Malware Analysis Report

2025-01-19 08:10

Sample ID: 240606-ghmnxaag67
Target: 9a164185c82a900d4c6cb0e55366aa0c_JaffaCakes118
SHA256: 5bc566c1d63a5d7deca7d3778418fc719a02dedd8b8838f1b612b31c6e0a1387
Tags: discovery, impact
Score: 6/10


Analysis Overview


Threat Level: Shows suspicious behavior

The file 9a164185c82a900d4c6cb0e55366aa0c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, impact

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-06 05:48

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-06 05:48
Reported: 2024-06-06 06:53
Platform: android-x86-arm-20240603-en
Max time kernel: 33s
Max time network: 130s

Command Line

com.kuaishou.help

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | f.appjiagu.com | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.kuaishou.help

chmod 755 /data/user/0/com.kuaishou.help/.jiagu/libjiagu.so

chmod 755 /data/user/0/com.kuaishou.help/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.kuaishou.help/.jiagu/classes.dex --dex-file=/data/data/com.kuaishou.help/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.kuaishou.help/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.234:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | f.appjiagu.com | udp
CN | 180.163.249.208:80 | f.appjiagu.com | tcp
CN | 106.63.25.33:80 | f.appjiagu.com | tcp
CN | 180.163.249.208:80 | f.appjiagu.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 106.63.25.33:80 | f.appjiagu.com | tcp
CN | 180.163.249.208:80 | f.appjiagu.com | tcp
CN | 106.63.25.33:80 | f.appjiagu.com | tcp

Files

/data/data/com.kuaishou.help/.jiagu/libjiagu.so

MD5 acd3a64e22c56dc0628edd7615a74ab4
SHA1 ec22ef7fa9dca4b475af2724d483bda140370ca7
SHA256 c57cffd4175fcd618f29d48eeba1b8b30e2bfd4ce9e05c6c5b0bc4378914d008
SHA512 ec93027efd827742d3f9db70c4d4aba51e817191ff888aa2337939f2ce518b98f1c1f7ed3d49d25d3bff47738f68ead6348b1b309c54a17e18c4460cc2142e3e

/data/data/com.kuaishou.help/.jiagu/classes.dex

MD5 966cb46dece50309735d13575d31dafd
SHA1 3a48ab8002ed5608cc45b99880589d2a0d73d74d
SHA256 62c54a8b26ac07944609c409eabdc39e8d974259bf949ee000904a08a49b8215
SHA512 efd5be38a5feaf1d1b9274ed20467c30c0ed655b72bffbce5c479d6119140330329d903b4d01c8f8b32563c8b98a164c21d79fd19ad4b548eeec3750933661a4

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-06 05:48
Reported: 2024-06-06 06:54
Platform: android-x64-arm64-20240603-en
Max time kernel: 32s
Max time network: 132s

Command Line

com.kuaishou.help

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | f.appjiagu.com | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.kuaishou.help

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | f.appjiagu.com | udp
CN | 180.163.249.208:80 | f.appjiagu.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
CN | 106.63.25.33:80 | f.appjiagu.com | tcp
CN | 180.163.249.208:80 | f.appjiagu.com | tcp
CN | 106.63.25.33:80 | f.appjiagu.com | tcp
CN | 180.163.249.208:80 | f.appjiagu.com | tcp
CN | 106.63.25.33:80 | f.appjiagu.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp

Files

/data/user/0/com.kuaishou.help/.jiagu/libjiagu.so

MD5 acd3a64e22c56dc0628edd7615a74ab4
SHA1 ec22ef7fa9dca4b475af2724d483bda140370ca7
SHA256 c57cffd4175fcd618f29d48eeba1b8b30e2bfd4ce9e05c6c5b0bc4378914d008
SHA512 ec93027efd827742d3f9db70c4d4aba51e817191ff888aa2337939f2ce518b98f1c1f7ed3d49d25d3bff47738f68ead6348b1b309c54a17e18c4460cc2142e3e

/data/data/com.kuaishou.help/.jiagu/classes.dex

MD5 966cb46dece50309735d13575d31dafd
SHA1 3a48ab8002ed5608cc45b99880589d2a0d73d74d
SHA256 62c54a8b26ac07944609c409eabdc39e8d974259bf949ee000904a08a49b8215
SHA512 efd5be38a5feaf1d1b9274ed20467c30c0ed655b72bffbce5c479d6119140330329d903b4d01c8f8b32563c8b98a164c21d79fd19ad4b548eeec3750933661a4