Malware Analysis Report

2025-01-19 05:04

Sample ID 240605-tdw31acb64
Target 988e2ce3e14ce47c08b143d4fd47e3c6_JaffaCakes118
SHA256 2606e9e7d3cb402b2fad8512a65ef3620c3e54fea44a2e5af5d2be2bc4c572e2
Tags
discovery evasion impact collection
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 988e2ce3e14ce47c08b143d4fd47e3c6_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact collection

Loads dropped Dex/Jar

Requests cell location

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 15:59

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:03

Platform

android-x86-arm-20240603-en

Max time kernel

175s

Max time network

140s

Command Line

com.gamed9.g360.pet

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar | N/A | N/A
N/A | /data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.gamed9.g360.pet

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/oat/x86/pro.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | openapi.360.cn | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
HK | 101.198.192.35:443 | openapi.360.cn | tcp
US | 1.1.1.1:53 | au.umeng.com | udp
US | 1.1.1.1:53 | au.umeng.co | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | oc.umeng.co | udp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar

MD5 15bba7ef94733357290f9fa497b0d9b0
SHA1 711c49a3f95ad820831121dca8457353c78053ac
SHA256 8c5bc659bfc15882f27b3c8b661a14822161f23ecc4660ac5df7a5fc50edc77e
SHA512 776b67f1cc3dbe7909257b3ab515266343d20e25827604564e73fb0251b8dedbc6f9dd4b80c852dcdc135729ee38336e225041ed48db26e45f13266df34de841

/data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar

MD5 463cc82334cd91474e6b40a6597f5796
SHA1 dd0345f766de775c3bbf2345493f3493e69f32a7
SHA256 22ab17f12d0da010a9dd0bb729a9e42ac060e636feb97f2f01ef45343ce634ee
SHA512 93ca318249bb60df2aaf67a9eed107bae1d582143d41b7e430af47265709af19fe2c7fa7a8b7e904543ff9cf2ae4478770bfd1f3aa1bdd15408265d4e01e2b09

/data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar

MD5 ac8af37fd04483d85300c62e63f7712f
SHA1 d639fb2004c4aab3b31937bc131ae974939b8e61
SHA256 80eb44132a098f0ecdabd2e28f4e4b778ff3db5c6aad2c2e79a74c77f830d04a
SHA512 b0b92d2f0d8fb9d0c843bf17f6cdc971d6abb2dd6e142e44877ebbc34a8022506f535e802d7f5c997b9a456f4656335c18b1246044a8448cbc00014401b2bdba

/data/data/com.gamed9.g360.pet/UserDefault.xml

MD5 4a8226e4211ccb4cb79f54d4ee35a55a
SHA1 7144e993ff784e4458c4d53d6f9f29930cf13fb8
SHA256 8d5bfd20db452314b315192d7160e28bce53c777c98a31aa6df7c93345a692eb
SHA512 7d7480da93b3363306438c7cc08fb913e29098eb19c4f6ac40ac5282329ecd8eae77fed695822955183a4b7084d18da89c2c937af5fcdf43b3f1bd7854cc7041

/data/data/com.gamed9.g360.pet/UserDefault.xml

MD5 fe3364ffbb92104e365f306b7c3f4a71
SHA1 a9e112177a6b432d79bb0953695a6ef4a7ecd086
SHA256 161750f868f2e9ec20382bfc3a7838793a847e7373602cb0418afe0e1ee9da9b
SHA512 a16a9bb689dbd4147217066d578059f0318b81505a6a390153ba1a463e887901820704fd7bffc83e6fd17faac4f45210d9f6116c7e785773c829ce7781296841

/data/data/com.gamed9.g360.pet/UserDefault.xml

MD5 f824772e85c59aa9284beb1afb5bd708
SHA1 09a2ba5896857dc95d2beec0869fc1084f61138d
SHA256 b62dc7b20def4941f4c1aa047ec1037d971c18abb4c8580cc0a13f79fa70090d
SHA512 9f1bb28c34c1033cf4ec843b998c98d878cc2b081cfee668642b4b4ea680066f9b230f7b8584101376cb965db339c2efb0d9f64674f18203a12db9a83034241d

/data/data/com.gamed9.g360.pet/UserDefault.xml

MD5 edbf72e9b2b7172144c07ff99e82b2d8
SHA1 6fbcc848ab8a804349ce238fef02f34623e84f80
SHA256 6651f918ebf70b4a4c7b94f8bc2cbae0a597832614ad7a341accf09c132cea64
SHA512 197bb88efa8b620a038109d9f1d16446b91f01961482610f6ed15474281a470440e7e1813f8963c625dc28125c23282db93898a13613432e029ec459c54e5066

/data/data/com.gamed9.g360.pet/UserDefault.xml

MD5 8a7ef9a04a7583ebf3d5f7d338dbd3fe
SHA1 008ede01f584eb1e7edb05f8182fb44d283f3b0e
SHA256 fb963eafd075d6d6ca285324df454ffab20422f2bd24e7b42f333cf4c0e27220
SHA512 448083c6a45ad02a78d23107b6b44aced2198f275f77adfb7cb08243dddf19b69f6df2aff1eb69593ad58f45baddbf20fa6c485065bf8db4f8c8e4073f56af49

/data/data/com.gamed9.g360.pet/files/qhopensdk/pro/190/oat/pro.jar.cur.prof

MD5 ac1786848861adc75e846f576948880e
SHA1 2fca5d669a7ff0d716622dbfcdc2ddf7e704589f
SHA256 80fc61b1a59193fff03c984043a8148f77b31608be74668b5e7582ebbcc37c84
SHA512 d4b46d55fec7c913a8db8e8d21db3903760fe9ee13f0e0bded513bb8cc7ce857454ba68a04b238f3f0e86da11dd7b87e31067c14eb9c3e32a96914e24071efcd

/data/data/com.gamed9.g360.pet/files/mobclick_agent_cached_com.gamed9.g360.pet

MD5 3e1e4eb41a839536febe99d9aa1c3e67
SHA1 cfc42cbb9e9cd2945ce138d75b95dbbf47b7a32b
SHA256 4c6c896fcdce62b09c3c572e8a90bbbdc117b7d47df0903c531adf61a9807825
SHA512 901a91d29d2b27d50310a295e6abc64d05fac0796af3de72f0a70a78154682e02ccbba9722b38ea45a609e427d8df79ec3645ef32f858f5b4867980c0f62498a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:03

Platform

android-x86-arm-20240603-en

Max time network

135s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:03

Platform

android-x64-arm64-20240603-en

Max time network

134s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.10:443 | | tcp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:03

Platform

android-x86-arm-20240603-en

Max time kernel

2s

Max time network

134s

Command Line

com.alipay.android.app

Signatures

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:03

Platform

android-x64-20240603-en

Max time network

148s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 172.217.169.46:443 | | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:03

Platform

android-x86-arm-20240603-en

Max time kernel

3s

Max time network

153s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:00

Platform

android-x86-arm-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:00

Platform

android-x64-20240603-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-05 15:57

Reported

2024-06-05 16:00

Platform

android-x64-arm64-20240603-en

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp

Files

N/A