Malware Analysis Report

2024-11-15 05:40

Sample ID: 240604-ch2qlshf6z
Target: 935ab14e332e00900733b08f2e738300_JaffaCakes118
SHA256: 2832995f968e658c7c14d45224acaa0bdb395a5bddda29383dcda50109b5ce96
Tags: discovery, evasion
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 935ab14e332e00900733b08f2e738300_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion

Checks if the Android device is rooted.

Checks known Qemu files.

Checks memory information

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Checks if the internet connection is available

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Analysis: static1

Detonation Overview

Reported: 2024-06-04 02:06

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 02:05
Reported: 2024-06-04 02:09
Platform: android-x86-arm-20240603-en
Max time kernel: 7s
Max time network: 131s

Command Line

com.kingkr.kvwgiso

Signatures

Checks if the Android device is rooted.

Tags: evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Checks known Qemu files.

Tags: evasion
Description | Indicator | Process | Target
N/A | /sys/qemu_trace | N/A | N/A

Checks memory information.

Tags: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries information about the current Wi-Fi connection.

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks if the internet connection is available.

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | s.appjiagu.com | N/A | N/A

Processes

com.kingkr.kvwgiso
    chmod 755 /data/user/0/com.kingkr.kvwgiso/.jiagu/libjiagu.so

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | s.appjiagu.com | udp
US | 104.192.110.60:80 | s.appjiagu.com | tcp
US | 1.1.1.1:53 | sc.jiagu.360.cn | udp
CN | 106.63.24.26:80 | sc.jiagu.360.cn | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/com.kingkr.kvwgiso/.jiagu/libjiagu.so

MD5 6525dc34d4a2656b93c41bc4223fddd2
SHA1 5c2333cb8ad87abc747d13d6352d5f19dc18997b
SHA256 744cdb26f7cf86d52fa8b214813a346952fc7476826400b85a3db96356f5047c
SHA512 b98dc08115cdefc31b2c0679d046a34e788936f985bcd70bb789b1828dcd59d949b023388a3b56ef017bafac31e79c12ebd6f6b623f01a38ea0e6e04a9fd1fc8

/data/data/com.kingkr.kvwgiso/files/.jglogs/.jg.ri

MD5 4bf80785f54de692749c384853fd675a
SHA1 7961d12648a7440ca118f70b0070e4d9464f3178
SHA256 270315eedd3f581035793d754a3eafc0cce90dd86e12d6b7c6c8ef66b1745daf
SHA512 6ba22e7c774a7b51e8758299a17f0ec5a048f47b0dd39c75995a43cffb1df7e5244c7defb72b143cb933f99bec0c20ce71af72262e80689e560e577de88ead58

/data/data/com.kingkr.kvwgiso/files/.jiagu.lock

MD5 596842249155940f59c2f75c255bc205
SHA1 b099f68a5a6c5692ceb71981a85a3fb12dd2d7ad
SHA256 d61a3f74e37cbe6ff40eba575f9ac3ee56ca3182a7e928374826e6723f238791
SHA512 f2f30ddd60f7a17e68c0b04a4b2671018e5f0519f3d00176e8771bad06651a744bc742f78121119b4467baf92fb66ea4b2a0d29cbd4409f97a08fdc7acd91bd6

/data/data/com.kingkr.kvwgiso/files/.jglogs/.jg.ac

MD5 f421b9cc3cbc2f50d10d84e24df4b9de
SHA1 3032955b77be239c1b38543149abec4df3412437
SHA256 6253fa12d837491391c1826b34a20ef9af791ae789fd41d568a385df731d8f97
SHA512 f6c054030c7e92aa815a9f78eae4daf913e2f881ded6d2d9652ea03e30d983f7816a643bc0e574a1bb6b8965eeec17af92736cd91a965973e3aab95736eed683

/data/data/com.kingkr.kvwgiso/files/.jglogs/.jg.ic

MD5 027e45fda1fc36a7ca49249c06261593
SHA1 bba6dc24dd027fcc91e7c4f5de65db827b0a3f0d
SHA256 1945980fa324ae810a479178ef76e71acf8f7dac2b462db0c4b7980128209c46
SHA512 003a6725dd8e1502df4b14d8ef481ec830ccaf55c53b3af3a4f77bb0c2d7d1af7b5c95485dd0863b55a387bb060414ad80ef554e3b8dc3c611359d3f7d850657

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 02:05
Reported: 2024-06-04 02:06
Platform: android-33-x64-arm64-20240603-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.187.228:443 | | udp
GB | 142.250.187.228:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.228:443 | | udp

Files

N/A