Malware Analysis Report

2025-01-19 08:08

Sample ID 240605-x8s7dagd67
Target 9908ed4ed7140f76fea501066882809f_JaffaCakes118
SHA256 b40dfcec69980b6246bdb4255169f0ee4ac06de815c91e0bbe3562b3d1cbba8d
Tags
discovery impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

b40dfcec69980b6246bdb4255169f0ee4ac06de815c91e0bbe3562b3d1cbba8d

Threat Level: Shows suspicious behavior

The file 9908ed4ed7140f76fea501066882809f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Reads information about the phone's network operator

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-06-05 19:36

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 19:31

Reported

2024-06-05 19:44

Platform

android-x86-arm-20240603-en

Max time kernel

158s

Max time network

169s

Command Line

com.baidu.locker

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about the phone's network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.baidu.locker

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ufosdk.baidu.com udp
CN 124.237.176.102:80 ufosdk.baidu.com tcp
US 1.1.1.1:53 crab.baidu.com udp
CN 112.34.111.91:80 crab.baidu.com tcp
US 1.1.1.1:53 app.safe.baidu.com udp
US 1.1.1.1:53 sofire.baidu.com udp
CN 124.237.180.66:443 sofire.baidu.com tcp
CN 106.12.1.64:80 app.safe.baidu.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 111.206.209.144:80 ufosdk.baidu.com tcp
CN 124.237.180.66:443 sofire.baidu.com tcp

Files

/storage/emulated/0/Android/data/com.baidu.locker/files/baidu/locker/imagecache/journal.tmp

/data/data/com.baidu.locker/files/wallpapers_bd.zip

/data/data/com.baidu.locker/databases/faster.db-journal

/data/data/com.baidu.locker/databases/faster.db

/data/data/com.baidu.locker/databases/faster.db-shm

/data/data/com.baidu.locker/databases/faster.db-wal

/data/data/com.baidu.locker/files/01.jpg

/data/data/com.baidu.locker/files/02.jpg

/storage/emulated/0/baidu/.cuid

/data/data/com.baidu.locker/files/03.jpg

/data/data/com.baidu.locker/files/04.jpg

/data/data/com.baidu.locker/databases/tpgcc.db-journal

/data/data/com.baidu.locker/databases/tpgcc.db-wal

/data/data/com.baidu.locker/databases/wallpaper.db-journal

/data/data/com.baidu.locker/databases/d.db-journal

/data/data/com.baidu.locker/databases/wallpaper.db-wal

/data/data/com.baidu.locker/databases/d.db-wal

/data/data/com.baidu.locker/files/05.jpg

/data/data/com.baidu.locker/files/06.jpg

/data/data/com.baidu.locker/files/07.jpg

/data/data/com.baidu.locker/files/08.jpg

/data/data/com.baidu.locker/files/09.jpg

/storage/emulated/0/Android/data/com.baidu.locker/files/baidu/locker/imagecache/journal
