Malware Analysis Report

2025-01-06 11:35

Sample ID 240603-ew6b3aba8y
Target 9081d3e48127e93a2ccada5c9ecabf2b_JaffaCakes118
SHA256 8a7ee433ac4593cd3730eba2f18c1c61b6de515857e72f635d5230107cb57724
Tags banker collection discovery evasion impact persistence
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 8/10

SHA256 8a7ee433ac4593cd3730eba2f18c1c61b6de515857e72f635d5230107cb57724

Threat Level: Likely malicious

The file 9081d3e48127e93a2ccada5c9ecabf2b_JaffaCakes118 was found to be: Likely malicious.

Of the four detonations only behavioral1 (android-x86-arm) started the app; behavioral2, behavioral3 and behavioral4 recorded no process, signature or file activity, so every behavioural finding in this report comes from that single run.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the mobile country code (MCC)

Queries information about the current nearby Wi-Fi networks

Loads dropped Dex/Jar

Checks CPU information

Queries information about running processes on the device

Requests dangerous framework permissions

Checks if the internet connection is available

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

The SMS triad (SEND_SMS, READ_SMS, RECEIVE_SMS) together with SYSTEM_ALERT_WINDOW is the permission profile of SMS-intercepting and overlay banking malware. The same set can also be declared by legitimate apps through embedded SDKs, and the manifest alone cannot tell the two apart; what the app actually does with these permissions is only visible in the behavioral runs below.
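As an added worked example (not output of the sandbox that produced this report), a small Python triage heuristic that pulls the android.permission.* tokens out of free text such as `aapt dump badging` output or the table above and scores the combinations just described. The permission groupings, weights and the `aapt`-style input are this example's own assumptions; the input is constructed to mirror the static1 table.

```python
import re

# Permission groupings used by this triage heuristic.  They are this example's
# own assumptions about what matters for Android banker / SMS-stealer triage,
# not a rule taken from the sandbox.
SMS_TRIAD = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
LOCATION = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}
PHONE_STATE = "android.permission.READ_PHONE_STATE"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

PERM_RE = re.compile(r"android\.permission\.[A-Z_0-9]+")


def extract_permissions(text):
    """Collect every android.permission.* token in free text, e.g. the
    uses-permission lines of `aapt dump badging` or a sandbox report table."""
    return set(PERM_RE.findall(text))


def assess(perms):
    """Return (score, findings) for a permission set.  Score is a 0-10 triage
    value built from the combinations below; findings explain each step."""
    findings = []
    score = 0
    sms = perms & SMS_TRIAD
    if sms == SMS_TRIAD:
        score += 4
        findings.append("full SMS control: read, intercept and send SMS (OTP theft, premium SMS)")
    elif sms:
        score += 2
        findings.append("partial SMS access: " + ", ".join(sorted(p.rsplit(".", 1)[1] for p in sms)))
    if OVERLAY in perms:
        score += 2
        findings.append("SYSTEM_ALERT_WINDOW: can draw windows over other apps")
        if sms:
            score += 2
            findings.append("overlay + SMS: the permission profile of overlay banking trojans")
    if ACCESSIBILITY in perms:
        score += 2
        findings.append("accessibility service: can read screen content and inject input")
    if perms & LOCATION:
        score += 1
        findings.append("location access")
    if PHONE_STATE in perms:
        score += 1
        findings.append("READ_PHONE_STATE: device and network identifiers")
    return min(score, 10), findings


# Constructed `aapt dump badging` excerpt mirroring the static1 permission table
# (only the uses-permission lines are reproduced; INTERNET is assumed).
SAMPLE_BADGING = """\
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

if __name__ == "__main__":
    score, findings = assess(extract_permissions(SAMPLE_BADGING))
    print("score", score)
    for f in findings:
        print(" -", f)
```

The scorer is deliberately manifest-only: a high score says the app could behave like a banker, not that it does, which is why the behavioral sections that follow carry the actual evidence.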

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:18

Reported

2024-06-03 04:22

Platform

android-x86-arm-20240514-en

Max time kernel

163s

Max time network

186s

Command Line

com.jedigames.guaji.qh360

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read (x2) /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.jedigames.guaji.qh360/files/qhopensdk/pro/236/pro.jar N/A N/A

The jar sits in the app's private files directory under qhopensdk/pro/236/, a name consistent with a plugin of the Qihoo 360 app-store SDK (the package suffix .qh360 and the openapi.360.cn, md.openapi.360.cn and ps.dev.360.cn endpoints in the Network table point the same way). Whatever its origin, code loaded this way is not covered by the static1 pass; the jar's hashes are recorded under Files and are the artifacts to pull from the sandbox and decompile.

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call (x2) android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call (x3) android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call (x3) android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Note: alog.umeng.com is the log-upload endpoint of the Umeng analytics SDK (Alibaba), which is embedded in a large number of legitimate Chinese apps; the file mobclick_agent_cached_com.jedigames.guaji.qh360 listed under Files is that SDK's local cache (MobclickAgent is its client class). The domain is on the echap.eu.org list because stalkerware apps also embed Umeng, so this hit on its own is weak evidence and does not by itself indicate stalkerware.

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.jedigames.guaji.qh360

com.jedigames.guaji.qh360:QLocal

com.jedigames.guaji.qh360:QRemote

sh -c rm -r "/data/user/0/com.jedigames.guaji.qh360/files/tmpdir"

rm -r /data/user/0/com.jedigames.guaji.qh360/files/tmpdir

Network

Country Destination Domain Proto
GB 142.250.187.195:443 - tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 openapi.360.cn udp
HK 101.198.192.35:443 openapi.360.cn tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
HK 101.198.192.35:443 openapi.360.cn tcp
US 1.1.1.1:53 md.openapi.360.cn udp
US 104.192.110.216:80 md.openapi.360.cn tcp
CN 111.206.127.118:80 - tcp
GB 142.250.180.14:443 - tcp
GB 142.250.180.14:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ps.dev.360.cn udp
CN 111.206.127.118:80 - tcp
CN 111.206.127.118:80 - tcp
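Two things to keep in mind when reading this table: the 224.0.0.251:5353 (mDNS multicast) rows and connections into the 142.250.0.0/16 range (Google) also appear in behavioral2, where no process of the sample ran, so they are emulator background traffic rather than sample activity; and the 1.1.1.1:53 udp rows are the DNS lookups for the names in the Domain column, not connections to the sample's infrastructure. The Python below, added here as a worked example and not part of the sandbox's output, performs that separation mechanically: it takes the rows of behavioral1 and the rows of behavioral2 through behavioral4 (constructed inline from the four Network tables of this report) and splits the sample's run into domains actually contacted, domains only resolved, egress with no DNS seen, and environment noise. The classification rules are this example's own.

```python
import ipaddress
from collections import defaultdict

# Rows constructed from the report's Network tables: behavioral1 (the run in
# which the app started) and behavioral2-4 (no process ran).  Column order as
# in the report: country, destination, domain, proto; a blank Domain is None.
RUN_WITH_SAMPLE = [
    ("GB", "142.250.187.195:443", None, "tcp"),
    ("N/A", "224.0.0.251:5353", None, "udp"),
    ("US", "1.1.1.1:53", "semanticlocation-pa.googleapis.com", "udp"),
    ("US", "1.1.1.1:53", "openapi.360.cn", "udp"),
    ("HK", "101.198.192.35:443", "openapi.360.cn", "tcp"),
    ("US", "1.1.1.1:53", "alog.umeng.com", "udp"),
    ("CN", "223.109.148.176:80", "alog.umeng.com", "tcp"),
    ("HK", "101.198.192.35:443", "openapi.360.cn", "tcp"),
    ("US", "1.1.1.1:53", "md.openapi.360.cn", "udp"),
    ("US", "104.192.110.216:80", "md.openapi.360.cn", "tcp"),
    ("CN", "111.206.127.118:80", None, "tcp"),
    ("GB", "142.250.180.14:443", None, "tcp"),
    ("GB", "142.250.180.14:443", None, "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "172.217.16.238:443", "android.apis.google.com", "tcp"),
    ("US", "1.1.1.1:53", "ps.dev.360.cn", "udp"),
    ("CN", "111.206.127.118:80", None, "tcp"),
    ("CN", "111.206.127.118:80", None, "tcp"),
]
RUNS_WITHOUT_SAMPLE = [
    [("GB", "142.250.200.14:443", None, "tcp"), ("N/A", "224.0.0.251:5353", None, "udp")],
    [("N/A", "224.0.0.251:5353", None, "udp")],
    [("N/A", "224.0.0.251:5353", None, "udp")],
]


def split_dest(dest):
    """'1.1.1.1:53' -> ('1.1.1.1', 53)"""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def attribute(run, baseline_runs):
    """Split a run's network rows into traffic the sample can be held
    responsible for and noise.  Returned keys:
      contacted     domain -> {ip:port} connected to after resolution
      dns_only      names resolved but never connected to
      unattributed  ip:port egress with no domain (no DNS seen for it)
      environment   rows also present in runs where the sample never
                    started, plus multicast such as mDNS
    """
    env_keys = {(dest, proto) for b in baseline_runs for _, dest, _, proto in b}
    result = {"contacted": defaultdict(set), "dns_only": set(),
              "unattributed": set(), "environment": set()}
    for _, dest, domain, proto in run:
        host, port = split_dest(dest)
        if (dest, proto) in env_keys or ipaddress.ip_address(host).is_multicast:
            result["environment"].add(dest)
        elif proto == "udp" and port == 53:
            result["dns_only"].add(domain)  # provisional; pruned below
        elif domain:
            result["contacted"][domain].add(dest)
        else:
            result["unattributed"].add(dest)
    # a name that was resolved and then connected to is not "DNS only"
    result["dns_only"] -= set(result["contacted"])
    result["contacted"] = dict(result["contacted"])
    return result


def plaintext_domains(result):
    """Domains reached only over port 80: unencrypted, worth a PCAP look."""
    return {d for d, dests in result["contacted"].items()
            if all(split_dest(x)[1] == 80 for x in dests)}


if __name__ == "__main__":
    r = attribute(RUN_WITH_SAMPLE, RUNS_WITHOUT_SAMPLE)
    for key in ("contacted", "dns_only", "unattributed", "environment"):
        print(key, r[key])
    print("plaintext", plaintext_domains(r))
```

The exact-match baseline only strips what the empty runs reproduced byte for byte (here the mDNS rows); the Google 142.250.x.x:443 connections land in the unattributed bucket together with 111.206.127.118:80, which is where a reviewer should look first, since egress with no preceding DNS lookup is either a hard-coded address or a resolver the sandbox did not see.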

Files

/data/data/com.jedigames.guaji.qh360/app_td-cache/tdandroidgame

MD5 db3b74e3fceee523f2361f19074310ed
SHA1 0ff7c4d09d6f468a9e5058adc527af477f1e4664
SHA256 598c3e7556a70a1ce3095c119fcfafdb8ebc797dd84a1274f090243331fccfe3
SHA512 fb02559db01aad4635b2146e5852beb5bf52e02411da91a9e7deb3df716606a61dd391aaf9c55f70800ac7a0d91f196c3e091c2c861932da6995cd5944f826fb

/data/data/com.jedigames.guaji.qh360/files/qhopensdk/pro/236/pro.jar

MD5 9f992a5db59fdc4c534d690a059b7f53
SHA1 1153f4c2e0c845de8b19b1b2cf736561250df824
SHA256 044a88f7e61f6281b87820494bc33e7dd66a341e1eed4eaa2fff9e13aabe9f16
SHA512 ed37fa30c80a96e007ff58d8738a5a77b0c1590ffe4b507d42bf189b0449af65cc9238c92fc761e646b680d9b529eecf15b0c4c83938498e8bb5a54fec3d1506

/data/user/0/com.jedigames.guaji.qh360/files/qhopensdk/pro/236/pro.jar

MD5 ac38a6dd5dbe5dff7826cf964eaadf58
SHA1 9de6bfda8a3cb4ea66e50ec1027a1e7b83fe0b77
SHA256 9cda2369f74103d5d57da8085eb8cbdab0cd9f3c9fd64e8a4d68b64522300071
SHA512 8e6ca0939ab87e0e2f7a59950dc154430ee0365b5840fbedba8ad64cf8e24ebe10187ec4d24bf78fb73e0e08defcf11db3533f7c4fc54d6e692d8ea490e21603

The two pro.jar entries above are the same file path (/data/data/<pkg> is a symlink to /data/user/0/<pkg>) recorded with different hashes, so the jar was written more than once during the run, for example replaced by an updated plugin; keep both SHA256 values as indicators.

/storage/emulated/0/data/com/qhpush/regId/com.jedigames.guaji.qh360

MD5 2441e6160caa45a7d334271692cc2cbc
SHA1 2381ede981482e22dad52a5a3fe75a324d444257
SHA256 69a70480a1829c2b903d664a64b152e9d509c957b48454550ecb0f2302075601
SHA512 416a498cdd109243206db9d9a8d2bf046ac7743c9725fc82fd7dfa4810b0c2ea91d2140b045ffa468608043279cf831daed28d6abafcfa7ec55ce96877cf58d0

/data/data/com.jedigames.guaji.qh360/files/mobclick_agent_cached_com.jedigames.guaji.qh360

MD5 fd7bbeb02226cec617e308a049185282
SHA1 d9c3ce5c36343e68089c16ba18e4f6a6a8db1320
SHA256 33f418b734dd197ecc7a22f7d2847065485cc6fed8c1a1c858cc9dec26fd499a
SHA512 6af61c2c1d6f9791e1e9d179dd0f70d1930e5e92325d70580b864cb384b91ab1c45ec9853c405a686c1416f99060f884cfbc44edf755f38e91c30be10a0b4985
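Once a dropped jar such as pro.jar has been pulled from the sandbox, the first check is whether it is an ordinary DEX container or something packed or damaged. The Python below is an added example, not the sandbox's or the app's code: it opens a jar, locates every classes*.dex, and parses and verifies the 0x70-byte DEX header (magic, file_size, header_size, endian tag, the adler32 checksum over everything after the checksum field, and the SHA-1 signature over everything after the signature field), returning the id-table counts that tell you roughly how much code is inside. Because the real pro.jar is not reproduced here, the example builds a constructed header-only DEX inside a constructed jar as a stand-in.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
HEADER_SIZE = 0x70


def parse_dex_header(dex):
    """Parse and verify the 0x70-byte DEX header of a classes.dex blob.

    Raises ValueError when the magic, sizes, adler32 checksum or SHA-1
    signature do not match, which is how a truncated dump, a packed or
    encrypted payload, or a hand-patched header shows up."""
    if len(dex) < HEADER_SIZE or not dex.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a DEX file (bad magic)")
    version = dex[4:7].decode("ascii")            # e.g. "035"
    (checksum,) = struct.unpack_from("<I", dex, 0x08)
    signature = dex[0x0C:0x20]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 0x20)
    if header_size != HEADER_SIZE or endian_tag != 0x12345678:
        raise ValueError("unexpected header_size or endian_tag")
    if file_size != len(dex):
        raise ValueError("file_size %d != actual %d" % (file_size, len(dex)))
    # checksum covers everything after itself, signature everything after itself
    if (zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF) != checksum:
        raise ValueError("adler32 checksum mismatch")
    if hashlib.sha1(dex[0x20:]).digest() != signature:
        raise ValueError("SHA-1 signature mismatch")
    # string/type/proto/field/method/class _ids_size and _off pairs at 0x38
    counts = struct.unpack_from("<12I", dex, 0x38)
    return {
        "version": version,
        "strings": counts[0],
        "types": counts[2],
        "protos": counts[4],
        "fields": counts[6],
        "methods": counts[8],
        "classes": counts[10],
    }


def inspect_jar(jar_bytes):
    """SHA-256 of the jar plus a parsed header for every classes*.dex in it."""
    out = {"sha256": hashlib.sha256(jar_bytes).hexdigest(), "dex": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                out["dex"][name] = parse_dex_header(zf.read(name))
    return out


def build_synthetic_dex(class_defs=3):
    """Constructed header-only DEX with a correct checksum and signature.
    Stand-in for the real pro.jar payload, which is not part of this example."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 0x20, HEADER_SIZE, HEADER_SIZE, 0x12345678)
    struct.pack_into("<I", hdr, 0x60, class_defs)              # class_defs_size
    hdr[0x0C:0x20] = hashlib.sha1(hdr[0x20:]).digest()         # signature
    struct.pack_into("<I", hdr, 0x08, zlib.adler32(hdr[0x0C:]) & 0xFFFFFFFF)
    return bytes(hdr)


def build_synthetic_jar():
    """Constructed jar containing the synthetic DEX, as a DexClassLoader input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", build_synthetic_dex())
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_jar(build_synthetic_jar()))
```

Run `inspect_jar(open("pro.jar", "rb").read())` on the real artifact; a ValueError on the checksum or signature means the blob is not a plain DEX (often a packer stub whose real code is decrypted at load time), and a header that parses cleanly gives you class and method counts before you spend time in a decompiler.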

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:18

Reported

2024-06-03 04:19

Platform

android-x86-arm-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.200.14:443 - tcp
N/A 224.0.0.251:5353 - udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 04:18

Reported

2024-06-03 04:19

Platform

android-x64-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-03 04:18

Reported

2024-06-03 04:19

Platform

android-x64-arm64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp

Files

N/A