Malware Analysis Report

2025-01-19 08:05

Sample ID 240606-b3k3xsdh9x
Target 99baa663ea60375fdf5a4b733296e7fc_JaffaCakes118
SHA256 084a667ffce643e4755a6283bb67acf3b1b245aac3ba0b065a60e9a997f533b9
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

084a667ffce643e4755a6283bb67acf3b1b245aac3ba0b065a60e9a997f533b9

Threat Level: Likely malicious

The file 99baa663ea60375fdf5a4b733296e7fc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 01:40

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 01:40

Reported

2024-06-06 01:43

Platform

android-x86-arm-20240603-en

Max time kernel

17s

Max time network

130s

Command Line

com.lxianj.simple_video_edit

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.lxianj.simple_video_edit

/system/bin/sh -c getprop ro.board.platform

chmod 700 /data/user/0/com.lxianj.simple_video_edit/tx_shell/libshellx-2.9.0.2.so

getprop ro.board.platform

/system/bin/sh -c type su

logcat -d -v threadtime

logcat -d -v threadtime

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp

Files

/data/data/com.lxianj.simple_video_edit/databases/bugly_db_legu-journal

MD5 835195c48e17fbf0194e9fac9602999a
SHA1 3aaa858f643ea81f689fd724758aa66eef06cefa
SHA256 2710f728a1aa7a573f6938363e607ea16f8d4ae45d873a350d3bcce8e01777f7
SHA512 c40ec0c3530d3e36d0abe033b8dfebd968653ba6e3a8640f1a0f615b93435123b41ef62c3afb844ffb265b8c16150fd9ea55b2cd6cb853477444f41df3c3c7f3

/data/data/com.lxianj.simple_video_edit/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lxianj.simple_video_edit/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lxianj.simple_video_edit/databases/bugly_db_legu-wal

MD5 282218b81bc4e09bedd8b6753f631b40
SHA1 db8f89bcceee8dd125971f906da251eab76f9e2e
SHA256 f07b181435fca9fcc40444da6d984eb6a8d18ce1fd3571943195cbd9970ae683
SHA512 316c00db6d076cd82ccbc5f618b91a39c6816d168fc34696f16b8160b7357421036d5cd4f47d48f1e4d7a0088676abe4595098bee34fabfbe69e406dc9d34594

/data/data/com.lxianj.simple_video_edit/tx_shell/libshellx-2.9.0.2.so

MD5 4499e8eb481dde2716df92aa0225ced5
SHA1 0a6d5bfa0d42c2638cc3081f4cd6c06272e92a94
SHA256 d1ae2559b2cfe48d3fb199cfda3eee3e2237d7eeec0d88a7bba0692f7ce5a8b5
SHA512 4ea90e517b73214234b2b6c97a1e99b0204c44a3c31d891e244cde892eed4d00a33b86128df073d86a787070ed7b79008a312e647973d3599728a6dc4ee590c9