Analysis Overview
SHA256
d0a69a45878cf31fdda312cd816c81254f121bf9796518f3a3c0035fbf59c6b0
Threat Level: Shows suspicious behavior
The file 9965ed6d3672dc8dad7f01c3492e21aa_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Queries information about running processes on the device
Acquires the wake lock
Queries information about active data network
Queries information about the current Wi-Fi connection
Reads information about phone network operator
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Analysis: static1
Detonation Overview
Reported
2024-06-05 22:25
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 22:24
Reported
2024-06-05 22:28
Platform
android-x86-arm-20240603-en
Max time kernel
174s
Max time network
181s
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.qkbb.admin.kuibu
chmod 700 /data/user/0/com.qkbb.admin.kuibu/app_bin/daemon
com.qkbb.admin.kuibu:ipc
sh -c ps 4261
io.rong.push
ps 4261
sh -c ps 4313
sh -c ps 4332
com.qkbb.admin.kuibu:JPush
ps 4313
ps 4332
sh -c ps 4429
ps 4429
Network
Files
/data/data/com.qkbb.admin.kuibu/app_bin/daemon
/storage/emulated/0/com.qkbb.admin.kuibu/cache/image/journal.tmp
/storage/emulated/0/TuSDK/global.keystore
/storage/emulated/0/keeboo/deviceid