Malware Analysis Report

2025-01-19 08:07

Sample ID 240605-s7ekdabb3x
Target 9889e12ab019be9b7b7c59d64abf06ad_JaffaCakes118
SHA256 63967e52d82896b20a1a6af777060b9c3556a9aaf42dda7ecc5ea0b540b2244a
Tags: discovery, impact, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 63967e52d82896b20a1a6af777060b9c3556a9aaf42dda7ecc5ea0b540b2244a

Threat Level: Shows suspicious behavior

The file 9889e12ab019be9b7b7c59d64abf06ad_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Domain associated with commercial stalkerware software (includes indicators from echap.eu.org)

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-06-05 15:46

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 15:45

Reported

2024-06-05 15:49

Platform

android-x86-arm-20240603-en

Max time kernel

160s

Max time network

167s

Command Line

com.jetsun.course

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software (includes indicators from echap.eu.org)

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.jetsun.course

getprop ro.miui.ui.version.code

Network


Files

/data/data/com.jetsun.course/databases/cc/cc.db-journal

/data/data/com.jetsun.course/databases/cc/cc.db

/data/data/com.jetsun.course/databases/cc/cc.db-shm

/data/data/com.jetsun.course/databases/cc/cc.db-wal

/data/data/com.jetsun.course/databases/mwsdk_analytics.db-journal

/data/data/com.jetsun.course/files/com.tencent.open.config.json.101527751

/data/data/com.jetsun.course/databases/mwsdk_analytics.db

/data/data/com.jetsun.course/databases/mwsdk_analytics.db-wal

/storage/emulated/0/data/.push_deviceid

/data/data/com.jetsun.course/files/umeng_it.cache

/data/data/com.jetsun.course/files/.umeng/exchangeIdentity.json

/data/data/com.jetsun.course/files/exid.dat

/data/data/com.jetsun.course/files/.um/um_cache_1717602505804.env
