Malware Analysis Report

2025-01-19 05:04

Sample ID 240605-v5tydsea58
Target 98c8259dc42b138a77a1df1234529614_JaffaCakes118
SHA256 deb741d2bedbb5dd0b72d24cdd27f1e4fe39bade094725ae52c2d66c96c4d768
Tags: banker collection discovery evasion impact persistence
Score: 8/10

Analysis Overview

score
8/10

SHA256

deb741d2bedbb5dd0b72d24cdd27f1e4fe39bade094725ae52c2d66c96c4d768

Threat Level: Likely malicious

The file 98c8259dc42b138a77a1df1234529614_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks Android system properties for emulator presence.

Checks Qemu related system properties.

Queries information about the current nearby Wi-Fi networks

Requests cell location

Loads dropped Dex/Jar

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 17:34

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 17:34

Reported

2024-06-05 17:38

Platform

android-x86-arm-20240603-en

Max time kernel

51s

Max time network

156s

Command Line

com.cqhd.yuxin

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /data/local/bin/su | N/A | N/A
N/A | /data/local/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /data/local/su | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.bootmode | N/A | N/A
Accessed system property key | ro.hardware | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.product.name | N/A | N/A
Accessed system property key | ro.serialno | N/A | N/A
Accessed system property key | ro.bootloader | N/A | N/A

Checks Qemu related system properties.

evasion
Description | Indicator | Process | Target
Accessed system property key | qemu.hw.mainkeys | N/A | N/A
Accessed system property key | qemu.sf.fake_camera | N/A | N/A
Accessed system property key | ro.kernel.android.qemud | N/A | N/A
Accessed system property key | ro.kernel.qemu.gles | N/A | N/A
Accessed system property key | ro.kernel.qemu | N/A | N/A
Accessed system property key | init.svc.qemud | N/A | N/A
Accessed system property key | init.svc.qemu-props | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.cqhd.yuxin/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.cqhd.yuxin/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.cqhd.yuxin/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.cqhd.yuxin/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.cqhd.yuxin/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.cqhd.yuxin/bmob_stat_p/ij.dex | N/A | N/A
N/A | /data/data/com.cqhd.yuxin/bmob_stat_p/ij.dex | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | s.appjiagu.com | N/A | N/A
N/A | b.appjiagu.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cqhd.yuxin

chmod 755 /data/data/com.cqhd.yuxin/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.cqhd.yuxin/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.cqhd.yuxin/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.cqhd.yuxin/.jiagu/classes.dex --dex-file=/data/data/com.cqhd.yuxin/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.cqhd.yuxin/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed

sh -c ps

ps

ps daemonsu

ps | grep su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ad.holaq.com | udp
US | 1.1.1.1:53 | open.bmob.cn | udp
HK | 47.244.47.88:8883 | ad.holaq.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | s.appjiagu.com | udp
US | 104.192.110.60:80 | s.appjiagu.com | tcp
US | 1.1.1.1:53 | b.appjiagu.com | udp
CN | 180.163.249.208:80 | b.appjiagu.com | tcp
CN | 106.63.25.33:80 | b.appjiagu.com | tcp

Files

/data/data/com.cqhd.yuxin/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.cqhd.yuxin/.jiagu/classes.dex

MD5 3d2dd7e645ebf928ef92de99706aa947
SHA1 566b5fb15fecf3036e72ee5f31b23a536eb0698e
SHA256 60d19e1d84dd21a6a26c58193b5588e1dbb54371c10d7bf7871eae6d5a7b1c47
SHA512 024b7c21afb6dd86f327a8868fc2f05c724a8af153c539b71698fec92366bbcb7a594088deb3ce46c15645f3cbb7f08d068cba5a3c64fc9ae0942de9400bec6b

/data/data/com.cqhd.yuxin/.jiagu/classes.dex

MD5 e3373a17e13a7fe7a1f38c9e3e1ad47a
SHA1 8a613d72e8c3e6169674ce9571978310cbb42f5d
SHA256 03b0a752b02f5bb029a98f8180c114403d0d5d27a15ac215e8578ff50542a926
SHA512 6c1bb9e7541daac75c0cf70a987f04972bb9140bc2fdd8a90891d9d70889ea9e926bfa680a5ea8866fcac0bd9029b07008343d7c07767b58312bbe81df71540a

/data/data/com.cqhd.yuxin/.jiagu/classes.dex!classes2.dex

MD5 7b10c71e4fd79ca53e806e17b391a076
SHA1 cd870a9448d4f06b35ec727fde640569e778e357
SHA256 acbf280ef574baf2d6d84231b6c98c2d1aaaa94e88623dbbd95635828745caa7
SHA512 3db3837696b93d87fe02df374dcd99bed74c5af1481efcb26d66d02302496bae27e60562478fface9a7941eb01abbc64c73dd83415a3c5caf25c756271bf2899

/data/data/com.cqhd.yuxin/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.ri

MD5 0872ebd5c511a0ac9880c2a6463716f8
SHA1 45c00526c65f6a4d355840f9901a4087d1e42f16
SHA256 2db8eb6950aa1b4d74727e7e741c2039e855cec12fb102b95d5571eb014aabd4
SHA512 abbb343a088f43fcdf60f128354003f4acffc348853f02fa8ae3cf4f5e6486baa61403a1624c44038e5cead779f0c4f381e219739e8c2947615f65dc94bf8d13

/data/data/com.cqhd.yuxin/files/.jiagu.lock

MD5 ab9dcdddbab2d91ae0c87bc02c454eb1
SHA1 20a4f3bc344ec2eaf6d0aa6c0f52e10a5f251096
SHA256 8de0a2913529218210367fc9b2529c07d47a051402756663fa492eb1e82baacd
SHA512 5797da771bb75ad73b53f6664d85d80c8a0e93e82943914518bf10a1273f78639c0e68cd60b98518013db7fffa19ea0963cfe86b338e54cfbdafcfc1645445e0

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.ac

MD5 2543fcdd2d4f50bce1e78902e4318961
SHA1 ce60cf8e53f1956c64aa94fd68b18086821efec6
SHA256 e51dd1f06360057c5ed7a5ab09d0f574b86a66f65b7aa6d4f237b18924cc2c42
SHA512 d896262258fa21de0ec620e111553c8ca75a3e5219efd48bb6686504b4e5fc12c5d2611b22e15a5957fb9ffb6c23fde42c494d3549c37db05e4df5df988a6a2c

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.ic

MD5 c0522761af441fe24cb4361fcdb974b4
SHA1 ec3a13cfc2cafa6c155670bac2142f379dfbe728
SHA256 fc3f11712ce4f4b47d3a7fa5ee51edcbcd5fc3f5032823e3e58d79310ab1e570
SHA512 0390fe965f63d64c56999b0b1f785a4f1d1ca7501818e0e81b026b195f5d66cae0e337028d82b5a5683ce7830bc3cdd7481e98d67638ef364a2000822828c750

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.di

MD5 4e5ae17ea0062f817cb01f747df1c703
SHA1 a3c5ed5b9f265415f1d109a6d52057d9ecbbf15d
SHA256 3b9744745b44f6289c64a06fe8da4d99aba230476701306056e64454dd67b46c
SHA512 7c20063d549025845f9863a14d2553726e401233b69d593ccb76c04e81d4283ed9c76a57a61d488bc37d27fcc76604a2f0265df6ddefc104ea7476529a2dcff4

/storage/emulated/0/360/.iddata

MD5 8e9f56fd7a76a418f40328ed1d685ed8
SHA1 4191728f2d3201024dc52bb97a02ba5b4b2dc96b
SHA256 b858f8271d59d14ac64b6a38daddc6ddc8bf2d19ca2b35e281c78807d2fcbce2
SHA512 cb907b2638dbe663e9a291a3916e6a6db909b53caaa528e440522ca6ad907aabda3805e7046591a56f1fd9abbabd1186c6e712a8e5a265a7e776764d71758a03

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.cqhd.yuxin/bmob_stat_p/ij.dex

MD5 580a599f6899d2ef9d5a2b0b2b6e1f07
SHA1 79f3db351de9eb369f003b3c983bdfbf5cfc59b2
SHA256 23bb84112f174f25713b2d0121a9211045e0ec925bc71ac6851366574de18a92
SHA512 81bb76529281dbc1d1978371f6a4c60e856f0fe53f5d885d8dcd30532163fd605d68e86a1f6a3308aee2d4833ebeec3b430c834a31d5d10b8419b4fc0edd7f5a

/data/data/com.cqhd.yuxin/.jiagu/.jgck

MD5 8f69efda539cf10019a772fe87106b12
SHA1 8f7b6c01069cb62ddbf266ab26fe32431de15f7d
SHA256 1aa4bcb6362b343481bda4293b46370f00bdc62131dad32a21bf066781cd1037
SHA512 f0e1a898f61e3b2841b73d539159945e2b2ef9362e3c910960e3098a44910d44635455443bf4c4b9a58d9039b47a561b7c6d304db7d76b85a96cbcf183ddc514

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.di

MD5 eb9ac4264538c2d3dd9454896c346e38
SHA1 634669c19115596ad285fd5a97e46e494c37540e
SHA256 65d4b406ad0b5589a0a2d1db1f79d5c6124563c789290c680235751a437a7f1d
SHA512 d0b218da638a4d0bfbcc060be959187035c045de8ac703808f8df8f60079186615000e88a6b731a076824583fe2d7b6f31a3ab69d8bbba9a5e5a54c88e2c3bf9

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.ac

MD5 4f3087353e34b002f6e81b6f2343e3de
SHA1 2a7b0516e98660dd774a147095ca6f0d54c10918
SHA256 c368841834118ac553361ba51922372aadaf76f399690a7693dba4afd81c5e77
SHA512 db7d735820e37a2c7229dc426c58b5469b52de0f01d4fd628fdea65e8a75636debbb65c3acd1e6dceb1672bf833f02c486b92749b2924eb6849760c854f7add2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 17:34

Reported

2024-06-05 17:38

Platform

android-x64-arm64-20240603-en

Max time kernel

6s

Max time network

139s

Command Line

com.cqhd.yuxin

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cqhd.yuxin/[email protected] | N/A | N/A
N/A | /data/user/0/com.cqhd.yuxin/[email protected]!classes2.dex | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Processes

com.cqhd.yuxin

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/user/0/com.cqhd.yuxin/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/user/0/com.cqhd.yuxin/.jiagu/classes.dex

MD5 3d2dd7e645ebf928ef92de99706aa947
SHA1 566b5fb15fecf3036e72ee5f31b23a536eb0698e
SHA256 60d19e1d84dd21a6a26c58193b5588e1dbb54371c10d7bf7871eae6d5a7b1c47
SHA512 024b7c21afb6dd86f327a8868fc2f05c724a8af153c539b71698fec92366bbcb7a594088deb3ce46c15645f3cbb7f08d068cba5a3c64fc9ae0942de9400bec6b

/data/user/0/com.cqhd.yuxin/[email protected]

MD5 e3373a17e13a7fe7a1f38c9e3e1ad47a
SHA1 8a613d72e8c3e6169674ce9571978310cbb42f5d
SHA256 03b0a752b02f5bb029a98f8180c114403d0d5d27a15ac215e8578ff50542a926
SHA512 6c1bb9e7541daac75c0cf70a987f04972bb9140bc2fdd8a90891d9d70889ea9e926bfa680a5ea8866fcac0bd9029b07008343d7c07767b58312bbe81df71540a

/data/user/0/com.cqhd.yuxin/[email protected]!classes2.dex

MD5 7b10c71e4fd79ca53e806e17b391a076
SHA1 cd870a9448d4f06b35ec727fde640569e778e357
SHA256 acbf280ef574baf2d6d84231b6c98c2d1aaaa94e88623dbbd95635828745caa7
SHA512 3db3837696b93d87fe02df374dcd99bed74c5af1481efcb26d66d02302496bae27e60562478fface9a7941eb01abbc64c73dd83415a3c5caf25c756271bf2899

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.ri

MD5 01c2bb2a7296194d991e0e3a528603bd
SHA1 1e8eb09019b07dc15519fe8011e520ddb6d7cd1a
SHA256 0d3611780cddc4b5e03a0190513d42997554a3e6d1a1e01e8f45a9274141177e
SHA512 1863f4d04c5c618550837d23de09b82aa1078445d2267444f7b1b0c62f318813456f92916cd6dcbe8b4e1488a70915a9057faa3dcf988831df1f8e61739a9597

/data/data/com.cqhd.yuxin/files/.jiagu.lock

MD5 7add64301a9c9c6abc427fa77a388dd0
SHA1 265b863bb7c0ccb62178857b744c32927b45f754
SHA256 0f3875c4cacb3873a2f679089b3069664d48324d903f4831da4c42338b91b5ce
SHA512 8e28493f6fc13e6b7faf1eac8eaf83104d4179e262e5d8ed34cdacd08ea788fe1259e23b2eb6ed496c5e2c273714c17e4a3195b1c49b659ab314f40f9c81ba40

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.ac

MD5 24116210c4035de0e4427e3e03617428
SHA1 cc8abe652fa926a6b268ed3aa5c0931b0e9817c5
SHA256 2352cd4a7559a0e793965010a6940d873d06d384290b76748c831e942c2037d8
SHA512 c950e51d9458a429dd3ae3aec5ccde36fd1dd1f8dc1763d1f999bfc7f3dc356d07e8187a9d3b06e9186be814296339da16e302eeb440efe29177ca9605b455da

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.ic

MD5 4375a969f8ec2077ee66ded072b5af92
SHA1 431b98319fd14882adc8f649c3e8747a6fcd173b
SHA256 e5f9d9e56b18a34e1209d07253ee43770c9d9ca8c973ebf919453e1d27662f45
SHA512 89a89ca141d95c3fb63c7039588663307512f5ca7c4fbb34cd2805f1631ecd2450280f4c4ee0a07773a3e8465eb1e5599b41d55c8b93e8e0dbd185e6657a440d

/data/data/com.cqhd.yuxin/files/.jglogs/.jg.di

MD5 4d5a7f548e9d9ba8f7979f323e53da39
SHA1 aee3d9f92f56859672c6a83728c7cbb2c4d2f1c9
SHA256 6628707704f269458b1964e8e815e3b6255b9d7bbd11d575a7b1f5fe512c7a04
SHA512 5a1aa6ee68b104da16c0e1bbb3ff205e757ebbb2dead9b237ad0b943b555fd866cee9268c68f71252677dfdb9f578d1e5c240e93dfd4f8a4668e7c20d22f3b1a

/storage/emulated/0/360/.iddata

MD5 691aecf7421e1f02762656519d69b1e1
SHA1 eadca5d8b8b4e7d9fd3b0e0e0a069a33e34147ad
SHA256 df29737482b508c7e739f59ad7e2123f7c45b164f5d7ef95461eb79e6f57fc30
SHA512 68056ab0f5d7273fe3f501cdfb6f551fd8b401d96b3d8ffc354316b07d1cf68ac1960cea714bab74febbb50aa0af19e6ba2a26a7dcb6f7a6cc22d8d25ecf867d

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399