Malware Analysis Report

2025-01-19 05:03

Sample ID 240605-n5fmfaff59
Target 9817a885936dd4b76bbae3d67421e227_JaffaCakes118
SHA256 a5a8ea34f978049bf2d83fd5a3ca1a4c5364018423b67394f06918bf7c5134bd
Tags
collection discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a5a8ea34f978049bf2d83fd5a3ca1a4c5364018423b67394f06918bf7c5134bd

Threat Level: Shows suspicious behavior

The file 9817a885936dd4b76bbae3d67421e227_JaffaCakes118 was classified as showing suspicious behavior (score 7/10); it was not matched to a known malware family. The signatures listed below are behavioral heuristics: process enumeration, Wi-Fi and cell-location queries, wake locks, runtime broadcast receivers and javax.crypto calls are also routine in legitimate location, push and analytics SDKs, so treat them as triage leads to be confirmed against the decompiled code and the observed network traffic rather than as a verdict.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK (Mobile Matrix V15)

Tactics flagged for this sample: collection, discovery, evasion, impact, persistence (the same tactic tags appear under each signature below).

Analysis: static1

Detonation Overview

Reported

2024-06-05 11:58

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
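The static check behind this signature is a manifest walk: collect every uses-permission and bucket it by how Android grants it. Two caveats a practitioner would want: SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are "special" app-op permissions granted from a Settings screen, not runtime-dangerous ones, even though the sandbox lists them under the same heading; and a permission list says what the app may do, not what it did, so the combinations flagged below are leads for the behavioral sections, not findings. The following Python is an added example, not the sandbox's own tooling; the sample's real AndroidManifest.xml is not on this page, so SAMPLE_MANIFEST is a constructed excerpt that mirrors the permissions in the table above plus two normal ones, and the DANGEROUS, SPECIAL and COMBOS tables are a partial, analyst-chosen subset of the platform's lists.

```python
"""Permission triage for an Android manifest.

Added example; not part of the sandbox report. SAMPLE_MANIFEST is a
constructed excerpt mirroring the permissions in the static1 table, plus
two normal permissions for contrast.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Runtime ("dangerous") permissions and the permission group the user is
# prompted for. Partial platform list; extend as needed.
DANGEROUS = {
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.READ_SMS": "SMS",
}

# Special (app-op) permissions: granted from a Settings screen rather than a
# runtime dialog. Sandboxes often fold these into "dangerous"; keep them apart.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Capability combinations that justify a closer look. A combo fires when at
# least one permission from every set in its list is requested.
COMBOS = [
    ("overlay+capture",   # an overlay can hide that the mic/camera is in use
     [{"android.permission.SYSTEM_ALERT_WINDOW"},
      {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}]),
    ("silent-dialer",     # place calls without the Dialer UI, tracking call state
     [{"android.permission.CALL_PHONE"},
      {"android.permission.READ_PHONE_STATE"}]),
]


def parse_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission>, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)]


def classify(perms) -> dict:
    """Bucket permissions into dangerous (with group), special and other."""
    dangerous = {p: DANGEROUS[p] for p in perms if p in DANGEROUS}
    return {
        "dangerous": dangerous,
        "groups": sorted(set(dangerous.values())),
        "special": sorted(p for p in perms if p in SPECIAL),
        "other": sorted(p for p in perms if p not in DANGEROUS and p not in SPECIAL),
    }


def flag_combinations(perms) -> list:
    """Labels of every COMBOS entry satisfied by the requested permissions."""
    requested = set(perms)
    return [label for label, needs in COMBOS if all(requested & need for need in needs)]


def triage(manifest_xml: str) -> dict:
    perms = parse_permissions(manifest_xml)
    report = classify(perms)
    report["combinations"] = flag_combinations(perms)
    return report


# Constructed manifest excerpt (the sample's real manifest is not on the page).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="sample"/>
</manifest>"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or androguard's AXML parser) and feed the resulting text to triage(). The two combinations flagged for the constructed manifest are exactly what the behavioral runs should be read against: whether the overlay, microphone, camera or call capabilities were actually exercised, which the signatures in behavioral1 and behavioral2 do not show.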

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 11:58

Reported

2024-06-05 12:01

Platform

android-x86-arm-20240603-en

Max time kernel

169s

Max time network

150s

Command Line

com.chediandian.customer

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.chediandian.customer

com.chediandian.customer:ipc

io.rong.push

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | stats.cn.ronghub.com | udp
GB | 8.208.8.123:80 | stats.cn.ronghub.com | tcp
US | 1.1.1.1:53 | abroad.apilocate.amap.com | udp
CN | 59.82.44.11:80 | abroad.apilocate.amap.com | tcp
US | 1.1.1.1:53 | api.yangchediandian.com | udp
US | 1.1.1.1:53 | nav.cn.ronghub.com | udp
GB | 8.208.102.120:80 | nav.cn.ronghub.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | | tcp
US | 1.1.1.1:53 | apiinit.amap.com | udp
CN | 106.11.43.113:80 | apiinit.amap.com | tcp
US | 1.1.1.1:53 | restapi.amap.com | udp
CN | 203.119.169.174:80 | restapi.amap.com | tcp
CN | 59.82.44.11:80 | abroad.apilocate.amap.com | tcp
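Reading this table takes a little care: the 1.1.1.1:53 rows are the sandbox's DNS forwarder (their US country is the resolver's location, not the sample's), 224.0.0.251:5353 is link-local mDNS, and a TCP row with an empty Domain column means the sandbox could not match the destination IP to an earlier DNS answer. What is left after that noise is the sample's actual contact set, and it splits into three groups a practitioner would want separated: names that were resolved but never connected to (api.yangchediandian.com, the only candidate first-party backend), endpoints reached over cleartext HTTP on port 80 (all of the amap.com and ronghub.com traffic, so location and push data is exposed on the wire), and the TLS connections. The following Python is an added example, not the sandbox's tooling: it parses the table exactly as it appears above, applies those filters, and attributes domains to SDKs through an analyst-maintained suffix map. The SDK labels are analyst knowledge and the yangchediandian.com entry is an assumption drawn from the package name com.chediandian.customer.

```python
"""Extract IOCs from a sandbox network table.

Added example; not part of the sandbox report or its tooling. ROWS is copied
from the behavioral1 Network table in its whitespace-separated form.
SDK_SUFFIXES is an analyst-maintained map; the yangchediandian.com entry is
an assumption based on the package name com.chediandian.customer.
"""
import json
from collections import defaultdict
from typing import NamedTuple

RESOLVER = "1.1.1.1:53"     # sandbox DNS forwarder: a lookup, not a sample contact
MDNS = "224.0.0.251:5353"   # link-local multicast DNS, platform noise

SDK_SUFFIXES = {
    "amap.com": "Amap (AutoNavi) location/maps SDK",
    "ronghub.com": "RongCloud IM/push SDK (matches the io.rong.push process)",
    "google.com": "Google / Play services",
    "google-analytics.com": "Google Analytics",
    "yangchediandian.com": "app backend (assumed first party from the package name)",
}

ROWS = """Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stats.cn.ronghub.com udp
GB 8.208.8.123:80 stats.cn.ronghub.com tcp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
US 1.1.1.1:53 api.yangchediandian.com udp
US 1.1.1.1:53 nav.cn.ronghub.com udp
GB 8.208.102.120:80 nav.cn.ronghub.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 apiinit.amap.com udp
CN 106.11.43.113:80 apiinit.amap.com tcp
US 1.1.1.1:53 restapi.amap.com udp
CN 203.119.169.174:80 restapi.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
"""


class Endpoint(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str   # empty when the sandbox matched no DNS answer to the IP
    proto: str


def parse_rows(text: str) -> list:
    """Parse the whitespace-separated table; the Domain column may be absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append(Endpoint(country, ip, int(port), domain, proto))
    return rows


def attribute(domain: str) -> str:
    """Label a domain by the longest-known SDK suffix it falls under."""
    for suffix, label in SDK_SUFFIXES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return label
    return "unattributed"


def extract_iocs(rows) -> dict:
    queried = set()   # names looked up through the resolver
    contacts = {}     # (ip, port, proto) -> domain; first occurrence wins
    for r in rows:
        dest = f"{r.ip}:{r.port}"
        if dest == RESOLVER:
            if r.domain:
                queried.add(r.domain)
        elif dest != MDNS:
            contacts.setdefault((r.ip, r.port, r.proto), r.domain)
    contacted = {d for d in contacts.values() if d}
    by_domain = defaultdict(set)
    for (ip, port, proto), d in contacts.items():
        by_domain[d or "(no DNS match)"].add(f"{ip}:{port}/{proto}")
    return {
        # resolved but never connected to, e.g. an unreachable backend
        "queried_only": sorted(queried - contacted),
        "contacts": {d: sorted(v) for d, v in sorted(by_domain.items())},
        # cleartext HTTP endpoints: whatever the SDK sends here is readable on the wire
        "plaintext_http": sorted(d for (ip, port, proto), d in contacts.items()
                                 if port == 80 and d),
        "attribution": {d: attribute(d) for d in sorted(contacted | queried)},
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(parse_rows(ROWS)), indent=2))
```

Feed the behavioral2 table through the same parser to diff the two runs: it adds ssl.google-analytics.com and www.google.com and resolves stats.cn.ronghub.com to a different address, while api.yangchediandian.com is again queried but never contacted in either run.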

Files

/data/data/com.chediandian.customer/databases/xk_db-journal

MD5 ff8e25b4d441642003dcde28d268057f
SHA1 75237c04e2838831c0979b9d67ef34b92597bac4
SHA256 e3dc43118289047cc7779571dc25479a8b813da780ade92ebd2b38a1f845b1dc
SHA512 0a899300b405440227a1ca83283d15a837fe83b02677df513a2203379327f6b2e6a95cc358d3c33da92f64e1a8bfc0d6e412b62071ecf6f9f7be6c3bef62d606

/data/data/com.chediandian.customer/databases/xk_db

MD5 59bcf672d6aa933d7a5d5a6a41312d89
SHA1 1ccbf2bd3647dcb1ec22784f98a4aa035d507ffc
SHA256 587526298ec8243e9e3affe269261af7c8b15c716b3f611a4fbc4768455011f2
SHA512 a662d86f07752ec3b16d89fe6ee1af615a0af7806d8bc85386cb1c3b73abca26da4f77d95eb1563168ae31540fb8988a4ab7ef8bf42703b5b6e4bd6fa36ec233

/data/data/com.chediandian.customer/databases/xk_db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.chediandian.customer/databases/xk_db-wal

MD5 ed3957d6289eb0a7b62149fbf8249938
SHA1 913ba710b9f2696c7a0983e08b32aac3916959cc
SHA256 0c8171deee46e3a04bb562c20999cbc21b15556e7dc8c1b7c56c647cd4640aaa
SHA512 9b4ca6467ba6b13f19c37d10dccaf2aa51418774ccb690338e96afce816e2f0fb392503e8732daa076b7a283bc3f2edc526a3c57733740841f13d9aca250255f

/storage/emulated/0/Android/data/com.chediandian.customer/cache/kit/journal.tmp

MD5 8c8bcb7d36cb5a71729c00c4e7f2d330
SHA1 a352667c61dc45f43cae74a7102fa692fba98d3e
SHA256 fddce724f39edc9ae1df4f8920e512cfd0fe3a9017b32031f1ca0e9ec06a1150
SHA512 4589f9c835a12ddaa04617822b93aba809aa85b392dc8596d47368a31648c542a0eb96643ca3a8d21d31aa1a790580a3258afdc3d202d31c5a324a4b591ccb62

/storage/emulated/0/Android/data/com.chediandian.customer/cache/newlocationCache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 11:58

Reported

2024-06-05 12:01

Platform

android-x64-arm64-20240603-en

Max time kernel

157s

Max time network

151s

Command Line

com.chediandian.customer

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.chediandian.customer

com.chediandian.customer:ipc

io.rong.push

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | stats.cn.ronghub.com | udp
GB | 8.208.102.120:80 | stats.cn.ronghub.com | tcp
US | 1.1.1.1:53 | abroad.apilocate.amap.com | udp
CN | 59.82.44.11:80 | abroad.apilocate.amap.com | tcp
US | 1.1.1.1:53 | api.yangchediandian.com | udp
US | 1.1.1.1:53 | nav.cn.ronghub.com | udp
GB | 8.208.102.120:80 | nav.cn.ronghub.com | tcp
US | 1.1.1.1:53 | apiinit.amap.com | udp
CN | 106.11.43.113:80 | apiinit.amap.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | restapi.amap.com | udp
CN | 59.82.132.217:80 | restapi.amap.com | tcp
US | 1.1.1.1:53 | abroad.apilocate.amap.com | udp
CN | 59.82.44.11:80 | abroad.apilocate.amap.com | tcp

Files

/data/user/0/com.chediandian.customer/databases/xk_db-journal

MD5 5a7c0743afffc690253253e771b9aeb1
SHA1 e7d3c1db836f96c77263dcc1416b86ce9f56baf8
SHA256 7343c59c88a77605fb1bfe159b7d9d7acba29c0b693077f4023158298cc59140
SHA512 a3aabe9502b115d917ea46ce889a872544ffb553c9d43f72ab5b0e147b7515f7700b1f819b143c0e84fa42e8ca323542efe5c85f047559428722c1f654c26708

/data/user/0/com.chediandian.customer/databases/xk_db

MD5 b4b47c31a3031ee71f5e49145115a41a
SHA1 e6ad12c9992b8d2381ae21838a80449e5b479104
SHA256 b15fa8d74525307fc302e56c1f1925dacc16e76f753f7ac61575555daae271ca
SHA512 59d5fe3c8474f58f1bb9a271de8fd7a693e221e6ca6a03a242e21cbce78ebd23fc9fa3aa520d7279cca99c8717f9b7fc7ffd6ad7af69bf34e7b1af98840c6799

/data/user/0/com.chediandian.customer/databases/xk_db-journal

MD5 adc4c361bc83198552fbe920b43e2ab5
SHA1 8f3b813ccee57301e35fdc6c93ab8f577e036198
SHA256 63eea4b1ff2a7ff48d6e06aea73b76e7e54208c5b1eb4a21c477519557c79a56
SHA512 fa52825fad6866bbd291146c762565b8080ce67fb3a3dc8216568aeae1220c72cbb5c61a1a12d62d2601f4a26338015599eaf4c0456a5318999b9be2bf297369

/data/user/0/com.chediandian.customer/databases/xk_db-journal

MD5 36995f268085f6d5164addf92fdfd70d
SHA1 386cd4fe977f83250628d912c7efd2e9b53e1de3
SHA256 def81583dd0ba2a62a977e7073141f8ab3031c30746bbc8e5eefbd18e3d36966
SHA512 9a24b59d7a7680e9ea25e8310c267b85ffd496f04d43bf42be7421b547e772745a006dd849d2443aa4ccb0977240b4f07441fba1fe166373966d132c9a784e3b

/data/user/0/com.chediandian.customer/databases/xk_db-journal

MD5 206cf203c8d5ee372a214c0fe40039a4
SHA1 7ed87d2170c1d14ea9d6a4f10fc3587b85f4a782
SHA256 0f80d219f52802dcc51933b2048fbc5a9a1cecea94da646a2efd3819f6ec55ba
SHA512 9289ec4d0f65f428a657b2952c394f2af45b9b5c79bf86f09498c00f5f4d489cd3465507255e89258dea3537a96fbfb73787535e85e2d0c3e516c7a15d742158

/storage/emulated/0/Android/data/com.chediandian.customer/cache/kit/journal.tmp (deleted)

MD5 8c8bcb7d36cb5a71729c00c4e7f2d330
SHA1 a352667c61dc45f43cae74a7102fa692fba98d3e
SHA256 fddce724f39edc9ae1df4f8920e512cfd0fe3a9017b32031f1ca0e9ec06a1150
SHA512 4589f9c835a12ddaa04617822b93aba809aa85b392dc8596d47368a31648c542a0eb96643ca3a8d21d31aa1a790580a3258afdc3d202d31c5a324a4b591ccb62

/storage/emulated/0/Android/data/com.chediandian.customer/cache/newlocationCache/journal.tmp (deleted)

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56