Malware Analysis Report

2025-01-06 10:59

Sample ID 240603-fg1zgadc85
Target 909622477bf87ad2aaadd138c7ff8a2d_JaffaCakes118
SHA256 c3f9471d2c211af64534b9eb643204d426664dd5ec5ac8899cc7ab634277208e
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c3f9471d2c211af64534b9eb643204d426664dd5ec5ac8899cc7ab634277208e

Threat Level: Likely malicious

The file 909622477bf87ad2aaadd138c7ff8a2d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks known Qemu files.

Checks known Qemu pipes.

Checks if the internet connection is available

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:51

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:51

Reported

2024-06-03 04:54

Platform

android-x86-arm-20240514-en

Max time kernel

124s

Max time network

175s

Command Line

chuangke.chengdun.com

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

chuangke.chengdun.com

/system/bin/sh -c getprop

getprop

Network

Country Destination Domain Proto
GB 216.58.213.3:443 tcp
GB 142.250.200.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.234:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp

Files

/data/data/chuangke.chengdun.com/databases/bugly_db_yaq-journal

MD5 e9810214546d569d120e9027ec212d70
SHA1 282fd1e43fd99b111311bab10b4531bf9b1b494e
SHA256 9ef11dea3279e6ee249e7f8bf7576beb10911a7eb2f8226d1d20904ec5fc1250
SHA512 dac51cc307c90dcc6468bf26e9302ebe71efb351b502659aeebc545ddf21fd91efa83eea0a106c81b9a1f27753748be24674388903b484137e3e54c421d36d86

/data/data/chuangke.chengdun.com/app_crashrecord/1004

MD5 2459223dba8c8c5b028929572765cffa
SHA1 c3fb1cf8612a6d8c7a39fa137577420abccf4d05
SHA256 0c470965e3e7d64eda15a4b48d55b93327fcde5b2bbe1adf09f91d9a383322dd
SHA512 731ea6a593f1fbe3820eebce4f0f82b14be35110b39566421f6f66fd13e0e4c38cb02f7547b79e1abb43b0b947f056756de5e2d9a4d23651526cf720d9f4d347

/data/data/chuangke.chengdun.com/databases/bugly_db_yaq

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/chuangke.chengdun.com/databases/bugly_db_yaq-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/chuangke.chengdun.com/databases/bugly_db_yaq-wal

MD5 470f212fe33b9c976ad761a2a4bb9d65
SHA1 1216a5e9a56324c59af5a5d4e22b365db94ec464
SHA256 c9725d7455cde10f9563719ff8eed1721039507e990da167e54e31208504417d
SHA512 c41182b121587adf61b0e6c84a1150c8ae4c9c8b021080c8cddc71e91ec100b68651ebb3884940f308d13a9b87dab249163edbf007540a8227d1a24cef089717

/data/data/chuangke.chengdun.com/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1