Malware Analysis Report

2025-01-19 08:07

Sample ID 240605-v7n5xseb23
Target 98cae89ec80bddb72d245fd330ee539c_JaffaCakes118
SHA256 052f6523fd87e0b889b50d16390bac3c322d816494566dda077c640a66fe1067
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Mobile Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

052f6523fd87e0b889b50d16390bac3c322d816494566dda077c640a66fe1067

Threat Level: Likely malicious

The file 98cae89ec80bddb72d245fd330ee539c_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks known Qemu files.

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Domain associated with commercial stalkerware software (indicator list from echap.eu.org). Caveat: the matched domains, s.appjiagu.com and b.appjiagu.com, are the service domains of the 360 Jiagu app packer, which this sample uses (see the .jiagu/ directory and libjiagu.so under behavioral1); the hit corroborates the packing, it is not by itself evidence of stalkerware functionality.

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Tactics tagged for this sample: discovery, evasion, impact, persistence.

Analysis: static1

Detonation Overview

Reported

2024-06-05 17:38

Signatures

Requests dangerous framework permissions

Permission                                  Grants
android.permission.SYSTEM_ALERT_WINDOW      Create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY, drawn on top of all other apps.
android.permission.WRITE_SETTINGS           Read or write the system settings.
android.permission.WRITE_EXTERNAL_STORAGE   Write to external storage.
android.permission.READ_PHONE_STATE         Read-only access to phone state: current cellular network, status of ongoing calls, registered PhoneAccounts.
android.permission.ACCESS_FINE_LOCATION     Precise location.
android.permission.ACCESS_COARSE_LOCATION   Approximate location.
android.permission.CALL_PHONE               Place a call without the Dialer UI asking the user to confirm.
android.permission.SEND_SMS                 Send SMS messages.
android.permission.READ_SMS                 Read SMS messages.
android.permission.READ_EXTERNAL_STORAGE    Read from external storage.
android.permission.READ_CALL_LOG            Read the user's call log.
android.permission.READ_CONTACTS            Read the user's contacts.
android.permission.GET_ACCOUNTS             List the accounts in the Accounts Service.

Taken together: overlay, location, SMS send and read, unconfirmed calls, call log, contacts and accounts. That is the capability set of surveillance-class apps and is what makes the manifest alone worth scrutiny. Note that the behavioral runs below record no SMS, call-log or contacts access, so the permissions show intent (or SDK bloat), not observed collection.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 17:38

Reported

2024-06-05 17:41

Platform

android-x86-arm-20240603-en

Max time kernel

156s

Max time network

153s

Command Line

com.qmdk.fqgj

Signatures

Checks if the Android device is rooted. [evasion]
  File access: /system/bin/su
  File access: /system/xbin/su

Checks known Qemu files. [evasion]
  File access: /sys/qemu_trace

Probing for su binaries and QEMU artifacts is standard root and emulator detection. Apps that get a positive result commonly change behaviour or exit, so a run in which the check is visible is not guaranteed to show the full behaviour.

Loads dropped Dex/Jar [evasion]
  /data/data/com.qmdk.fqgj/.jiagu/classes.dex
  /data/data/com.qmdk.fqgj/.jiagu/classes.dex!classes2.dex

The .jiagu/ directory and libjiagu.so are the runtime artifacts of the 360 Jiagu packer: the application's real dex files are written there at start-up and loaded from the private data directory, so static analysis of the APK alone will not see the code that actually runs.

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
  s.appjiagu.com
  b.appjiagu.com

Caveat: both are 360 Jiagu packer service domains, contacted over plain HTTP (see Network). The packer is used by Chinese-market apps of every kind, so this hit confirms the packing rather than stalkerware behaviour.

Queries information about active data network [discovery]
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection [discovery]
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events) [persistence]
  Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data) [impact]
  Framework API call: javax.crypto.Cipher.doFinal

Caveat: Cipher.doFinal is called by most packed apps and by ordinary SDKs for configuration or transport encryption. No encrypted user files appear in the Files list, so on its own this is a weak signal.

Checks CPU information
  File opened for read: /proc/cpuinfo

Checks memory information
  File opened for read: /proc/meminfo

Reading /proc/cpuinfo and /proc/meminfo serves device fingerprinting and is also a common emulator check (CPU model strings differ on virtual devices).
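The file-access, framework-call and process indicators above are what the sandbox's evasion, discovery, persistence and impact signatures key on. As an added example, not part of the report or of the sandbox's own rule set, here is a small Python classifier that applies the same heuristics to log lines of a constructed "open <path>" / "call <api>" / "exec <cmdline>" shape. The line format, the rule names and the regexes are this example's assumptions; the sample log is built from the indicators printed in the report.

```python
import re
from collections import defaultdict

# Rule set modelled on the sandbox signatures above; categories, names and
# regexes are this example's assumptions, not the sandbox's real rules.
# Each rule: (event kind, tactic, signature name, regex over the indicator).
RULES = [
    ("open", "evasion",     "root check (su binary)",
     re.compile(r"^/(system|sbin|vendor)(/x?bin)?/su$")),
    ("open", "evasion",     "emulator (QEMU) artefact check",
     re.compile(r"qemu", re.IGNORECASE)),
    ("open", "evasion",     "dex/jar loaded from app data dir",
     re.compile(r"^/data/(data|user/\d+)/[^/]+/.+\.(dex|jar)(!classes\d+\.dex)?$")),
    ("exec", "evasion",     "dropped native library made executable",
     re.compile(r"^chmod\s+[0-7]+\s+/data/.+\.so$")),
    ("exec", "evasion",     "dex2oat on dropped dex",
     re.compile(r"\bdex2oat\b.*--dex-file=/data/(data|user/\d+)/")),
    ("open", "discovery",   "device fingerprinting (/proc)",
     re.compile(r"^/proc/(cpuinfo|meminfo)$")),
    ("call", "discovery",   "network state query",
     re.compile(r"IConnectivityManager\.getActiveNetworkInfo$|IWifiManager\.getConnectionInfo$")),
    ("exec", "discovery",   "process enumeration",
     re.compile(r"(^|\s)ps(\s|$)")),
    ("call", "persistence", "broadcast receiver registered at runtime",
     re.compile(r"IActivityManager\.registerReceiver$")),
    ("call", "impact",      "crypto API use",
     re.compile(r"^javax\.crypto\.Cipher\.doFinal$")),
]

# Constructed log line shape: "<kind> <indicator>", kind in {open, call, exec}.
LINE_RE = re.compile(r"^(?P<kind>open|call|exec)\s+(?P<indicator>.+)$")


def classify(lines):
    """Map each log line to every rule it triggers.
    Returns {(tactic, signature name): [indicator, ...]}."""
    hits = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the expected shape; ignore
        kind, indicator = m.group("kind"), m.group("indicator")
        for rule_kind, tactic, name, rx in RULES:
            if kind == rule_kind and rx.search(indicator):
                hits[(tactic, name)].append(indicator)
    return dict(hits)


def tactics(hits):
    """Distinct tactic tags, sorted, as a report header would list them."""
    return sorted({tactic for tactic, _ in hits})


def unmatched(lines):
    """Well-formed lines no rule fired on; the list to look at when tuning rules."""
    rest = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, indicator = m.group("kind"), m.group("indicator")
        if not any(kind == k and rx.search(indicator) for k, _, _, rx in RULES):
            rest.append(indicator)
    return rest


# Constructed sample log, shaped after the behavioral1 indicators and process
# list in the report; not a real sandbox export.
SAMPLE_LOG = [
    "open /system/bin/su",
    "open /system/xbin/su",
    "open /sys/qemu_trace",
    "open /proc/cpuinfo",
    "open /proc/meminfo",
    "open /data/data/com.qmdk.fqgj/.jiagu/classes.dex",
    "open /data/data/com.qmdk.fqgj/.jiagu/classes.dex!classes2.dex",
    "open /data/data/com.qmdk.fqgj/files/.jiagu.lock",
    "call android.net.IConnectivityManager.getActiveNetworkInfo",
    "call android.net.wifi.IWifiManager.getConnectionInfo",
    "call android.app.IActivityManager.registerReceiver",
    "call javax.crypto.Cipher.doFinal",
    "exec chmod 755 /data/user/0/com.qmdk.fqgj/.jiagu/libjiagu.so",
    "exec /system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/data/com.qmdk.fqgj/.jiagu/classes.dex "
    "--oat-file=/data/data/com.qmdk.fqgj/.jiagu/oat/x86/classes.odex",
    "exec sh -c ps",
]

if __name__ == "__main__":
    hits = classify(SAMPLE_LOG)
    for (tactic, name), indicators in sorted(hits.items()):
        print(f"[{tactic}] {name}: {len(indicators)} hit(s)")
    print("tactics:", ", ".join(tactics(hits)))
    print("unmatched:", unmatched(SAMPLE_LOG))
```

The rules are keyed on event kind as well as pattern so that a path string in an exec line cannot trigger a file-access rule; the only line left unmatched in the sample is the packer's lock file, which is exactly the kind of leftover to review when tuning.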

Processes

com.qmdk.fqgj
  chmod 755 /data/user/0/com.qmdk.fqgj/.jiagu/libjiagu.so
  /system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.qmdk.fqgj/.jiagu/classes.dex --dex-file=/data/data/com.qmdk.fqgj/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.qmdk.fqgj/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed
  sh -c ps
    ps

The first two commands are the 360 Jiagu unpack sequence: the packer stub makes its native loader executable, drops the real classes.dex and classes2.dex into .jiagu/ and has dex2oat compile them, which is what the "Loads dropped Dex/Jar" signature records. `sh -c ps` enumerates the running processes.

Network

Country  Destination           Domain                               Proto
N/A      224.0.0.251:5353      -                                    udp
GB       142.250.187.234:443   -                                    tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com   udp
US       1.1.1.1:53            app-router.leancloud.cn              udp
US       1.1.1.1:53            api.leancloud.cn                     udp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
US       1.1.1.1:53            www.zhonglongit.com                  udp
US       1.1.1.1:53            api.map.baidu.com                    udp
HK       103.235.46.245:80     api.map.baidu.com                    tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
GB       142.250.200.46:443    -                                    tcp
US       1.1.1.1:53            android.apis.google.com              udp
GB       142.250.187.206:443   android.apis.google.com              tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
US       1.1.1.1:53            s.appjiagu.com                       udp
US       104.192.110.60:80     s.appjiagu.com                       tcp
GB       216.58.204.74:443     semanticlocation-pa.googleapis.com   tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
US       1.1.1.1:53            b.appjiagu.com                       udp
CN       180.163.249.208:80    b.appjiagu.com                       tcp
CN       106.63.25.33:80       b.appjiagu.com                       tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
US       1.1.1.1:53            api.leancloud.cn                     udp
CN       106.75.100.17:443     api.leancloud.cn                     tcp
CN       106.75.100.17:443     api.leancloud.cn                     tcp

Reading the table: "-" in the Domain column means the sandbox could not tie the connection to a lookup. All lookups go to 1.1.1.1:53, the resolver used in the run; 224.0.0.251:5353 is mDNS; 142.250.x.x and 216.58.x.x are Google address space. s.appjiagu.com and b.appjiagu.com (360 Jiagu packer) and api.map.baidu.com (Baidu Maps) are contacted over plain HTTP on port 80. api.leancloud.cn (LeanCloud backend, matching the avoscloud cache files below) accounts for most of the TLS sessions. www.zhonglongit.com and app-router.leancloud.cn were resolved but no connection to either is recorded.
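As an added example, not part of the report, here is a Python summariser over the behavioral1 rows exactly as printed above. It answers the three questions an analyst asks of such a table: which domains were only resolved, which endpoints were contacted with no domain attribution, and which traffic went in clear text. The row format handling, function names and the "cleartext means TCP/80" rule are this example's assumptions.

```python
from collections import Counter

# Rows copied from the behavioral1 Network table in the report (header omitted).
BEHAVIORAL1_NETWORK = """
N/A 224.0.0.251:5353 udp
GB 142.250.187.234:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 app-router.leancloud.cn udp
US 1.1.1.1:53 api.leancloud.cn udp
CN 106.75.100.17:443 api.leancloud.cn tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
US 1.1.1.1:53 www.zhonglongit.com udp
US 1.1.1.1:53 api.map.baidu.com udp
HK 103.235.46.245:80 api.map.baidu.com tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 106.63.25.33:80 b.appjiagu.com tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
US 1.1.1.1:53 api.leancloud.cn udp
CN 106.75.100.17:443 api.leancloud.cn tcp
CN 106.75.100.17:443 api.leancloud.cn tcp
"""


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain is optional."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # malformed line
        if ":" not in dest:
            continue  # header line or malformed destination
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(text):
    """Split the rows into lookups and connections and derive the analyst views."""
    queried, contacted = set(), set()
    connections, unattributed = Counter(), Counter()
    cleartext = set()
    for r in parse_rows(text):
        if r["port"] == 53 and r["proto"] == "udp" and r["domain"]:
            queried.add(r["domain"])      # a DNS query, not a connection
            continue
        connections[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
        if r["domain"] is None:
            unattributed[(r["ip"], r["port"], r["proto"])] += 1
        else:
            contacted.add(r["domain"])
        if r["port"] == 80 and r["proto"] == "tcp":
            cleartext.add(r["domain"] or r["ip"])  # assumption: TCP/80 is plain HTTP
    return {
        "queried": sorted(queried),
        "contacted": sorted(contacted),
        "queried_not_contacted": sorted(queried - contacted),
        "connections": connections,
        "unattributed": unattributed,
        "cleartext": sorted(cleartext),
    }


def connection_count(summary, domain):
    """Number of recorded connections attributed to one domain."""
    return sum(n for (d, _, _, _), n in summary["connections"].items() if d == domain)


if __name__ == "__main__":
    s = summarize(BEHAVIORAL1_NETWORK)
    print("resolved only:", s["queried_not_contacted"])
    print("no domain attribution:", dict(s["unattributed"]))
    print("cleartext HTTP:", s["cleartext"])
    print("api.leancloud.cn sessions:", connection_count(s, "api.leancloud.cn"))
```

A domain that is resolved but never contacted usually means the lookup failed or the app only checked reachability; an endpoint with no domain attribution is either pre-resolved infrastructure (as with the Google addresses here) or a hard-coded address, which is the case worth chasing in a hostile sample.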

Files

A path listed more than once (classes.dex, dso_state, .jg.di, .jg.ac) was written with different content during the run; each entry is a separate content snapshot. Most paths are SDK artifacts rather than the app's own data: .jiagu/ and libjiagu.so (360 Jiagu packer), /storage/emulated/0/360/ (360 SDK device-id files), files/.jglogs/ (JPush push SDK), lib-main/dso_* (Facebook SoLoader), databases/RKStorage* (React Native AsyncStorage), tbslog/ (Tencent TBS WebView), cache/Analysis/avoscloud-analysis (LeanCloud, formerly AVOSCloud, SDK, matching the api.leancloud.cn traffic; the CommandCache entries are most likely from the same SDK). The dropped classes.dex and classes2.dex are the files to pull for static analysis.

/data/data/com.qmdk.fqgj/.jiagu/libjiagu.so

MD5 f7f5e960db0c8a6f3b5b8d1a0427a042
SHA1 a8b623f9f87a6e785508befe07314da2fa903bfa
SHA256 17ac5b03f2a51ebdf2cce66314bc8e3e1547bfa0dde61357fcc07768aaaecb3c
SHA512 ec889d1d9428cdbac082d0b5ab81cf33ac417874a416daf27b02af3d207b1b02ed794fc0b3f0ea266c8edaf3bfeb8f3cef7c631af689405fa629fee948ae8cba

/data/data/com.qmdk.fqgj/.jiagu/classes.dex

MD5 884d4a76c074f77baa27307dfff82392
SHA1 ff03cc10ab162c3b1850d3841382919778c407b4
SHA256 a9cda39251842b275e24898a13c5f073ce0705e424b8a927ef7bc4057db808c6
SHA512 af62c6dc4c668e04f1733badc17d3abb88eef0f5a3feb86b53fdac8f7f7eca526191765dd22adab4a13adc0aa584347deeb64636a2e3d7d63737d05df6f6a838

/data/data/com.qmdk.fqgj/.jiagu/classes.dex

MD5 756fdecbbcb8b33a8632e16ded65c18c
SHA1 24239d58376911e4dcedfa22b16ed7b837d6c1ca
SHA256 14d530c01cab67093973c73d99d858f0f1fea3e2164a88fdca9aaf0cad2274af
SHA512 3a6491f04fdd8be2cd46b86dfcaa6485a54fcae477b93c6b2329a7481ff3be81ef743a255d5973f8c5fb706146a593917fc0b27bbdc49e700b3cab8f8c6c401e

/data/data/com.qmdk.fqgj/.jiagu/classes.dex!classes2.dex

MD5 c4111cfaca162b46042310b11ea9a8cd
SHA1 1ec963a64a2561f02811fd8ec18f4503b0ae4dfa
SHA256 247553a455dd3464a4620badddd20cf62de48c52fa59b4902a45b84a92ddff80
SHA512 07ed4d5b2f05e9dbcb9035d2406053aa8aa8521d9e159afcbda94f1a6418d8ef665603e9f40e4fb71b86bc26e149b5a8760b344be79386fff63ae280b14fcd07

/data/data/com.qmdk.fqgj/files/.jglogs/.jg.ri

MD5 ad3921efd9896f24065fc7484f8b8384
SHA1 aae1b3fb8efaf388a2c763cd2ca195850c25848e
SHA256 837516a98c7cf44d10d4a5c76c30aac87f4a8b32822419e63bc8a0adbf305d8e
SHA512 0ca1156135f6ee6951001d3fec7f5534c1e3103e6722c90391699dbb17f8c64ab0f558a064646392e9a870c81d78722d9bdb8b2d08ef9153711d8d7647b2ba56

/data/data/com.qmdk.fqgj/files/.jiagu.lock

MD5 893d6e8aa45bd6b51caf9ff08362ba50
SHA1 abcf47953ab79de69ca2ccee46145ff73f94a6df
SHA256 7361c28fa45b7ff5f96ea109fc3b566228dead44e96ebc2f637382e45c454350
SHA512 495f59f611926c203493cb68b727774940c5672a8d3b47b9c983d45d65f40ca9ccebaa7319d89eb00c8066209d7187599a613f2c3323ff8365d49250e99d6bad

/data/data/com.qmdk.fqgj/files/.jglogs/.jg.ac

MD5 fb646c85c9abb88a289cfa977a9e9aa3
SHA1 f7600d7204adf7ce2a996034bebcda0550242b0c
SHA256 d673e78ef450a1cea44667118b9d7e9a93d82a232cca78c20caf7fca1c8d552c
SHA512 ca4e7059a8201b9dbceb50e3d346c2f46064a0cdb45bc2ae0ffdc35a816ad06c9a06caea7298801fa2391f80dac3636aa26ce967ef87d7f4a50b46cad2a9fbe5

/data/data/com.qmdk.fqgj/files/.jglogs/.jg.ic

MD5 71a1ccd95c88ff3da04a927b7cf15ca4
SHA1 daa7780ca9237a05d4a5011c8cf659e672bf5458
SHA256 3114a87d80b7c6dc5edbdb91332c3d4e9d02352c8a0d726aed07b009b147d93b
SHA512 9e16f36f6d3972e4078e8eae05f79c0b4d5de370709a509589f8050d9b72ace01669d93a9f09e6c4fbc38c76c2de70f194d650dda77fab83ab782decd8607ad7

/data/data/com.qmdk.fqgj/files/.jglogs/.jg.di

MD5 8c2b4780ce928355457d1d5a67e1ae96
SHA1 21b13ecac11b1990139a1a2e3d47241efb303494
SHA256 2b14497707352a5e72f96752bc7f17dad13995d9e0b5568d967b5d8c6e5e7b44
SHA512 f4693a12474f11fbdef8aa1d3565038a1bdf3c18df99f5e59850078f0c1481cfb816db695666dbb078a499e114376e952f1f25a63b9848b41ba5540233dc84cc

/storage/emulated/0/360/.iddata

MD5 73f9fceeb41eaaca4c93a2db7eade5d0
SHA1 555b794a6a082c11d76df76b09826325a6196cee
SHA256 b4af43264b96d5dc103a0c4712d31bb44bc226865e1cfd0bca7dab9943d19fe9
SHA512 56625ba4dca96bfd4082ab9b245d55566e9736ccbe6250fcc9d48f4de7525e1538628c9bf2fdfde3405139c92bbaaaf8d872ac4697b06da71f5fa79dbc2c295e

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.qmdk.fqgj/lib-main/dso_state

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

/data/data/com.qmdk.fqgj/lib-main/dso_deps

MD5 63507b65b722048bdd68dcf0af03fde8
SHA1 d072108896d4c3c8b35ee32646b52141c5bfa164
SHA256 60efce0a2b0acc96c04fdf2778b1ec553d9bb29286cf8e39036b0101fe89323c
SHA512 8c1c9f98c3f602685f65dcd57ff2fb300ffc329723716174e1bab778279de2ebba967206fb3d3c90c5b65f16023b4029a02b5017ee1e97d0a85610ef1b6668eb

/data/data/com.qmdk.fqgj/lib-main/dso_manifest

MD5 c06857e9ea338f3f3a24bb78f8fbdf6f
SHA1 c5a0a2529d2deb60fec041b4fbd722a2ebe31702
SHA256 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027
SHA512 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

/data/data/com.qmdk.fqgj/lib-main/dso_state

MD5 55a54008ad1ba589aa210d2629c1df41
SHA1 bf8b4530d8d246dd74ac53a13471bba17941dff7
SHA256 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
SHA512 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

/storage/emulated/0/Android/data/com.qmdk.fqgj/files/tbslog/tbslog.txt

MD5 992080ab6049850de20261fc95d43a40
SHA1 e348ab6536cad2fdf01e58b68b0531f12ad906dc
SHA256 342de70b9642715786f1b2735064771192c8663d8896f277f73459278801efa0
SHA512 9eb2f97b82a5ff9cafb35ad67e2d2ec5f8c0461a484c4e60bb6b9619f755cb98c86365f0638add48e8c888a3eb75354123828c21a6f779fc80adc60ada9dee75

/data/data/com.qmdk.fqgj/cache/CommandCache/a221f94dfbaeeeebd4aeae0c3d6ab347

MD5 545fb8bbed93d214b6a61a03245936b4
SHA1 d85ca31c6021ec6b2bd0de5794c057b9f7684b84
SHA256 38f6b23d35ee2358210d7061a48c91867cad603e81d49ee3e55a77e4c0d59c6e
SHA512 9617ff71328bdf9fe846812817bb789e0829a0ab5a46a64c86bbcea2a76449c93549a9f8af88891af8ed7ee66e98984e69197dcd46ff735d7ee72f09be49dd44

/data/data/com.qmdk.fqgj/cache/Analysis/avoscloud-analysis

MD5 71466861646b617eacafde345141f770
SHA1 ad1d03571b3578ca7ab9096e09204a54670a4f28
SHA256 5a2c87ec66b464a71bbd52828d55172954ed47d6be703a88c8af1f133fbb0657
SHA512 214bf8bf8fb101e2e613047598addcee0e1b3faf41f520800444815795585895b24704c6501240e6fdd3983c05f52427e00ac825493b5373d31325a982c13988

/data/data/com.qmdk.fqgj/databases/RKStorage-journal

MD5 80797c667f4b3470835284680f85b787
SHA1 c7d0c67accc4d97fc185dca410cee05e7d51a66a
SHA256 43dfa776b262d34a5f79357c8e4764c5d9d639935e162c268065586a9613f062
SHA512 c98a19ac9f371e7f1572453f506f9a822f3d2ad64094868f8914f21115657feeddecf80f68f4811c486772ed31bf97b1aff056c444daffda3f06cd18d4a298c6

/data/data/com.qmdk.fqgj/databases/RKStorage

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.qmdk.fqgj/databases/RKStorage-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.qmdk.fqgj/databases/RKStorage-wal

MD5 1bf733e7d3f77cc913923cd15dafcfaf
SHA1 a797030f1c77f9681de915c6918406f050b9de10
SHA256 0e71c67a27e525a2ee27e3fd6f05788c9207694d8cbf3025e8f3fc9fbae301c4
SHA512 17d1a2f5612a9dad0011f2935d63d8e7d946ad88349fa39ba1c72370b8fa56257b4c337922cf471cb3aed7d2adb3973ff55aa5e938e9f166eddec95393019074

/data/data/com.qmdk.fqgj/cache/CommandCache/feaebe3233781579d301893b1f207885

MD5 a1e2da023f1d37b77153e9422091359d
SHA1 c3eb961fd7d7f79ce832d547a75a311cc2d5cf51
SHA256 1180f5af2d1967f20235f7167f7341f9da8e2633c1c3fc6c5bf2d6627e8b4b88
SHA512 b6947cd41855fd271c57023edb9f38945776281b35610c32f52cfb1d29a9cf1a5b24411b8f4f8bc4628e34465e3c3e1fd8d5b378e3bb1e0048cdce7dcab3f5ea

/data/data/com.qmdk.fqgj/files/.jglogs/.jg.di

MD5 8dd87529e7eb81879ee2a896bfd29600
SHA1 4e71012af9fd33391ec1962c6c7165847f075413
SHA256 ec95733e466fc56528c4d611fade67ec81bd89a15ed24c82ea8f2294564b83a8
SHA512 37a972df58f2edd8d600a5ffa413a4f5d56441e62ba92f69f94d443c02328e75dca06e1210dfb107347c83d3f0d1a4645b13dc5c5c7f8cf9b764afb8f232ea5f

/data/data/com.qmdk.fqgj/files/.jglogs/.jg.ac

MD5 002a38d2bbf96a643aaecc21a2a4e347
SHA1 7edcf11771f999ec4d3d4707f8b4654c1b29418f
SHA256 bd8c80511e6c9bcea670c66042e0b4f0878b833e04328e9545387199d51bc885
SHA512 e0c11a118b734d302af74f1073cac1fdd4438deec7f83d8015ecc0a9ae14bd2d18a303bbbd0a7c43916eae383f6d216d02e137833c2000b921a2f445821496dd
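A file list like the one above is mostly noise, and the hashes let you sort it without the files: the two dso_state snapshots hash to a single 0x00 byte and a single 0x01 byte (consistent with SoLoader's one-byte dirty/clean flag), so they are not worth extracting, while the .jiagu/ dex and .so files are. As an added example, not part of the report, here is a Python triage helper that computes the hashes of such trivial contents rather than hard-coding them, groups repeated paths, and picks out the code and packer artifacts; the trivial-content set, suffix list and function names are this example's assumptions, and the entries are a subset of the table above.

```python
import hashlib
from collections import defaultdict

# Byte strings whose hashes show up constantly in sandbox file lists (flag
# files, empty files, lock files). The set is an assumption; extend as needed.
TRIVIAL_CONTENTS = {
    b"": "empty file",
    b"\x00": "single 0x00 byte",
    b"\x01": "single 0x01 byte",
    b"\n": "single newline",
    b"0": "ASCII '0'",
    b"1": "ASCII '1'",
}


def trivial_by_sha256():
    """SHA-256 -> label for every trivial content, computed rather than hard-coded."""
    return {hashlib.sha256(c).hexdigest(): label for c, label in TRIVIAL_CONTENTS.items()}


CODE_SUFFIXES = (".dex", ".odex", ".jar", ".so", ".apk")


def triage(entries):
    """entries: iterable of (path, sha256 hex). Returns what to pull (code and
    packer artifacts), what is noise (trivial content) and what was rewritten
    during the run (more than one snapshot of the same path)."""
    trivial = trivial_by_sha256()
    by_path = defaultdict(list)
    for path, digest in entries:
        by_path[path].append(digest.lower())
    out = {"trivial": {}, "rewritten": {}, "code": [], "packer_artifacts": []}
    for path, digests in by_path.items():
        labels = [trivial[d] for d in digests if d in trivial]
        if labels:
            out["trivial"][path] = labels
        if len(digests) > 1:
            out["rewritten"][path] = len(digests)
        name = path.rsplit("/", 1)[-1]
        if name.endswith(CODE_SUFFIXES):  # classes.dex!classes2.dex ends in .dex too
            out["code"].append(path)
        if "/.jiagu/" in path or name.startswith(".jiagu") or name == "libjiagu.so":
            out["packer_artifacts"].append(path)  # 360 Jiagu naming, per the report
    return out


# Subset of the behavioral1 file list copied from the report: (path, SHA-256).
APP = "/data/data/com.qmdk.fqgj"
DROPPED = [
    (APP + "/.jiagu/libjiagu.so",
     "17ac5b03f2a51ebdf2cce66314bc8e3e1547bfa0dde61357fcc07768aaaecb3c"),
    (APP + "/.jiagu/classes.dex",
     "a9cda39251842b275e24898a13c5f073ce0705e424b8a927ef7bc4057db808c6"),
    (APP + "/.jiagu/classes.dex",
     "14d530c01cab67093973c73d99d858f0f1fea3e2164a88fdca9aaf0cad2274af"),
    (APP + "/.jiagu/classes.dex!classes2.dex",
     "247553a455dd3464a4620badddd20cf62de48c52fa59b4902a45b84a92ddff80"),
    (APP + "/files/.jiagu.lock",
     "7361c28fa45b7ff5f96ea109fc3b566228dead44e96ebc2f637382e45c454350"),
    (APP + "/lib-main/dso_state",
     "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d"),
    (APP + "/lib-main/dso_state",
     "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a"),
    (APP + "/lib-main/dso_manifest",
     "957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027"),
    (APP + "/databases/RKStorage",
     "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
    (APP + "/files/.jglogs/.jg.di",
     "2b14497707352a5e72f96752bc7f17dad13995d9e0b5568d967b5d8c6e5e7b44"),
    (APP + "/files/.jglogs/.jg.di",
     "ec95733e466fc56528c4d611fade67ec81bd89a15ed24c82ea8f2294564b83a8"),
]

if __name__ == "__main__":
    r = triage(DROPPED)
    for key in ("trivial", "rewritten", "code", "packer_artifacts"):
        print(f"{key}: {r[key]}")
```

Because the trivial-hash table is computed from the byte strings, adding another well-known filler (a lone "0", a bare newline) is a one-line change and there is no risk of a mistyped digest silently never matching.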

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 17:38

Reported

2024-06-05 17:38

Platform

android-33-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination           Domain   Proto
GB       142.250.200.36:443    -        udp
GB       142.250.200.36:443    -        udp
N/A      224.0.0.251:5353      -        udp

Only background traffic was seen on this 64-bit API 33 image: UDP/443 to a Google address (QUIC) and mDNS. With no command line, processes, signatures or files recorded and 7 seconds of network time, the sample produced no observable activity in this run, so the behavioral1 (x86) run is the one to rely on.

Files

N/A