Malware Analysis Report

2024-11-16 10:46

Sample ID 240603-jd12vagb6v
Target 90f7bcb9dbb4324969ce6aed7b15443c_JaffaCakes118
SHA256 c0a9fe014272751f43fc7a534e659416c8ad8b4fa1d5b44d13affe78373c1966
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c0a9fe014272751f43fc7a534e659416c8ad8b4fa1d5b44d13affe78373c1966

Threat Level: Likely malicious

The file 90f7bcb9dbb4324969ce6aed7b15443c_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks memory information

Queries information about running processes on the device

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:33

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:33

Reported

2024-06-03 07:37

Platform

android-x86-arm-20240514-en

Max time kernel

153s

Max time network

177s

Command Line

com.huanleduo.sycqzzb.qimiao

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.huanleduo.sycqzzb.qimiao

/system/bin/sh -c getprop

getprop

/system/bin/sh -c type su

Network

Country Destination Domain Proto
GB 142.250.200.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 configcdn.quickapi.net udp
US 1.1.1.1:53 sdkreport.quickapi.net udp
US 1.1.1.1:53 serverip.sdk.quicksdk.net udp
US 1.1.1.1:53 btgameweb.049u.com udp
GB 216.58.204.67:443 tcp
CN 121.199.69.72:80 btgameweb.049u.com tcp
CN 121.199.69.72:80 btgameweb.049u.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 180.150.191.127:80 serverip.sdk.quicksdk.net tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 sdkapi00.sdk.quicksdk.net udp
CN 106.75.35.13:80 sdkapi00.sdk.quicksdk.net tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
CN 180.150.191.127:80 serverip.sdk.quicksdk.net tcp
GB 142.250.200.46:443 android.apis.google.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp

Files

/data/data/com.huanleduo.sycqzzb.qimiao/app_crashrecord/1004

MD5 ef4c6b962b0b9cb20db347970031291d
SHA1 694943074bed808e99172dc09dfb2545d7fb0b86
SHA256 661eed6517a996914fe61b5ed260c47a258cb54d16a48414f3004ac8daaef4bb
SHA512 7aef324fda352ed811ac867b446a96b848830164ae548168776282402709370c0a3325b5f69a181da03f48b83779800daefdcb6069c5a9feb2bb6811b682a051

/data/data/com.huanleduo.sycqzzb.qimiao/databases/bugly_db_-journal

MD5 5d3b708652fab52d7c2baf9d061fcf4c
SHA1 b037291a96c8b3b899a2f8cb5feca85176839f7f
SHA256 c06496890c0c18a069b76e50d94e4545cf59b72b063fdb08a78ff7149b9198b7
SHA512 8a9496e51d005d77bde9ccf7b0b36dcccef3d2d276a2e36f75bacc1e55c00294dfe9c4a7857a2b6abc85be137e111797c7e7de19346763d71d19f7d4ae4e76e5

/data/data/com.huanleduo.sycqzzb.qimiao/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.huanleduo.sycqzzb.qimiao/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.huanleduo.sycqzzb.qimiao/databases/bugly_db_-wal

MD5 f674b38822efaf0038815912961355e3
SHA1 69711849547728ce7483e7149b1ed2b34df9ca59
SHA256 bd2f1e004455e66fd9bc20fceb10bddf663a789eeec4f6fa21237f80f7572db6
SHA512 09faef8e9526f5efb94230cff7020f8025a11f055ecb075e44a7fa3b2ffe42c70db050e9355ce430a67bc04b47a9854e256389e0d47e53f062c98b6261ac34af

/data/data/com.huanleduo.sycqzzb.qimiao/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/storage/emulated/0/UcQkDir/qk.dvid.txt

MD5 291b91e0287266f6bf4a80a0a9733d87
SHA1 257afce7d318bca8741ce86f6a675e8136945088
SHA256 30920634758d562e8a379a5d63be3376338a80ca9c1616997085d357dcc0a966
SHA512 4f852cd50271a0025424afaabc889fab4d789f37824a6fbaa74bfbb93e7271f30ac5bbaba033a7b76b00d62f06e5c05d3980421a07a8f8514341178a79b8b6a7