Analysis Overview
SHA256
24314ec2564ccd52cb3674991e9cc6af51f71047b919c764bfdae199b8d85a68
Threat Level: Shows suspicious behavior
The file 90963938be64d196e5bf9ecdee9981c4_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Queries information about running processes on the device
Queries information about the current Wi-Fi connection
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks if the internet connection is available
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 04:51
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 04:51
Reported
2024-06-03 04:54
Platform
android-x86-arm-20240514-en
Max time kernel
7s
Max time network
184s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.example.zhihuiluolongkehu/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.example.zhihuiluolongkehu/.jiagu/classes.dex!classes2.dex | N/A | N/A |
| N/A | /data/data/com.example.zhihuiluolongkehu/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.example.zhihuiluolongkehu/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.example.zhihuiluolongkehu/.jiagu/tmp.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.example.zhihuiluolongkehu
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.example.zhihuiluolongkehu/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.example.zhihuiluolongkehu/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.3:443 | | tcp |
| US | 1.1.1.1:53 | sapi.map.baidu.com | udp |
| HK | 103.235.46.245:443 | sapi.map.baidu.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.75:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 36.156.202.75:443 | plbslog.umeng.com | tcp |
| CN | 223.109.148.177:443 | ulogs.umeng.com | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| CN | 36.156.202.75:443 | plbslog.umeng.com | tcp |
| CN | 223.109.148.130:443 | ulogs.umeng.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 223.109.148.178:443 | ulogs.umeng.com | tcp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| CN | 223.109.148.141:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.179:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.176:443 | ulogs.umeng.com | tcp |
Files
/data/data/com.example.zhihuiluolongkehu/.jiagu/libjiagu.so
| MD5 | f07656a2f51ecb23edc102003c32b764 |
| SHA1 | 3ef18f74b609313887b9e825c56a54b5a9eef20e |
| SHA256 | f6847402ab69102f8495aac58b9beddde9a71dc52470c5de17e382eec2a6b913 |
| SHA512 | 34b337d2cf98ec3009f80ff299e43984a1c911e5f9eb5942a915915cb7b5b591ffc9f1b79a7989534c2583a703a3f0857e74be68cdd71388f68d5bef354f7238 |
/data/data/com.example.zhihuiluolongkehu/.jiagu/classes.dex
| MD5 | ea236e207d2df52602b7a1209b129992 |
| SHA1 | 3bbbb9a1f0215720923f80d8441e65f12dc1982e |
| SHA256 | 7549a4f253906bd1bd9ed12601bfb94269fdf54cdaf510dfd8df806ef7f83243 |
| SHA512 | ff3e54823a2555b1be1526b95a701985467a4872dafc71f29fcc73d341586047987d819d441867dcd92de8c0deb74d69859af856d6367de9a49564c3c07dbac5 |
/data/data/com.example.zhihuiluolongkehu/.jiagu/classes.dex!classes2.dex
| MD5 | 4e57c951cb8af6a5a942aa52646443ba |
| SHA1 | 45ab4dd76410e92ea2296054018a0e3c5bc3dabe |
| SHA256 | 6276e7226d35e9eacd1f55c6a10fc328390b3ddb50a493494029c235b5165a8d |
| SHA512 | af27e4bd2b0085912af659be41728cb7686b0b01af07a7136403dc274f5223bdc19670496cf7ad97f737dd9e5c71469e46d5abfe608df53ae7625b231f08caef |
/data/data/com.example.zhihuiluolongkehu/.jiagu/tmp.dex
| MD5 | f1771b68f5f9b168b79ff59ae2daabe4 |
| SHA1 | 0df6a835559f5c99670214a12700e7d8c28e5a42 |
| SHA256 | 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939 |
| SHA512 | dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d |
/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.ri
| MD5 | 105af0955a825c143d082adc3e10033d |
| SHA1 | 54241a2edd22fa9df624b44f5848fa84fccba264 |
| SHA256 | 605d432fd9a53b587fa678947eb991e435799ea1e2e2bbf025b337a1d397cbb8 |
| SHA512 | 5a59f2a84d1e1a1b9e55f0897f7f1dc1dcc69dd49ca1d36cd70cbdf0c041cd7af29ff251ff3180b675f586f742df57e3868bf4032903c2756be95d38d9cf6d78 |
/data/data/com.example.zhihuiluolongkehu/files/.jiagu.lock
| MD5 | 6a2ae91618e7173a886025705eca1f62 |
| SHA1 | cae91fd8dc41d8200af72a4993b3d94de881edb4 |
| SHA256 | 430af3ae6a6acd8375118dced90c7bc9258e24bf63ed47b30450d2e1b3368f0d |
| SHA512 | 89d55447690a49543c9d1308a45492e720eab65448bff9aa3933731b7d8c6d0fe7c8d78c29841a5951b53023d2994dc77194fd072bf74f1173af58812f65a68d |
/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.rd
| MD5 | cda2c5db4cd44ecad03b705d148786a1 |
| SHA1 | 42da873edaadff5dae43348dbf99388fba8156a9 |
| SHA256 | 0fc7ff44584a6aa93dd86622c6b539f7b19166f1fc9a2a37a94b755484490ac4 |
| SHA512 | 08c81b7fb683eafda5aef90f27622019c07a3fe837fa4e6cc5aaf0d730d1e7ca2e656258ffd91851a781a376079c7821431425a152dd00b3f44df0831afc30dd |
/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.ac
| MD5 | 9d3f11136b1b6bfdedd8290c351581a6 |
| SHA1 | 4067242101387ba17952e29778c2eaabc2f2ab87 |
| SHA256 | e255e6c475bee48ea1197d66a1f8cf2a245fdb4cef3399dd3bb8362da06c66b4 |
| SHA512 | 24e2346592ef1b7fedde7cac81e3e445eb74f671e87be5f0bd920ecb520477a39f12288e8af5d1aa6c277f89e8e4ccf646ff056a856e9a0cfa5ae6fcca5a748b |
/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.ic
| MD5 | c2ac70e6da044f2af1c56c13aceb6316 |
| SHA1 | cd7d537860686c548de4cc22b2eb4cb2c9b590e2 |
| SHA256 | 8d396d7f774c2129ef2e9e47bfc96b3d2ad74fefd931f77975bceb178d8d6c32 |
| SHA512 | 4ec1fd8c718702fc4aa3a667b794246ecc27f945b4cc6267fee1f9691dafae095b3695a3bdfd868ad7903d770a84b4d4c15bc9b397a4fa66d460d8bab143ad54 |
/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.di
| MD5 | 679203335b6793b722e828cdc6fec044 |
| SHA1 | 8af1b293be9fc9009411aeb64ca5994adc483df3 |
| SHA256 | 2bdce483c9a0ecddc9564f2432ed85bd7a6d6c7b00917d8bf8fa97e2fbbb5aea |
| SHA512 | 914e4ee6a3cf3fcb912ba65d1d4840b9ea5de45429e8a2b3b6d9212d44c715ab5527569996f0bed15ff359d8e6c5a80ac2d3e9a0cedfa1408d511e2da04b5d61 |
/storage/emulated/0/360/.iddata
| MD5 | 69890531a2827cda7d170e40d2772e21 |
| SHA1 | b87a8fba777aaa144f8947817ea432ce4ff4d856 |
| SHA256 | b93fa1f1d6ece71289e5d74a128499d123ee7a751aa9fca014165a9f1840ce4d |
| SHA512 | 8df565314b863dca6fe69c8929666ecdc7661c2f4d53d436b1691415e64790006565ad7bc8bdcc44fae3406678669ca764e51ccbc82cc9453f6796091c0e1c34 |
/storage/emulated/0/360/.deviceId
| MD5 | 1d8d16c4e3b19ebf18988530d9b9a757 |
| SHA1 | bc94c1cce05cd848a53271ecb9c5311e27ffebf5 |
| SHA256 | abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7 |
| SHA512 | 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 04:51
Reported
2024-06-03 04:55
Platform
android-x64-arm64-20240514-en
Max time kernel
2s
Max time network
131s
Command Line
Signatures
Processes
com.example.zhihuiluolongkehu
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 142.250.187.196:443 | | tcp |
Files
/data/user/0/com.example.zhihuiluolongkehu/.jiagu/libjiagu.so
| MD5 | f07656a2f51ecb23edc102003c32b764 |
| SHA1 | 3ef18f74b609313887b9e825c56a54b5a9eef20e |
| SHA256 | f6847402ab69102f8495aac58b9beddde9a71dc52470c5de17e382eec2a6b913 |
| SHA512 | 34b337d2cf98ec3009f80ff299e43984a1c911e5f9eb5942a915915cb7b5b591ffc9f1b79a7989534c2583a703a3f0857e74be68cdd71388f68d5bef354f7238 |
/data/user/0/com.example.zhihuiluolongkehu/.jiagu/libjiagu_64.so
| MD5 | a60889ae7555618eab77220d0f2a3381 |
| SHA1 | c77d8204296cf62a0b486dec7b868d650f0afd8f |
| SHA256 | 9bed1e50588cff42f243aeb53e7e302ff1d2dafcad19904a45ba2b659b3684f9 |
| SHA512 | 8162510299c93e1a271d3287007d91ee3974d6490b225ce292b92f8d9f92fb1bff61290e5d1b1a531beb6b2776d20941fca23563835fe423c65cce581dce9b53 |