Malware Analysis Report

2025-01-19 08:07

Sample ID 240605-vyrjpach5t
Target 98c1237b361c3ac05f1397b621000180_JaffaCakes118
SHA256 f7c342eb3a3d56bdf4d74bc93f2fdf2eb194909451af51be1ea41f37020f7948
Tags
discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f7c342eb3a3d56bdf4d74bc93f2fdf2eb194909451af51be1ea41f37020f7948

Threat Level: Shows suspicious behavior

The file 98c1237b361c3ac05f1397b621000180_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 17:24

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 17:24

Reported

2024-06-05 17:27

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

189s

Command Line

com.gogoroom.formal

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.gogoroom.formal

com.gogoroom.formal:pushcore

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 s.jpush.cn udp
US 1.1.1.1:53 update.sdk.jiguang.cn udp
CN 123.60.31.166:19000 s.jpush.cn udp
CN 123.60.31.166:19000 s.jpush.cn udp
US 1.1.1.1:53 sis.jpush.io udp
CN 139.159.137.254:19000 sis.jpush.io udp
CN 139.159.137.254:19000 sis.jpush.io udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
US 1.1.1.1:53 tcp
US 1.1.1.1:53 _psis._udp.jpush.cn tcp
CN 121.36.15.222:19000 udp
CN 123.60.79.150:19000 udp
CN 123.60.79.150:19000 udp
CN 124.70.159.59:19000 udp
CN 124.70.159.59:19000 udp
CN 120.46.141.4:19000 udp
CN 120.46.141.4:19000 udp
CN 121.36.15.222:19000 udp
US 1.1.1.1:53 _im64._tcp.jpush.cn tcp
US 1.1.1.1:53 im64.jpush.cn udp
US 1.1.1.1:53 tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
CN 139.9.138.15:7004 im64.jpush.cn tcp
CN 139.9.138.15:7004 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
CN 124.71.183.120:7004 im64.jpush.cn tcp
CN 124.71.183.120:7004 im64.jpush.cn tcp
CN 124.71.183.120:7005 im64.jpush.cn tcp
CN 124.71.183.120:7005 im64.jpush.cn tcp
CN 124.71.183.120:7006 im64.jpush.cn tcp
CN 124.71.183.120:7006 im64.jpush.cn tcp
CN 124.71.183.120:7007 im64.jpush.cn tcp
CN 124.71.183.120:7007 im64.jpush.cn tcp
CN 124.71.183.120:7008 im64.jpush.cn tcp
CN 124.71.183.120:7008 im64.jpush.cn tcp
CN 124.71.183.120:7009 im64.jpush.cn tcp
CN 124.71.183.120:7009 im64.jpush.cn tcp
GB 216.58.201.110:443 tcp
GB 142.250.187.194:443 tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 124.70.128.38:19000 s.jpush.cn udp
CN 124.70.128.38:19000 s.jpush.cn udp
CN 139.159.137.254:19000 easytomessage.com udp
CN 139.159.137.254:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
US 1.1.1.1:53 tcp
CN 120.46.141.4:19000 udp
US 1.1.1.1:53 _psis._udp.jpush.cn tcp
CN 120.46.141.4:19000 udp
CN 121.36.15.222:19000 udp
CN 121.36.15.222:19000 udp
CN 123.60.79.150:19000 udp
CN 123.60.79.150:19000 udp
CN 124.70.159.59:19000 udp
CN 124.70.159.59:19000 udp
US 1.1.1.1:53 tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
US 1.1.1.1:53 _im64._tcp.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 139.9.138.15:7004 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 139.9.138.15:7004 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7004 im64.jpush.cn tcp
CN 124.71.183.120:7004 im64.jpush.cn tcp
CN 124.71.183.120:7005 im64.jpush.cn tcp
CN 124.71.183.120:7005 im64.jpush.cn tcp
CN 124.71.183.120:7006 im64.jpush.cn tcp
CN 124.71.183.120:7006 im64.jpush.cn tcp
CN 124.71.183.120:7007 im64.jpush.cn tcp
CN 124.71.183.120:7007 im64.jpush.cn tcp
CN 124.71.183.120:7008 im64.jpush.cn tcp
CN 124.71.183.120:7008 im64.jpush.cn tcp
CN 124.71.183.120:7009 im64.jpush.cn tcp
CN 124.71.183.120:7009 im64.jpush.cn tcp
CN 124.70.128.38:19000 s.jpush.cn udp
CN 124.70.128.38:19000 s.jpush.cn udp

Files

/storage/emulated/0/data/.push_deviceid

MD5 64b5b767e7f37c4ae2fd17650746ffb8
SHA1 4e97e17211779b383ce319143e957d6dd9589770
SHA256 5cf1ef17ca19ccc02b4f3c7a685aa735c608e3897d451a610adddd6ede694043
SHA512 cb100f0ac7890653f2d07bf53fabb98ecc90031519a270e858e68a0a7a222ba8077a506fde06d62dba9236afda4ae48d99e56a7bb4ec9ee2c9d9b95ef5e0edca

/data/data/com.gogoroom.formal/files/jpush_stat_cache.json

MD5 2c96881a45adbf75d73706c596d7927c
SHA1 479d034df22c5c45c21d722f7017a5348bff2721
SHA256 bd54a280dba7f0a3020c4f3da179bf0fe289c7aa82524ddf5e0a68e58413bbf7
SHA512 d7649315742636dc1b23690c8a17dd86034014264d76b0bcd7eb1db213f7d203629056c760e49b247880b6aa3a4f56d8036bb44868510d4b7f17b30e9774e229

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 17:24

Reported

2024-06-05 17:27

Platform

android-x64-arm64-20240603-en

Max time kernel

179s

Max time network

187s

Command Line

com.gogoroom.formal

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.gogoroom.formal

com.gogoroom.formal:pushcore

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 216.58.201.106:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.201.106:443 tcp
US 1.1.1.1:53 update.sdk.jiguang.cn udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 s.jpush.cn udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
CN 120.46.131.222:19000 s.jpush.cn udp
CN 120.46.131.222:19000 s.jpush.cn udp
US 1.1.1.1:53 sis.jpush.io udp
CN 121.36.193.140:19000 sis.jpush.io udp
CN 121.36.193.140:19000 sis.jpush.io udp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
US 1.1.1.1:53 im64.jpush.cn udp
CN 1.94.2.18:7000 im64.jpush.cn tcp
CN 1.94.2.18:7000 im64.jpush.cn tcp
CN 1.94.2.18:7002 im64.jpush.cn tcp
CN 1.94.2.18:7002 im64.jpush.cn tcp
CN 1.94.2.18:7003 im64.jpush.cn tcp
CN 1.94.2.18:7003 im64.jpush.cn tcp
CN 1.94.2.18:7004 im64.jpush.cn tcp
CN 1.94.2.18:7004 im64.jpush.cn tcp
CN 1.94.2.18:7005 im64.jpush.cn tcp
CN 1.94.2.18:7005 im64.jpush.cn tcp
CN 1.94.2.18:7006 im64.jpush.cn tcp
CN 1.94.2.18:7006 im64.jpush.cn tcp
CN 1.94.2.18:7007 im64.jpush.cn tcp
CN 1.94.2.18:7007 im64.jpush.cn tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
CN 1.94.2.18:7008 im64.jpush.cn tcp
CN 1.94.2.18:7008 im64.jpush.cn tcp
CN 1.94.2.18:7009 im64.jpush.cn tcp
CN 1.94.2.18:7009 im64.jpush.cn tcp
CN 120.46.131.222:19000 easytomessage.com udp
CN 120.46.131.222:19000 easytomessage.com udp
CN 121.36.193.140:19000 easytomessage.com udp
CN 121.36.193.140:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 1.94.2.18:7000 im64.jpush.cn tcp
CN 1.94.2.18:7000 im64.jpush.cn tcp
CN 1.94.2.18:7002 im64.jpush.cn tcp
CN 1.94.2.18:7002 im64.jpush.cn tcp
CN 1.94.2.18:7003 im64.jpush.cn tcp
CN 1.94.2.18:7003 im64.jpush.cn tcp
CN 1.94.2.18:7004 im64.jpush.cn tcp
CN 1.94.2.18:7004 im64.jpush.cn tcp
CN 1.94.2.18:7005 im64.jpush.cn tcp
CN 1.94.2.18:7005 im64.jpush.cn tcp
CN 1.94.2.18:7006 im64.jpush.cn tcp
CN 1.94.2.18:7006 im64.jpush.cn tcp
CN 1.94.2.18:7007 im64.jpush.cn tcp
CN 1.94.2.18:7007 im64.jpush.cn tcp
CN 1.94.2.18:7008 im64.jpush.cn tcp
CN 1.94.2.18:7008 im64.jpush.cn tcp
CN 1.94.2.18:7009 im64.jpush.cn tcp
CN 1.94.2.18:7009 im64.jpush.cn tcp
CN 120.46.131.222:19000 easytomessage.com udp
CN 120.46.131.222:19000 easytomessage.com udp
CN 121.36.193.140:19000 easytomessage.com udp
CN 121.36.193.140:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 1.94.2.18:7000 im64.jpush.cn tcp
CN 1.94.2.18:7000 im64.jpush.cn tcp
CN 1.94.2.18:7002 im64.jpush.cn tcp
CN 1.94.2.18:7002 im64.jpush.cn tcp
CN 1.94.2.18:7003 im64.jpush.cn tcp
CN 1.94.2.18:7003 im64.jpush.cn tcp
CN 1.94.2.18:7004 im64.jpush.cn tcp
CN 1.94.2.18:7004 im64.jpush.cn tcp
CN 1.94.2.18:7005 im64.jpush.cn tcp
CN 1.94.2.18:7005 im64.jpush.cn tcp
CN 1.94.2.18:7006 im64.jpush.cn tcp
CN 1.94.2.18:7006 im64.jpush.cn tcp
CN 1.94.2.18:7007 im64.jpush.cn tcp
CN 1.94.2.18:7007 im64.jpush.cn tcp
CN 1.94.2.18:7008 im64.jpush.cn tcp
CN 1.94.2.18:7008 im64.jpush.cn tcp
CN 1.94.2.18:7009 im64.jpush.cn tcp
CN 1.94.2.18:7009 im64.jpush.cn tcp
CN 120.46.131.222:19000 easytomessage.com udp
CN 120.46.131.222:19000 easytomessage.com udp
CN 121.36.193.140:19000 easytomessage.com udp
CN 121.36.193.140:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 1.94.2.18:7000 im64.jpush.cn tcp

Files

/data/user/0/com.gogoroom.formal/files/jpush_stat_cache.json

MD5 2c96881a45adbf75d73706c596d7927c
SHA1 479d034df22c5c45c21d722f7017a5348bff2721
SHA256 bd54a280dba7f0a3020c4f3da179bf0fe289c7aa82524ddf5e0a68e58413bbf7
SHA512 d7649315742636dc1b23690c8a17dd86034014264d76b0bcd7eb1db213f7d203629056c760e49b247880b6aa3a4f56d8036bb44868510d4b7f17b30e9774e229

/storage/emulated/0/data/.push_deviceid

MD5 fc4972cde05b2b8286decb2b021a2580
SHA1 243773cdb330c6d02f6b6464ff4421e17adb4c97
SHA256 ec0969add562b01e526c910bee4c09fddccd04040cd2f3e2dea3085a3aeaf69e
SHA512 3707cf22fc0a779a282b7e18cb35ca609c7b93bf410e4ced40158552172e3950d34b124ccd59af169d54addb960101e1f7f676334b29e7a2d4814c4adc1bda38