Malware Analysis Report

2025-01-19 08:09

Sample ID: 240605-2gcsjaah3z
Target: 996a6253442f8fb3db2abcb7cf567c73_JaffaCakes118
SHA256: 6354fc91a202d813556857e8b301c8a72b586be86b11f20f3960c0bdb273abbe
Tags: discovery evasion impact persistence
Score: 8/10


Analysis Overview

Score: 8/10
SHA256: 6354fc91a202d813556857e8b301c8a72b586be86b11f20f3960c0bdb273abbe
Threat Level: Likely malicious

The file 996a6253442f8fb3db2abcb7cf567c73_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15): matrix view not captured in this text export.

Analysis: static1

Detonation Overview

Reported: 2024-06-05 22:32

Signatures

Requests dangerous framework permissions

Permission                                    Description
android.permission.ACCESS_COARSE_LOCATION     Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION       Allows an app to access precise location.
android.permission.READ_PHONE_STATE           Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE     Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE      Allows an application to read from external storage.
android.permission.SYSTEM_ALERT_WINDOW        Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.RECORD_AUDIO               Allows an application to record audio.
android.permission.CAMERA                     Required to be able to access the camera device.
android.permission.GET_ACCOUNTS               Allows access to the list of accounts in the Accounts Service.
android.permission.READ_CONTACTS              Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS             Allows an application to write the user's contacts data.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-05 22:32
Reported: 2024-06-05 22:36
Platform: android-x86-arm-20240603-en
Max time kernel: 49s
Max time network: 131s

Command Line

com.yuetun.moshengren

Signatures

Checks if the Android device is rooted.

evasion
Indicators (su paths probed):
/data/local/bin/su
/data/local/xbin/su
/sbin/su
/data/local/su

Loads dropped Dex/Jar

evasion
Indicators (DEX files loaded from the app's private data directory):
/data/data/com.yuetun.moshengren/.jiagu/classes.dex
/data/data/com.yuetun.moshengren/.jiagu/classes.dex!classes2.dex

Queries information about running processes on the device

discovery
Indicator: Framework service call android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Indicator: s.appjiagu.com

Queries information about active data network

discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator: Framework API call javax.crypto.Cipher.doFinal

Checks CPU information

Indicator: File opened for read /proc/cpuinfo

Checks memory information

Indicator: File opened for read /proc/meminfo
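The following script is an added example by the editor, not sandbox code, and the sandbox's own scoring logic is not known. It replays the static1 permission table and the behavioral1 signature indicators above through a small rule set to show how an analyst would weigh them: the su-path probes are a root check; the `.jiagu/classes.dex` loads and the `libjiagu.so` drop are artifacts of the 360 Jiagu packer stub unpacking the real application at runtime, and `s.appjiagu.com` is the service domain that stub contacts, so the stalkerware-list hit is a shared-infrastructure indicator rather than evidence of stalkerware on its own; a single `Cipher.doFinal` call is likewise consistent with payload decryption and is not treated as encryption of user data. The event tuples and the permission list are copied from the report; the rule names, the tags assigned, the capability grouping and the Jiagu heuristic are this example's assumptions.

```python
"""Replay the report's static and behavioral indicators through explicit rules.

Editor's example, not sandbox output.  Events and permissions below are copied
from the report's tables; the rules, tags and packer heuristic are assumptions.
"""
import re
from collections import defaultdict

# Well-known su locations probed by root-detection code.  The first five are the
# paths the report lists; the remaining ones are common extras (assumed list).
SU_PATHS = {
    "/data/local/bin/su", "/data/local/xbin/su", "/sbin/su",
    "/system/bin/su", "/data/local/su",
    "/system/xbin/su", "/su/bin/su", "/system/sbin/su",
}

# Files written by the 360 Jiagu packer stub when it decrypts and loads the real DEX.
JIAGU_PATH_RE = re.compile(
    r"/\.jiagu/(?:classes\d*\.dex|libjiagu\w*\.so)|/\.jiagu\.lock$|/storage/emulated/0/360/"
)
JIAGU_DOMAINS = {"s.appjiagu.com"}  # packer service domain (assumed mapping)

DISCOVERY_CALLS = {
    "android.app.IActivityManager.getRunningAppProcesses": "enumerates running processes",
    "android.net.IConnectivityManager.getActiveNetworkInfo": "reads active data network",
    "android.net.wifi.IWifiManager.getConnectionInfo": "reads current Wi-Fi connection",
}

# Editor's grouping: which requested permission opens which surveillance channel.
SURVEILLANCE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Copied from the static1 "Requests dangerous framework permissions" table.
REPORT_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
}

# (kind, value) pairs constructed from the behavioral1 signature indicators.
REPORT_EVENTS = [
    ("file_open", "/data/local/bin/su"), ("file_open", "/data/local/xbin/su"),
    ("file_open", "/sbin/su"), ("file_open", "/data/local/su"),
    ("dex_load", "/data/data/com.yuetun.moshengren/.jiagu/classes.dex"),
    ("dex_load", "/data/data/com.yuetun.moshengren/.jiagu/classes.dex!classes2.dex"),
    ("framework_call", "android.app.IActivityManager.getRunningAppProcesses"),
    ("dns", "s.appjiagu.com"),
    ("framework_call", "android.net.IConnectivityManager.getActiveNetworkInfo"),
    ("framework_call", "android.net.wifi.IWifiManager.getConnectionInfo"),
    ("framework_call", "android.app.IActivityManager.registerReceiver"),
    ("api_call", "javax.crypto.Cipher.doFinal"),
    ("file_open", "/proc/cpuinfo"), ("file_open", "/proc/meminfo"),
]


def triage(events):
    """Map (kind, value) events to {tag: [explanation, ...]}."""
    findings = defaultdict(list)
    for kind, value in events:
        if kind == "file_open":
            if value in SU_PATHS:
                findings["evasion"].append(f"root check: opened {value}")
            elif value in ("/proc/cpuinfo", "/proc/meminfo"):
                findings["discovery"].append(f"hardware fingerprint: read {value}")
        elif kind == "dex_load":
            if JIAGU_PATH_RE.search(value):
                findings["packer"].append(f"Jiagu runtime-unpacked DEX: {value}")
            else:
                findings["evasion"].append(f"dynamic code load: {value}")
        elif kind == "framework_call":
            if value in DISCOVERY_CALLS:
                findings["discovery"].append(f"{DISCOVERY_CALLS[value]} ({value})")
            elif value.endswith(".registerReceiver"):
                findings["persistence"].append("BroadcastReceiver registered at runtime")
        elif kind == "api_call" and value == "javax.crypto.Cipher.doFinal":
            # A packer decrypting its payload hits this too, so it is recorded as
            # plain crypto use, not as "impact" on user data.
            findings["crypto"].append("javax.crypto.Cipher.doFinal called")
        elif kind == "dns" and value in JIAGU_DOMAINS:
            findings["packer"].append(f"packer service domain resolved: {value}")
    return dict(findings)


def surveillance_channels(permissions):
    """Channels the granted permission set could feed (any permission in a group suffices)."""
    return sorted(ch for ch, perms in SURVEILLANCE.items() if perms & set(permissions))


def summarize(events, permissions):
    f = triage(events)
    return {
        "packed_with_jiagu": any(x.startswith("Jiagu") for x in f.get("packer", [])),
        "root_check": any(x.startswith("root check") for x in f.get("evasion", [])),
        "surveillance_channels": surveillance_channels(permissions),
        "tags": sorted(k for k in f if k in ("discovery", "evasion", "persistence")),
    }


if __name__ == "__main__":
    for tag, hits in triage(REPORT_EVENTS).items():
        print(tag, hits)
    print(summarize(REPORT_EVENTS, REPORT_PERMISSIONS))
```

Run against the report's own indicators this yields four root-check hits, three packer indicators, a runtime-registered receiver, and the channels location, microphone, camera, contacts and overlay; SMS and call-log access, which a typical stalkerware manifest also requests, are absent from this sample's permission set.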

Processes

com.yuetun.moshengren

sh -c ps

ps

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      -                                   udp
GB       172.217.169.10:443    -                                   tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53            api.map.baidu.com                   udp
HK       103.235.46.245:443    api.map.baidu.com                   tcp
GB       142.250.178.14:443    -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       216.58.212.206:443    android.apis.google.com             tcp
US       1.1.1.1:53            s.appjiagu.com                      udp
US       104.192.110.60:80     s.appjiagu.com                      tcp
(- = no domain attributed to the flow)

Files

/data/data/com.yuetun.moshengren/.jiagu/libjiagu.so

MD5 50750315eef281575611bc425174b939
SHA1 acaff02526d7b4c257e00002ed09af364f66a401
SHA256 c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef
SHA512 60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

/data/data/com.yuetun.moshengren/.jiagu/classes.dex

MD5 2542032009300cb92c31022dcedd7674
SHA1 0e96781c2753e5047bf54ed373d90894c46db238
SHA256 a1b4121f8208b86d4d4fff45c4755bae1a95a4fec1aa01ebc08a81edb9145317
SHA512 c95fe0c52c09da0072cb4c8c716d0cfc45965b04aea60dd7421ffc82a253596b44d0e06236495c218d57772935918842713b5a5068aa611365c241fb12df204b

/data/data/com.yuetun.moshengren/.jiagu/classes.dex!classes2.dex

MD5 9f44d7cb3ec04c887cd975cda32727b3
SHA1 fa90c187a52b0bb371e08b59a1072d0371680842
SHA256 28d4783830ca24e264737cd42cd64f44ddce14c2fce2f16fcaf7ea7bd20c89b1
SHA512 d5b8511e8a61386aeeb74c2bf45b5134924973f96293deff92907f3f31ce291b9545861338bf35a5fbe41b458201c8278532ff3a8f0ad202c28af4f7b2a3b846

/data/data/com.yuetun.moshengren/files/.jglogs/.jg.ri

MD5 033515b0e580b30722c3532940ee76a6
SHA1 f810ef7e21e4f5e40e7311147abea9443fb68db5
SHA256 81cd3ceb1b75f41b1a5439fc854b7750f06fba316faa592f7828473e7924e2e3
SHA512 517077b28d951ce3e5118f14f9b1236493019020a53944d7e057dee4068834d4aa3150f93986c3e5b7fc1d13a5f4dfea10aca0bc9c5b82bfd39ffc065dcdb313

/data/data/com.yuetun.moshengren/files/.jiagu.lock

MD5 a836b6e865d5bea9b811e1ea3b77c5c5
SHA1 3774b3379ea5aa1488d3bbd218963aa78a905007
SHA256 865d82ba5fdd11300574528ece438c4307b098b708a07f760f04787cbd4cd5a3
SHA512 1e7c081aabf9522445515ad768d9388e6d8ca118ac4f2cc8319976622443fbcc5b98d5c89c462e19c8713234e5ae9cedb0bf771e9e1bec773777bb42d3b5558f

/data/data/com.yuetun.moshengren/files/.jglogs/.jg.rd

MD5 9f9659540daea381a383dd39d63cef88
SHA1 34112c5950a041c7f2f12b2bed2e61425d56a691
SHA256 55d3c3929aafd867795eeaa4942ddbd75d011b65b01a306c9f0c1aeced1cd5ef
SHA512 9e5f9381747cd7f219749e1a8d159345f35cccf3b393ba0b2d67aa5ff10702fc8e6133f15f2cedf94f41f91b3a5373ded28065de9dea93cfe193c138d7aebd4b

/data/data/com.yuetun.moshengren/files/.jglogs/.jg.ac

MD5 23e6f44af02461dfb17e346550de3e86
SHA1 1283e59caefb320110ad1b6c6fc917f347234361
SHA256 42632812f59cd566f44d00d8849a348cc0e5290dcec7efdd9d96c5c10fe0fefd
SHA512 fdcece7277a1a470e6a7f9e41e1a47763428eace132ab9cb874dc1d189dec374ac9e1074829af1a9a3ddde6f28b6f6bff45caf8afbfdc94edc6986b24779e794

/data/data/com.yuetun.moshengren/files/.jglogs/.jg.ic

MD5 fd9f3ce29d40ced866fdd765d395e49c
SHA1 327e2d23e3b30504a5a02a8637745b4adbee9a7b
SHA256 13f793466bd3b8104ce3b4f2e23b5b0bd4304fa8df6f3e1de99393da570db975
SHA512 08d1c394acf0815bfbd5cb64c448ab5d11bd026ca53f45ef53dcdb201ee2b72e7528c8d5a3d887e364babc6e71ca64afb868e8a2ba3288d5e2d02ad1efd6de02

/data/data/com.yuetun.moshengren/files/.jglogs/.jg.di

MD5 1922fe44c9d406c48309c8d7ff48e6e0
SHA1 9e6f92aa48a788cf753e570e6addbdcebb191e5a
SHA256 5ba133e76fb06d95cfdb6fca9d560a272e382a55d901e329d65aa04addc2cb13
SHA512 23cfa13b7b5c1b27b88e1cf48270365ed502752c68a1d7cee517f472585f50c8beafe26c0aff25d529e72c6eebb5e7078354d77c9b1e4c7d6f123a00362cb6b4

/storage/emulated/0/360/.iddata

MD5 1cb60dd25c18607f9e9fd660fbe60308
SHA1 1339addb3585c456d1c9125621afe1c306b49df6
SHA256 1bbbe50dc6c922b454eba064e4960d6167db9e72459e890da3d29f5850910537
SHA512 471394e9e64357323a55c9a90dea9683c4b8d6fecfeadf0a27d8514b3dd927004e867244e6087beae1a805c037225380a1f6a18757ff68337df11eb1e70c31a6

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.yuetun.moshengren/files/libcuid.so

MD5 aa2cd7cabc19c483daa74a79a284f913
SHA1 0aed029f1bab4d67110dc7e3be29f0433136e3d2
SHA256 0af339af66b877b8db8556a07ccd979d475eb1999890a72ebb9d1bcf3739b8fc
SHA512 41ba94fe4af5acf7e81fe36d8b03cc4c422c80c5bb692094957aa3f25013718202a95b66ac5a18be78f43f2f6388b678c607ef8453a2b317e45803c3bf3c01a9

/data/data/com.yuetun.moshengren/files/.jglogs/.jg.di

MD5 00886678a714410e07b09bf1ff1e3149
SHA1 9936ee64bae609e16622a7d2bf58dda3f5ea64ce
SHA256 ce8d5eb552ba896e1ffa12118643e215f3404dfac6b2f78e1b6a8a2fcc709592
SHA512 8f12abcb2a0be5e06f966b4e8a5ed3cb7fbc06be816da2337871e2927629b36661c1d70e8aa089d559efbda25ac1051d63798bf29191c0b573e8dbd3085e4bfd

/data/data/com.yuetun.moshengren/files/.jglogs/.jg.ac

MD5 50d22a696397808de1f6fc1c4bc87d78
SHA1 816627117e555d6d54df9653f91d1765441d29ee
SHA256 9e3613a8d19df89aacf0d673ff4b1ebe1c1b94e04128fbcc662a3061881f28d7
SHA512 1fc68ba4dc15bb131b8c2869fbc5434eaa529f05bfa4acd30bcb5d0410673f0b342d7a1c48c8d5fcd563bf2fa86bb56e3df0d04200cd374b567a00b96e3d251f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-05 22:32
Reported: 2024-06-05 22:36
Platform: android-x64-arm64-20240603-en
Max time kernel: 58s
Max time network: 139s

Command Line

com.yuetun.moshengren

Signatures

Checks if the Android device is rooted.

evasion
Indicators (su paths probed):
/data/local/bin/su
/data/local/xbin/su
/sbin/su
/system/bin/su
/data/local/su

Loads dropped Dex/Jar

evasion
Indicators (DEX files loaded from the app's private data directory):
/data/user/0/com.yuetun.moshengren/[email protected]
/data/user/0/com.yuetun.moshengren/[email protected]!classes2.dex

Queries information about running processes on the device

discovery
Indicator: Framework service call android.app.IActivityManager.getRunningAppProcesses

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Indicator: s.appjiagu.com

Queries information about active data network

discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getConnectionInfo

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator: Framework API call javax.crypto.Cipher.doFinal

Checks CPU information

Indicator: File opened for read /proc/cpuinfo

Checks memory information

Indicator: File opened for read /proc/meminfo

Processes

com.yuetun.moshengren

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      -                          udp
GB       142.250.179.238:443   -                          tcp
GB       142.250.179.238:443   -                          tcp
GB       216.58.212.234:443    -                          tcp
GB       216.58.212.234:443    -                          tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.179.232:443   ssl.google-analytics.com   tcp
US       1.1.1.1:53            api.map.baidu.com          udp
HK       103.235.46.245:443    api.map.baidu.com          tcp
US       1.1.1.1:53            s.appjiagu.com             udp
US       104.192.110.60:80     s.appjiagu.com             tcp
GB       142.250.179.228:443   -                          tcp
GB       142.250.179.228:443   -                          tcp
(- = no domain attributed to the flow)
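The script below is an added example by the editor, not sandbox output. It parses the flattened Network tables of behavioral1 and behavioral2 into structured records and reduces them to indicators worth keeping: resolver rows (destination 1.1.1.1:53) are recorded as DNS queries rather than as contacted hosts, the mDNS row (224.0.0.251:5353) is dropped as local noise, hosts seen in both runs are separated from one-off traffic, and the cleartext HTTP flow to s.appjiagu.com is called out. The unattributed TLS destinations fall in Google address space and most likely belong to the emulator image's own Play services traffic; that attribution, and the resolver and mDNS assumptions, are this example's, not the report's. The row text is copied from the two tables.

```python
"""Parse the report's Network tables into a de-duplicated IOC set.

Editor's example, not sandbox output.  Rows are copied from the report;
the resolver / mDNS interpretation is an assumption.
"""
import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>[A-Za-z0-9.-]+)\s+)?(?P<proto>tcp|udp)$"
)
RESOLVER = ("1.1.1.1", 53)     # sandbox DNS resolver (assumed)
MDNS = ("224.0.0.251", 5353)   # link-local multicast DNS, not a remote contact

# Constructed copies of the behavioral1 and behavioral2 Network tables.
BEHAVIORAL1 = """\
N/A 224.0.0.251:5353 udp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.map.baidu.com udp
HK 103.235.46.245:443 api.map.baidu.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
"""
BEHAVIORAL2 = """\
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
GB 216.58.212.234:443 tcp
GB 216.58.212.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.map.baidu.com udp
HK 103.235.46.245:443 api.map.baidu.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    proto: str
    domain: str  # "" when the sandbox attributed no lookup to the flow


def parse_rows(table):
    """Parse one flattened table; raise on any row the regex does not understand."""
    conns = []
    for line in table.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed network row: {line!r}")
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["proto"], m["domain"] or ""))
    return conns


def split_iocs(conns):
    """Separate resolver queries and mDNS noise from genuine remote contacts."""
    dns, hosts = set(), set()
    for c in conns:
        if (c.ip, c.port) == RESOLVER:
            dns.add(c.domain)
        elif (c.ip, c.port) == MDNS:
            continue
        else:
            hosts.add((c.ip, c.port, c.proto, c.domain))
    return dns, hosts


def common_iocs(*tables):
    """Domains and hosts present in every run: the stable indicators."""
    runs = [split_iocs(parse_rows(t)) for t in tables]
    return (set.intersection(*(d for d, _ in runs)),
            set.intersection(*(h for _, h in runs)))


def cleartext_hosts(conns):
    """Plain-HTTP destinations (port 80/tcp), where the content is inspectable on the wire."""
    return sorted({(c.ip, c.domain) for c in conns if c.proto == "tcp" and c.port == 80})


def unattributed_hosts(conns):
    """Remote contacts with no matching lookup; in this report they sit in Google ranges."""
    _, hosts = split_iocs(conns)
    return sorted({ip for ip, _port, _proto, dom in hosts if not dom})


if __name__ == "__main__":
    dns, hosts = common_iocs(BEHAVIORAL1, BEHAVIORAL2)
    print("domains in both runs:", sorted(dns))
    print("hosts in both runs:", sorted(hosts))
    print("cleartext:", cleartext_hosts(parse_rows(BEHAVIORAL1)))
```

Across the two runs only api.map.baidu.com (103.235.46.245:443) and s.appjiagu.com (104.192.110.60:80) recur; the remaining flows differ per run and should not be promoted to blocklist entries without further attribution.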

Files

/data/user/0/com.yuetun.moshengren/.jiagu/libjiagu.so

MD5 50750315eef281575611bc425174b939
SHA1 acaff02526d7b4c257e00002ed09af364f66a401
SHA256 c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef
SHA512 60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

/data/user/0/com.yuetun.moshengren/[email protected]

MD5 2542032009300cb92c31022dcedd7674
SHA1 0e96781c2753e5047bf54ed373d90894c46db238
SHA256 a1b4121f8208b86d4d4fff45c4755bae1a95a4fec1aa01ebc08a81edb9145317
SHA512 c95fe0c52c09da0072cb4c8c716d0cfc45965b04aea60dd7421ffc82a253596b44d0e06236495c218d57772935918842713b5a5068aa611365c241fb12df204b

/data/user/0/com.yuetun.moshengren/[email protected]!classes2.dex

MD5 9f44d7cb3ec04c887cd975cda32727b3
SHA1 fa90c187a52b0bb371e08b59a1072d0371680842
SHA256 28d4783830ca24e264737cd42cd64f44ddce14c2fce2f16fcaf7ea7bd20c89b1
SHA512 d5b8511e8a61386aeeb74c2bf45b5134924973f96293deff92907f3f31ce291b9545861338bf35a5fbe41b458201c8278532ff3a8f0ad202c28af4f7b2a3b846

/data/user/0/com.yuetun.moshengren/files/.jglogs/.jg.ri

MD5 83e2d3bd255edbe18cfdb5a8e1273057
SHA1 55a3e7917f2dd4c7962f991c97fb102e02a5d7af
SHA256 337324e4409eccab9644e640fa9f621e7f828395884a3cb9effc548b23589ee9
SHA512 a65319b27a6b3ea2c5ae0ae556aceaf5d2680e094f4dc1b0d108e1b3f7a4554c92629fdd30df4bbc8fb049c16f56e2da30f925d343dd41d8f39f9a8c1587d902

/data/user/0/com.yuetun.moshengren/files/.jiagu.lock

MD5 08cfe6eb716b39b86666022d23e1e575
SHA1 9bbe0c2bd36e79947d08fce07e754f8cb428bc5f
SHA256 88f051bc6152ca484570a12b8251a84bc257499adb2c97e3efa4d670d2ff774a
SHA512 facac71608fcd9a7c723c9d26f55cb91a411921fc6dce8418d6ea9226b86907fe279e75376abbbcd7bea27301bc7519609c155f61e6e186c8c066df24d4799dc

/data/user/0/com.yuetun.moshengren/files/.jglogs/.jg.rd

MD5 3f15e6c83d54046cb14cf066ab469519
SHA1 ec4c2791cc30b6b41bf22639bc48543af8adb74f
SHA256 64131bc21af8a045ee13e2892b8ff929efe4a5233bf156dc78831af076be2845
SHA512 1fbe0dc6bb1b381ea6e3c9e585e6d9eda20aa375217fa5c9363552d4a5f7c15cf26b48a028b09115dc65a40db69091ec9056b520e4da68a3c074928097070e5e

/data/user/0/com.yuetun.moshengren/files/.jglogs/.jg.ac

MD5 23e6f44af02461dfb17e346550de3e86
SHA1 1283e59caefb320110ad1b6c6fc917f347234361
SHA256 42632812f59cd566f44d00d8849a348cc0e5290dcec7efdd9d96c5c10fe0fefd
SHA512 fdcece7277a1a470e6a7f9e41e1a47763428eace132ab9cb874dc1d189dec374ac9e1074829af1a9a3ddde6f28b6f6bff45caf8afbfdc94edc6986b24779e794

/data/user/0/com.yuetun.moshengren/files/.jglogs/.jg.ic

MD5 fd9f3ce29d40ced866fdd765d395e49c
SHA1 327e2d23e3b30504a5a02a8637745b4adbee9a7b
SHA256 13f793466bd3b8104ce3b4f2e23b5b0bd4304fa8df6f3e1de99393da570db975
SHA512 08d1c394acf0815bfbd5cb64c448ab5d11bd026ca53f45ef53dcdb201ee2b72e7528c8d5a3d887e364babc6e71ca64afb868e8a2ba3288d5e2d02ad1efd6de02

/data/user/0/com.yuetun.moshengren/files/.jglogs/.jg.di

MD5 028c608e9d54585366cc36de293a9d6c
SHA1 5558a053bb8c003c26aea82eca9e3e95e1b1d492
SHA256 b7fafe366101833c737e36fa1ae26f96e7b1653ae77c7edd566b03bf53e9b53f
SHA512 92640f1476117e8d0206ff43108bf737c0ee62d403dbca77ee44c3f14fa057611384f3430021b5426b00e519c6fd8c71ecfcca53be220843fc9a3dfc9dbb62f2

/storage/emulated/0/360/.iddata

MD5 cd5aacf830cc85a68a8343a950976764
SHA1 186e046cfe00cf76ae5f2305f4e114ab0bdc8f63
SHA256 0c920c3bebb33d85e4f963b76de3536473dd1fca73337449b9a36917b20836c6
SHA512 7368c21e2c2a076e09591f5c6030a9c1875b8d7a321491a4ad438a1b21aa681e885e330d80f504b1b154d735c92c21df25b8174b2c57930ecf73bfe7d20d5358

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399

/data/user/0/com.yuetun.moshengren/files/libcuid.so

MD5 0157263432000df53e04d7c88abb9662
SHA1 3b2678c28636afaa7ee205b90b157e15b1404daa
SHA256 a8b0e9713eb57eb38d0bf94d6e31ac9d9dc575b798fa81825ceaaee5e15ee397
SHA512 3a87bef68caaf1abb5a85445f0ef334cdbdd5c0431352dbd24944280ba9155cb93422b6114095545b6e05c396ae81fefdc83ed97b21ea6c1752685e6fdb6c819

/data/user/0/com.yuetun.moshengren/files/.jglogs/.jg.di

MD5 0a141f3f4db52ea8c0bc10b1f2b5c62f
SHA1 8ffa7e18694ca675fc7ccbcf53502d3fb9c213d5
SHA256 e8ba18aefbcbb8bb8d449b0e98f3066ee0aa669c5f22826a1567116b9323fc0f
SHA512 e5a1ec4b1b6d09e035956477d9e65fbbfd2381a2263444432daa57823ca466e8991c3ab3faa5dbedef9a33b16f1d86a9f94447ce736dafee40d91db45c982c38

/data/user/0/com.yuetun.moshengren/files/.jglogs/.jg.ac

MD5 50d22a696397808de1f6fc1c4bc87d78
SHA1 816627117e555d6d54df9653f91d1765441d29ee
SHA256 9e3613a8d19df89aacf0d673ff4b1ebe1c1b94e04128fbcc662a3061881f28d7
SHA512 1fc68ba4dc15bb131b8c2869fbc5434eaa529f05bfa4acd30bcb5d0410673f0b342d7a1c48c8d5fcd563bf2fa86bb56e3df0d04200cd374b567a00b96e3d251f
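The two Files sections above come from detonations on different images (android-x86-arm and android-x64-arm64), which makes a cross-run comparison useful for deciding which dropped-file hashes are worth pivoting on. The script below is an added example by the editor, not sandbox output: it indexes each run's files by MD5, keeps the hashes that recur in both runs, and drops those whose paths look like per-run state (.jg.* logs, .jiagu.lock, .iddata, .deviceId). Hashes that differ per run, including libcuid.so, may simply reflect the different ABI of the two images rather than polymorphism, so they are reported but not promoted. Path/MD5 pairs are copied from the report (one behavioral2 path is reproduced in the obfuscated form the report prints); the category rules are this example's assumption.

```python
"""Cross-run comparison of the dropped files listed for behavioral1 and behavioral2.

Editor's example, not sandbox output.  Path/MD5 pairs are copied from the
report's Files sections; the category rules are assumptions.
"""
from collections import defaultdict

APP1 = "/data/data/com.yuetun.moshengren"
APP2 = "/data/user/0/com.yuetun.moshengren"

RUN1 = [  # behavioral1 (android-x86-arm image)
    (APP1 + "/.jiagu/libjiagu.so", "50750315eef281575611bc425174b939"),
    (APP1 + "/.jiagu/classes.dex", "2542032009300cb92c31022dcedd7674"),
    (APP1 + "/.jiagu/classes.dex!classes2.dex", "9f44d7cb3ec04c887cd975cda32727b3"),
    (APP1 + "/files/.jglogs/.jg.ri", "033515b0e580b30722c3532940ee76a6"),
    (APP1 + "/files/.jiagu.lock", "a836b6e865d5bea9b811e1ea3b77c5c5"),
    (APP1 + "/files/.jglogs/.jg.rd", "9f9659540daea381a383dd39d63cef88"),
    (APP1 + "/files/.jglogs/.jg.ac", "23e6f44af02461dfb17e346550de3e86"),
    (APP1 + "/files/.jglogs/.jg.ic", "fd9f3ce29d40ced866fdd765d395e49c"),
    (APP1 + "/files/.jglogs/.jg.di", "1922fe44c9d406c48309c8d7ff48e6e0"),
    ("/storage/emulated/0/360/.iddata", "1cb60dd25c18607f9e9fd660fbe60308"),
    ("/storage/emulated/0/360/.deviceId", "1d8d16c4e3b19ebf18988530d9b9a757"),
    (APP1 + "/files/libcuid.so", "aa2cd7cabc19c483daa74a79a284f913"),
    (APP1 + "/files/.jglogs/.jg.di", "00886678a714410e07b09bf1ff1e3149"),
    (APP1 + "/files/.jglogs/.jg.ac", "50d22a696397808de1f6fc1c4bc87d78"),
]
RUN2 = [  # behavioral2 (android-x64-arm64 image)
    (APP2 + "/.jiagu/libjiagu.so", "50750315eef281575611bc425174b939"),
    (APP2 + "/[email protected]", "2542032009300cb92c31022dcedd7674"),  # path as printed
    (APP2 + "/[email protected]!classes2.dex", "9f44d7cb3ec04c887cd975cda32727b3"),  # path as printed
    (APP2 + "/files/.jglogs/.jg.ri", "83e2d3bd255edbe18cfdb5a8e1273057"),
    (APP2 + "/files/.jiagu.lock", "08cfe6eb716b39b86666022d23e1e575"),
    (APP2 + "/files/.jglogs/.jg.rd", "3f15e6c83d54046cb14cf066ab469519"),
    (APP2 + "/files/.jglogs/.jg.ac", "23e6f44af02461dfb17e346550de3e86"),
    (APP2 + "/files/.jglogs/.jg.ic", "fd9f3ce29d40ced866fdd765d395e49c"),
    (APP2 + "/files/.jglogs/.jg.di", "028c608e9d54585366cc36de293a9d6c"),
    ("/storage/emulated/0/360/.iddata", "cd5aacf830cc85a68a8343a950976764"),
    ("/storage/emulated/0/360/.deviceId", "4c4c5285293d5141f582aefa4e038669"),
    (APP2 + "/files/libcuid.so", "0157263432000df53e04d7c88abb9662"),
    (APP2 + "/files/.jglogs/.jg.di", "0a141f3f4db52ea8c0bc10b1f2b5c62f"),
    (APP2 + "/files/.jglogs/.jg.ac", "50d22a696397808de1f6fc1c4bc87d78"),
]


def by_hash(run):
    """Index a run's files by MD5; the same path can appear with several hashes."""
    idx = defaultdict(set)
    for path, md5 in run:
        idx[md5].add(path)
    return idx


def category(path):
    """Coarse label for a dropped file, from its name alone (assumed rules)."""
    name = path.rsplit("/", 1)[-1]
    if "/.jiagu/" in path and (name.endswith(".dex") or name.startswith("libjiagu")):
        return "packer payload/stub"
    if name.endswith(".so"):
        return "native library"
    if name.startswith(".jg.") or name in (".jiagu.lock", ".iddata", ".deviceId"):
        return "runtime state"
    return "other"


def compare(run_a, run_b):
    """Hashes seen in both runs versus hashes unique to one run."""
    a, b = by_hash(run_a), by_hash(run_b)
    return {
        "stable": {h: sorted(a[h] | b[h]) for h in a.keys() & b.keys()},
        "a_only": sorted(a.keys() - b.keys()),
        "b_only": sorted(b.keys() - a.keys()),
    }


def pivot_candidates(run_a, run_b):
    """Hashes identical in both runs and not classified as runtime state."""
    stable = compare(run_a, run_b)["stable"]
    return sorted(h for h, paths in stable.items()
                  if all(category(p) != "runtime state" for p in paths))


if __name__ == "__main__":
    result = compare(RUN1, RUN2)
    for h, paths in sorted(result["stable"].items()):
        print(h, [category(p) for p in paths], paths)
    print("pivot on:", pivot_candidates(RUN1, RUN2))
    print("run1 only:", result["a_only"])
    print("run2 only:", result["b_only"])
```

Six hashes recur across both images; after removing the .jglogs entries, the three left are libjiagu.so and the two unpacked DEX files, which is where any signature work on the actual application code should start.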