Malware Analysis Report

2024-11-16 10:44

Sample ID 240603-lk12jabe66
Target 914d75c70107ce59c23aa897224d087e_JaffaCakes118
SHA256 ae831a3f855d36c3a115d7c14094edb9014d3af532fef8678ca43bffe4050819
Tags
banker collection discovery evasion execution impact persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 914d75c70107ce59c23aa897224d087e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion execution impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Makes use of the framework's foreground persistence service

Queries account information for other applications stored on the device

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Schedules tasks to execute at a specified time

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:36

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:36

Reported

2024-06-03 09:39

Platform

android-x86-arm-20240514-en

Max time kernel

161s

Max time network

181s

Command Line

com.duole.zhuojimjhd.qihoo

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.duole.zhuojimjhd.qihoo

com.duole.zhuojimjhd.qihoo:PushClient

com.duole.zhuojimjhd.qihoo:channel

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.3:443 | | tcp
US | 1.1.1.1:53 | umengacs.m.taobao.com | udp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
US | 1.1.1.1:53 | sdk.s.360.cn | udp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
US | 104.192.110.245:80 | sdk.s.360.cn | tcp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.112.112:443 | log.umsns.com | tcp
US | 1.1.1.1:53 | api.gamebox.360.cn | udp
US | 1.1.1.1:53 | mgame.360.cn | udp
US | 1.1.1.1:53 | p.s.360.cn | udp
CN | 171.8.167.69:80 | p.s.360.cn | tcp
CN | 101.198.3.46:443 | mgame.360.cn | tcp
US | 1.1.1.1:53 | update.duole.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 101.198.3.226:80 | api.gamebox.360.cn | tcp
CN | 101.198.3.226:443 | api.gamebox.360.cn | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | update.duole.com | udp
CN | 49.233.236.64:80 | update.duole.com | tcp
US | 1.1.1.1:53 | relation.gamebox.360.cn | udp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
US | 1.1.1.1:53 | amdc.m.taobao.com | udp
HK | 47.246.103.10:443 | amdc.m.taobao.com | tcp
US | 1.1.1.1:53 | mdm.openapi.360.cn | udp
US | 104.192.110.235:80 | mdm.openapi.360.cn | tcp
GB | 142.250.187.206:443 | | tcp
CN | 220.181.150.165:443 | | tcp
CN | 106.63.27.86:443 | | tcp
CN | 123.125.82.184:80 | | tcp
CN | 111.13.65.241:443 | | tcp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
CN | 124.239.14.248:443 | umengjmacs.m.taobao.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
HK | 47.246.103.10:443 | amdc.m.taobao.com | tcp
CN | 111.13.65.241:80 | | tcp
HK | 47.246.103.10:443 | amdc.m.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 59.82.60.44:443 | log.umsns.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
US | 1.1.1.1:53 | android.api.360kan.com | udp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
US | 1.1.1.1:53 | data.iapppay.com | udp
CN | 101.198.3.226:80 | relation.gamebox.360.cn | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 180.163.249.138:80 | p.s.360.cn | tcp
CN | 111.13.65.241:80 | | tcp
CN | 220.181.150.197:80 | | tcp
CN | 111.13.65.241:80 | | tcp
CN | 111.13.65.241:80 | | tcp
CN | 111.13.65.241:80 | | tcp
CN | 220.181.150.197:80 | | tcp
CN | 123.125.82.184:80 | | tcp
CN | 123.125.82.184:80 | | tcp
CN | 123.125.82.184:80 | | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 59.82.29.248:443 | log.umsns.com | tcp
US | 1.1.1.1:53 | alog.umengcloud.com | udp
CN | 223.109.148.177:80 | alog.umengcloud.com | tcp
US | 1.1.1.1:53 | gc.mobilem.360.cn | udp
CN | 180.163.251.81:80 | gc.mobilem.360.cn | tcp
CN | 180.163.251.81:80 | gc.mobilem.360.cn | tcp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
CN | 124.239.14.248:443 | umengjmacs.m.taobao.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 223.109.148.130:80 | alog.umengcloud.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 110.253.188.241:443 | umengacs.m.taobao.com | tcp
CN | 223.109.148.178:80 | alog.umengcloud.com | tcp
CN | 59.82.29.249:443 | log.umsns.com | tcp
CN | 106.63.24.127:80 | p.s.360.cn | tcp
CN | 223.109.148.141:80 | alog.umengcloud.com | tcp
CN | 223.109.148.179:80 | alog.umengcloud.com | tcp
CN | 124.239.14.248:80 | umengjmacs.m.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umengcloud.com | tcp
CN | 59.82.31.154:443 | log.umsns.com | tcp
CN | 171.8.167.68:80 | p.s.360.cn | tcp
US | 1.1.1.1:53 | mdm.openapi.360.cn | udp
US | 104.192.110.235:80 | mdm.openapi.360.cn | tcp
CN | 39.156.84.40:80 | | tcp
CN | 59.82.31.160:443 | log.umsns.com | tcp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
CN | 124.239.14.248:443 | umengjmacs.m.taobao.com | tcp
HK | 47.246.103.9:80 | amdc.m.taobao.com | tcp

Files

/data/data/com.duole.zhuojimjhd.qihoo/databases/MessageStore.db-journal

MD5 d50e07a654aa9cff570272cee40af8c6
SHA1 fc71a4cd28f4cd3f02b01d04eef2406e42bdf5d4
SHA256 a3d76335d69c5be623afabfe5cdb1ac087be61233560abae844072775ec803ef
SHA512 d65c7fbc9f6edb7907e905cd1aaa277d6ba07c93ed93b662913615eaabafd80048bdf457158294a1ad28af4eb260f1d2a2cb9ceb891ba29f171a2ad828c5d021

/data/data/com.duole.zhuojimjhd.qihoo/databases/MessageStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.duole.zhuojimjhd.qihoo/databases/MessageStore.db-shm

MD5 b4854550571aed69358aae490d452540
SHA1 e3113cd049d314485a40ec8b39c3fd07cfcb11d7
SHA256 4d71bc49cb83381141995e00d9abe83e8a80664bbebd18e03512a5ae0609f5af
SHA512 a78d019f80b6a8a14c7165ede904f5808aeadea98a82ae5167fda8c45275c7948e4965c94002cf8e1c68a2346409c38fc84cf95fd425da2d69838b25fcd63cf7

/data/data/com.duole.zhuojimjhd.qihoo/databases/MessageStore.db-wal

MD5 c7909f2734f279690a387dbda43bbf91
SHA1 5722bb0d21ecdcc2fffa8ec5d304c0d50948b817
SHA256 6e974390e99fab3f7b3b18dde232b9c2c7d5ba322e53f85f228fc25858808393
SHA512 bae199ee0b3abbc2f7a80f726359e26c9a2bb6ad0d83e8fbb23c02ac36ac71ef5cfcc9f85b59cc97336d5e15257c3c2c012f34d4bb8e9ac50e68abbc191b1fff

/data/data/com.duole.zhuojimjhd.qihoo/databases/MsgLogStore.db-journal

MD5 1a40789f4452a7eaebe902f5b078dc61
SHA1 f929be605eba348acaba276b4a7a9e23bbdede6f
SHA256 7c03ff1a9a54ec2833460ab185f0c45db690912d2eabfb28937e982117f3c13a
SHA512 b80432cb67904068eca033d0e19695c386da79b5aabc5ea442d33abc561aa0a28dabcc37efa84bfefbf1f754f54e2ae2bcc11d26cb9e3fa96cac424ecbfcc692

/data/data/com.duole.zhuojimjhd.qihoo/databases/MsgLogStore.db

MD5 062ecb24f51b80bd9552fc6160aea885
SHA1 d795b1bd7f3f976e8ec247816858c8953205a637
SHA256 43a28077f20c9bd6d38001c3d0596cd7434f8c1637857221d82084c0e850e803
SHA512 fe58a87b1551fb3c50d4a5286354ad9ef1349c41e9459a0529a006bf7427ddcd8aa78cf57beda1bffcea89fd89324ce533f1bf6dd85285419e5519ff494a6f3a

/data/data/com.duole.zhuojimjhd.qihoo/databases/MsgLogStore.db-shm

MD5 9dde69e93dbeb1b7d3ac871451a5a040
SHA1 e054cf1089ff461f68400e4cbf7e31518d42d4f3
SHA256 a00b0ff8174af7a49d1ef48364686769689761761b86ce2e187c28fbaf77045e
SHA512 f5ba4c92b4ce45b8df653c3e0f46afa18e340b60e26c88833ab239e14c4a62da9a4f46aa6e9d78092338cd92c306070ab5ee508b51c486f0b5d3f12377162579

/data/data/com.duole.zhuojimjhd.qihoo/databases/MsgLogStore.db-wal

MD5 c0e839a05c2140454aa13f9b1d75b2b3
SHA1 c536b96be6146dc4519cdf340d27d86802c618eb
SHA256 63a65abdbda16861a786f96be2379d31c362c676fbccdeffdc10a30306b01c1d
SHA512 fce8381c071045816b209f6d8e00e6f34189bf4fa5005223ed72490d81c9615867b4cdf3d11c362e4d9c2e97d1c547ed68907f5c2aa30b381fecfa502fd3fca1

/data/data/com.duole.zhuojimjhd.qihoo/databases/accs.db-journal

MD5 3330a9e54741b85c03a0112db4cd48ce
SHA1 c29661d037ed8b10db8602e80d3ba8926c1d1633
SHA256 bb87874a3e1aca727794b31889faaae8dd69a67974c9d5fbfb977c16384121e7
SHA512 f43a01d1ae7963015454a87899e40462a2dfff59da3045f7f57a47b3df97383e45b3150dec0405de0038d9f2865b3a631529b33bd5da4637b25828771bff34f9

/data/data/com.duole.zhuojimjhd.qihoo/databases/accs.db

MD5 486e2bac2b3e9e1cb411d2838a4854bd
SHA1 81dd0a7537f4af319b830ae834908986be85da8b
SHA256 5644a250fa6cef16c2c802b98275656a5fc39dcf89bcc22193742d85c7313f57
SHA512 c146789563dae163e373489b3df53f22efebd32b69643992969241eb5ad5eec668de67e7cd2aaf5c3a8af57b0842115d00183825734f57643d3fdb09835fe681

/data/data/com.duole.zhuojimjhd.qihoo/databases/accs.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.duole.zhuojimjhd.qihoo/databases/accs.db-wal

MD5 f1efb79276c919036567e93cf58c9496
SHA1 f959e8d8fa5804a1810b717ce6d76e0eb5a985b3
SHA256 d867f76cf72c2e81a2d758586dbaf957f49498cde507ec33a574b0a9ac6a4670
SHA512 e919bd68ea4e1493f9c1142bc4a2970f32c984ee752d60dcebf2ee9660254b0a96612ca92e012f972d9208354a6037276c189c4bd0ad150bd438528764d1c88a

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 85a0c2f12d35ea3041cf970bfc2ebbb7
SHA1 95a97930b720e1aea35a7f808e4bdad79cac8e02
SHA256 644d5156f29a17b14ee1c5a1145da4f415f5e7a56278f3646f515d7ec90427ee
SHA512 e544e52174c54826508d9640a9255b0bf738b27cf466837e4ef6d6895f558c0c4e14211caa2632099caf08e03eef7ee89f6f635624eb2364fc7dc2804639bb49

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 54a90847b703e4689a649fe3dba7f1f7
SHA1 54f8eed2359657095372408b7b08038ae20f3d07
SHA256 2ad8f7ff30d836ef059305d84c3567ce159b84b5e87619dd56cfab51a8b6bc24
SHA512 b439e6f2a7d2223123a87a9427963cca7e22a918a207409fb99b243f46b562e20ddd425544556a7f0ec189218e3e250a80755b3d69024f496275167ebf9c2c5a

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 7e053b9ff60cae27ae8ad21d21632932
SHA1 674652aeea091ccc87e35cbe782b4c597c5e305f
SHA256 9573c317dab83c2c53eb65fe9b054b7888c116aa35f487ab26746e3ec383c9b3
SHA512 75dafacaf80780cb0140f5320234af957ed75a3af837069b52b1dbc44e67bb2e08f14dfafe1c3ca276e75b228c47b39f62a5d482fbdfb943d99f7e22ce5f4c8e

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 2dba20a60e78ca9b1320d86368dbc4bf
SHA1 c53f832b079db847739768a2677555805336c565
SHA256 41b327de233cd01556400e9906e8e0572ec10fb84e8ca2b6534d7ecfda6d63e6
SHA512 92fcc2043a4983b1f016593f467d122bb463af917d67882fe85f66fdd909c4096d4e09ba6caa82b17e68a1d680b2f868573527eec576f29eeaf86e43747361a4

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 4e6b6e474c7b9ae611b2a779380dfcea
SHA1 bfb35781579eac38c35be5229b8c9629ecce4ea0
SHA256 9cf4701af7404e0701d9f4396b0e46ee3f56bd68d337789b2be8dfe42816ae73
SHA512 7a65cdcf55105b424331f3c9bc247145285b8252b761967c84bed31b447f03919ee1142fe6ad83674b2e800af08d779691283cd05be406daaeeddf54da5435d4

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 9db8b81b7efe560104a38632d59e32e6
SHA1 d2389ba3b6a35cb60cbfca7440c67cb5bbd20b27
SHA256 e42b25bc7b76829b0ff1416d52abce70c49ad46a87a37dd3c65b4466abc28e07
SHA512 d5c5aa23ff9c592e1b645b7e152fcc64410602aa2b3285290d30c3fd942e6378c92da755aded483c784b229be0ba5a8078b2bf4314686d326788213cd57abf82