Malware Analysis Report

2025-01-19 08:09

Sample ID 240605-17b39aae7s
Target 996291886c144a285d1836168d4890a5_JaffaCakes118
SHA256 776965ffd02532301537fdf7d6a4e10c79c62bbd2fa6a6b76c9044dfb35596e9
Tags
banker discovery evasion impact persistence
score
7/10


Analysis Overview

score
7/10

SHA256

776965ffd02532301537fdf7d6a4e10c79c62bbd2fa6a6b76c9044dfb35596e9

Threat Level: Shows suspicious behavior

The file 996291886c144a285d1836168d4890a5_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery evasion impact persistence

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Queries information about active data network

Queries information about the current Wi-Fi connection

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 22:17

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 22:17

Reported

2024-06-05 22:20

Platform

android-x86-arm-20240603-en

Max time kernel

160s

Max time network

167s

Command Line

io.dcloud.UNIB06D3A1

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/io.dcloud.UNIB06D3A1/.jiagu/classes.dex N/A N/A
N/A /data/data/io.dcloud.UNIB06D3A1/.jiagu/classes.dex!classes2.dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A s.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

io.dcloud.UNIB06D3A1

sh -c ps -ef

ps -ef

/data/app/io.dcloud.UNIB06D3A1-52Yp8yHDUZvRU9U73PNIug==/lib/x86//libweexjsb.so 132 140 1 /data/user/0/io.dcloud.UNIB06D3A1/app_crash/crash_dump.log

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 service.dcloud.net.cn udp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 alog.umeng.com udp
SG 47.246.109.108:80 alog.umeng.com tcp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 ez4q2.cn udp
CN 112.65.70.244:80 ez4q2.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 22:17

Reported

2024-06-05 22:17

Platform

android-33-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.228:443 udp
GB 142.250.187.228:443 udp
N/A 224.0.0.251:5353 udp

Files

N/A