Malware Analysis Report

2025-01-06 11:51

Sample ID 240603-d8jhdshh9z
Target 906c6315bcbfd9b1e8a8e1216143412b_JaffaCakes118
SHA256 f636b73f54e43566fd4720cd6c29561b881223d7aa9347a9f7bb74da41cecbba
Tags
discovery evasion impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f636b73f54e43566fd4720cd6c29561b881223d7aa9347a9f7bb74da41cecbba

Threat Level: Likely malicious

The file 906c6315bcbfd9b1e8a8e1216143412b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact

Checks if the Android device is rooted.

Checks memory information

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:40

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:40

Reported

2024-06-03 03:43

Platform

android-x86-arm-20240514-en

Max time kernel

9s

Max time network

130s

Command Line

com.gypsii.weibocamera

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.gypsii.weibocamera

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
US 1.1.1.1:53 collector.bughd.com udp
GB 142.250.178.3:443 tcp
US 1.1.1.1:53 api.weibo.com udp
HK 36.51.224.49:443 api.weibo.com tcp
HK 36.51.224.49:443 api.weibo.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp

Files

/data/data/com.gypsii.weibocamera/databases/weibocamera.db-journal

MD5 53e01f5076b3febb242cd19556946ed9
SHA1 cec02bd3b24bc56f6da6390f72a53fb81553a440
SHA256 627eea44639cfd7d9b039c468553a5851d536de9b53c3b1c0b11bb439a57ff3f
SHA512 e5b440c403161b5fecd63735895a346be85ff711636ae7a1440d711d8f89c49c0b84b32abfba8c577ccb68a2973afce45914f59b1343f90df5a7b16775fed1df

/data/data/com.gypsii.weibocamera/databases/weibocamera.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.gypsii.weibocamera/databases/weibocamera.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.gypsii.weibocamera/databases/weibocamera.db-wal

MD5 bc0f251b82ca62b1688de94392903258
SHA1 0d8f4704871fa90d852c1a57d362457bd02af4a3
SHA256 e58d4b0d1fe295cb85ca90a9bc2edb89725ca2636ad88c1a40f34492878b9058
SHA512 67c43415b4c233b5a43bc0336104dcd7a241ac4d74f392f966b4f2517e032ca1faac2aec2dd6c7a75e8a1706df7a7ecac728c2b0aa3765b297eb599c26d3f91f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:40

Reported

2024-06-03 03:43

Platform

android-x64-arm64-20240514-en

Max time kernel

8s

Max time network

159s

Command Line

com.gypsii.weibocamera

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.gypsii.weibocamera

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 collector.bughd.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.weibo.com udp
HK 36.51.224.49:443 api.weibo.com tcp
HK 36.51.224.49:443 api.weibo.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/user/0/com.gypsii.weibocamera/databases/weibocamera.db-journal

MD5 66e9f500e22e39501b4cd020e7ab61ca
SHA1 83d5f294176bc57b9f1b7b2672a8e412271bc78c
SHA256 36dd1647c8db363c49184f667658ed56640c264e3524e0b7ce86266889081075
SHA512 046bd02e9c2f9975cd9c28f42f6ef5784bb9e06bd28fdc344e9dff2b70b1716f115289e3213997d10dc351ce7637b0941e52f0dde0d4ddafab0c2ce4f01de80e

/data/user/0/com.gypsii.weibocamera/databases/weibocamera.db

MD5 443eccc49e1f62772571016b89d9d143
SHA1 edde210118a7eb2b96ed92313bbcd95d9603b3a8
SHA256 ffa1c0a59823bf8e0eddd9cf2cbd942ef0ab9ac429cadf776ef0dd93f9a2e266
SHA512 025696358c9a960f269fffbacef768943b30333235794237e25976ab1b2a0b1949598b7a6986376636b8473ce01fa7f431179f00d8d05d23548b0c4162aafc71

/data/user/0/com.gypsii.weibocamera/databases/weibocamera.db-journal

MD5 83b44ecbb4ac9faf44824594ccfe61ef
SHA1 877bb60e95ca76d24e62f8e8c9d8106255b6bb57
SHA256 f78ffe268edff0226e14aa08b02e28a201a27d9e1d59a673618f27a6a3ab1e4c
SHA512 e321873a965d75cf3714c008d06790c81b5e013dee95084b5d5fe831871a16364bea48f322f0a637160f0dcb472047cf7199359cc4c7eed502dfcb7946420e8c

/data/user/0/com.gypsii.weibocamera/databases/weibocamera.db-journal

MD5 34b792f06c29dcce43014cac7c4a6bbe
SHA1 fe0b9663b5706f0e6e5d1f6ec7a4319f6756f0b2
SHA256 39d03da953b9e272d6671d8da2f6845f08108c3acda70d8066ee9641e8b152db
SHA512 adae2f3e444ba591fcfb7cf160dbc054236f08852d4b328cef42779308b53a7191347140da841d3375fe5c25e4cb923e3c2f9bf1d10325762b3ffda90ab8f1b8