Analysis Overview
SHA256
caa1447387f14558a31a669182dd9a8d779b5e69c466b5c8f9b71d511a1fc3a0
Threat Level: Shows suspicious behavior
The file 99e57351d25a205de078973320ac23f5_JaffaCakes118 shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Queries the phone number (MSISDN for GSM devices)
Queries information about running processes on the device
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Queries information about active data network
Queries the mobile country code (MCC)
Reads information about the phone network operator
Uses Crypto APIs (Might try to encrypt user data)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 03:42
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 03:42
Reported
2024-06-06 03:52
Platform
android-x86-arm-20240603-en
Max time kernel
25s
Max time network
130s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Reads information about the phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.shouyou.hstx.guopan
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | serverip.sdk.quicksdk.net | udp |
| CN | 180.150.191.127:80 | serverip.sdk.quicksdk.net | tcp |
| US | 1.1.1.1:53 | sdkapi00.sdk.quicksdk.net | udp |
| CN | 106.75.35.13:80 | sdkapi00.sdk.quicksdk.net | tcp |
| CN | 180.150.189.142:80 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| CN | 180.150.189.181:80 | | tcp |
| GB | 172.217.169.74:443 | | tcp |
Files
/storage/emulated/0/UcQkDir/qk.dvid.txt
| MD5 | e8ecc66c8deb1ce98ab4ad273a82bbfa |
| SHA1 | e34b5979381df240fedfc0bd23cfaf5e137fb9c1 |
| SHA256 | 00af873f622e88160c5b6d5645d0fa03f5a732e9c428ac5632dbace3f13d65ff |
| SHA512 | ddee35e877125d3e62df262dbcef0f88bb3cc00e5995b7b4c9961b526899ebad6753c18c38eaaffdf96da9321b6152306609c985a677fc8713e201c13dd698d1 |
/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/gp_sdk_plugin.apk.temp
| MD5 | 2ede52fe18bb7e30e2a2552d5f22c4d1 |
| SHA1 | 8f10f5e587707d7b3d24cb21bb6dbbb3a158fcb3 |
| SHA256 | f2cd0a8683e2785d2716dc7aecb08adba2aecee740e0ea88c5949cf6549ebac2 |
| SHA512 | 3bc05fd192f98bfc392221bb77691820f389770ffb71b06a3e283cd57e882712c5cdeaa35f2be55e518a82c8ed5db1fa901aa623371ef0882d2b935f89a0b10a |
/data/data/com.shouyou.hstx.guopan/guopan/sdk/gp_sdk_plugin_config.json
| MD5 | 67e9644af22c48ea609a98103eca4ff5 |
| SHA1 | d35536c78658427d9fca3407625a4e2d246d841c |
| SHA256 | edf54af35d3a5004cc84c05783ccc88d0b3f41e0ec9f907bb144718593d92b4b |
| SHA512 | 0bf72771ae8e752cbe081fb3cada8a265dfc7b8a74f25fde4370fb3d68f13cd8fe09f0ebaa40fb7a9803832c309d150e766c0a1f47fb7affcaaf2c899820c711 |
/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes.dex
| MD5 | 95f034cff01db1fc68c386e32eb06a7f |
| SHA1 | 90300080c93e3e5616f7f4d1a83630a394ec07cd |
| SHA256 | e687af74b0e0775cfc275d38868212d0fb877b0ad75385c8d575bb8faf43cea1 |
| SHA512 | 962fa648c05a66f48d50245de04f90ae83c48670785b0588d4e8c1e6d8ab09b6b8a7c8a51236fa47727d060f07456c8baa011fc448422ef3e132222e933caf05 |
/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes3.dex
| MD5 | 14463df390168269f982456bf5948ca3 |
| SHA1 | ae3aad30b31d8ff611afee8c02336ae450ce981d |
| SHA256 | 2864260e4249aaaf9e2d6d38ab32e9305f3cecc6233395209e05cc632227e1ba |
| SHA512 | bc7a41e377cbadbcfef27ea1e4ad920439b2746a8b5cf831b0f04f9ed3c334f2a4a3c046404b43e3dbdd4bc604047cbbaf31b60bf5aef2619e028fb2cfe17d5e |
/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes2.dex
| MD5 | ef2be12c4e1a1874636a3c4795882dc3 |
| SHA1 | cd12cb2890d77553b221bdb6f4103e551e1b7e5d |
| SHA256 | 6a887c2e654dcd46c3d602cf3fadab554ba38820adea47c5520b17b291e5851f |
| SHA512 | 5ca09acddc8e0ad30d204b5529e43bfc349c21981da6e90249d0a3feca1140556f85f4ffe2c0827ec118d19fefd5047d763111eba9c238746ef53a4b1f5857f6 |
/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes4.dex
| MD5 | 9a497ae4e3c021eadf67992cfbdd5ecf |
| SHA1 | c88fff749cd1fd7a0016f929b53e07e5c5c32a7e |
| SHA256 | 94e68e911929b87edbe05445e6d3900a84fa1d4894baa12f0e98a8b1743836d0 |
| SHA512 | fdfbc14441003661e02f4b5b59700cf08778a5fe35a605f86ab01501b14641e59edfe4cc14b4cc5742e98b1d2d49c202cede0fd0b2af1e86b5cf552b8d7d6913 |
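The two findings in this report that most need analyst follow-up are the "Loads dropped Dex/Jar" signature (code written into the app's private directory and then loaded) and the network table (which mixes DNS lookups, mDNS and vendor endpoints with the SDK servers actually contacted). The script below is an added triage helper, not part of the sandbox report or of the analysed application; its inputs are constructed excerpts of the Files and Network sections above, and the `allowlist` of vendor endpoints is an assumption an analyst would tune per case. It reproduces the dropped-code check over the file list, collapses the network rows into contact points worth blocking or hunting, and verifies a pulled artifact against the SHA256 printed in the report.

```python
"""Triage helper for an Android sandbox report (added example, not report code).

Reproduces two checks a practitioner performs on a report like the one above:
  1. find loadable code (dex/jar/apk/so) written into app-private storage, the
     pattern behind the "Loads dropped Dex/Jar" signature;
  2. reduce the network table to contact points worth acting on.
Inputs are constructed excerpts of the report's Files and Network sections.
"""
import hashlib
import re
from ipaddress import ip_address

# Constructed excerpt of the Files section: (path, sha256).
DROPPED_FILES = [
    ("/storage/emulated/0/UcQkDir/qk.dvid.txt",
     "00af873f622e88160c5b6d5645d0fa03f5a732e9c428ac5632dbace3f13d65ff"),
    ("/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/gp_sdk_plugin.apk.temp",
     "f2cd0a8683e2785d2716dc7aecb08adba2aecee740e0ea88c5949cf6549ebac2"),
    ("/data/data/com.shouyou.hstx.guopan/guopan/sdk/gp_sdk_plugin_config.json",
     "edf54af35d3a5004cc84c05783ccc88d0b3f41e0ec9f907bb144718593d92b4b"),
    ("/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes.dex",
     "e687af74b0e0775cfc275d38868212d0fb877b0ad75385c8d575bb8faf43cea1"),
]

# Constructed excerpt of the Network section: (country, destination, domain, proto).
NETWORK = [
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "1.1.1.1:53", "serverip.sdk.quicksdk.net", "udp"),
    ("CN", "180.150.191.127:80", "serverip.sdk.quicksdk.net", "tcp"),
    ("GB", "142.250.200.46:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "172.217.16.238:443", "android.apis.google.com", "tcp"),
    ("CN", "180.150.189.142:80", "", "tcp"),
]

# Extensions that DexClassLoader / System.load will happily consume.
CODE_EXT = (".dex", ".jar", ".apk", ".apk.temp", ".odex", ".so")
# App-private storage on both the legacy and the per-user path form.
PRIVATE_DIR = re.compile(r"^/data/(data|user/\d+)/(?P<pkg>[\w.]+)/")


def dropped_code(files):
    """Return (package, path, sha256) for code files written to app-private storage."""
    hits = []
    for path, sha256 in files:
        m = PRIVATE_DIR.match(path)
        if m and path.lower().endswith(CODE_EXT):
            hits.append((m.group("pkg"), path, sha256))
    return hits


def network_iocs(rows, allowlist=("android.apis.google.com",)):
    """Map each contact point (domain, or bare IP when nothing resolved) to its IPs.

    Dropped: DNS lookups on udp/53 (the resolved name reappears on the
    following TCP row), link-local multicast such as mDNS, and names on the
    assumed vendor allowlist. Bare IPs are kept for manual attribution.
    """
    iocs = {}
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        if ip_address(host).is_multicast or (proto == "udp" and port == "53"):
            continue
        if domain in allowlist:
            continue
        iocs.setdefault(domain or host, set()).add(host)
    return {name: sorted(ips) for name, ips in iocs.items()}


def matches_report(data: bytes, expected_sha256: str) -> bool:
    """Check a file pulled from the device (e.g. via adb) against the report's hash."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    for pkg, path, sha in dropped_code(DROPPED_FILES):
        print(f"dropped code in {pkg}: {path} sha256={sha}")
    for name, ips in network_iocs(NETWORK).items():
        print(f"contact point {name}: {', '.join(ips)}")
```

Hashes of the dropped `classes.dex` and `gp_sdk_plugin.apk.temp` are the most useful pivots from this report: the SDK path names (`guopan`, `quicksdk`) suggest a third-party game-distribution SDK plugin rather than first-party code, so the dropped dex should be decompiled separately before the sample is classified.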