Malware Analysis Report

2025-01-19 05:04

Sample ID 240605-jc7g8sae43
Target 977ba1a844d36c328bc9e71c8f3a0cb7_JaffaCakes118
SHA256 b9b5551db376a25c6d5831aa29415da1d5af915d7085b9f70fc629909242b9db
Tags
collection discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 977ba1a844d36c328bc9e71c8f3a0cb7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries information about running processes on the device

Requests cell location

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-06-05 07:32

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 07:32

Reported

2024-06-05 07:35

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

189s

Command Line

com.yxxinglin.xzid8996

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.yxxinglin.xzid8996

com.yxxinglin.xzid8996:pushcore

ls /sys/class/thermal

Network

Files

/data/data/com.yxxinglin.xzid8996/lib-main/dso_state

/data/data/com.yxxinglin.xzid8996/lib-main/dso_deps

/data/data/com.yxxinglin.xzid8996/lib-main/dso_manifest

/data/data/com.yxxinglin.xzid8996/lib-main/dso_state

/data/data/com.yxxinglin.xzid8996/app_crashrecord/1004

/data/data/com.yxxinglin.xzid8996/databases/bugly_db_-journal

/data/data/com.yxxinglin.xzid8996/databases/bugly_db_

/data/data/com.yxxinglin.xzid8996/databases/bugly_db_-shm

/data/data/com.yxxinglin.xzid8996/databases/bugly_db_-wal

/data/data/com.yxxinglin.xzid8996/files/jpush_stat_history_pushcore/normal/nowrap/a1f2ab35-7b26-45e0-af67-31a5337c01c3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 07:32

Reported

2024-06-05 07:32

Platform

android-33-x64-arm64-20240603-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.228:443 udp
GB 142.250.187.228:443 tcp

Files

N/A