Malware Analysis Report

2025-01-19 05:05

Sample ID: 240605-sfar4sac9s
Target: 9875f781886ffd9489453abfd016de31_JaffaCakes118
SHA256: 7b598eb9a295b396a21e52727f8b8caaf51253e89a6565ba1bc51d9f0576f416
Tags: collection discovery evasion persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 7b598eb9a295b396a21e52727f8b8caaf51253e89a6565ba1bc51d9f0576f416

Threat Level: Shows suspicious behavior

The file 9875f781886ffd9489453abfd016de31_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection discovery evasion persistence

Queries information about running processes on the device

Requests cell location

Queries information about the current nearby Wi-Fi networks

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about the phone network operator

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-05 15:05

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-05 15:03
Reported: 2024-06-05 15:09
Platform: android-x86-arm-20240603-en
Max time kernel: 176s
Max time network: 130s

Command Line

com.hoge.android.app12106

Signatures

Queries information about running processes on the device

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Requests cell location

Tags: collection discovery evasion

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about the phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.hoge.android.app12106

io.rong.push.service

com.hoge.android.app12106:remote

com.hoge.android.app12106:remote

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 1.1.1.1:53 | client-api.dingdone.com | udp
US | 1.1.1.1:53 | nav.cn.rong.io | udp
US | 1.1.1.1:53 | loc.map.baidu.com | udp
HK | 103.235.47.89:80 | loc.map.baidu.com | tcp
HK | 103.235.47.89:80 | loc.map.baidu.com | tcp
HK | 103.235.47.89:80 | loc.map.baidu.com | tcp
HK | 103.235.47.89:80 | loc.map.baidu.com | tcp
HK | 103.235.47.89:80 | loc.map.baidu.com | tcp
HK | 103.235.47.89:80 | loc.map.baidu.com | tcp
HK | 103.235.47.89:80 | loc.map.baidu.com | tcp
GB | 172.217.16.238:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.hoge.android.app12106/databases/dingdone.db-journal

MD5 4a73bc262d34d53002a8caea7478f04e
SHA1 42afc9cd0f6e07af9567325124cdb9d2ab68684a
SHA256 45c8f4fbfc2759c8c98a4b04ed890b6819801aaf56fbca2f6933272a8c18f7cf
SHA512 78b74e260e428e3708f4fae66e4bee8fb800ec6a76b7e71cc751d06b690c39c45050cc851e4230cf2b1a5da4a32ac22c7ffc3d270ee8b59e41606e51e0beaf47

/data/data/com.hoge.android.app12106/databases/dingdone.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.hoge.android.app12106/databases/dingdone.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.hoge.android.app12106/databases/dingdone.db-wal

MD5 58c08cec9e7952dc948e583eeeeb7709
SHA1 f47b0a9cc794573cc5a4a98b31c56a111e8d03c9
SHA256 398fe81ce8de61351e9eabfade9984d89e5f859b424bd0dc25c43a49039cfc4d
SHA512 1ed75ea58ead245e649d4892dd0d3b80b09b1a9f9bed988a552f09a9d5b4c533a87c483e1c18a7e8ea35c1648293751a34f620ace278dc676311bb59eaedb3e9

/storage/emulated/0/Android/rc_push_mapping_1_1_3

MD5 3ee58a74c5b626bf4e3fda2f8a67e3a5
SHA1 e7bdf5fd3b567406ec72d74416da1e4f0f88ac40
SHA256 4afa97f9e25d53610530e42adf1a2ee40e0983fe71427a4073f215e119a52dba
SHA512 64242f1c90364b49910eeb076a69ccf02fcaadc0b7699474461875c5b02bcf3f99130c14d1dd1cdb8bcedb021eb2fe44eab55e41f10cc5ec7fd54f25a4a5274b

/storage/emulated/0/baidu/tempdata/ls.db

MD5 7f0f7ed6bb56bdf2d67a45702e8b0274
SHA1 fde55ac8dc9091f9a42ff9dff09717ec818c90a5
SHA256 cab46245b1a15cf6949bbf332895887ef24a6f3d8edf950ebf6f959947339cc3
SHA512 fb9428001f7e99ab998de19506c1905cb5afa40e645ad1cde38b68af8a3d827c3e421b86d8684e75fb01b72967a7e14408218bd5c0a904c1f128f22641fa913e

/storage/emulated/0/baidu/tempdata/ls.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/storage/emulated/0/baidu/tempdata/ls.db-wal

MD5 30d79a7c23f5e36543d6f1744d3bae66
SHA1 ab3042ef9ad90902debb0f14c1b9f9e89bc77aae
SHA256 0d75be4871801a1440619d049e6491dfe2b0d250de6ced588b16794498482391
SHA512 8de42944f7a11770d611629336159a3a9fa22bc54a5cf8f2eab89997b716d0d55280cf21bea355b476a53901a4ec7999fcaa64e7eb6689c90495273268c383fd

/storage/emulated/0/baidu/tempdata/yoh.dat

MD5 a936690571e9104e1922dda4a0ba5bd1
SHA1 65f49c57edde2f96be2a1dbdfc3f7351f1e66554
SHA256 f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412
SHA512 3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

/storage/emulated/0/baidu/tempdata/yoh.dat

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

/storage/emulated/0/baidu/tempdata/yoh.dat

MD5 441018525208457705bf09a8ee3c1093
SHA1 6768033e216468247bd031a0a2d9876d79818f8f
SHA256 de47c9b27eb8d300dbb5f2c353e632c393262cf06340c4fa7f1b40c4cbd36f90
SHA512 d296b892b3a7964bd0cc882fc7c0be948b6bbd8eb1eff8c13942fcaabf1f38772dd56ba4d8ecd0b626ff5cef1cd045a1b0a76910396f3c7430b215a85950e9c3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-05 15:03
Reported: 2024-06-05 15:06
Platform: android-33-x64-arm64-20240603-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.213.4:443 | (none) | udp
GB | 216.58.213.4:443 | (none) | udp
N/A | 224.0.0.251:5353 | (none) | udp

Files

N/A