Malware Analysis Report

2025-01-19 05:05

Sample ID 240605-tgtr2scc34
Target 98905c07a5fd12c9fadb1d06d5f68f0d_JaffaCakes118
SHA256 f6034e75b17cce56db6148cb478f6dd86c834fec34c4fd034c24c73074e84ec7
Tags
banker collection discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 98905c07a5fd12c9fadb1d06d5f68f0d_JaffaCakes118 was assessed as showing suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about running processes on the device

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 16:02

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-05 16:02

Reported

2024-06-05 16:05

Platform

android-x64-arm64-20240603-en

Max time kernel

7s

Max time network

132s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.201.106:443 | | tcp
GB | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-05 16:02

Reported

2024-06-05 16:03

Platform

android-x86-arm-20240603-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-05 16:02

Reported

2024-06-05 16:02

Platform

android-x64-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-05 16:02

Reported

2024-06-05 16:02

Platform

android-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 16:02

Reported

2024-06-05 16:06

Platform

android-x86-arm-20240603-en

Max time kernel

157s

Max time network

169s

Command Line

com.wandafilm.app

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.wandafilm.app

com.wandafilm.app:pushservice

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | wdapi.wandafilm.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | register.xmpush.xiaomi.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 20.47.97.231:443 | register.xmpush.xiaomi.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | apilocate.amap.com | udp
CN | 203.209.230.23:80 | apilocate.amap.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | apiinit.amap.com | udp
CN | 59.82.132.217:80 | apiinit.amap.com | tcp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/com.wandafilm.app/databases/wandafilm.db-journal

/data/data/com.wandafilm.app/databases/wandafilm.db

/data/data/com.wandafilm.app/databases/wandafilm.db-shm

/data/data/com.wandafilm.app/databases/wandafilm.db-wal

/data/data/com.wandafilm.app/databases/cc/cc.db-journal

/data/data/com.wandafilm.app/databases/cc/cc.db

/data/data/com.wandafilm.app/databases/cc/cc.db-wal

/storage/emulated/0/Android/data/com.wandafilm.app/cache/locationCache/journal.tmp

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/data/data/com.wandafilm.app/files/umeng_it.cache

/data/data/com.wandafilm.app/files/.umeng/exchangeIdentity.json

/data/data/com.wandafilm.app/databases/cc/cc.db-wal

/data/data/com.wandafilm.app/databases/cc/cc.db

/storage/emulated/0/Android/data/com.wandafilm.app/files/MiPushLog/log1.txt

/data/data/com.wandafilm.app/files/.um/um_cache_1717603468852.env

/data/data/com.wandafilm.app/files/mobclick_agent_cached_com.wandafilm.app4610

/storage/emulated/0/Android/data/com.wandafilm.app/files/carrierdata/1717603551

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 16:02

Reported

2024-06-05 16:05

Platform

android-x86-arm-20240603-en

Max time kernel

3s

Max time network

130s

Command Line

com.tenpay.android.service

Signatures

N/A

Processes

com.tenpay.android.service

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 16:02

Reported

2024-06-05 16:05

Platform

android-x86-arm-20240603-en

Max time kernel

7s

Max time network

130s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 172.217.169.74:443 | | tcp
GB | 172.217.169.74:443 | | tcp

Files

N/A