Malware Analysis Report

2025-01-19 08:07

Sample ID 240605-v35bcada5v
Target 98c60b196e093fe21a108930d0422601_JaffaCakes118
SHA256 7358bd89e1ec1860038af906b290e51f17e2f76ec95514b5dbfd46f1c6bc1aca
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

7358bd89e1ec1860038af906b290e51f17e2f76ec95514b5dbfd46f1c6bc1aca

Threat Level: Likely malicious

The file 98c60b196e093fe21a108930d0422601_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks known Qemu files.

Checks known Qemu pipes.

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 17:31

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 17:31

Reported

2024-06-05 17:35

Platform

android-x86-arm-20240603-en

Max time kernel

124s

Max time network

176s

Command Line

cn.sunsapp.driver

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

cn.sunsapp.driver

/system/bin/sh -c getprop

getprop

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp

Files

/data/data/cn.sunsapp.driver/databases/bugly_db_yaq-journal

MD5 cb8c135c2c53f7e7d154f10557fc293f
SHA1 79ffdacea00ea25e4bb9b97ade3a95b26587c329
SHA256 5494087f3a5c5082d37cc0a43e782aa8908a0598a50064c3effa4aebf8975d3d
SHA512 77ed9476c5a558c39e304fa2b749508b752d4ce41329dd56011788489ef1d8e1d8184acff3fc1f962df4725e652e336154f4a2fa2696298d013fe13b865ccd69

/data/data/cn.sunsapp.driver/databases/bugly_db_yaq

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/cn.sunsapp.driver/app_crashrecord/1004

MD5 565fb7bbe08cfe17637194563df9d5d2
SHA1 c36b46869fdf52e22eff7d2be42b17f01281a7b1
SHA256 b621e5f4462be55cdbbcad1ef9f6737dec013dd14f70a419f7557fe34ada1ff3
SHA512 dde6f012f92da386d263cae2ca122a656dad0bd3b263be38e33f0c8eca8ce66a30854b1069cf02fd8531c766426e049b2cec6d6b635da6f61483ce6e65727ec0

/data/data/cn.sunsapp.driver/databases/bugly_db_yaq-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/cn.sunsapp.driver/databases/bugly_db_yaq-wal

MD5 7aba158ef8e98295fb677744d83a2447
SHA1 8db837dfac338458dd3021f88374ddaf2df4a886
SHA256 858ff0e1138f2d56b9cd0fecc5751a27bcc10fb9b28fa34d2992f7399d1567e4
SHA512 88df7484f88b9850361fca41fee9e787f9a59739f54fe35b0e28a0ee3643a9e321eb54f93e188b03042d35c4e0acfde16f81cd9e4351efa84885c46408fc65ff

/data/data/cn.sunsapp.driver/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 17:31

Reported

2024-06-05 17:32

Platform

android-33-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.213.4:443 udp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.213.4:443 udp
GB 216.58.213.10:443 udp
GB 216.58.213.10:443 tcp

Files

N/A