Analysis Overview
SHA256
59c77cbbf2e68b2338b3e88eae8cf1d86bc079b17c0fa69471d20b45a227529f
Threat Level: Shows suspicious behavior
The file 98795b321c3f256b95d5248bbe643f7f_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Queries information about running processes on the device
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 15:16
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 15:16
Reported
2024-06-05 15:19
Platform
android-x64-20240603-en
Max time kernel
6s
Max time network
146s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.yunfei.qianjiangcgt
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | api.map.baidu.com | udp |
| HK | 103.235.46.245:443 | api.map.baidu.com | tcp |
| GB | 142.250.187.234:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.14:443 | tcp | |
| GB | 142.250.187.226:443 | tcp | |
| GB | 142.250.187.228:443 | tcp | |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.200.36:443 | www.google.com | tcp |
| GB | 142.250.200.14:443 | tcp |
Files
/data/data/com.yunfei.qianjiangcgt/files/libcuid.so
| MD5 | ef7939ef31154876dcd774ada8844555 |
| SHA1 | 5eb7e9585394521a851f2f0415193d4c67a6b88e |
| SHA256 | 3dde1f932bd93f0f82d4ddaf9af8cc96564d4ffc00403826372fef1312de251a |
| SHA512 | 7bb6c0f841b45bc9e6fa5f2a02809b22fe2347e91845462e5be207875aeec808b02593cdfa02182f6081b67cb257c3221b0643dac02c16be0c71d9c340878804 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 15:16
Reported
2024-06-05 15:19
Platform
android-x86-arm-20240603-en
Max time kernel
6s
Max time network
131s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.yunfei.qianjiangcgt
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | api.map.baidu.com | udp |
| HK | 103.235.46.245:443 | api.map.baidu.com | tcp |
| GB | 172.217.16.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.yunfei.qianjiangcgt/files/libcuid.so
| MD5 | 02eef34429a49d49842b1f5fc7a4f45d |
| SHA1 | 4ed44e7e2ed4e58b1ed7d007f44f66c333d4fc8d |
| SHA256 | b61eaf967c822d025897d7a83baac0debc8cd1443e6a7f634c396196674b26b8 |
| SHA512 | 430df9486bb841e6c8dc230d3b25a1d25be00c8e9039287f474662f6265a539e51b88e56f9af76d3b3cad78c403469d771241d36414651f40adca4df3e8635ff |
/storage/emulated/0/backups/.SystemConfig/.cuid
| MD5 | 2f4e4cacced16d686f1626f124aa5ead |
| SHA1 | 11cf8b5e53c4cb906caf3d083c09fdc8fddd9bfe |
| SHA256 | 63fe278d0b6d41d471b2c7a83f6ab5c43563a052a565528dbf6818acf2401ab7 |
| SHA512 | 4b7da3f95ec1fe44fe5b16a8f71ce7b19472b71c0307c4500023cf9b20f3287199e2f8b0d66df7589798278a3af6a8ef4527372d09e31b83c61485bd9ea9aee9 |