Analysis Overview
SHA256
2832995f968e658c7c14d45224acaa0bdb395a5bddda29383dcda50109b5ce96
Threat Level: Likely malicious
The file 935ab14e332e00900733b08f2e738300_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Checks known Qemu files.
Checks memory information
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Checks if the internet connection is available
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 02:06
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 02:05
Reported
2024-06-04 02:09
Platform
android-x86-arm-20240603-en
Max time kernel
7s
Max time network
131s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
Checks known Qemu files.
| Description | Indicator | Process | Target |
| N/A | /sys/qemu_trace | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | s.appjiagu.com | N/A | N/A |
Processes
com.kingkr.kvwgiso
chmod 755 /data/user/0/com.kingkr.kvwgiso/.jiagu/libjiagu.so
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | s.appjiagu.com | udp |
| US | 104.192.110.60:80 | s.appjiagu.com | tcp |
| US | 1.1.1.1:53 | sc.jiagu.360.cn | udp |
| CN | 106.63.24.26:80 | sc.jiagu.360.cn | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.kingkr.kvwgiso/.jiagu/libjiagu.so
| MD5 | 6525dc34d4a2656b93c41bc4223fddd2 |
| SHA1 | 5c2333cb8ad87abc747d13d6352d5f19dc18997b |
| SHA256 | 744cdb26f7cf86d52fa8b214813a346952fc7476826400b85a3db96356f5047c |
| SHA512 | b98dc08115cdefc31b2c0679d046a34e788936f985bcd70bb789b1828dcd59d949b023388a3b56ef017bafac31e79c12ebd6f6b623f01a38ea0e6e04a9fd1fc8 |
/data/data/com.kingkr.kvwgiso/files/.jglogs/.jg.ri
| MD5 | 4bf80785f54de692749c384853fd675a |
| SHA1 | 7961d12648a7440ca118f70b0070e4d9464f3178 |
| SHA256 | 270315eedd3f581035793d754a3eafc0cce90dd86e12d6b7c6c8ef66b1745daf |
| SHA512 | 6ba22e7c774a7b51e8758299a17f0ec5a048f47b0dd39c75995a43cffb1df7e5244c7defb72b143cb933f99bec0c20ce71af72262e80689e560e577de88ead58 |
/data/data/com.kingkr.kvwgiso/files/.jiagu.lock
| MD5 | 596842249155940f59c2f75c255bc205 |
| SHA1 | b099f68a5a6c5692ceb71981a85a3fb12dd2d7ad |
| SHA256 | d61a3f74e37cbe6ff40eba575f9ac3ee56ca3182a7e928374826e6723f238791 |
| SHA512 | f2f30ddd60f7a17e68c0b04a4b2671018e5f0519f3d00176e8771bad06651a744bc742f78121119b4467baf92fb66ea4b2a0d29cbd4409f97a08fdc7acd91bd6 |
/data/data/com.kingkr.kvwgiso/files/.jglogs/.jg.ac
| MD5 | f421b9cc3cbc2f50d10d84e24df4b9de |
| SHA1 | 3032955b77be239c1b38543149abec4df3412437 |
| SHA256 | 6253fa12d837491391c1826b34a20ef9af791ae789fd41d568a385df731d8f97 |
| SHA512 | f6c054030c7e92aa815a9f78eae4daf913e2f881ded6d2d9652ea03e30d983f7816a643bc0e574a1bb6b8965eeec17af92736cd91a965973e3aab95736eed683 |
/data/data/com.kingkr.kvwgiso/files/.jglogs/.jg.ic
| MD5 | 027e45fda1fc36a7ca49249c06261593 |
| SHA1 | bba6dc24dd027fcc91e7c4f5de65db827b0a3f0d |
| SHA256 | 1945980fa324ae810a479178ef76e71acf8f7dac2b462db0c4b7980128209c46 |
| SHA512 | 003a6725dd8e1502df4b14d8ef481ec830ccaf55c53b3af3a4f77bb0c2d7d1af7b5c95485dd0863b55a387bb060414ad80ef554e3b8dc3c611359d3f7d850657 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 02:05
Reported
2024-06-04 02:06
Platform
android-33-x64-arm64-20240603-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.228:443 | | udp |
| GB | 142.250.187.228:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.228:443 | | udp |