Malware Analysis Report

2025-01-06 10:59

Sample ID 240603-fg7f9aca7v
Target 90963938be64d196e5bf9ecdee9981c4_JaffaCakes118
SHA256 24314ec2564ccd52cb3674991e9cc6af51f71047b919c764bfdae199b8d85a68
Tags
discovery evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

24314ec2564ccd52cb3674991e9cc6af51f71047b919c764bfdae199b8d85a68

Threat Level: Shows suspicious behavior

Verdict for 90963938be64d196e5bf9ecdee9981c4_JaffaCakes118: shows suspicious behavior (score 7/10; tags discovery, evasion, persistence).

Malicious Activity Summary

discovery evasion persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:51

Signatures

Requests dangerous framework permissions

Indicator                                  Description
android.permission.SYSTEM_ALERT_WINDOW     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_PHONE_STATE        Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. (listed 3 times)
android.permission.READ_EXTERNAL_STORAGE   Allows an application to read from external storage.
android.permission.WRITE_SETTINGS          Allows an application to read or write the system settings. (listed 3 times)
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location. (listed 2 times)
android.permission.ACCESS_FINE_LOCATION    Allows an app to access precise location.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.CALL_PHONE              Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.CAMERA                  Required to be able to access the camera device.
android.permission.RECORD_AUDIO            Allows an application to record audio.

Process and Target were N/A for every row (static signature, no process context). Rows that the report repeats are collapsed above with their count. Note that SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are not runtime permissions: since Android 6.0 they are granted through a dedicated Settings screen (ACTION_MANAGE_OVERLAY_PERMISSION / ACTION_MANAGE_WRITE_SETTINGS), so the user never sees the ordinary permission dialog for them. The other eight are runtime ("dangerous") permissions that the user must grant individually on Android 6.0 and later; declaring them in the manifest is not the same as holding them.
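The static1 signature above is a manifest check. The following script reproduces it and adds the two things the flat list does not give: the split between runtime and Settings-granted permissions, and the capability pairings (overlay plus phone state, dial plus phone state, camera plus microphone plus location) that make a permission set worth a second look. It is an added example, not part of the sandbox report or its tooling; it reads a decoded AndroidManifest.xml (as produced by apktool), and the manifest embedded here is constructed to carry the same permissions the report lists, with one deliberate duplicate.

```python
"""Permission triage for a decoded AndroidManifest.xml.  Added example; the
manifest below is constructed to match the report's permission list."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions the report flagged and what each grants.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "subscriber/device identifiers, call state",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.CALL_PHONE": "place calls without a confirmation dialog",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}
# "Special" app-op permissions: granted on a Settings screen, never via the runtime dialog.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
    "android.permission.WRITE_SETTINGS": "modify system settings",
}
# Capability bundles worth flagging. The labels are this example's, not the sandbox's.
COMBOS = [
    ({"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
      "android.permission.ACCESS_FINE_LOCATION"}, "audio, video and location capture"),
    ({"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
     "silent dialing with subscriber context"),
    ({"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_PHONE_STATE"},
     "overlay plus phone state (fake-UI / toll-fraud pairing)"),
]

# Constructed manifest: the report's permission set plus two normal ones and a duplicate.
CONSTRUCTED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.zhihuiluolongkehu">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="demo"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """All <uses-permission> / <uses-permission-sdk-23> names in manifest order,
    duplicates kept so the caller can see them."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def triage(manifest_xml):
    """Bucket the declared permissions and evaluate the capability bundles."""
    perms = declared_permissions(manifest_xml)
    have = set(perms)
    return {
        "dangerous": sorted(p for p in have if p in DANGEROUS),
        "special": sorted(p for p in have if p in SPECIAL),
        "normal": sorted(p for p in have if p not in DANGEROUS and p not in SPECIAL),
        "duplicates": sorted(p for p in have if perms.count(p) > 1),
        "combos": [label for needed, label in COMBOS if needed <= have],
    }


if __name__ == "__main__":
    for key, value in triage(CONSTRUCTED_MANIFEST).items():
        print("%-10s %s" % (key, value))
```

Run it against `apktool d sample.apk` output by passing the decoded manifest text to triage(). The duplicate WRITE_SETTINGS in the constructed input mirrors the repeated rows in the report: a manifest can legitimately declare a permission more than once (library manifests merged at build time do this), so duplicates are worth noting but not a finding by themselves.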

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:51

Reported

2024-06-03 04:54

Platform

android-x86-arm-20240514-en

Max time kernel

7s

Max time network

184s

Command Line

com.example.zhihuiluolongkehu

Signatures

Loads dropped Dex/Jar

evasion
Indicator (DEX loaded at runtime; Description, Process and Target were N/A in every row):
/data/data/com.example.zhihuiluolongkehu/.jiagu/classes.dex
/data/data/com.example.zhihuiluolongkehu/.jiagu/classes.dex!classes2.dex
/data/data/com.example.zhihuiluolongkehu/.jiagu/tmp.dex (recorded three times)

The .jiagu directory and the libjiagu.so / libjiagu_64.so libraries listed under Files are the runtime stub of the 360 Jiagu commercial packer. At startup the stub writes the decrypted application DEX (and, for multidex builds, its secondary DEX, which the report writes as classes.dex!classes2.dex) into .jiagu/ and loads it through a class loader; that load is what this signature records. The signature fires for any 360-packed app, legitimate or not, so on its own it establishes that the sample is packed rather than that it is malicious. The classes.dex in .jiagu/ (hashes under Files) is the file to decompile.
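When a packer drops DEX files like the ones above, the first question is whether the dump is a complete, self-consistent DEX or a partially written or in-memory-patched one, because a decompiler will happily misparse the latter. The script below, an added example that is not part of the report or of any packer or sandbox tooling, parses the DEX header_item and runs the checks a good dump passes: magic and version, the header constants, declared file_size against the bytes on disk, the adler32 checksum (over everything after the checksum field) and the SHA-1 signature (over everything after the signature field). build_minimal_dex() constructs a synthetic, class-less DEX purely so the checks can be exercised offline; point the script at a real .jiagu/classes.dex to use it.

```python
"""Integrity checks for a dumped DEX.  Added example, not from the report;
build_minimal_dex() is constructed test input, not a real sample."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70            # fixed size of header_item
ENDIAN_CONSTANT = 0x12345678
KNOWN_VERSIONS = {b"035", b"037", b"038", b"039", b"040"}
CHECKS = ("header_ok", "size_ok", "checksum_ok", "signature_ok")


def parse_dex_header(blob):
    """Parse the header and report which integrity checks pass.  A truncated
    dump fails size, checksum and signature; a dump patched in memory after
    loading typically fails checksum and signature while the size still matches."""
    blob = bytes(blob)
    info = {"ok": False, "actual_size": len(blob)}
    if len(blob) < HEADER_SIZE:
        info["reason"] = "shorter than a DEX header"
        return info
    if blob[:4] != b"dex\n" or blob[7:8] != b"\x00" or blob[4:7] not in KNOWN_VERSIONS:
        info["reason"] = "no DEX magic: %r" % blob[:8]
        return info
    info["version"] = blob[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", blob, 8)        # adler32 of blob[12:]
    signature = blob[12:32]                                 # SHA-1 of blob[32:]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    # Fourteen (size, offset) words from string_ids through data; keep the sizes.
    sizes = struct.unpack_from("<14I", blob, 56)[0::2]
    names = ("string_ids", "type_ids", "proto_ids", "field_ids",
             "method_ids", "class_defs", "data")
    info.update({
        "declared_size": file_size,
        "header_ok": header_size == HEADER_SIZE and endian_tag == ENDIAN_CONSTANT,
        "size_ok": file_size == len(blob),
        "checksum_ok": checksum == (zlib.adler32(blob[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(blob[32:]).digest(),
        "counts": dict(zip(names, sizes)),
    })
    info["ok"] = all(info[c] for c in CHECKS)
    if not info["ok"]:
        info["reason"] = "failed: " + ", ".join(c for c in CHECKS if not info[c])
    return info


def build_minimal_dex(version=b"035", data=b"\x00" * 16):
    """Constructed, class-less DEX with a valid checksum and signature; test
    input only."""
    blob = bytearray(HEADER_SIZE) + bytearray(data)
    blob[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<III", blob, 32, len(blob), HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<III", blob, 44, 0, 0, HEADER_SIZE)   # link_size, link_off, map_off
    # All id tables empty; the data section starts right after the header.
    struct.pack_into("<14I", blob, 56, *([0] * 12), len(data), HEADER_SIZE)
    # Signature first (covers bytes 32..end), then checksum (covers 12..end, incl. signature).
    blob[12:32] = hashlib.sha1(bytes(blob[32:])).digest()
    struct.pack_into("<I", blob, 8, zlib.adler32(bytes(blob[12:])) & 0xFFFFFFFF)
    return bytes(blob)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_dex()
    for key, value in parse_dex_header(blob).items():
        print("%-14s %s" % (key, value))
```

The three tmp.dex loads in the table are the same path; if three distinct files were captured, run the check on each, since a packer may rewrite a temporary DEX between loads. A failing checksum is not itself suspicious (ART does not verify it for already-loaded code), but a dump that fails the size check is incomplete and should be re-acquired.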

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses (Process/Target: N/A)

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (Process/Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver (Process/Target: N/A)

Checks if the internet connection is available

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process/Target: N/A)

These four calls are routine for analytics, push and map SDKs, and fit the Baidu Maps and Umeng traffic seen under Network. getConnectionInfo returns the SSID/BSSID of the current Wi-Fi network, which location SDKs use as a coarse position source; treat it as a location read, not just a connectivity check. A receiver registered at runtime lives only as long as the process that registered it, so unlike a manifest-declared receiver it does not survive a reboot; the persistence tag here is weak evidence.

Processes

com.example.zhihuiluolongkehu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.example.zhihuiluolongkehu/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.example.zhihuiluolongkehu/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

dex2oat is ART's ahead-of-time compiler; the system launches it when an app loads a DEX through a class loader. Here --dex-file points at the dropped .jiagu/tmp.dex and the output goes to .jiagu/oat/x86/tmp.odex, which independently corroborates the "Loads dropped Dex/Jar" signature. The x86 instruction-set flags reflect the android-x86 sandbox image, not the sample.

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      -                                   udp
GB       142.250.200.3:443     -                                   tcp
US       1.1.1.1:53            sapi.map.baidu.com                  udp
HK       103.235.46.245:443    sapi.map.baidu.com                  tcp
US       1.1.1.1:53            plbslog.umeng.com                   udp
CN       36.156.202.75:443     plbslog.umeng.com                   tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
GB       142.250.179.234:443   semanticlocation-pa.googleapis.com  tcp
US       1.1.1.1:53            ulogs.umeng.com                     udp
CN       36.156.202.75:443     plbslog.umeng.com                   tcp
CN       223.109.148.177:443   ulogs.umeng.com                     tcp
GB       142.250.180.14:443    -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.179.238:443   android.apis.google.com             tcp
GB       142.250.187.206:443   -                                   tcp
CN       36.156.202.75:443     plbslog.umeng.com                   tcp
CN       223.109.148.130:443   ulogs.umeng.com                     tcp
US       1.1.1.1:53            plbslog.umeng.com                   udp
CN       223.109.148.178:443   ulogs.umeng.com                     tcp
CN       36.156.202.68:443     plbslog.umeng.com                   tcp
CN       223.109.148.141:443   ulogs.umeng.com                     tcp
CN       223.109.148.179:443   ulogs.umeng.com                     tcp
CN       223.109.148.176:443   ulogs.umeng.com                     tcp

"-" marks a row with no domain in the report. 224.0.0.251:5353 is the mDNS multicast group. The 1.1.1.1:53 rows are lookups sent to the sandbox's resolver, so their country code is the resolver's, not a destination the app chose. The unnamed 142.250.x.x:443 connections are Google address space and, together with the googleapis.com and google.com rows, are the emulator's Play services background traffic. The application's own traffic in this run goes to sapi.map.baidu.com (Baidu Maps SDK) and plbslog/ulogs.umeng.com (Umeng analytics SDK); no other destination appears.
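Reading a table like this by hand means joining each lookup to the connection that followed it and setting aside the emulator's own traffic. The script below does that mechanically: it groups connections by name, lists addresses contacted with no name recorded, separates multicast and resolver rows, and emits (domain, ip) pairs as indicators. It is an added example, not part of the report; the rows are copied from the behavioral1 table above, and the SDK owner labels are this example's own tagging, which the sandbox does not assert.

```python
"""Resolution map and IOC list from a sandbox network table.  Added example;
rows copied from the behavioral1 table, owner labels are analyst assumptions."""
import ipaddress

BEHAVIORAL1_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.3:443 tcp
US 1.1.1.1:53 sapi.map.baidu.com udp
HK 103.235.46.245:443 sapi.map.baidu.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.75:443 plbslog.umeng.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 36.156.202.75:443 plbslog.umeng.com tcp
CN 223.109.148.177:443 ulogs.umeng.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.187.206:443 tcp
CN 36.156.202.75:443 plbslog.umeng.com tcp
CN 223.109.148.130:443 ulogs.umeng.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 223.109.148.178:443 ulogs.umeng.com tcp
CN 36.156.202.68:443 plbslog.umeng.com tcp
CN 223.109.148.141:443 ulogs.umeng.com tcp
CN 223.109.148.179:443 ulogs.umeng.com tcp
CN 223.109.148.176:443 ulogs.umeng.com tcp
"""

RESOLVER = ("1.1.1.1", 53)   # the sandbox's DNS server, as seen in the table

# Domain suffix -> owner.  Analyst assumption, used only to separate SDK and
# platform telemetry from anything that deserves a closer look.
SDK_SUFFIXES = {
    ".umeng.com": "Umeng analytics SDK",
    ".map.baidu.com": "Baidu Maps SDK",
    ".googleapis.com": "Google Play services",
    ".google.com": "Google Play services",
}
PLATFORM_NOISE = {"Google Play services"}   # emulator background traffic, not the app's


def parse_rows(text):
    """Each row is 'country ip:port [domain] proto'; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def owner_of(domain):
    for suffix, owner in SDK_SUFFIXES.items():
        if domain.endswith(suffix):
            return owner
    return "unknown"


def summarize_network(text):
    dns_queries, connections, unresolved, multicast = set(), {}, set(), set()
    for r in parse_rows(text):
        if (r["ip"], r["port"]) == RESOLVER and r["proto"] == "udp":
            if r["domain"]:
                dns_queries.add(r["domain"])        # a lookup, not a chosen destination
            continue
        if ipaddress.ip_address(r["ip"]).is_multicast:
            multicast.add(r["ip"])                   # e.g. 224.0.0.251 mDNS
            continue
        if r["domain"]:
            connections.setdefault(r["domain"], set()).add(r["ip"])
        else:
            unresolved.add(r["ip"])                  # contacted with no name recorded
    owners = {d: owner_of(d) for d in connections}
    iocs = sorted((d, ip) for d, ips in connections.items()
                  if owners[d] not in PLATFORM_NOISE for ip in ips)
    return {
        "dns_queries": dns_queries,
        "connections": connections,
        "unresolved": unresolved,
        "multicast": multicast,
        "queried_but_not_contacted": dns_queries - set(connections),
        "owners": owners,
        "iocs": iocs,                                # (domain, ip) pairs worth keeping
    }


if __name__ == "__main__":
    s = summarize_network(BEHAVIORAL1_ROWS)
    for domain, ips in sorted(s["connections"].items()):
        print("%-36s %-22s %s" % (domain, s["owners"][domain], ", ".join(sorted(ips))))
    print("unresolved:", sorted(s["unresolved"]), "multicast:", sorted(s["multicast"]))
```

The "unresolved" bucket is the one to inspect on an unfamiliar sample: an address contacted with no lookup in the capture was either cached, resolved outside the captured resolver, or hard-coded. Here all three are in Google's 142.250.0.0/15 range and match the platform traffic, so they fall out as noise; anything else there would be the first candidate for a C2.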

Files

/data/data/com.example.zhihuiluolongkehu/.jiagu/libjiagu.so

MD5 f07656a2f51ecb23edc102003c32b764
SHA1 3ef18f74b609313887b9e825c56a54b5a9eef20e
SHA256 f6847402ab69102f8495aac58b9beddde9a71dc52470c5de17e382eec2a6b913
SHA512 34b337d2cf98ec3009f80ff299e43984a1c911e5f9eb5942a915915cb7b5b591ffc9f1b79a7989534c2583a703a3f0857e74be68cdd71388f68d5bef354f7238

/data/data/com.example.zhihuiluolongkehu/.jiagu/classes.dex

MD5 ea236e207d2df52602b7a1209b129992
SHA1 3bbbb9a1f0215720923f80d8441e65f12dc1982e
SHA256 7549a4f253906bd1bd9ed12601bfb94269fdf54cdaf510dfd8df806ef7f83243
SHA512 ff3e54823a2555b1be1526b95a701985467a4872dafc71f29fcc73d341586047987d819d441867dcd92de8c0deb74d69859af856d6367de9a49564c3c07dbac5

/data/data/com.example.zhihuiluolongkehu/.jiagu/classes.dex!classes2.dex

MD5 4e57c951cb8af6a5a942aa52646443ba
SHA1 45ab4dd76410e92ea2296054018a0e3c5bc3dabe
SHA256 6276e7226d35e9eacd1f55c6a10fc328390b3ddb50a493494029c235b5165a8d
SHA512 af27e4bd2b0085912af659be41728cb7686b0b01af07a7136403dc274f5223bdc19670496cf7ad97f737dd9e5c71469e46d5abfe608df53ae7625b231f08caef

/data/data/com.example.zhihuiluolongkehu/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.ri

MD5 105af0955a825c143d082adc3e10033d
SHA1 54241a2edd22fa9df624b44f5848fa84fccba264
SHA256 605d432fd9a53b587fa678947eb991e435799ea1e2e2bbf025b337a1d397cbb8
SHA512 5a59f2a84d1e1a1b9e55f0897f7f1dc1dcc69dd49ca1d36cd70cbdf0c041cd7af29ff251ff3180b675f586f742df57e3868bf4032903c2756be95d38d9cf6d78

/data/data/com.example.zhihuiluolongkehu/files/.jiagu.lock

MD5 6a2ae91618e7173a886025705eca1f62
SHA1 cae91fd8dc41d8200af72a4993b3d94de881edb4
SHA256 430af3ae6a6acd8375118dced90c7bc9258e24bf63ed47b30450d2e1b3368f0d
SHA512 89d55447690a49543c9d1308a45492e720eab65448bff9aa3933731b7d8c6d0fe7c8d78c29841a5951b53023d2994dc77194fd072bf74f1173af58812f65a68d

/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.rd

MD5 cda2c5db4cd44ecad03b705d148786a1
SHA1 42da873edaadff5dae43348dbf99388fba8156a9
SHA256 0fc7ff44584a6aa93dd86622c6b539f7b19166f1fc9a2a37a94b755484490ac4
SHA512 08c81b7fb683eafda5aef90f27622019c07a3fe837fa4e6cc5aaf0d730d1e7ca2e656258ffd91851a781a376079c7821431425a152dd00b3f44df0831afc30dd

/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.ac

MD5 9d3f11136b1b6bfdedd8290c351581a6
SHA1 4067242101387ba17952e29778c2eaabc2f2ab87
SHA256 e255e6c475bee48ea1197d66a1f8cf2a245fdb4cef3399dd3bb8362da06c66b4
SHA512 24e2346592ef1b7fedde7cac81e3e445eb74f671e87be5f0bd920ecb520477a39f12288e8af5d1aa6c277f89e8e4ccf646ff056a856e9a0cfa5ae6fcca5a748b

/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.ic

MD5 c2ac70e6da044f2af1c56c13aceb6316
SHA1 cd7d537860686c548de4cc22b2eb4cb2c9b590e2
SHA256 8d396d7f774c2129ef2e9e47bfc96b3d2ad74fefd931f77975bceb178d8d6c32
SHA512 4ec1fd8c718702fc4aa3a667b794246ecc27f945b4cc6267fee1f9691dafae095b3695a3bdfd868ad7903d770a84b4d4c15bc9b397a4fa66d460d8bab143ad54

/data/data/com.example.zhihuiluolongkehu/files/.jglogs/.jg.di

MD5 679203335b6793b722e828cdc6fec044
SHA1 8af1b293be9fc9009411aeb64ca5994adc483df3
SHA256 2bdce483c9a0ecddc9564f2432ed85bd7a6d6c7b00917d8bf8fa97e2fbbb5aea
SHA512 914e4ee6a3cf3fcb912ba65d1d4840b9ea5de45429e8a2b3b6d9212d44c715ab5527569996f0bed15ff359d8e6c5a80ac2d3e9a0cedfa1408d511e2da04b5d61

/storage/emulated/0/360/.iddata

This file and .deviceId below are written to shared external storage, in a 360/ directory outside the app's private data directory. That is what the WRITE_EXTERNAL_STORAGE permission is being used for here; files in that location are readable by any other app holding storage permission and are not removed when the app is uninstalled, so a device identifier kept there can be used to re-identify the device across reinstalls.

MD5 69890531a2827cda7d170e40d2772e21
SHA1 b87a8fba777aaa144f8947817ea432ce4ff4d856
SHA256 b93fa1f1d6ece71289e5d74a128499d123ee7a751aa9fca014165a9f1840ce4d
SHA512 8df565314b863dca6fe69c8929666ecdc7661c2f4d53d436b1691415e64790006565ad7bc8bdcc44fae3406678669ca764e51ccbc82cc9453f6796091c0e1c34

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:51

Reported

2024-06-03 04:55

Platform

android-x64-arm64-20240514-en

Max time kernel

2s

Max time network

131s

Command Line

com.example.zhihuiluolongkehu

Signatures

N/A (no signatures fired in this run: the only files written were the packer stubs libjiagu.so and libjiagu_64.so, no DEX was dropped and no dex2oat process appears, so the unpacked application code did not execute on this arm64 image; behavioral1 is the representative run)

Processes

com.example.zhihuiluolongkehu

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353      -                           udp
GB       142.250.178.14:443    -                           tcp
GB       142.250.178.14:443    -                           tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       172.217.16.238:443    android.apis.google.com     tcp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       142.250.187.232:443   ssl.google-analytics.com    tcp
GB       142.250.187.196:443   -                           tcp
GB       142.250.187.196:443   -                           tcp

"-" marks a row with no domain in the report. Only Google platform traffic appears in this run; none of the Baidu or Umeng endpoints from behavioral1 were contacted, consistent with the packed application code never having been unpacked here.

Files

/data/user/0/com.example.zhihuiluolongkehu/.jiagu/libjiagu.so

MD5 f07656a2f51ecb23edc102003c32b764
SHA1 3ef18f74b609313887b9e825c56a54b5a9eef20e
SHA256 f6847402ab69102f8495aac58b9beddde9a71dc52470c5de17e382eec2a6b913
SHA512 34b337d2cf98ec3009f80ff299e43984a1c911e5f9eb5942a915915cb7b5b591ffc9f1b79a7989534c2583a703a3f0857e74be68cdd71388f68d5bef354f7238

/data/user/0/com.example.zhihuiluolongkehu/.jiagu/libjiagu_64.so

MD5 a60889ae7555618eab77220d0f2a3381
SHA1 c77d8204296cf62a0b486dec7b868d650f0afd8f
SHA256 9bed1e50588cff42f243aeb53e7e302ff1d2dafcad19904a45ba2b659b3684f9
SHA512 8162510299c93e1a271d3287007d91ee3974d6490b225ce292b92f8d9f92fb1bff61290e5d1b1a531beb6b2776d20941fca23563835fe423c65cce581dce9b53