Malware Analysis Report

2025-01-19 08:06

Sample ID 240606-gywlrabb58
Target 9a214bbef83a1193b749c83824507bd7_JaffaCakes118
SHA256 dc9ea367cb5409995dd466858384da4bc4ecef3db1a751b04626dbb7110a0264
Tags: discovery, impact, persistence

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

dc9ea367cb5409995dd466858384da4bc4ecef3db1a751b04626dbb7110a0264

Threat Level: Shows suspicious behavior

The file 9a214bbef83a1193b749c83824507bd7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, impact, persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 06:14

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
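The sandbox files all ten permissions under one "dangerous framework permissions" signature, but they are not granted the same way: seven are runtime permissions the user approves in a dialog, while SYSTEM_ALERT_WINDOW, WRITE_SETTINGS and REQUEST_INSTALL_PACKAGES are special app access toggles in Settings, and their combination (overlay plus install-unknown-apps) is what an analyst should look at first. The following is an added example, not code from the report or the sandbox: it takes a constructed manifest fragment that lists exactly the ten permissions above under the package name from the behavioral run (not the sample's real decoded manifest), and classifies and flags them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment (assumption, not the sample's decoded manifest):
# the <uses-permission> entries are the ten from the static1 signature table.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.shanghaixiaoming.suona">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Runtime ("dangerous") permissions: granted through a runtime dialog.
RUNTIME_DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Special app access: granted by a per-app toggle in Settings, not a dialog
# (draw over other apps, modify system settings, install unknown apps).
SPECIAL_ACCESS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def classify(perms):
    """Split requested permissions by how Android grants them."""
    return {
        "runtime_dangerous": sorted(p for p in perms if p in RUNTIME_DANGEROUS),
        "special_access": sorted(p for p in perms if p in SPECIAL_ACCESS),
        "other": sorted(p for p in perms if p not in RUNTIME_DANGEROUS | SPECIAL_ACCESS),
    }


def flags(perms):
    """Combinations worth an analyst's attention regardless of the numeric score."""
    s = set(perms)
    out = []
    if {"android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.REQUEST_INSTALL_PACKAGES"} <= s:
        out.append("overlay + install-unknown-apps")
    if "android.permission.READ_PHONE_STATE" in s:
        # On Android 10+ IMEI/IMSI additionally need a privileged permission,
        # so this only yields hardware identifiers on older targets.
        out.append("phone state (IMEI/IMSI readable only on pre-Android-10 targets)")
    if {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"} <= s:
        out.append("microphone + camera")
    return out


if __name__ == "__main__":
    perms = requested_permissions(SAMPLE_MANIFEST)
    for bucket, names in classify(perms).items():
        print(bucket, names)
    print("flags:", flags(perms))
```

Run it against a manifest decoded with apktool or aapt2 and the bucket split tells you which grants need a user dialog and which need the user to visit Settings, which matters when you reason about how far a social-engineering install would actually get.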

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 06:13

Reported

2024-06-06 06:21

Platform

android-x86-arm-20240603-en

Max time kernel

34s

Max time network

175s

Command Line

com.shanghaixiaoming.suona

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

A receiver registered through registerReceiver lives only as long as the registering process; it does not survive a reboot or a process kill the way a manifest-declared receiver does, so this indicator shows event listening, not persistence in the ATT&CK sense, unless the manifest also declares receivers.

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

javax.crypto.Cipher.doFinal is called by many benign SDKs (encrypted preferences, signed or encrypted analytics uploads), so this indicator alone does not show user data being encrypted for impact; look for bulk rewrites of user files before treating it as ransomware behaviour.

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Both files are read by analytics and crash-reporting SDKs for device fingerprinting and by emulator-detection routines (which look for strings such as "goldfish" or "ranchu" in /proc/cpuinfo); the sandbox does not say which applies here.

Processes

com.shanghaixiaoming.suona

com.shanghaixiaoming.suona:pushcore

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:443 | - | tcp
CN | 203.119.169.84:443 | - | tcp
CN | 47.101.193.204:443 | - | tcp
CN | 47.101.193.204:443 | - | tcp
CN | 47.101.193.204:443 | - | tcp
CN | 223.109.148.178:443 | - | tcp
CN | 123.196.118.23:19000 | - | udp
CN | 203.119.169.84:443 | - | tcp
CN | 103.229.215.60:19000 | - | udp
GB | 142.250.200.36:443 | - | tcp
GB | 216.58.204.67:80 | - | tcp
BE | 142.251.168.188:5228 | - | tcp
GB | 216.58.212.206:443 | - | tcp
GB | 142.250.187.206:443 | - | tcp
GB | 216.58.213.2:443 | - | tcp
GB | 216.58.212.202:443 | - | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.180.14:443 | www.youtube.com | udp
GB | 142.250.180.14:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 142.250.187.234:443 | mdh-pa.googleapis.com | tcp
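Most of the rows in this table are Android platform background traffic (Google Play services, the FCM channel on tcp/5228, mDNS, the sandbox's DNS resolver) rather than anything the app itself contacted. The following is an added triage script, not part of the report: it transcribes the rows above as constructed input and separates resolver queries, multicast and Google-range traffic from the destinations that can be attributed to the app. The Google prefix list and domain suffixes are an assumed heuristic for this sandbox image, not a complete list.

```python
import ipaddress
from collections import Counter

# Rows transcribed from the behavioral1 Network table (country, destination,
# optional domain, protocol); constructed input for this example.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:443 tcp
CN 203.119.169.84:443 tcp
CN 47.101.193.204:443 tcp
CN 47.101.193.204:443 tcp
CN 47.101.193.204:443 tcp
CN 223.109.148.178:443 tcp
CN 123.196.118.23:19000 udp
CN 203.119.169.84:443 tcp
CN 103.229.215.60:19000 udp
GB 142.250.200.36:443 tcp
GB 216.58.204.67:80 tcp
BE 142.251.168.188:5228 tcp
GB 216.58.212.206:443 tcp
GB 142.250.187.206:443 tcp
GB 216.58.213.2:443 tcp
GB 216.58.212.202:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
GB 142.250.187.234:443 mdh-pa.googleapis.com tcp
"""

# Assumed heuristic: Google-operated ranges and names seen from a stock GMS
# image (Play services, FCM on 5228). Extend for your own sandbox baseline.
PLATFORM_NETS = [ipaddress.ip_network(n) for n in
                 ("142.250.0.0/15", "216.58.192.0/19", "172.217.0.0/16")]
PLATFORM_DOMAIN_SUFFIXES = (".google.com", ".googleapis.com", ".youtube.com")
RESOLVER = ipaddress.ip_address("1.1.1.1")  # the sandbox's DNS resolver


def parse_rows(text):
    """Parse whitespace-separated rows; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        domain = parts[2] if len(parts) == 4 else None
        host, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ipaddress.ip_address(host),
                     "port": int(port), "proto": parts[-1], "domain": domain})
    return rows


def is_platform(row):
    if row["domain"] and row["domain"].endswith(PLATFORM_DOMAIN_SUFFIXES):
        return True
    return any(row["ip"] in net for net in PLATFORM_NETS)


def triage(text):
    """Split the table into DNS queries, platform noise and app-attributable flows."""
    dns_queries, app, noise = [], Counter(), Counter()
    for r in parse_rows(text):
        if r["ip"].is_multicast:
            noise["multicast"] += 1
        elif r["port"] == 53 and r["ip"] == RESOLVER:
            dns_queries.append(r["domain"])
        elif is_platform(r):
            noise["platform"] += 1
        else:
            app[(str(r["ip"]), r["port"], r["proto"], r["country"])] += 1
    return {
        "dns_queries": dns_queries,
        "app_dns": [d for d in dns_queries if not d.endswith(PLATFORM_DOMAIN_SUFFIXES)],
        "app_destinations": sorted(app.items()),
        "noise": dict(noise),
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print("app DNS names:", result["app_dns"])
    for (ip, port, proto, cc), n in result["app_destinations"]:
        print(f"{cc} {ip}:{port}/{proto} x{n}")
    print("noise:", result["noise"])
```

What survives the filter is one app-side DNS name (log.umsns.com) and six CN destinations, four on tcp/443 and two on udp/19000; the 443 flows were never given a name by DNS in this capture, so they are the ones to pull the TLS SNI or certificate for before deciding whether they are SDK telemetry or something else.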

Files

/data/data/com.shanghaixiaoming.suona/databases/FeiMuAndroid-journal

MD5 2b3bb00491e30bd0900ff1373082d1e4
SHA1 5f83556c54eb37f12d0322b0ac6bf800683e3195
SHA256 d9f5f15b2610df2c45c7306a087b68a52dc94bbc5c2b9fd2643db02cfe6b1f59
SHA512 615bf2e90b60ecc3054a4b68334955e4966841281120638b052bda1ca9c3ff4014880fcd82c0c371def192356597f38f288977dab2d10ac5f3c97a147e279a99

/data/data/com.shanghaixiaoming.suona/databases/FeiMuAndroid

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.shanghaixiaoming.suona/databases/FeiMuAndroid-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.shanghaixiaoming.suona/databases/FeiMuAndroid-wal

MD5 575c7100ab3c9266b57b7b7dc94bc959
SHA1 8ffd88ea2039dc4e9d9753a9e121e7955b40e13d
SHA256 19a2d1088ddf1a76ec8927702fa0aae5f7f4c1f7273a6418deaed9317a837656
SHA512 856948fdddf4045fd43dc094b8fea2ae059b2a281b8d923f4e8d4a18897d3448961594763cdf7f863abace0b31c2c14e74fd074672128229ac1d1bc814c3a5e4

/data/data/com.shanghaixiaoming.suona/files/ffmpeg

MD5 efab65c8885bd5594996d41fd5d13b1b
SHA1 871888959ba2f063e18f56272d0d98ae01938ceb
SHA256 1f268a790407d56ddc65afc0b10658a646156bf535519345510ff8347ad7ea5e
SHA512 ed7046029b9f945cc55d4c9149eb12000d27a31d11d6b80ac24ba33d6da6e40de854dd7cb5a3bf4743b3d9a73653917ab5d0220697ff16e89ca0483be8428e78

/data/data/com.shanghaixiaoming.suona/databases/sensorsdata-journal

MD5 4d0122472164b1ffa5021a3c6ff98337
SHA1 b583a73a33b8e44d3b499070a7494b3e63478189
SHA256 7e0b3c5d14e200f126c41bea18f15ca7f474ea6676fc5f9e4e954767d4923d2b
SHA512 b88bd59ecb728fc3d453baf8bea44a4349903e3cc25336954ee846b3baed8e9172de0d4eddb886b497d5410f0aca82b0ffff32e74bcd0dd9831063d2f0b08071

/data/data/com.shanghaixiaoming.suona/databases/sensorsdata

MD5 2e86491f3a28ca9d30e10e19841b33d6
SHA1 236c54f0968731de157d2b64c7bdec4cbd49135c
SHA256 aa9be6421e7e7f5496bfbc7ae33623175431c526a80b2ad3aa4db66b623a995d
SHA512 e10a7f5886b68e833a1cd63d2e9677dfddf6048fe3ff000929b6d7145f01f6f774f7ddd44d8b7b7ea0856935e2bdd90fb13ea00cbe9a3ad4b2b42795d0f529a0

/data/data/com.shanghaixiaoming.suona/databases/sensorsdata-wal

MD5 58d5ff7a04c835e34532514f446ba312
SHA1 2995bbebf5b58b2648d7247addb40df77a7d2381
SHA256 3e1c0d7deccce459b1693cb80f475f16e74a4a6cb245341067cfa41b1064028c
SHA512 8a4561c834db6c9b8e06f3dca7da6e23c906b9ce0a1fde9a5a1397793874b3ab0c8d3cb27b8219e6d7f5406191497db48ac26912b432149535c211397e1f4521

/data/data/com.shanghaixiaoming.suona/app_06851326-179e-4f06-8472-d5e78a1ab259/be7b7b05-7ca6-433e-b4b8-e26585aa3a9b

MD5 ac66d58ddabc53ccd1525b8f0d289d0d
SHA1 9e2185a6c12f88bb10443202b73cd3f2c41f7005
SHA256 ad9558493bba19053823079b3ba169d3dece407e2e8d9f959f512ac36d2ef1e6
SHA512 98416daab37637a35deffe2aff7fb08c3d155f3a8e945f4d7aab4cb385928c688897b4837618554a2c9bc59782d79688673fe8484b69bd98d2dcd9e66ed22878

/data/data/com.shanghaixiaoming.suona/databases/ua.db-journal

MD5 9e2ad9c62bda11aeef1f0ae80abadfbd
SHA1 fef2f314bfaba04d9a566e8c507746a29638d50b
SHA256 efdb58fdbb31460c80ccc4bf742b4f74cf8859ca1e64c7c393ab7108f3c4ddcf
SHA512 eeb8bfc505411c3eb1cd2569d8094f99cecbcda614549a998d1598dc82f67e2c5c033eb6399ddc1f8fba7d659a99b027b409cfb33d6f9196a42a2ff8c516657d

/data/data/com.shanghaixiaoming.suona/databases/ua.db

MD5 0adda9c85a5e4808f5b1b74c0a8591a5
SHA1 5048107883ab1e345af9cf2e6849ce46e0e612bf
SHA256 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1
SHA512 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

/data/data/com.shanghaixiaoming.suona/databases/ua.db-wal

MD5 b0bd04d9166f4e5d85a970d7fc7a0b59
SHA1 904847b20a72a4d6cda236fadea056dafc39b9fa
SHA256 6ce491e7f65c70b790da83e2a1923865bb355d1afb223af84e00333197042c8a
SHA512 d03fd8aa4f9d0a062ba2b9ec257b13332dd3d8a36be76072d13eb378b89874559f8308d9a8ea7120b484785e1c8aaaec2c3c7d50a00b83b8deff0a657333b0f6

/data/data/com.shanghaixiaoming.suona/databases/ua.db-wal

MD5 a7ccff8fe4d9b09b2d49077362466e77
SHA1 7fecbfd98e21462242725517c0bceafd86daed46
SHA256 666840df1ab6b6990b48494eaf2af7e264a5335d42442de9309e0eca3dd5d25c
SHA512 11c4a203f071851d60889c04a91f9d0e97b351800abae00b8205bce8e107782e4c1080ca1512afdfb36826597c63fbf0c98ab2b9660ebc2b17e2bcecddb9f458

/data/data/com.shanghaixiaoming.suona/databases/ua.db

MD5 c94b7a1a3b5dcf2c2f10db0140972b04
SHA1 81424c233635de2ad0fb349d80c771cb92c31191
SHA256 4bdda52f9f3eea305d37d0d61bbf86c6239a3b08e9d4a8fe534af45ea27d7903
SHA512 007718a7fc02b5c2094190a56e7da138188c799aabd91a254f53546aca2af5d19fd90793005f336333969abbfd4d0e945f58adde40c2d035b804aace5186d0e8

/data/data/com.shanghaixiaoming.suona/files/jpush_stat_history/active_user/nowrap/23868da6-2977-4591-9991-d1068f5fe0a2

MD5 d9db144fc59f8cc67fcf86243f3081e0
SHA1 adc0e2f5df8b212057a5a84cfd5764afa0358b4e
SHA256 6ea56b69a03b3330d86631e7d08b417210d2d545457be2a69831f206584e1155
SHA512 494fc619ac293361a52f9d944d2caae32555894b9642de89dd53b9e2d2706b6862156bcc678c278059e106280924f634ede953fa0fe489d0dd1932504e4e6c2c

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 7145270f37da9e37abca9c681ea7b585
SHA1 7d201ab11fc3a8020f2226a886c976784b718ecb
SHA256 beaeb9d0d8e6dba067f2757d1c96b9c0d3e5b3b9216916e20eb98d8eed418d40
SHA512 025abb08077ee08e8b206668171a79aa9ab998c91634768da2091da049cbb902f23b0b230477ae63129ac5cede3ddad370a76447e0d98c6b82b00f6f21a8d8ee

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 98c2ce099a15aab62cc428f533c8b4ed
SHA1 a5d12cae54cc70e7348aa1464863cb182386a8fe
SHA256 03bd80a741a2e8e86b8df05a94f1ba32c8acb4195c6b993d07da2cf7f96812fd
SHA512 ccba97083d1524c70c313d2dd828232d808c2faa7d03bcf008f13d401f03b9878163234b837636526c17b6e7f2429509dd8780314d69877b076d203d04b8fdda

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 83e84a55791685c1bf9de335e3e1b0c4
SHA1 9edcb0e2926dce8c3f2ba0601aea5fc110347706
SHA256 0de1aeec242227a096dc96bf6ca7984993f4b2ca10537091dcfb5ccdebcb8553
SHA512 37cc7d4557506f3074c8ec87d3484420bb53bc46f41b36c121a30e7efcd8e485e794fd474d8c9633d6b24c1bf5955f882996c4b5e7007c31b0dfbed1c6a5ed12

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 b1887d9f0f95325c5cecb295d2113716
SHA1 91990e51563a1a425e02c9035ff0c56f905cb34e
SHA256 41d610543b8526e3436dd27153f4a975b7bf3bf61d6ba84eb745dc8ff2c75682
SHA512 ba87d83ec9764479f921597c3ba0976cf7cc8de2268cb829f8b28d5e7a3b7d536a4b803495ee662e2e2d0cc6d6476630802eea8d385c1d21775bcf0e6638f43e

/data/data/com.shanghaixiaoming.suona/files/umeng_it.cache

MD5 c6c14715945a1491157fdfd8fa711527
SHA1 66b0e6bdb3a65c3711676a1eeb6508d0e6eebdd2
SHA256 3e4571fca5f17a75fb03eb66e281d70358143bb6a97128ac77e73d2b66e9d8a3
SHA512 c036bc380d0d4f009e0d59369cb6462a8fe233d4abae0404ef6dd0ff6fbce766c56ec81da4a276d337c05030c4a6d375cd3e087977f3828cfa0e4bdda2088fe8

/data/data/com.shanghaixiaoming.suona/files/.umeng/exchangeIdentity.json

MD5 db4cff460303a2f7901f8bf9ba9905f3
SHA1 625648f4961fefa9ba57b3655b4e0c5e7b679c03
SHA256 6468d34da3702ce16fc43183c8bb292e63ecf27cd2bd438f27fd342e0db59aac
SHA512 9f0be4418e9094ba1015d520af1e3298f24b45e71d37138ab14832888c978dc1816565d76a465764d6bf1515b7b5cfe0609f5644fd6649d6fc62b895a9a7c578

/data/data/com.shanghaixiaoming.suona/files/exid.dat

MD5 04fd9971583d17056886224b87d51fbb
SHA1 98ecf0d78a88868a10fb7bc192ef0cc8756cefc6
SHA256 095902c21545092bfd4c9f0b4560131c22e1f5204736b4eb4f750f6a8dfd7dbb
SHA512 c25e294b6d0b796a1f327b4dcdd4aed447f7fd06b4176f2791f0d8e76f3a8850e7a988789771515409a2d17faaaec685ba3d30e6ccbc7115a3458241258c3bb9

/data/data/com.shanghaixiaoming.suona/files/.envelope/a==7.5.3&&2.3.4_1717654685044_envelope.log

MD5 ad31849c558604803d17f36c9cc56fe0
SHA1 91227d14fe8e2f22df3f943f7cb0d87b2267787b
SHA256 8107dc0e6e8260bb933d4ec96e60ed7dc032e422c5a10b9dbf4a825d27634d70
SHA512 65b8d9731bbdcc55a6534964981f88adcb5ebf164518418133cf3bf402ea1212621875561282306e6e8adeeaa2343f8a9a102f9ef96caada983e903086b916fc
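The database artifacts above come in sets (main file, -journal, -wal, -shm), and several paths were captured more than once with different hashes. Opening the main file alone loses any rows that were committed only into the write-ahead log, and SQLite rolls back a hot -journal the moment the file is opened. The following is an added example, not part of the report: it takes the database entries above as constructed input, groups them back into databases and produces an acquisition plan; the note texts and the role names are this example's own.

```python
import re
from collections import defaultdict

# Database-related entries from the Files section (path, SHA256); constructed
# input for this example. Repeated paths are separate snapshots from the run.
FILE_RECORDS = [
    ("/data/data/com.shanghaixiaoming.suona/databases/FeiMuAndroid-journal",
     "d9f5f15b2610df2c45c7306a087b68a52dc94bbc5c2b9fd2643db02cfe6b1f59"),
    ("/data/data/com.shanghaixiaoming.suona/databases/FeiMuAndroid",
     "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
    ("/data/data/com.shanghaixiaoming.suona/databases/FeiMuAndroid-shm",
     "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479"),
    ("/data/data/com.shanghaixiaoming.suona/databases/FeiMuAndroid-wal",
     "19a2d1088ddf1a76ec8927702fa0aae5f7f4c1f7273a6418deaed9317a837656"),
    ("/data/data/com.shanghaixiaoming.suona/databases/sensorsdata-journal",
     "7e0b3c5d14e200f126c41bea18f15ca7f474ea6676fc5f9e4e954767d4923d2b"),
    ("/data/data/com.shanghaixiaoming.suona/databases/sensorsdata",
     "aa9be6421e7e7f5496bfbc7ae33623175431c526a80b2ad3aa4db66b623a995d"),
    ("/data/data/com.shanghaixiaoming.suona/databases/sensorsdata-wal",
     "3e1c0d7deccce459b1693cb80f475f16e74a4a6cb245341067cfa41b1064028c"),
    ("/data/data/com.shanghaixiaoming.suona/databases/ua.db-journal",
     "efdb58fdbb31460c80ccc4bf742b4f74cf8859ca1e64c7c393ab7108f3c4ddcf"),
    ("/data/data/com.shanghaixiaoming.suona/databases/ua.db",
     "1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1"),
    ("/data/data/com.shanghaixiaoming.suona/databases/ua.db-wal",
     "6ce491e7f65c70b790da83e2a1923865bb355d1afb223af84e00333197042c8a"),
    ("/data/data/com.shanghaixiaoming.suona/databases/ua.db-wal",
     "666840df1ab6b6990b48494eaf2af7e264a5335d42442de9309e0eca3dd5d25c"),
    ("/data/data/com.shanghaixiaoming.suona/databases/ua.db",
     "4bdda52f9f3eea305d37d0d61bbf86c6239a3b08e9d4a8fe534af45ea27d7903"),
]

# SQLite side files share the database path plus a -journal/-wal/-shm suffix.
SQLITE_SIDE_FILE = re.compile(r"^(?P<base>.+?)(?:-(?P<role>journal|wal|shm))?$")


def split_sqlite_path(path):
    """Return (database path, role) where role is main, journal, wal or shm."""
    m = SQLITE_SIDE_FILE.match(path)
    return m.group("base"), m.group("role") or "main"


def group_databases(records):
    """Map database path -> role -> list of captured hashes."""
    dbs = defaultdict(lambda: defaultdict(list))
    for path, sha256 in records:
        base, role = split_sqlite_path(path)
        dbs[base][role].append(sha256)
    return dbs


def acquisition_plan(records):
    """Per database: roles present, snapshots per role, and handling notes."""
    plan = {}
    for base, roles in group_databases(records).items():
        entry = {
            "roles": set(roles),
            "snapshots": {role: len(hashes) for role, hashes in roles.items()},
            "notes": [],
        }
        if "wal" in roles:
            entry["notes"].append(
                "copy -wal (and -shm) next to the main file: committed rows may "
                "exist only in the WAL until a checkpoint")
        if "journal" in roles:
            entry["notes"].append(
                "a -journal exists: check whether it is a non-empty hot journal "
                "before opening, since SQLite rolls it back on open")
        if any(len(set(h)) > 1 for h in roles.values()):
            entry["notes"].append(
                "same path captured with different hashes: keep every snapshot, "
                "the last one is not necessarily the most complete")
        plan[base.rsplit("/", 1)[-1]] = entry
    return plan


if __name__ == "__main__":
    for name, entry in acquisition_plan(FILE_RECORDS).items():
        print(name, sorted(entry["roles"]), entry["snapshots"])
        for note in entry["notes"]:
            print("  -", note)
```

The same grouping applies to any app-private directory pulled from a device or emulator; the point is to copy each database with its side files as one unit and to keep every snapshot when a sandbox reports the same path more than once.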