Malware Analysis Report

2025-01-06 10:59

Sample ID: 240603-fn1maade95
Target: 909c434017ed87a744322fe8a1d25862_JaffaCakes118
SHA256: 47b2b48e1543cbd4d614a02104145e81b78f5451c1ec4b2191b5ba4bb11dee5c
Tags: discovery, evasion, impact, persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 47b2b48e1543cbd4d614a02104145e81b78f5451c1ec4b2191b5ba4bb11dee5c

Threat Level: Likely malicious

The file 909c434017ed87a744322fe8a1d25862_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, impact, persistence

Checks if the Android device is rooted.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported: 2024-06-03 05:01

Signatures

Requests dangerous framework permissions

Permission and description (Process and Target columns are N/A for every row):

android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 05:01
Reported: 2024-06-03 05:05
Platform: android-x86-arm-20240514-en
Max time kernel: 6s
Max time network: 131s

Command Line

com.sdjr.sumiaobei

Signatures

Checks if the Android device is rooted.

Tactic: evasion
Indicator: /system/app/Superuser.apk
Indicator: /sbin/su

Checks memory information

Tactics: evasion, discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar

Tactic: evasion
Indicator: /data/data/com.sdjr.sumiaobei/mix.dex (three load events recorded)

Queries information about running processes on the device

Tactic: discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

Tactic: discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks if the internet connection is available

Tactic: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Uses Crypto APIs (Might try to encrypt user data)

Tactic: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.sdjr.sumiaobei

sh -c getprop ro.yunos.version

/system/bin/sh -c getprop ro.board.platform

getprop ro.yunos.version

getprop ro.board.platform

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.sdjr.sumiaobei/mix.dex --output-vdex-fd=49 --oat-fd=51 --oat-location=/data/data/com.sdjr.sumiaobei/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/sh -c type su

Network

Country  Destination          Domain                              Proto
GB       142.250.200.14:443                                       tcp
GB       142.250.180.10:443                                       tcp
N/A      224.0.0.251:5353                                         udp
GB       142.250.180.10:443                                       tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       216.58.204.67:443                                        tcp
US       1.1.1.1:53           android.bugly.qq.com                udp
CN       14.22.7.199:80       android.bugly.qq.com                tcp
GB       142.250.180.14:443                                       tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       216.58.212.238:443   android.apis.google.com             tcp
GB       142.250.180.10:443   semanticlocation-pa.googleapis.com  tcp

Files

/data/data/com.sdjr.sumiaobei/databases/bugly_db_legu-journal


/data/data/com.sdjr.sumiaobei/databases/bugly_db_legu


/data/data/com.sdjr.sumiaobei/databases/bugly_db_legu-shm


/data/data/com.sdjr.sumiaobei/databases/bugly_db_legu-wal


/data/data/com.sdjr.sumiaobei/mix.dex


/data/data/com.sdjr.sumiaobei/lib-main/dso_state


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 05:01
Reported: 2024-06-03 05:05
Platform: android-x64-20240514-en
Max time kernel: 4s
Max time network: 164s

Command Line

com.sdjr.sumiaobei

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Queries the unique device ID (IMEI, MEID, IMSI)

Tactic: discovery

Processes

com.sdjr.sumiaobei

Network

Country  Destination          Domain                      Proto
N/A      224.0.0.251:5353                                 udp
US       1.1.1.1:53           ssl.google-analytics.com    udp
GB       216.58.201.104:443   ssl.google-analytics.com    tcp
US       1.1.1.1:53           android.apis.google.com     udp
GB       142.250.187.238:443  android.apis.google.com     tcp
GB       216.58.212.226:443                               tcp
GB       172.217.16.238:443                               tcp
GB       142.250.200.36:443                               tcp
GB       142.250.200.36:443                               tcp
GB       172.217.16.238:443                               tcp
GB       172.217.16.238:443                               tcp

Files

/data/data/com.sdjr.sumiaobei/databases/bugly_db_legu-journal


/data/data/com.sdjr.sumiaobei/databases/bugly_db_legu

