Malware Analysis Report

2025-01-19 08:06

Sample ID 240606-e68j6shf56
Target 99f7fa8e3e29edf07399d68e31fe1136_JaffaCakes118
SHA256 59379aa4dd91a4b346a125561ef27ccdc8a12e8a1a88cf88c7746f9ed37e559c
Tags: discovery impact upx
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 99f7fa8e3e29edf07399d68e31fe1136_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery impact upx

UPX packed file

Queries information about running processes on the device

Requests dangerous framework permissions

Reads information about phone network operator

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 04:38

Signatures

UPX packed file

upx

Requests dangerous framework permissions

Permission                                  Description
android.permission.RECORD_AUDIO             Allows an application to record audio.
android.permission.READ_PHONE_STATE         Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.READ_SMS                 Allows an application to read SMS messages.
android.permission.READ_CONTACTS            Allows an application to read the user's contacts data.
android.permission.ACCESS_FINE_LOCATION     Allows an app to access precise location.
android.permission.SEND_SMS                 Allows an application to send SMS messages.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.RECEIVE_SMS              Allows an application to receive SMS messages.
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.
android.permission.GET_ACCOUNTS             Allows access to the list of accounts in the Accounts Service.
android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.
android.permission.READ_CALL_LOG            Allows an application to read the user's call log.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 04:34

Reported

2024-06-06 04:47

Platform

android-x86-arm-20240603-en

Max time kernel

3s

Max time network

131s

Command Line

com.sg.dljz.qihu

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sg.dljz.qihu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 1.cn.pool.ntp.org udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/data/data/com.sg.dljz.qihu/files/TDtcagent.db-journal

MD5 6db4ab0de7f36611da8675f6a7562f87
SHA1 f94d5d6fa6ec009f19c70a2899863bacce58c856
SHA256 48845f5af1cea713f5cf15e9c6c95320298a0047a874f777b14940001b7dab62
SHA512 01d292f13e73d4b844d8e6b8ab340d7477524f51d4a9c13285f8d7940ae6d0ca345fdcfe353ea230f8fb8fdcdae07cbf5fe16b6cfae3e6d565961f273805e0eb

/data/data/com.sg.dljz.qihu/files/TDtcagent.db

MD5 36bcfd52a3b3fa1b16ddfe6d7cd8918d
SHA1 4860386abf1fa77c5b9d51c26a8f225ce61cc30c
SHA256 8c9b5adb013e4b6f005f8952e54d32632f702ab42be33db491b30210ae293435
SHA512 ad09acaeb00c197ae0ea5b9bec908b19dd606b37ffab4a2fb39a3c280d4f89f6891c99183a3c8b9a408532694ffc845463610716f80a72090dfe76a31d971843

/data/data/com.sg.dljz.qihu/files/TDtcagent.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.sg.dljz.qihu/files/TDtcagent.db-wal

MD5 61cc88f437d98b1f9e8da667440ce552
SHA1 e1c8dfef994b85fb5201d1e9e63418a6236c625c
SHA256 666ce893a2d38befc1e02fd0303679f229d98d88be36671b857faec1e45dddce
SHA512 49a4255f200641ecba425ca07b5a2f81f5e6857c9984c864af9eeef187b25f2bf28c6d7132bfe77aa07769024b652af103d4f812f6f69c24ede77101e7b98ec8

/data/data/com.sg.dljz.qihu/files/talkingdata_app_process_preferences_file

MD5 3247b42797bcd9ab724dd3c5bd9efd26
SHA1 72f33e6d44dee5e48f3b3098e39578b959102065
SHA256 f365ca78857c65a36a924e4093d46fcda6e077775c44c80c1654b299fe4a29a8
SHA512 15ffff3ec9b2499019cd0edd7bf87ba3b839bee2dbfbf8dc0925908aaeb778b021d488ff2f5338826dd06b45a7c767080c9a2757805cbb802b10435e8253959f

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-06 04:34

Reported

2024-06-06 04:44

Platform

android-x86-arm-20240603-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-06 04:34

Reported

2024-06-06 04:44

Platform

android-x64-arm64-20240603-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-06 04:34

Reported

2024-06-06 04:44

Platform

android-x64-arm64-20240603-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 04:34

Reported

2024-06-06 04:47

Platform

android-x64-arm64-20240603-en

Max time kernel

4s

Max time network

136s

Command Line

com.sg.dljz.qihu

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sg.dljz.qihu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 1.cn.pool.ntp.org udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 id1.cn udp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp

Files

/data/user/0/com.sg.dljz.qihu/files/TDtcagent.db-journal

MD5 718427326255de0308c4adff034dc702
SHA1 48414e871218db232e1d38860024b9984ffb450d
SHA256 7649bb6698d952ed2f1a779b339042657deee68c2f943d4f04fbb46f2ca8bc14
SHA512 d1f786d9c9cb38daf07ed728ba9fe0aa2ceb31100a8151e9f78d75a05a92d43fc918616d517d4a900f01a35caa01ac13267a03a36983f039128ff99fdf86f806

/data/user/0/com.sg.dljz.qihu/files/TDtcagent.db

MD5 a449420e195e611cd13ded3556005b0b
SHA1 e0294f326d26e0fa7076ca9b502a8233b13b90e5
SHA256 1cc267e936cb60a6f6504af5440c5b6381769a5c9f98eeb1791b958ab286997c
SHA512 4b5708d2e26a6171ac03834181be5ab094d462c107b80da57e43215a6a149bc7c893abd8c0f4d70b7b7810a1a6fe0d454c1649b2b040d24ad99d1f957e684874

/data/user/0/com.sg.dljz.qihu/files/TDtcagent.db-journal

MD5 9646312081d6453064e55feec229aa78
SHA1 e572f72a9c668cc6ddc7f417a0ef07f619b2f410
SHA256 3081433ed328ed0986b45a5c8175582abfaca404bc3277f792414b8e72f2e0bb
SHA512 28cc83ecdd9ef6b86320dd914723420be517f71b4b66d41d17a229b4bcad6847a1702868bcd5e3ee06e20e52244dde30e1c02a48ea4a32332023b358c5032779

/data/user/0/com.sg.dljz.qihu/files/TDtcagent.db-journal

MD5 e7b8e5fdb18cff96b386569ace6369c4
SHA1 a64c67e6b923553ddfdf9c87a45bb6eea0267012
SHA256 9d009112960e8d5a47098589e651c982c94ae15174cb5c28117f6391e0dce029
SHA512 b7efab4fa6367a3f3681913fcab6c1a338e8bd2f02af406739c38c6c419a41350317ee30f8a07b80149af5163c0e777d446a6cdd725622509dc3d6561f0c2e27

/data/user/0/com.sg.dljz.qihu/files/TDtcagent.db-journal

MD5 5f2489a4c5c539ee8b4db1506e3a5445
SHA1 6826f7cf9aa30d9c3f0e4dca4dc4213735b35e88
SHA256 6a039b8fcfcc3a74ace2620c01e164bdc5ba230f4495a77106da13688251e0ef
SHA512 f981e31c26dd68a03790d04a64127141f06377dfd0cce5995e5a15d26a7abdbdbda9e482a5457b94820da8d1ea460e07e88e8256436b0ac292f1aa9e7dc3f0a7

/data/user/0/com.sg.dljz.qihu/files/TDtcagent.db-journal

MD5 0440b5ef025ef1c21d935c8baf68773d
SHA1 7bea21de6dfd86528f37dcc0551b21899426cf55
SHA256 bacceef612b127868bf2b739afedcd06deb7ecdabd7cba5c8db1909a7525bf36
SHA512 68ac9825805cfe12ca4039b950414492c84a3dd56f44ef8bd627029e9d8d751dafb2ddc7b813c4e3d8f113a7b8e8f00973f01802ea93389132c86bfa682b9c19

/data/user/0/com.sg.dljz.qihu/files/TDtcagent.db-journal

MD5 a2dfef6ae5efd69bc07240442a182e28
SHA1 79c3db95d7bdda4f3981ff89218afa298b53e1ad
SHA256 7ee62ac9c8e60bedd1811dca2ec48aefa3b94904ac59f5c660f4618e29275d8c
SHA512 9c28b9384f347cd6f3a73622681da7b813d05386cdf59f5f8fc11c5b8ac71a42f5a2a3c98bf809d142b218d750f326551ffac70dec082a26358986e9fa1fe597

/data/user/0/com.sg.dljz.qihu/files/talkingdata_app_process_preferences_file

MD5 3247b42797bcd9ab724dd3c5bd9efd26
SHA1 72f33e6d44dee5e48f3b3098e39578b959102065
SHA256 f365ca78857c65a36a924e4093d46fcda6e077775c44c80c1654b299fe4a29a8
SHA512 15ffff3ec9b2499019cd0edd7bf87ba3b839bee2dbfbf8dc0925908aaeb778b021d488ff2f5338826dd06b45a7c767080c9a2757805cbb802b10435e8253959f

/storage/emulated/0/.tcookieid

MD5 32ddf62cf383b0d592b9b9a1a1880763
SHA1 e2d721a4b68988e661544c252ab8c260e99d9c9b
SHA256 ee12eda2105858efd514ae313dd41cfa2f7aab6d7e0d940f1010288f226c4a51
SHA512 abf487e4e4619ed0d3d8b10708aa34071459db42d611e3543876136184c971222bec5ade924f4b3e916b3fe3c885540c06ed8c2b5a3aac6a9c0d3739bfb3df54

/data/user/0/com.sg.dljz.qihu/files/talkingdata_app_version_preferences_file

MD5 4e732ced3463d06de0ca9a15b6153677
SHA1 887309d048beef83ad3eabf2a79a64a389ab1c9f
SHA256 5f9c4ab08cac7457e9111a30e4664920607ea2c115a1433d7be98e97e64244ca
SHA512 e053886e1b797bc5a80f932302f0201265a599d82e2502d41941d6e652614ef88fa058e009094d26655f880200df12c2100f690254fd1e5bae75d7441763cd33

/data/user/0/com.sg.dljz.qihu/databases/talkingdata_app.db-journal

MD5 97153f8ddfaf4fc28522bace084595cf
SHA1 c3724c8a05e21bb25145e3c99231967582f6d269
SHA256 8d86f38b0a69bc18a8f42087f4ca3d94e93fbc05817c8b9983cb5550be66edf1
SHA512 270cd95c25a3733686f2de2e05f45b62339256f9f782fa35f7818f4d918e6a3b70ad6e0d588422285d7159ba76ddf3635fc83151570d8e90fcc6d1d891274fd4

/data/user/0/com.sg.dljz.qihu/databases/talkingdata_app.db

MD5 171aedf968e17a2744d2585715606cb9
SHA1 bbeddeb3b89fcf809619c35b4a318a80e7d5b029
SHA256 d2ab452d9360848f46af866b870b5c6fc98230b09c72b89cb1a4b2778586678e
SHA512 78a0f517ee3d21c153dda6dbfec4187ebaee9d520d7b1b63f358bcb125d08aea53f26943907a56fdeba40161d9fc7e4fd63f9ae3154dd2ad887ba0162738285b

/data/user/0/com.sg.dljz.qihu/databases/talkingdata_app.db-journal

MD5 361548c420bf4dfcf7956414dcd6d82e
SHA1 e2a35b77d6821e0cca87ac5b89755314465a8db1
SHA256 b0407677e74dc6258b024d9366adaacaa1604679a5054e1713ffcf655f55f554
SHA512 8d85e56b26dae1687d98908f1746e30046045bb0f9fb2c276c967a817870eb430a5d8931b4d4c97435ce3b5fcbdf068bd085387bcfb32a56b104512dbbd8d0b0

/data/user/0/com.sg.dljz.qihu/databases/talkingdata_app.db-journal

MD5 38f2a586bcb989ab87d3806c7e580fa9
SHA1 274cb1cb3a3003974e820bb50eacf02af7751afe
SHA256 ddc33ed2f2e2f3efb392657616cef6c6769141317ee3e716cb2a674c315df99a
SHA512 7a90918b09fce698fa9dcc5593c25e16b2e0006d0e0552086c9ddc2cc6d29364b82246c07ebb8be80b4be72cee28e65ab429e5bf686d80bcdd6c9964c5e5852c

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-06 04:34

Reported

2024-06-06 04:44

Platform

android-x64-20240603-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-06 04:34

Reported

2024-06-06 04:44

Platform

android-x86-arm-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.16.234:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.35:443 tcp
GB 172.217.169.35:443 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-06 04:34

Reported

2024-06-06 04:44

Platform

android-x64-20240603-en

Max time network

10s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A