Malware Analysis Report

2025-01-19 05:01

Sample ID 240605-xaj6taed5z
Target 98ee531908a7a6b952a258674979682e_JaffaCakes118
SHA256 bdc1d1a4bcfdaa5e1cbf123236faa1bd205b40f30d419740ff11a425d733ad95
Tags: collection, discovery, evasion, impact, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: bdc1d1a4bcfdaa5e1cbf123236faa1bd205b40f30d419740ff11a425d733ad95

Threat Level: Shows suspicious behavior

The file 98ee531908a7a6b952a258674979682e_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Loads dropped Dex/Jar

Requests cell location

Queries information about the current nearby Wi-Fi networks

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 18:39

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-05 18:38

Reported

2024-06-05 18:39

Platform

android-x64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-05 18:38

Reported

2024-06-05 18:39

Platform

android-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 18:38

Reported

2024-06-05 18:42

Platform

android-x86-arm-20240603-en

Max time kernel

142s

Max time network

132s

Command Line

com.yundu.YaLiMaino2406oApp

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.yundu.YaLiMaino2406oApp/app_push_lib/plugin-deploy.jar N/A N/A
N/A /data/user/0/com.yundu.YaLiMaino2406oApp/app_push_lib/plugin-deploy.jar N/A N/A
N/A /data/user/0/com.yundu.YaLiMaino2406oApp/app_push_lib/plugin-deploy.jar N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.yundu.YaLiMaino2406oApp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yundu.YaLiMaino2406oApp/app_push_lib/plugin-deploy.jar --output-vdex-fd=56 --oat-fd=57 --oat-location=/data/user/0/com.yundu.YaLiMaino2406oApp/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&

com.yundu.YaLiMaino2406oApp:remote

com.yundu.YaLiMaino2406oApp:bdservice_v1

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 18:38

Reported

2024-06-05 18:39

Platform

android-33-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.228:443 udp
GB 142.250.187.228:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.228:443 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 18:38

Reported

2024-06-05 18:39

Platform

android-x86-arm-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A