malware Analysis Report

2025-01-06 09:57

Sample ID: 240601-f8sgeacb87
Target: 897dd448cbcc10e7f18d4c0a2be4e013_JaffaCakes118
SHA256: 9a4996d48394f87f79ffe23c1fd5206869e32498bd339c3083a4c46f282674ad
Tags: discovery, evasion, persistence
Score: 7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file 897dd448cbcc10e7f18d4c0a2be4e013_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Checks CPU information

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Analysis: static1

Detonation Overview

Reported: 2024-06-01 05:32

Signatures

Requests dangerous framework permissions

Indicator and description (Process and Target are N/A for every entry):

android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 05:32
Reported: 2024-06-01 05:36
Platform: android-x86-arm-20240514-en
Max time kernel: 10s
Max time network: 131s

Command Line

com.maoqilai.paizhaoquzi

Signatures

Checks CPU information (evasion, discovery)

Indicator: file opened for read, /proc/cpuinfo (Process: N/A, Target: N/A)

Loads dropped Dex/Jar (evasion)

Indicators (Process and Target: N/A):
/data/data/com.maoqilai.paizhaoquzi/.jiagu/classes.dex
/data/data/com.maoqilai.paizhaoquzi/.jiagu/classes.dex!classes2.dex
/data/data/com.maoqilai.paizhaoquzi/.jiagu/classes.dex!classes3.dex
/data/data/com.maoqilai.paizhaoquzi/.jiagu/tmp.dex (listed three times)

Queries information about running processes on the device (discovery)

Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses (Process: N/A, Target: N/A)

Queries information about the current Wi-Fi connection (discovery)

Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo (Process: N/A, Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)

Indicator: framework service call android.app.IActivityManager.registerReceiver (Process: N/A, Target: N/A)

Checks if the internet connection is available (discovery)

Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo (Process: N/A, Target: N/A)

Processes

com.maoqilai.paizhaoquzi

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.maoqilai.paizhaoquzi/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.maoqilai.paizhaoquzi/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination            Domain                              Proto
GB       216.58.213.3:443       N/A                                 tcp
GB       142.250.200.14:443     N/A                                 tcp
GB       142.250.200.10:443     N/A                                 tcp
N/A      224.0.0.251:5353       N/A                                 udp
GB       142.250.187.234:443    N/A                                 tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53             verify.baidubce.com                 udp
CN       110.242.69.180:443     verify.baidubce.com                 tcp
CN       203.107.1.97:443       N/A                                 tcp
US       1.1.1.1:53             log.umsns.com                       udp
CN       59.82.29.162:443       log.umsns.com                       tcp
US       1.1.1.1:53             adash.man.aliyuncs.com              udp
CN       59.82.40.77:80         adash.man.aliyuncs.com              tcp
GB       172.217.169.14:443     N/A                                 tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.187.238:443    android.apis.google.com             tcp

Files

/data/data/com.maoqilai.paizhaoquzi/.jiagu/libjiagu.so
/data/data/com.maoqilai.paizhaoquzi/.jiagu/classes.dex
/data/data/com.maoqilai.paizhaoquzi/.jiagu/classes.dex!classes2.dex
/data/data/com.maoqilai.paizhaoquzi/.jiagu/classes.dex!classes3.dex
/data/data/com.maoqilai.paizhaoquzi/.jiagu/tmp.dex
/data/data/com.maoqilai.paizhaoquzi/files/.jglogs/.jg.ri
/data/data/com.maoqilai.paizhaoquzi/files/.jiagu.lock
/data/data/com.maoqilai.paizhaoquzi/files/.jglogs/.jg.rd
/data/data/com.maoqilai.paizhaoquzi/files/.jglogs/.jg.ac
/data/data/com.maoqilai.paizhaoquzi/files/.jglogs/.jg.ic
/data/data/com.maoqilai.paizhaoquzi/files/.jglogs/.jg.di
/storage/emulated/0/360/.iddata
/storage/emulated/0/360/.deviceId
/data/data/com.maoqilai.paizhaoquzi/databases/MessageStore.db-journal
/data/data/com.maoqilai.paizhaoquzi/databases/MessageStore.db
/data/data/com.maoqilai.paizhaoquzi/databases/MessageStore.db-shm
/data/data/com.maoqilai.paizhaoquzi/databases/MessageStore.db-wal
/data/data/com.maoqilai.paizhaoquzi/databases/MsgLogStore.db-journal
/data/data/com.maoqilai.paizhaoquzi/databases/MsgLogStore.db-wal
/data/data/com.maoqilai.paizhaoquzi/databases/history_db-journal
/data/data/com.maoqilai.paizhaoquzi/databases/history_db-wal
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml (listed twice)
/storage/emulated/0/.DataStorage/ContextData.xml

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-01 05:32
Reported: 2024-06-01 05:33
Platform: android-33-x64-arm64-20240514-en
Max time network: 8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination            Domain  Proto
GB       172.217.16.234:443     N/A     tcp
GB       142.250.179.228:443    N/A     udp
GB       142.250.179.228:443    N/A     udp
N/A      224.0.0.251:5353       N/A     udp

Files

N/A