Malware Analysis Report

2025-01-19 08:09

Sample ID 240605-1sv8ksac4z
Target 99576775979ce1b5fb61b3bdc612ea77_JaffaCakes118
SHA256 b24d359c328aac0f923113a6c7da8b917fd5c99cc9b663e80c11a1186ae40f6c
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b24d359c328aac0f923113a6c7da8b917fd5c99cc9b663e80c11a1186ae40f6c

Threat Level: Likely malicious

The file 99576775979ce1b5fb61b3bdc612ea77_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 21:55

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 21:55

Reported

2024-06-05 21:58

Platform

android-x86-arm-20240603-en

Max time kernel

156s

Max time network

178s

Command Line

xw.csby.com

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

xw.csby.com

/system/bin/sh -c getprop

getprop

/system/bin/sh -c type su

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 serverip.sdk.quicksdk.net udp
US 1.1.1.1:53 www.85sy.com udp
CN 134.175.33.43:80 tcp
CN 180.150.189.181:88 tcp
CN 180.150.189.181:88 tcp
CN 180.150.191.127:80 serverip.sdk.quicksdk.net tcp
CN 134.175.33.43:80 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 sdkapi00.sdk.quicksdk.net udp
CN 106.75.35.13:80 sdkapi00.sdk.quicksdk.net tcp
CN 180.150.191.127:80 serverip.sdk.quicksdk.net tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
GB 216.58.201.110:443 tcp
GB 142.250.187.194:443 tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp

Files

/data/data/xw.csby.com/app_crashrecord/1004

MD5 4ac2b5ae8a965230256856321778c9b8
SHA1 493e90761ca2f0fcd07107b3a17a8e3c81cbf706
SHA256 1ee2e48dd8731e96023ee61ef96296bb4f0ca08565e34eb19b74ce7f4e26a0d5
SHA512 95c7fa45105a70ca4e881107d290511cdf31fd48a4aac53caccf1d54ebbc591dae465d4dd44c589a6252f6f600f4fbe1c63dcc4a999b384bc51ac3af04ca152d

/data/data/xw.csby.com/databases/bugly_db_-journal

MD5 edecc9710d111a7db134b2ea794f0f33
SHA1 b6c5813af91d3338517072d4d3f95104c6a564e6
SHA256 5a79ec73dc2f85da047c0c2b6d7f75b8a79264c3fdc4e2492cb7d93f73b85855
SHA512 f88e27a2b85f31018f7e0eea6314e51e0fd852b9ad30778e675cc26da15da02ec1e4a8a4725679460cf194f14f3094a1994bd5ee8d5a7d25913f7dea21e1de75

/data/data/xw.csby.com/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/xw.csby.com/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/xw.csby.com/databases/bugly_db_-wal

MD5 2d5043f071336a688d039a01f91304c6
SHA1 82c197a91932fa7127aa3e1e95d4603eb0001ca2
SHA256 e0d0e4c5fc686d035dfcd86434d84e73665e8d0ff96ce52a6519fdd5cdf8da73
SHA512 b854d86bab1048150f8becb31cd5a0e6934526e06f60b6c9450b044773393c18c76fcb4bc635ec0ecfdf9c8c9a24441355b5c298d0555539a25de858f92c62f6

/data/data/xw.csby.com/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/storage/emulated/0/UcQkDir/qk.dvid.txt

MD5 e2d37b9a546be05846d3c04e3b79ad66
SHA1 ddb6fc4b13580654977dee6487fbc21ad641381d
SHA256 95e19dc5836ac1ed199f2644476a8afbf761e057218d25ed35175316feb2a8de
SHA512 feb63e9946183e19e90b0fc9f9669c21d0e7cd2c67df926d68297ed99030f0d4bdfdae59234664d8e395c6a8a8f17ba6345099202162a5ebbb3bcce0c3ad7d68