Malware Analysis Report

2024-11-16 10:46

Sample ID 240603-jxvdeahh83
Target 910b9bccc7e8a20e738b8ec139b3bb05_JaffaCakes118
SHA256 a7749ac68f8ef308b5e771ea7c92e6973f9b65f0064d53b1a92a1223ae097000
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

a7749ac68f8ef308b5e771ea7c92e6973f9b65f0064d53b1a92a1223ae097000

Threat Level: Likely malicious

The file 910b9bccc7e8a20e738b8ec139b3bb05_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks if the internet connection is available

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 08:03

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 08:03

Reported

2024-06-03 08:06

Platform

android-x86-arm-20240514-en

Max time kernel

13s

Max time network

141s

Command Line

io.dcloud.H558D8C6D

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

io.dcloud.H558D8C6D

logcat -d -v threadtime

logcat -d -v threadtime

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

/system/bin/sh -c type su

Network

Country Destination Domain Proto
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 rqd.uu.qq.com udp
HK 43.135.106.212:80 rqd.uu.qq.com tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/data/io.dcloud.H558D8C6D/databases/bugly_db_lejiagu-journal

MD5 b557b63b8a657b815623f4de6b63a90a
SHA1 e47e7f40bf1f31c6dbe0421c032c68d9ad45d4c0
SHA256 8e4d8c6983b24f184f5d8ddba2f7191b1eb812bcfa955a40e13e5a2f7a553fe1
SHA512 0771f85f40f02a142c20650b3a5cc311c4da858a9aa9b6c3da22668f2df65a60fe96c544e0df798cbda93a2a2a924afc87568b8cec549d46def3ccddca825743

/data/data/io.dcloud.H558D8C6D/databases/bugly_db_lejiagu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/io.dcloud.H558D8C6D/databases/bugly_db_lejiagu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/io.dcloud.H558D8C6D/databases/bugly_db_lejiagu-wal

MD5 9dd0132f1e410f67933f2bc99f3cbe11
SHA1 73e9e14fbccbff1108e86fd818a0d92fee24c7a5
SHA256 59c6960a0670f22136f9c170101ea3915e98ffc0bcd76b665d0f814449e1a438
SHA512 af5830b3c70fd6b54ff8f59088a5d0136a4d6cdbc4806b02176ee15576c4fa9d7b96debc6a9628aa1ad7e10e3c279721d5fc255e82ebfc2486d2d78d348769d7

/data/data/io.dcloud.H558D8C6D/tx_shell/libshellx-2.2.9.so

MD5 2f07ae9d60043d12d8d8aa341be0db83
SHA1 043752e64c93efcc54fecb88e9aa645412439a10
SHA256 97fb2791646f852719528d30075efe557140c5576a4310ae930ae117f7baad48
SHA512 d91660c2cb082234f4a72e1d99abd005759310301f84b3d4991b1932ee82a9e3503f56653b2b408aaf9d0bae85d2d059b84009dea88a1a72e492cf313c8023b0