Malware Analysis Report

2025-01-19 08:08

Sample ID 240605-2bvq6aaf91
Target 9965ed6d3672dc8dad7f01c3492e21aa_JaffaCakes118
SHA256 d0a69a45878cf31fdda312cd816c81254f121bf9796518f3a3c0035fbf59c6b0
Tags
discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d0a69a45878cf31fdda312cd816c81254f121bf9796518f3a3c0035fbf59c6b0

Threat Level: Shows suspicious behavior

The file 9965ed6d3672dc8dad7f01c3492e21aa_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Queries information about running processes on the device

Acquires the wake lock

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 22:25

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 22:24

Reported

2024-06-05 22:28

Platform

android-x86-arm-20240603-en

Max time kernel

174s

Max time network

181s

Command Line

com.qkbb.admin.kuibu

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.qkbb.admin.kuibu

chmod 700 /data/user/0/com.qkbb.admin.kuibu/app_bin/daemon

com.qkbb.admin.kuibu:ipc

sh -c ps 4261

io.rong.push

ps 4261

sh -c ps 4313

sh -c ps 4332

com.qkbb.admin.kuibu:JPush

ps 4313

ps 4332

sh -c ps 4429

ps 4429

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stats.cn.ronghub.com udp
GB 8.208.8.123:443 stats.cn.ronghub.com tcp
US 1.1.1.1:53 app.keeboo.cn udp
US 1.1.1.1:53 api.tusdk.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 121.199.36.108:80 app.keeboo.cn tcp
CN 115.239.209.89:443 api.tusdk.com tcp
CN 121.199.36.108:80 app.keeboo.cn tcp
US 1.1.1.1:53 nav.cn.ronghub.com udp
CN 121.199.36.108:80 app.keeboo.cn tcp
CN 115.239.209.89:443 api.tusdk.com tcp
CN 121.199.36.108:80 app.keeboo.cn tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 115.239.209.89:443 api.tusdk.com tcp
CN 116.205.165.66:19000 s.jpush.cn udp
GB 8.208.102.120:80 nav.cn.ronghub.com tcp
US 1.1.1.1:53 sis.jpush.io udp
CN 120.46.131.222:19000 sis.jpush.io udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 115.239.209.90:443 api.tusdk.com tcp
CN 115.239.209.90:443 api.tusdk.com tcp
CN 115.239.209.90:443 api.tusdk.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 115.239.209.92:443 api.tusdk.com tcp
CN 113.31.17.108:19000 udp
CN 115.239.209.92:443 api.tusdk.com tcp
CN 115.239.209.92:443 api.tusdk.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
CN 113.31.17.106:7000 tcp
US 1.1.1.1:53 im64.jpush.cn udp
CN 1.94.2.18:3000 im64.jpush.cn tcp
CN 116.205.165.66:19000 easytomessage.com udp
US 1.1.1.1:53 sis.jpush.io udp
CN 116.205.165.66:19000 sis.jpush.io udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 113.31.17.108:19000 udp
CN 113.31.17.106:7000 tcp
CN 1.94.2.18:3000 im64.jpush.cn tcp
CN 116.205.165.66:19000 sis.jpush.io udp
CN 116.205.165.66:19000 sis.jpush.io udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 113.31.17.108:19000 udp
CN 113.31.17.106:7000 tcp
CN 1.94.2.18:3000 im64.jpush.cn tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 116.205.165.66:19000 s.jpush.cn udp
CN 116.205.165.66:19000 s.jpush.cn udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 113.31.17.108:19000 udp
CN 113.31.17.106:7000 tcp
CN 1.94.2.18:3000 im64.jpush.cn tcp
CN 116.205.165.66:19000 s.jpush.cn udp
US 1.1.1.1:53 sis.jpush.io udp
CN 123.60.92.210:19000 sis.jpush.io udp
CN 123.60.89.60:19000 easytomessage.com udp

Files

/data/data/com.qkbb.admin.kuibu/app_bin/daemon

MD5 be3471a0476c68567970e4d1f5f862be
SHA1 6d8d64a2a803236c9387906698aefbb463367830
SHA256 a25844258bfafe808757993ccd258f01df5bebd7a0899983238c49572eb50137
SHA512 b67f2a36112a6c1b89f25f9b3f3701dfcc230f9d3fdf3b77158d0bf5bd51e41aeb1d4301c8a908f08829deb965cef514c62d6a3af0d4de0025c1000a7afb5aaf

/storage/emulated/0/com.qkbb.admin.kuibu/cache/image/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/storage/emulated/0/TuSDK/global.keystore

MD5 b069696ca38b3506a7c0969470bbee03
SHA1 c5c6917fbe914aa992b740b2e9ee20c54be871dd
SHA256 b8a49b3c83baffd42a0db7e3819c1d553a24bcb5371359f581f2541a3d96aa01
SHA512 3ab9d8827d212bc0521ed709e357455177bc350ce722980644bfe6ef9b7f18fd0c12e2a63851480c84298b7ac4f8de9b1c61c2fa4879287d1b1bf2617497bb6c

/storage/emulated/0/keeboo/deviceid

MD5 748d9beeaa1899252a7365b780b95fb0
SHA1 2158cbe9044f2b138df0094615afe6616e526c9d
SHA256 59290d2d5a77605f8140feb82e44e8438115fb2f93dc56ed4c225b88c21baaa8
SHA512 cdeb0c4cebf1cc96ebda6940763a940df76120ee991bc7f003480caf055a970f16e4a19ef2ba2c56fa056d539b981e16542ec7239a7b91dd3828585bc2d1e440