Malware Analysis Report

2025-01-19 05:03

Sample ID 240606-avkxhsdf74
Target 999ecf52f44ac2dcb88dc7b4d09cc38f_JaffaCakes118
SHA256 242e0584c7bfb3267e39d3ad6dbf1bfe140ab5ea234a0fbdc0c8f54ca1a5bd1c
Tags
collection discovery evasion impact persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 999ecf52f44ac2dcb88dc7b4d09cc38f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted

Queries information about running processes on the device

Requests cell location

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-06-06 00:35

Signatures

Declares broadcast receivers with permission to handle system events

Indicator and description (process and target: N/A)
android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator and description (process and target: N/A)
android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_VPN_SERVICE: Required by VPN services to bind with the system. Allows apps to provision VPN services.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator and description (process and target: N/A)
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.PACKAGE_USAGE_STATS: Allows an application to collect component usage statistics.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 00:31

Reported

2024-06-06 00:55

Platform

android-x86-arm-20240603-en

Max time kernel

28s

Max time network

190s

Command Line

com.sogou.androidtool

Signatures

Checks if the Android device is rooted

evasion
Indicator: /sbin/su (5 identical events; description, process and target: N/A)

Queries information about running processes on the device

discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses (5 identical events; process and target: N/A)

Requests cell location

collection discovery evasion
Indicator: framework service call com.android.internal.telephony.ITelephony.getCellLocation (5 identical events; process and target: N/A)

Queries information about active data network

discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo (5 identical events; process and target: N/A)

Queries information about the current Wi-Fi connection

discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo (5 identical events; process and target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver (4 identical events; process and target: N/A)

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator: framework API call javax.crypto.Cipher.doFinal (process and target: N/A)

Checks CPU information

Indicator: file opened for read /proc/cpuinfo (process and target: N/A)

Checks memory information

Indicator: file opened for read /proc/meminfo (process and target: N/A)

Processes

com.sogou.androidtool

chmod 777 /data/user/0/com.sogou.androidtool/cache

chmod 777 /data/user/0/com.sogou.androidtool/cache

cat /sys/class/net/wlan0/address

com.sogou.androidtool:remote_proxy

chmod 777 /data/user/0/com.sogou.androidtool/cache

com.sogou.androidtool:push_service

chmod 777 /data/user/0/com.sogou.androidtool/cache

com.sogou.androidtool:channel

chmod 777 /data/user/0/com.sogou.androidtool/cache

com.sogou.androidtool:remote_proxy

Network


Files

/data/data/com.sogou.androidtool/databases/downloads_classic.db-journal
/data/data/com.sogou.androidtool/databases/MessageStore.db-journal
/data/data/com.sogou.androidtool/databases/MessageStore.db
/data/data/com.sogou.androidtool/databases/downloads_classic.db
/data/data/com.sogou.androidtool/databases/MessageStore.db-shm
/data/data/com.sogou.androidtool/databases/MessageStore.db-wal
/data/data/com.sogou.androidtool/databases/downloads_classic.db-wal
/data/data/com.sogou.androidtool/databases/MsgLogStore.db-journal
/data/data/com.sogou.androidtool/databases/MsgLogStore.db-shm
/data/data/com.sogou.androidtool/databases/MsgLogStore.db-wal
/data/data/com.sogou.androidtool/databases/bugly_db_-journal
/data/data/com.sogou.androidtool/databases/bugly_db_-wal
/data/data/com.sogou.androidtool/databases/account.db-journal
/data/data/com.sogou.androidtool/databases/account.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 00:31

Reported

2024-06-06 00:51

Platform

android-33-x64-arm64-20240603-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.213.4:443 udp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 udp
N/A 224.0.0.251:5353 udp

Files

N/A