Malware Analysis Report

2024-11-16 10:44

Sample ID 240603-l462wscb26
Target 916242ceafa5e9d40b274822f190b5ae_JaffaCakes118
SHA256 4c5301c370de49e7334611ce9901a18cbe086915d9f47190973dbf2649b815ae
Tags: discovery, evasion, persistence

Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 4c5301c370de49e7334611ce9901a18cbe086915d9f47190973dbf2649b815ae

Threat Level: Shows suspicious behavior

The file 916242ceafa5e9d40b274822f190b5ae_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, evasion, persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:06

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:06

Reported

2024-06-03 10:09

Platform

android-x86-arm-20240514-en

Max time kernel

7s

Max time network

155s

Command Line

com.crude.king

Signatures

Loads dropped Dex/Jar

Tag: evasion

Description | Indicator | Process | Target
N/A | /data/data/com.crude.king/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.crude.king/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.crude.king/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.crude.king/.jiagu/tmp.dex | N/A | N/A

Queries information about running processes on the device

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.crude.king

chmod 755 /data/data/com.crude.king/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.crude.king/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.crude.king/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.3:443 | | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.201.98:443 | | tcp

Files

/data/data/com.crude.king/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.crude.king/.jiagu/classes.dex

MD5 025ae4ea0a0a76409d1db1ac0aa3425f
SHA1 d29072ff15c0ff7e62b5c4352945ab3b87ef21e0
SHA256 385b42626dbdabcfe7b925a4d6360da72404db350e20f6abbe44166f59931a25
SHA512 c1f035b1f7f24e7d459869c9ad512489bae65a48a1963be45cbbf9a3c234adcb023ac97cc282bba3546c2b71e300172d1e914e56a7955da94c727f01d766aa25

/data/data/com.crude.king/.jiagu/classes.dex

MD5 2ed15c78c65efd7c6e7f97fee71098bc
SHA1 914e4a2e593fb9ea911595c43dcd685a38cb3206
SHA256 6d843eca0049af2a6ed1d342feefcc7a229b48d6fead4e20794f86c049b91814
SHA512 d7cde931dd0b7abc44628fd6d2f9252dbc364540885a9d01c7b52587ef58df3cd75c146c8e70b522ae20d6d3bef0136c2b7339d01d5d489899b8d42f8ff32d9c

/data/data/com.crude.king/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.crude.king/files/.jglogs/.jg.ri

MD5 a6c67a246378ef11dbf928ed9f2f73e1
SHA1 8f952f35793daee3ef85522619a4cb339efb1c73
SHA256 2e86ab74606528685086495e1900dcf0f0861b56678798b29a9075c9479bb189
SHA512 e3fb8dc8396ac3e207d4d3b9b5d38f8a8a9ff9fa60b3741b504f1ce284d3f88d4806f5fd6a959f21d74aaf62d24aff7cfc20240eef0eb530283b59490a8626ce

/data/data/com.crude.king/files/.jiagu.lock

MD5 b20fc2fe3681172fb7070afb945c2d13
SHA1 33eb05faba0736057fb84d7cf023e28ae0bb5722
SHA256 9a91a39f2dbc85f994ed1f9efc16b12b84aa2542d075774aa57f24b2f84af504
SHA512 745150c0a0f81b4d4efc3791ecc37f09ea08c258f6131acd0fc7056fdc2e8c5daa70e9ca4037e600176fbeb4540a0f3445b1f671b5545ed11aa31b671bdd0646

/data/data/com.crude.king/files/.jglogs/.jg.di

MD5 58b9a89fbc94f24a7342d8e1605fa16a
SHA1 47d82a784929d7e1ffc31681cbade25071fdc794
SHA256 97fc0c6da3229811a758084d4c2f9b20008e4309d90633af7929ca5606e97111
SHA512 8b6d0f2109cda0d42b00f1fdad57b6a521ddf6e590819bf8bd14730747bd79a0308e80c95e648db4e19292b4fad36c19af27dc22fd3bbcd9336d8f45a5a36d4d

/storage/emulated/0/360/.iddata

MD5 9e0280d942151a97d92452cc3424a15c
SHA1 d1e9ad8ec9061fda94a7ad8b744a14fb744e5768
SHA256 8993b44bd97caa982fbf8c40f4f44661414f8de49b07c5675ffeb8b24b5a09a0
SHA512 3c7fd5a94961229bab5e651435d23fb2536d98b3a0032b82c4dcca337566f6c542b02ddf74bc61b66ddceec69915fa901c99d4601a2c2a524d2bf9fc0b1f3548

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.crude.king/lib-main/dso_state

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

/data/data/com.crude.king/lib-main/dso_deps

MD5 79e7a0d6a07b716af8305b7c9e6c3da0
SHA1 7dc754dd5f9f290bbfc56893280f955b043597f9
SHA256 7e3cef970bb9d6c7c517a889a8e39558b61bc9797c1f8daabdecfeeb05d5ac38
SHA512 6b9bd9d64765758b237c56ce4b767e47d65813a75c5348054c93c564a16e2919f4033035b2254cbd52422d3acaa0ec86baf797c2a8261de460b3506caa5198a7

/data/data/com.crude.king/lib-main/dso_manifest

MD5 c06857e9ea338f3f3a24bb78f8fbdf6f
SHA1 c5a0a2529d2deb60fec041b4fbd722a2ebe31702
SHA256 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027
SHA512 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

/data/data/com.crude.king/lib-main/dso_state

MD5 55a54008ad1ba589aa210d2629c1df41
SHA1 bf8b4530d8d246dd74ac53a13471bba17941dff7
SHA256 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
SHA512 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:06

Reported

2024-06-03 10:09

Platform

android-x64-20240514-en

Max time kernel

7s

Max time network

131s

Command Line

com.crude.king

Signatures

Loads dropped Dex/Jar

Tag: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.crude.king/[email protected] | N/A | N/A

Queries information about the current Wi-Fi connection

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tag: discovery

Processes

com.crude.king

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 172.217.16.226:443 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.204.68:443 | | tcp

Files

/data/data/com.crude.king/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.crude.king/.jiagu/classes.dex

MD5 025ae4ea0a0a76409d1db1ac0aa3425f
SHA1 d29072ff15c0ff7e62b5c4352945ab3b87ef21e0
SHA256 385b42626dbdabcfe7b925a4d6360da72404db350e20f6abbe44166f59931a25
SHA512 c1f035b1f7f24e7d459869c9ad512489bae65a48a1963be45cbbf9a3c234adcb023ac97cc282bba3546c2b71e300172d1e914e56a7955da94c727f01d766aa25

/data/user/0/com.crude.king/[email protected]

MD5 2ed15c78c65efd7c6e7f97fee71098bc
SHA1 914e4a2e593fb9ea911595c43dcd685a38cb3206
SHA256 6d843eca0049af2a6ed1d342feefcc7a229b48d6fead4e20794f86c049b91814
SHA512 d7cde931dd0b7abc44628fd6d2f9252dbc364540885a9d01c7b52587ef58df3cd75c146c8e70b522ae20d6d3bef0136c2b7339d01d5d489899b8d42f8ff32d9c

/data/data/com.crude.king/files/.jglogs/.jg.ri

MD5 b96424e3451789d57fbe0ecd81388e0d
SHA1 bc2feb8127aca84a73553a29a2742544808b2822
SHA256 9da8c44a247d32e7c048e902f39e872b146ed66fad07404f5d3d167759f5f11b
SHA512 e2447a9636c9bd58efca6c23a345729e6ca5fc4021d6815a6abb8fca7cee4b7e5a9289953efe669b4b391c305dd9ceb11dfe3bfafa22090227537e9b52a0c819

/data/data/com.crude.king/files/.jiagu.lock

MD5 6dbdcb5eb81860917f81e286afbcd9bb
SHA1 f231461f1bac945149e215aaf5f94a742c7dbef6
SHA256 b0ee524105a8836df06d9e9760570a1deb3a073cf683131898eb95d760d20af6
SHA512 f8fc432dc06ca4fa45f77ac8f72befb6d05619fc753405cc77218c608c063131c8fe95e42143bfd88c0bb3c3186aa17030051f73a89243266bd9d4da377e30bb

/data/data/com.crude.king/files/.jglogs/.jg.ac

MD5 f0c3de69fb03d5d137f42b30aec31cb5
SHA1 799dee2f85183875e0df9a7dfe98c091f8f7e26b
SHA256 8645f60708b0fab9b7cfb76f64de3584eef7beddd76c2bc2396dca535a05e93f
SHA512 81b1538bcac2d3af77dd0c0625c14e8000faf20704a058f9f31a7af1af1ba76f55ca05fc11138ffa30dc211f3288f6aa521481d89fb029648d49d81b05d940cc

/data/data/com.crude.king/files/.jglogs/.jg.ic

MD5 46410de54e33a3f78842f5b528cb6354
SHA1 54e9c1cfc272742ac8fb1418c2751eb0ec151153
SHA256 48dbbfa12801ce7f817afb13605644806fed3b241277d62bd7eb4521827bff9f
SHA512 b62f31498c1ccffa8cf39a3c0086bbbfa184ddb732e3ea0d1bdb3c5e26e9259651f23832f5bcfa34771082bbc9b578c3d87a0f461c4ccb3ebc0575101730e5b9

/data/data/com.crude.king/files/.jglogs/.jg.di

MD5 aabc65772e0f2aa3e883dfc91160cbaa
SHA1 4e7f800041ac02c35c52598a4ffc2237881269c5
SHA256 a64a1829367ba45f859b64c68fba93830ceb0b4fcd5d515a7312d33d1240d309
SHA512 5c7151fb8370fe85580b56a592386d321697475c6794b9eefdc1adbefc993e97075eacc1eeabd09c3b21e8d4180e892335efbe03bb8f0619e809219065efb3a2

/storage/emulated/0/360/.iddata

MD5 7cc1e45829b6aad563856e6309cdc0e8
SHA1 29fcb030b2fcaed6d03a8c75afd10f64ae79ef66
SHA256 e94263101e55dde113efaaa583473d5bb4f5aa455e24b5af13644d6b4fc6fbd7
SHA512 00a8db60b70ede47f98137391bf1bc1dd19f624c3b330fc9afe91d9bde66692f4142dc310fe91338704d759135d778df833ce3b3aa2ae178291c34c597080f48

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399

/data/data/com.crude.king/lib-main/dso_state

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

/data/data/com.crude.king/lib-main/dso_deps

MD5 257635fe0035faa1c1dc1246ef6ce735
SHA1 968128ecdf96f85e0cee06d6c27eb8fb807b6808
SHA256 34b5346bfd7a5d81b44843ff68a378cfab62d45f4d379028c21606dfa528f59b
SHA512 7d9e5502efaff783eeada6c696db824d9d1593082cd16ae5dda56ed985dc290a171981e9eead8383089698d4ffdb2a521e16c6898b7f66a6bb60c072276598d4

/data/data/com.crude.king/lib-main/dso_manifest

MD5 c06857e9ea338f3f3a24bb78f8fbdf6f
SHA1 c5a0a2529d2deb60fec041b4fbd722a2ebe31702
SHA256 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027
SHA512 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

/data/data/com.crude.king/lib-main/dso_state

MD5 55a54008ad1ba589aa210d2629c1df41
SHA1 bf8b4530d8d246dd74ac53a13471bba17941dff7
SHA256 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
SHA512 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339