Malware Analysis Report

2025-01-19 08:08

Sample ID 240605-2b3rrsbf55
Target 996600aea5fc1d3cfad850e316f94f61_JaffaCakes118
SHA256 c436116c9b63272f89f507bc160c5d8b390152349074b156025812695847ddc7
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

c436116c9b63272f89f507bc160c5d8b390152349074b156025812695847ddc7

Threat Level: Likely malicious

The file 996600aea5fc1d3cfad850e316f94f61_JaffaCakes118 was found to be: Likely malicious.

Note: the score and verdict are heuristic and follow directly from the signatures listed below. The destinations recorded in this report (plbslog.umeng.com, ulogs.umeng.com) and the on-disk artifacts (.umeng/, umeng_it.cache, wxop_tencent_analysis.db) are characteristic of the Umeng analytics SDK and the Tencent/WeChat Open SDK analytics component, which collect device identifiers and network state as part of normal operation; root checks and sensor registration are likewise common in analytics and anti-fraud SDKs. Treat the verdict as a triage prompt and confirm malicious intent from the application's own code paths, not from SDK telemetry alone.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 22:26

Signatures

Requests dangerous framework permissions (Android protection level "dangerous": permissions that expose user data or device state and require a runtime grant on Android 6.0+)

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 22:25

Reported

2024-06-05 22:29

Platform

android-x86-arm-20240603-en

Max time kernel

152s

Max time network

177s

Command Line

com.fanhua.box

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.fanhua.box

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
CN | 47.105.61.82:80 | | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.75:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | ulogs.umeng.com | udp
CN | 223.109.148.177:443 | ulogs.umeng.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 223.109.148.130:443 | ulogs.umeng.com | tcp
CN | 223.109.148.179:443 | ulogs.umeng.com | tcp
CN | 223.109.148.141:443 | ulogs.umeng.com | tcp
CN | 223.109.148.178:443 | ulogs.umeng.com | tcp
CN | 223.109.148.176:443 | ulogs.umeng.com | tcp
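The Network table above mixes three kinds of rows: the sandbox's own DNS lookups against its resolver, a local mDNS multicast probe, and the sample's actual outbound connections. Only the last group yields indicators worth blocking or hunting for. The Python script below is an added editorial example, not part of the sandbox output: it re-types the table as constructed input and separates the groups. The `parse_rows` and `triage` functions and the field names they return are this example's own.

```python
import ipaddress

# The Network table from this report, re-typed here as constructed sample
# input. Rows that resolved no domain have three columns, as in the report.
NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
CN 47.105.61.82:80 tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.75:443 plbslog.umeng.com tcp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 223.109.148.177:443 ulogs.umeng.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 223.109.148.130:443 ulogs.umeng.com tcp
CN 223.109.148.179:443 ulogs.umeng.com tcp
CN 223.109.148.141:443 ulogs.umeng.com tcp
CN 223.109.148.178:443 ulogs.umeng.com tcp
CN 223.109.148.176:443 ulogs.umeng.com tcp
"""


def parse_rows(table):
    """Turn the whitespace-separated sandbox table into dicts."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(ip),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Separate blockable indicators from sandbox and LAN noise.

    Returns a dict with:
      domains       - contacted domain -> set of IPs it resolved to
      bare_ips      - connections with no resolved domain (need attribution)
      plaintext     - port-80 connections, i.e. unencrypted traffic
      dns_resolvers - resolver addresses seen (sandbox infrastructure, not IOCs)
      dropped       - rows excluded, with the reason
    """
    out = {"domains": {}, "bare_ips": set(), "plaintext": [],
           "dns_resolvers": set(), "dropped": []}
    for r in rows:
        ip, port = r["ip"], r["port"]
        if ip.is_multicast or ip.is_link_local or ip.is_loopback or ip.is_private:
            out["dropped"].append((str(ip), port, "local/multicast traffic, not remote infrastructure"))
            continue
        if port == 53 and r["proto"] == "udp":
            # The resolver belongs to the sandbox; keep only the name that was queried.
            out["dns_resolvers"].add(str(ip))
            if r["domain"]:
                out["domains"].setdefault(r["domain"], set())
            continue
        if r["domain"]:
            out["domains"].setdefault(r["domain"], set()).add(str(ip))
        else:
            out["bare_ips"].add(str(ip))
        if port == 80:
            out["plaintext"].append((str(ip), r["domain"]))
    return out


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for name, ips in sorted(result["domains"].items()):
        print(f"domain  {name:28} {', '.join(sorted(ips)) or '(DNS only)'}")
    for ip in sorted(result["bare_ips"]):
        print(f"bare IP {ip}  (attribute before blocking)")
    for ip, dom in result["plaintext"]:
        print(f"plaintext HTTP to {dom or ip}")
    for ip, port, why in result["dropped"]:
        print(f"dropped {ip}:{port}  {why}")
    print("sandbox resolver(s):", ", ".join(sorted(result["dns_resolvers"])))
```

Run as `python3 triage.py`. The point it makes: 1.1.1.1 is the sandbox's resolver and 224.0.0.251:5353 is mDNS, so neither belongs in a blocklist built from this report. The two destinations with no resolved domain (47.105.61.82:80, plain HTTP to a CN host, and 142.250.178.14:443) need attribution from passive DNS or the captured traffic before anyone acts on them.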

Files

/data/data/com.fanhua.box/databases/ua.db-journal

MD5 b55e788fa758810c10b8827283483126
SHA1 2ca17372bfd16bb7cdf93484fca24c85270d0e5d
SHA256 4470b53c3e8598cc7de42a263146fef352944b7398b14e03a3e4e7ac48300ff5
SHA512 f8298bbf5a99a1cb955993d1de5a2146398019f2b1064c2efa8c95428cc3f443ae2f5b0cd525c4a43907134f11dc7dab246b25fcd42711703691aca99b671f58

/data/data/com.fanhua.box/databases/ua.db

MD5 0adda9c85a5e4808f5b1b74c0a8591a5
SHA1 5048107883ab1e345af9cf2e6849ce46e0e612bf
SHA256 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1
SHA512 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

/data/data/com.fanhua.box/databases/ua.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.fanhua.box/databases/ua.db-wal

MD5 ef83484fb343a6a6472d2f47d557daf2
SHA1 68f006b3d99e26552e1cc85c3d2aeaebed55bd70
SHA256 d469b2fbab24f81135754693877bb00b1541cf6ddffb2abfe7642c7cc7ade110
SHA512 9e463f3f4a568b4698ca86f9432910b4a68cd71b41662b271f237bc5097e874c76a893e8dd653dbd87889b65abad4c3945a1ad9024e88a311b9e14e4e36b8ea2

/data/data/com.fanhua.box/databases/pri_wxop_tencent_analysis.db-journal

MD5 6f162c024f0a44f5dbf8100d70bf8559
SHA1 368219bc033d09283358aaf1ae869846c5628e80
SHA256 e2f062ebbf52b3d0f5df6b3027ce6d04d62915dd0d77997f40d526cd256de133
SHA512 d53457c1127f5dc0750fde711b8aa1be3018449fc3e4ac33bc093f04064f4013efeae16e5b4a05ac1d8f7a52c63ba99588ac6344f023943772fa11a62343775d

/data/data/com.fanhua.box/databases/pri_wxop_tencent_analysis.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.fanhua.box/databases/pri_wxop_tencent_analysis.db-wal

MD5 2edfb27e0246559f9db8c9cad90578ff
SHA1 936b436d1e9322801dde4a4f7b625f2867d5acbd
SHA256 869e0bafecd6edec3c131b81746d3a0ca4269d4014bb047998d291bc3ef7a933
SHA512 e52593e6503f06eba7b84c9d118828169113a07f17cde995651a9d932c0074d3778fbf26b2f4ad10e3789e86c93a962f21511b864d437c1de55dd6219abecdb9

/data/data/com.fanhua.box/databases/ua.db-wal

MD5 6493d86c180a6ad16c7a15acfa3299bd
SHA1 25e7f7cbf15c0175d7432816437080270f69c39d
SHA256 f21b8b0164b564fc1d93f5934098625cc173238d475df006a3457219d4ebbae5
SHA512 ecbbd351447d6b21e098a00d3f342e2f2147370b90ab3d15daf89192191a2799fe681252fb106b4f9b23f409fc4b4a0b142086ef077d2002798e0f3cc94aa100

/data/data/com.fanhua.box/databases/ua.db

MD5 d3f7559952d53f4c52b27f4d86a090d7
SHA1 a495dfc41fbc99612a718a8297e6783f9dd30f66
SHA256 2f1c810818ac022733338d9815c76861fb33ed87d659fd68e7a2b6585d1d61ce
SHA512 60d885483c634d26d94a5c9431507ea9a2330337c666426b1a4b6d6071ae1056138f94f94a4bfcd9d3260a62b3417387d23d3e0a5b1c37e6e767f77525d7ba9d

/data/data/com.fanhua.box/databases/wxop_tencent_analysis.db-journal

MD5 f4f118867477b5ce544293de9bd9443e
SHA1 199dc043d48c745b8ff9e9334a739b15698abf34
SHA256 a22751f62226298573c3ee355f86b5d60f9e1899bc1cc24f808ae321bd9f590d
SHA512 2e5749e89379f02129cbb9a911e7b254b383f42398d8bc8d5993b234d50a14c85f429d4d3b820384c545d3e8f9dbbbdb8104680b20cf988bf0b4c335961c43f5

/data/data/com.fanhua.box/databases/wxop_tencent_analysis.db-wal

MD5 8812fcead7830b5e62fff6c7675e1eb0
SHA1 58a9120a186c2b7aaf785b1a083a6bb6d851a838
SHA256 78e87f14307f6306e357483d98abb379503a3248800e7acdb5b59f8df661ffd9
SHA512 a4ac2e4540dab5a9d4baface8421ad78e230f28301889e570fed5c281b773cc235a9dd03cdc0eaf4d5ef5f7c735757c3cc87a3fd1a260618b76b9b4b26183bb1

/data/data/com.fanhua.box/files/umeng_it.cache

MD5 894f5a6f5eed55b7e1482bca54b19876
SHA1 8d614af312a73887372541abc1211fec9cb14c43
SHA256 c106d5a3c55f235d80898803329a99cac625a105c0cfdb4329f23ea1e767fbeb
SHA512 5d44df5091645a70886de8afd366c3d5b8afbab7e89ab3e30d5a3064a06b972f026190d4a31239841099a98cc5b0c8f68f9c286a3f363d086fb239b2dea528aa

/data/data/com.fanhua.box/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE3NjI2NDAyNDIz

MD5 c7182c96bbd596898a0c13d08217e602
SHA1 51efc71a38cc191cf5f065d2a01427b0ee471576
SHA256 806e4fbd8fd04ebdcd8b22ff4bb7ba3204c283de4d4254e7ae89f52431df2b54
SHA512 b90b5bf28f07cbd572e6ba9a3a53a3a1ebb5e8a9a8f4356cac3c0544b6032f312f50091321e3440fbb5c264aa7922d7075b0b5312c596d64275a9b098743f180

/data/data/com.fanhua.box/files/.umeng/exchangeIdentity.json

MD5 bb4055cc49f73855a86ef55fa53f342c
SHA1 8fcd965a10baa24d840a55d99555433a638843ea
SHA256 ebc1e2b07046e48902c10cd39a03a9a9d4d8fd55e4f4548c913e8a1e5dd5e82d
SHA512 e12133bd9a70595c303e38fff194fb7a8a55fb7c3691a02d44be2ac3c9da39d80256a184b97f25d5dbc70353b9bf2e58a0e0a23640ccb9d0b6b3a9cae41dc66d

/data/data/com.fanhua.box/files/exid.dat

MD5 06fa1e3149448cdc52031353f84d6f83
SHA1 6a5c3614c64f9dbb667511184b4903cf8cc869b1
SHA256 6b810fc7af4cce078c4bbe16aa33d6668b2ca3861a719f3e649733a448298dac
SHA512 f7f4dcbedcefe02b901921f802f99273c717fe7cbd168f57c0ba420f64f609cda6d07dc5dd991bb63a1ee9462d9dbc90eae9ae12654e09cef4747472c966a0ef

/data/data/com.fanhua.box/files/.envelope/a==7.5.4&&1.0.1_1717626402782_envelope.log

MD5 f4e90cb34a660326a80f89ac6b54bc27
SHA1 581afeb1b535b5c94ac4c06e80960323d0adeffc
SHA256 928a7d76d3980f7d1865bbb148d1194dec906c4d4843f4c07501b64c517e96dd
SHA512 bcf2e18c1e0f3a39d7775321962c51eaef743a64de74aa77b027c0fa034ab7ee67ce70d4fbf4272930aef294a8ef3c735e43091f08408e38c12ca11eb7ca0104

/data/data/com.fanhua.box/files/.envelope/i==1.2.0&&1.0.1_1717626403816_envelope.log

MD5 5c15068333b092d2c48d7126b6afa101
SHA1 f6a428d2287f456036325b607e5bb616004d9d35
SHA256 d88aec57c30e1217f4c9f3b70a796809f8aa13db465b239ed9dec0c4c7657d1c
SHA512 501dbb02e76986d122cfa28f192f8d189f2f9517cf63f3642cd580a77bf04f79187e47ccbf8c417158756800343bd71783213de75b27e0cddb01daa9c8b791e5
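The Files section lists ua.db together with -wal, -shm and -journal sidecars. In SQLite WAL mode, committed rows sit in the -wal file until a checkpoint copies them into the main database, so an acquisition that grabs only ua.db silently drops the most recent activity, which is usually what an analyst is after. The Python example below is an added editorial illustration, not sandbox output: it builds a small WAL-mode database standing in for ua.db (the `events` table and its rows are constructed), copies it with and without its -wal, and counts what each copy contains.

```python
import os
import shutil
import sqlite3
import tempfile


def make_wal_db(path):
    """Build a WAL-mode database standing in for the sample's ua.db.

    The first two rows are checkpointed into the main file; the last three
    are committed but still live only in the -wal sidecar. The table and
    its contents are constructed for this example.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE events(id INTEGER PRIMARY KEY, payload TEXT)")
    con.executemany("INSERT INTO events(payload) VALUES (?)",
                    [("boot",), ("imei_query",)])
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # flush rows 1-2 into the main file
    con.executemany("INSERT INTO events(payload) VALUES (?)",
                    [("wifi_info",), ("cpuinfo",), ("upload",)])
    con.commit()  # durable, but only inside ua.db-wal until the next checkpoint
    return con    # keep it open: closing the last connection checkpoints and removes the WAL


def acquire(src, dst, with_wal):
    """Copy the main database file, optionally with its -wal sidecar.

    The -shm file is a shared-memory index that SQLite rebuilds from the
    WAL, so it is not needed for the copy to be complete.
    """
    shutil.copyfile(src, dst)
    if with_wal and os.path.exists(src + "-wal"):
        shutil.copyfile(src + "-wal", dst + "-wal")


def count_rows(path):
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    finally:
        con.close()


def demo():
    """Row counts seen in the live DB, a main-file-only copy, and a copy with its WAL."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "ua.db")
    writer = make_wal_db(live)
    try:
        acquire(live, os.path.join(work, "main_only.db"), with_wal=False)
        acquire(live, os.path.join(work, "with_wal.db"), with_wal=True)
        return {
            "live": count_rows(live),
            "main_only": count_rows(os.path.join(work, "main_only.db")),
            "with_wal": count_rows(os.path.join(work, "with_wal.db")),
        }
    finally:
        writer.close()
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, n in demo().items():
        print(f"{label:10} {n} rows")
```

The main-file-only copy reports two rows while the live database and the copy taken with its -wal both report five: the three most recent commits exist nowhere but in the WAL. When pulling databases such as ua.db or wxop_tencent_analysis.db from a device or sandbox image, collect the -wal alongside the main file and never open the original in a way that triggers a checkpoint. A -journal file is the rollback-mode counterpart: it holds pre-images rather than new data, and SQLite uses a hot journal to roll back an interrupted transaction on open, so keep it with its database as well.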