Malware Analysis Report

2025-01-19 08:10

Sample ID 240606-d9dzasgg32
Target 99e57351d25a205de078973320ac23f5_JaffaCakes118
SHA256 caa1447387f14558a31a669182dd9a8d779b5e69c466b5c8f9b71d511a1fc3a0
Tags
discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

caa1447387f14558a31a669182dd9a8d779b5e69c466b5c8f9b71d511a1fc3a0

Threat Level: Shows suspicious behavior

The file 99e57351d25a205de078973320ac23f5_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries information about active data network

Queries the mobile country code (MCC)

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 03:42

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every entry (static analysis, no running process). The report listed eight of these permissions twice; each is shown once here.

Indicator                                   Description
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.READ_PHONE_STATE         Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                   Required to be able to access the camera device.
android.permission.RECORD_AUDIO             Allows an application to record audio.
android.permission.READ_CONTACTS            Allows an application to read the user's contacts data.
android.permission.READ_CALL_LOG            Allows an application to read the user's call log.
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION     Allows an app to access precise location.
android.permission.RECEIVE_SMS              Allows an application to receive SMS messages.
android.permission.READ_SMS                 Allows an application to read SMS messages.
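A practitioner reproducing this static finding on the APK itself would pull the permission list out of the decoded AndroidManifest.xml (the binary AXML inside the APK has to be decoded first, e.g. with apktool or `aapt dump xmltree`), dedupe it, separate runtime ("dangerous") permissions from Settings-granted "special" ones such as SYSTEM_ALERT_WINDOW, and then look at the combinations rather than the individual entries: overlay plus SMS receipt, or mic plus camera plus precise location, are what make this list worth a 7/10 rather than the single permissions in isolation. The Python below is an added example written for this page, not tooling from the sandbox or from the app's vendor; the manifest it ships with is constructed from the permission list above (with one deliberately repeated entry) and is not the real manifest extracted from the sample. The pattern names and the dangerous/special sets are this example's own choices, the latter taken from the Android permission documentation.

```python
"""Triage the permissions an APK requests from a decoded AndroidManifest.xml.
Added example for this report; SAMPLE_MANIFEST is constructed from the
sandbox's permission list, not extracted from the APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Runtime ("dangerous" protection level) permissions per the Android docs.
DANGEROUS = {P + n for n in (
    "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS", "WRITE_CONTACTS",
    "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "ACCESS_BACKGROUND_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
    "READ_PHONE_NUMBERS", "CALL_PHONE", "ANSWER_PHONE_CALLS", "READ_CALL_LOG",
    "WRITE_CALL_LOG", "ADD_VOICEMAIL", "USE_SIP", "BODY_SENSORS", "SEND_SMS",
    "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
)}
# "Special" permissions: granted through a Settings toggle, not the runtime dialog.
SPECIAL = {P + n for n in (
    "SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES",
    "MANAGE_EXTERNAL_STORAGE",
)}
# Combinations worth a second look, named (by this example) for the capability they give together.
PATTERNS = {
    "sms-interception": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "overlay-with-sms-access": {P + "SYSTEM_ALERT_WINDOW", P + "RECEIVE_SMS"},
    "mic-camera-location": {P + "RECORD_AUDIO", P + "CAMERA", P + "ACCESS_FINE_LOCATION"},
    "contacts-and-call-log": {P + "READ_CONTACTS", P + "READ_CALL_LOG"},
}


def requested_permissions(manifest_xml: str) -> list:
    """Unique <uses-permission>/<uses-permission-sdk-23> names in manifest order.
    Manifests merged from several SDKs often repeat a permission; dedupe so
    the count means something."""
    root = ET.fromstring(manifest_xml)
    seen, out = set(), []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name and name not in seen:
                seen.add(name)
                out.append(name)
    return out


def triage_manifest(manifest_xml: str) -> dict:
    """Split the request list into dangerous / special and flag known combinations."""
    perms = requested_permissions(manifest_xml)
    have = set(perms)
    return {
        "requested": perms,
        "dangerous": sorted(have & DANGEROUS),
        "special": sorted(have & SPECIAL),
        "patterns": sorted(name for name, need in PATTERNS.items() if need <= have),
    }


# Constructed test input mirroring the report's permission table (CAMERA repeated on purpose).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.shouyou.hstx.guopan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="sample"/>
</manifest>
"""

if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = triage_manifest(xml_text)
    print(f"{len(result['requested'])} unique permissions, {len(result['dangerous'])} dangerous")
    for key in ("dangerous", "special", "patterns"):
        for item in result[key]:
            print(f"  {key:9} {item}")
```

Run it as `python triage_perms.py AndroidManifest.xml` against an apktool output directory; with no argument it runs on the constructed manifest, where the repeated CAMERA entry collapses to one of 13 unique permissions, 11 of them dangerous, and all four combination patterns fire.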

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 03:42

Reported

2024-06-06 03:52

Platform

android-x86-arm-20240603-en

Max time kernel

25s

Max time network

130s

Command Line

com.shouyou.hstx.guopan

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes.dex N/A N/A
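The signature fires because the app loads code that is not part of the installed APK: classes.dex (together with classes2.dex to classes4.dex and gp_sdk_plugin.apk.temp, all listed under Files below) is written into the app's private directory at run time and then loaded. The indicator path under /data/user/0/ and the Files paths under /data/data/ name the same directory; on a single-user device /data/data is a symlink to /data/user/0. Code that arrives this way is invisible to any scan of the APK, so the dropped files have to be pulled from the device (root, or `run-as` for a debuggable build) and examined on their own. Before handing such a file to a decompiler it is worth checking that it is a well-formed, unmodified DEX, since the header carries its own Adler-32 checksum and SHA-1 signature and a mismatch means the file was patched after it was built (or is not a DEX at all, e.g. an encrypted blob the loader decrypts first). The Python below is an added example written for this page, not sandbox or vendor code; it checks the header_item fields from the DEX format specification and prints the same MD5/SHA-1/SHA-256/SHA-512 set the report lists per file, so a pulled file can be matched against the Files section. The header-only test input it builds is constructed and is not loadable by ART; it only exercises the checks.

```python
"""Sanity-check a DEX file pulled from a device and hash it like the sandbox does.
Added example for this report; build_test_dex() produces a constructed,
header-only DEX for testing, not a real dropped file."""
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
KNOWN_DEX_VERSIONS = {"035", "037", "038", "039", "040", "041"}
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Decode the 0x70-byte header_item; raise ValueError if the magic is wrong."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]
    if magic[:4] != DEX_MAGIC_PREFIX or magic[7:8] != b"\x00":
        raise ValueError("magic is not 'dex\\n<ver>\\0'")
    (checksum,) = struct.unpack_from("<I", data, 8)
    header = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    header["version"] = magic[4:7].decode("ascii", "replace")
    header["checksum"] = checksum
    header["signature"] = data[12:32]  # SHA-1 over everything after itself
    return header


def verify_dex(data: bytes) -> dict:
    """Return {'ok', 'header', 'problems'}. ok means the header is self-consistent,
    i.e. the file was not corrupted or patched after it was built; it says
    nothing about whether the code inside is benign."""
    result = {"ok": False, "header": None, "problems": []}
    problems = result["problems"]
    try:
        hdr = parse_dex_header(data)
    except ValueError as exc:
        problems.append(f"not a DEX file: {exc}")
        return result
    result["header"] = hdr
    if hdr["version"] not in KNOWN_DEX_VERSIONS:
        problems.append(f"unknown DEX version {hdr['version']!r}")
    if hdr["header_size"] != HEADER_SIZE:
        problems.append(f"header_size 0x{hdr['header_size']:x} != 0x70")
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append(f"endian_tag 0x{hdr['endian_tag']:08x} != 0x12345678")
    if hdr["file_size"] != len(data):
        problems.append(f"file_size {hdr['file_size']} != actual length {len(data)}")
    # The checksum covers everything after the checksum field (offset 12 onwards).
    want = zlib.adler32(data[12:]) & 0xFFFFFFFF
    if want != hdr["checksum"]:
        problems.append(f"adler32 checksum 0x{hdr['checksum']:08x} != computed 0x{want:08x}")
    # The signature covers everything after the signature field (offset 32 onwards).
    if hashlib.sha1(data[32:]).digest() != hdr["signature"]:
        problems.append("sha1 signature does not match file contents")
    result["ok"] = not problems
    return result


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA512, the set the sandbox prints for each dropped file."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def build_test_dex(version: str = "035", tamper: bool = False) -> bytes:
    """Constructed test input: a header-only DEX with empty tables and a correct
    checksum and signature. tamper=True flips one byte after hashing, which is
    what a hand-patched dex looks like to verify_dex()."""
    body = struct.pack("<20I", HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(body).digest()
    after_checksum = signature + body
    checksum = zlib.adler32(after_checksum) & 0xFFFFFFFF
    data = (DEX_MAGIC_PREFIX + version.encode() + b"\x00"
            + struct.pack("<I", checksum) + after_checksum)
    if tamper:
        data = data[:-1] + bytes([data[-1] ^ 0xFF])
    return data


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_dex()
    report = verify_dex(blob)
    print("ok" if report["ok"] else "PROBLEMS: " + "; ".join(report["problems"]))
    for algo, digest in file_hashes(blob).items():
        print(f"{algo.upper():7}{digest}")
```

Run it as `python dexcheck.py classes.dex` on a pulled file; a valid header with hashes that match the Files section below confirms you are looking at the same bytes the sandbox saw, while a checksum or signature mismatch on a file that still has the `dex\n` magic is the usual sign of in-place patching.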

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.shouyou.hstx.guopan

Network

Country  Destination           Domain                       Proto
N/A      224.0.0.251:5353      -                            udp
US       1.1.1.1:53            serverip.sdk.quicksdk.net    udp
CN       180.150.191.127:80    serverip.sdk.quicksdk.net    tcp
US       1.1.1.1:53            sdkapi00.sdk.quicksdk.net    udp
CN       106.75.35.13:80       sdkapi00.sdk.quicksdk.net    tcp
CN       180.150.189.142:80    -                            tcp
GB       142.250.200.46:443    -                            tcp
US       1.1.1.1:53            android.apis.google.com      udp
GB       172.217.16.238:443    android.apis.google.com      tcp
CN       180.150.189.181:80    -                            tcp
GB       172.217.169.74:443    -                            tcp
GB       172.217.169.74:443    -                            tcp

A dash marks a connection for which the report records no hostname. 224.0.0.251:5353/udp is the mDNS multicast group, not a remote host. Both sdk.quicksdk.net endpoints and the other CN destinations are reached on port 80, i.e. cleartext HTTP, so that SDK traffic can be read and modified by anyone on path.

Files

/storage/emulated/0/UcQkDir/qk.dvid.txt

MD5 e8ecc66c8deb1ce98ab4ad273a82bbfa
SHA1 e34b5979381df240fedfc0bd23cfaf5e137fb9c1
SHA256 00af873f622e88160c5b6d5645d0fa03f5a732e9c428ac5632dbace3f13d65ff
SHA512 ddee35e877125d3e62df262dbcef0f88bb3cc00e5995b7b4c9961b526899ebad6753c18c38eaaffdf96da9321b6152306609c985a677fc8713e201c13dd698d1

/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/gp_sdk_plugin.apk.temp

MD5 2ede52fe18bb7e30e2a2552d5f22c4d1
SHA1 8f10f5e587707d7b3d24cb21bb6dbbb3a158fcb3
SHA256 f2cd0a8683e2785d2716dc7aecb08adba2aecee740e0ea88c5949cf6549ebac2
SHA512 3bc05fd192f98bfc392221bb77691820f389770ffb71b06a3e283cd57e882712c5cdeaa35f2be55e518a82c8ed5db1fa901aa623371ef0882d2b935f89a0b10a

/data/data/com.shouyou.hstx.guopan/guopan/sdk/gp_sdk_plugin_config.json

MD5 67e9644af22c48ea609a98103eca4ff5
SHA1 d35536c78658427d9fca3407625a4e2d246d841c
SHA256 edf54af35d3a5004cc84c05783ccc88d0b3f41e0ec9f907bb144718593d92b4b
SHA512 0bf72771ae8e752cbe081fb3cada8a265dfc7b8a74f25fde4370fb3d68f13cd8fe09f0ebaa40fb7a9803832c309d150e766c0a1f47fb7affcaaf2c899820c711

/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes.dex

MD5 95f034cff01db1fc68c386e32eb06a7f
SHA1 90300080c93e3e5616f7f4d1a83630a394ec07cd
SHA256 e687af74b0e0775cfc275d38868212d0fb877b0ad75385c8d575bb8faf43cea1
SHA512 962fa648c05a66f48d50245de04f90ae83c48670785b0588d4e8c1e6d8ab09b6b8a7c8a51236fa47727d060f07456c8baa011fc448422ef3e132222e933caf05

/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes3.dex

MD5 14463df390168269f982456bf5948ca3
SHA1 ae3aad30b31d8ff611afee8c02336ae450ce981d
SHA256 2864260e4249aaaf9e2d6d38ab32e9305f3cecc6233395209e05cc632227e1ba
SHA512 bc7a41e377cbadbcfef27ea1e4ad920439b2746a8b5cf831b0f04f9ed3c334f2a4a3c046404b43e3dbdd4bc604047cbbaf31b60bf5aef2619e028fb2cfe17d5e

/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes2.dex

MD5 ef2be12c4e1a1874636a3c4795882dc3
SHA1 cd12cb2890d77553b221bdb6f4103e551e1b7e5d
SHA256 6a887c2e654dcd46c3d602cf3fadab554ba38820adea47c5520b17b291e5851f
SHA512 5ca09acddc8e0ad30d204b5529e43bfc349c21981da6e90249d0a3feca1140556f85f4ffe2c0827ec118d19fefd5047d763111eba9c238746ef53a4b1f5857f6

/data/data/com.shouyou.hstx.guopan/guopan/sdk/plugin/dex/classes4.dex

MD5 9a497ae4e3c021eadf67992cfbdd5ecf
SHA1 c88fff749cd1fd7a0016f929b53e07e5c5c32a7e
SHA256 94e68e911929b87edbe05445e6d3900a84fa1d4894baa12f0e98a8b1743836d0
SHA512 fdfbc14441003661e02f4b5b59700cf08778a5fe35a605f86ab01501b14641e59edfe4cc14b4cc5742e98b1d2d49c202cede0fd0b2af1e86b5cf552b8d7d6913