Analysis Overview
SHA256
b24d359c328aac0f923113a6c7da8b917fd5c99cc9b663e80c11a1186ae40f6c
Threat Level: Likely malicious
The file 99576775979ce1b5fb61b3bdc612ea77_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries the phone number (MSISDN for GSM devices)
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Queries information about active data network
Queries the mobile country code (MCC)
Uses Crypto APIs (Might try to encrypt user data)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 21:55
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 21:55
Reported
2024-06-05 21:58
Platform
android-x86-arm-20240603-en
Max time kernel
156s
Max time network
178s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
xw.csby.com
/system/bin/sh -c getprop
getprop
/system/bin/sh -c type su
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | serverip.sdk.quicksdk.net | udp |
| US | 1.1.1.1:53 | www.85sy.com | udp |
| CN | 134.175.33.43:80 | tcp | |
| CN | 180.150.189.181:88 | tcp | |
| CN | 180.150.189.181:88 | tcp | |
| CN | 180.150.191.127:80 | serverip.sdk.quicksdk.net | tcp |
| CN | 134.175.33.43:80 | tcp | |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | sdkapi00.sdk.quicksdk.net | udp |
| CN | 106.75.35.13:80 | sdkapi00.sdk.quicksdk.net | tcp |
| CN | 180.150.191.127:80 | serverip.sdk.quicksdk.net | tcp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| GB | 216.58.201.110:443 | tcp | |
| GB | 142.250.187.194:443 | tcp | |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
Files
/data/data/xw.csby.com/app_crashrecord/1004
| MD5 | 4ac2b5ae8a965230256856321778c9b8 |
| SHA1 | 493e90761ca2f0fcd07107b3a17a8e3c81cbf706 |
| SHA256 | 1ee2e48dd8731e96023ee61ef96296bb4f0ca08565e34eb19b74ce7f4e26a0d5 |
| SHA512 | 95c7fa45105a70ca4e881107d290511cdf31fd48a4aac53caccf1d54ebbc591dae465d4dd44c589a6252f6f600f4fbe1c63dcc4a999b384bc51ac3af04ca152d |
/data/data/xw.csby.com/databases/bugly_db_-journal
| MD5 | edecc9710d111a7db134b2ea794f0f33 |
| SHA1 | b6c5813af91d3338517072d4d3f95104c6a564e6 |
| SHA256 | 5a79ec73dc2f85da047c0c2b6d7f75b8a79264c3fdc4e2492cb7d93f73b85855 |
| SHA512 | f88e27a2b85f31018f7e0eea6314e51e0fd852b9ad30778e675cc26da15da02ec1e4a8a4725679460cf194f14f3094a1994bd5ee8d5a7d25913f7dea21e1de75 |
/data/data/xw.csby.com/databases/bugly_db_
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/xw.csby.com/databases/bugly_db_-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/xw.csby.com/databases/bugly_db_-wal
| MD5 | 2d5043f071336a688d039a01f91304c6 |
| SHA1 | 82c197a91932fa7127aa3e1e95d4603eb0001ca2 |
| SHA256 | e0d0e4c5fc686d035dfcd86434d84e73665e8d0ff96ce52a6519fdd5cdf8da73 |
| SHA512 | b854d86bab1048150f8becb31cd5a0e6934526e06f60b6c9450b044773393c18c76fcb4bc635ec0ecfdf9c8c9a24441355b5c298d0555539a25de858f92c62f6 |
/data/data/xw.csby.com/app_crashrecord/1004
| MD5 | 0d210bfb2a0e1f1b4c082a6a0f79de07 |
| SHA1 | bb8ed9e364db79d1d9f2fcde3f15091893222faa |
| SHA256 | 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d |
| SHA512 | 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1 |
/storage/emulated/0/UcQkDir/qk.dvid.txt
| MD5 | e2d37b9a546be05846d3c04e3b79ad66 |
| SHA1 | ddb6fc4b13580654977dee6487fbc21ad641381d |
| SHA256 | 95e19dc5836ac1ed199f2644476a8afbf761e057218d25ed35175316feb2a8de |
| SHA512 | feb63e9946183e19e90b0fc9f9669c21d0e7cd2c67df926d68297ed99030f0d4bdfdae59234664d8e395c6a8a8f17ba6345099202162a5ebbb3bcce0c3ad7d68 |