Analysis Overview
SHA256
a5a8ea34f978049bf2d83fd5a3ca1a4c5364018423b67394f06918bf7c5134bd
Threat Level: Shows suspicious behavior
The file 9817a885936dd4b76bbae3d67421e227_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Requests cell location
Queries information about running processes on the device
Queries information about the current nearby Wi-Fi networks
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 11:58
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 11:58
Reported
2024-06-05 12:01
Platform
android-x86-arm-20240603-en
Max time kernel
169s
Max time network
150s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.chediandian.customer
com.chediandian.customer:ipc
io.rong.push
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | stats.cn.ronghub.com | udp |
| GB | 8.208.8.123:80 | stats.cn.ronghub.com | tcp |
| US | 1.1.1.1:53 | abroad.apilocate.amap.com | udp |
| CN | 59.82.44.11:80 | abroad.apilocate.amap.com | tcp |
| US | 1.1.1.1:53 | api.yangchediandian.com | udp |
| US | 1.1.1.1:53 | nav.cn.ronghub.com | udp |
| GB | 8.208.102.120:80 | nav.cn.ronghub.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | | tcp |
| US | 1.1.1.1:53 | apiinit.amap.com | udp |
| CN | 106.11.43.113:80 | apiinit.amap.com | tcp |
| US | 1.1.1.1:53 | restapi.amap.com | udp |
| CN | 203.119.169.174:80 | restapi.amap.com | tcp |
| CN | 59.82.44.11:80 | abroad.apilocate.amap.com | tcp |
Files
/data/data/com.chediandian.customer/databases/xk_db-journal
| MD5 | ff8e25b4d441642003dcde28d268057f |
| SHA1 | 75237c04e2838831c0979b9d67ef34b92597bac4 |
| SHA256 | e3dc43118289047cc7779571dc25479a8b813da780ade92ebd2b38a1f845b1dc |
| SHA512 | 0a899300b405440227a1ca83283d15a837fe83b02677df513a2203379327f6b2e6a95cc358d3c33da92f64e1a8bfc0d6e412b62071ecf6f9f7be6c3bef62d606 |
/data/data/com.chediandian.customer/databases/xk_db
| MD5 | 59bcf672d6aa933d7a5d5a6a41312d89 |
| SHA1 | 1ccbf2bd3647dcb1ec22784f98a4aa035d507ffc |
| SHA256 | 587526298ec8243e9e3affe269261af7c8b15c716b3f611a4fbc4768455011f2 |
| SHA512 | a662d86f07752ec3b16d89fe6ee1af615a0af7806d8bc85386cb1c3b73abca26da4f77d95eb1563168ae31540fb8988a4ab7ef8bf42703b5b6e4bd6fa36ec233 |
/data/data/com.chediandian.customer/databases/xk_db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.chediandian.customer/databases/xk_db-wal
| MD5 | ed3957d6289eb0a7b62149fbf8249938 |
| SHA1 | 913ba710b9f2696c7a0983e08b32aac3916959cc |
| SHA256 | 0c8171deee46e3a04bb562c20999cbc21b15556e7dc8c1b7c56c647cd4640aaa |
| SHA512 | 9b4ca6467ba6b13f19c37d10dccaf2aa51418774ccb690338e96afce816e2f0fb392503e8732daa076b7a283bc3f2edc526a3c57733740841f13d9aca250255f |
/storage/emulated/0/Android/data/com.chediandian.customer/cache/kit/journal.tmp
| MD5 | 8c8bcb7d36cb5a71729c00c4e7f2d330 |
| SHA1 | a352667c61dc45f43cae74a7102fa692fba98d3e |
| SHA256 | fddce724f39edc9ae1df4f8920e512cfd0fe3a9017b32031f1ca0e9ec06a1150 |
| SHA512 | 4589f9c835a12ddaa04617822b93aba809aa85b392dc8596d47368a31648c542a0eb96643ca3a8d21d31aa1a790580a3258afdc3d202d31c5a324a4b591ccb62 |
/storage/emulated/0/Android/data/com.chediandian.customer/cache/newlocationCache/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 11:58
Reported
2024-06-05 12:01
Platform
android-x64-arm64-20240603-en
Max time kernel
157s
Max time network
151s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.chediandian.customer
com.chediandian.customer:ipc
io.rong.push
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | stats.cn.ronghub.com | udp |
| GB | 8.208.102.120:80 | stats.cn.ronghub.com | tcp |
| US | 1.1.1.1:53 | abroad.apilocate.amap.com | udp |
| CN | 59.82.44.11:80 | abroad.apilocate.amap.com | tcp |
| US | 1.1.1.1:53 | api.yangchediandian.com | udp |
| US | 1.1.1.1:53 | nav.cn.ronghub.com | udp |
| GB | 8.208.102.120:80 | nav.cn.ronghub.com | tcp |
| US | 1.1.1.1:53 | apiinit.amap.com | udp |
| CN | 106.11.43.113:80 | apiinit.amap.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | restapi.amap.com | udp |
| CN | 59.82.132.217:80 | restapi.amap.com | tcp |
| US | 1.1.1.1:53 | abroad.apilocate.amap.com | udp |
| CN | 59.82.44.11:80 | abroad.apilocate.amap.com | tcp |
Files
/data/user/0/com.chediandian.customer/databases/xk_db-journal
| MD5 | 5a7c0743afffc690253253e771b9aeb1 |
| SHA1 | e7d3c1db836f96c77263dcc1416b86ce9f56baf8 |
| SHA256 | 7343c59c88a77605fb1bfe159b7d9d7acba29c0b693077f4023158298cc59140 |
| SHA512 | a3aabe9502b115d917ea46ce889a872544ffb553c9d43f72ab5b0e147b7515f7700b1f819b143c0e84fa42e8ca323542efe5c85f047559428722c1f654c26708 |
/data/user/0/com.chediandian.customer/databases/xk_db
| MD5 | b4b47c31a3031ee71f5e49145115a41a |
| SHA1 | e6ad12c9992b8d2381ae21838a80449e5b479104 |
| SHA256 | b15fa8d74525307fc302e56c1f1925dacc16e76f753f7ac61575555daae271ca |
| SHA512 | 59d5fe3c8474f58f1bb9a271de8fd7a693e221e6ca6a03a242e21cbce78ebd23fc9fa3aa520d7279cca99c8717f9b7fc7ffd6ad7af69bf34e7b1af98840c6799 |
/data/user/0/com.chediandian.customer/databases/xk_db-journal
| MD5 | adc4c361bc83198552fbe920b43e2ab5 |
| SHA1 | 8f3b813ccee57301e35fdc6c93ab8f577e036198 |
| SHA256 | 63eea4b1ff2a7ff48d6e06aea73b76e7e54208c5b1eb4a21c477519557c79a56 |
| SHA512 | fa52825fad6866bbd291146c762565b8080ce67fb3a3dc8216568aeae1220c72cbb5c61a1a12d62d2601f4a26338015599eaf4c0456a5318999b9be2bf297369 |
/data/user/0/com.chediandian.customer/databases/xk_db-journal
| MD5 | 36995f268085f6d5164addf92fdfd70d |
| SHA1 | 386cd4fe977f83250628d912c7efd2e9b53e1de3 |
| SHA256 | def81583dd0ba2a62a977e7073141f8ab3031c30746bbc8e5eefbd18e3d36966 |
| SHA512 | 9a24b59d7a7680e9ea25e8310c267b85ffd496f04d43bf42be7421b547e772745a006dd849d2443aa4ccb0977240b4f07441fba1fe166373966d132c9a784e3b |
/data/user/0/com.chediandian.customer/databases/xk_db-journal
| MD5 | 206cf203c8d5ee372a214c0fe40039a4 |
| SHA1 | 7ed87d2170c1d14ea9d6a4f10fc3587b85f4a782 |
| SHA256 | 0f80d219f52802dcc51933b2048fbc5a9a1cecea94da646a2efd3819f6ec55ba |
| SHA512 | 9289ec4d0f65f428a657b2952c394f2af45b9b5c79bf86f09498c00f5f4d489cd3465507255e89258dea3537a96fbfb73787535e85e2d0c3e516c7a15d742158 |
/storage/emulated/0/Android/data/com.chediandian.customer/cache/kit/journal.tmp (deleted)
| MD5 | 8c8bcb7d36cb5a71729c00c4e7f2d330 |
| SHA1 | a352667c61dc45f43cae74a7102fa692fba98d3e |
| SHA256 | fddce724f39edc9ae1df4f8920e512cfd0fe3a9017b32031f1ca0e9ec06a1150 |
| SHA512 | 4589f9c835a12ddaa04617822b93aba809aa85b392dc8596d47368a31648c542a0eb96643ca3a8d21d31aa1a790580a3258afdc3d202d31c5a324a4b591ccb62 |
/storage/emulated/0/Android/data/com.chediandian.customer/cache/newlocationCache/journal.tmp (deleted)
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |