Malware Analysis Report

2025-01-19 07:56

Sample ID 240610-pmn2javcrb
Target 9aaa4b00e863e3301c5b6767a8fa884d_JaffaCakes118
SHA256 71e213c5adfe972ff62171686e87937417e426a0edab16c33c836a667e9c5605
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

71e213c5adfe972ff62171686e87937417e426a0edab16c33c836a667e9c5605

Threat Level: Likely malicious

The file 9aaa4b00e863e3301c5b6767a8fa884d_JaffaCakes118 was found to be: Likely malicious.

Caveat for triage: the verdict rests on generic behavioural signatures. The bugly_db_legu databases, the app_bugly/ tomb and rqd_record.eup files and the connections to android.bugly.qq.com are artifacts of Tencent's Bugly crash-reporting SDK, and the "legu" suffix indicates the Tencent Legu packer, which decrypts the real application code into a dex at runtime. The dropped and loaded /data/data/com.furong.android.wbb/mix.dex (same SHA256 in both detonations) is therefore most likely the unpacked payload and the artifact to analyse statically. The root check, the getprop ROM-vendor fingerprinting, the /proc/meminfo read and the javax.crypto.Cipher.doFinal call are equally consistent with that packer/SDK layer (a packer decrypts its payload with the same API), so they should be weighted less than the declared permission set and the network destinations.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Mobile Matrix V15. The report gives no technique-level mapping; the tactic tags attached to the signatures are Discovery, Defense Evasion (tagged "evasion"), Impact and Persistence.

Analysis: static1

Detonation Overview

Reported

2024-06-10 12:27

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Two of these, WRITE_SETTINGS and SYSTEM_ALERT_WINDOW, are not dangerous-protection-level runtime permissions but special app-op permissions that the user has to grant from the Settings app (Android 6.0 and later); the other eight are runtime permissions in the dangerous protection level. The static pass only shows that the manifest declares them; it does not show which were granted or exercised during detonation. Taken together (camera, microphone, precise location, contacts, phone state and overlay windows) they cover the capabilities used for surveillance and overlay abuse, so they deserve weight in the verdict even though the dynamic runs mostly show SDK-level behaviour.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 12:26

Reported

2024-06-10 12:30

Platform

android-x86-arm-20240603-en

Max time kernel

105s

Max time network

179s

Command Line

com.furong.android.wbb

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.furong.android.wbb/mix.dex | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.furong.android.wbb

The app shells out to read the board platform, the build fingerprint and a set of vendor ROM version properties (YunOS, MIUI, EMUI, Lenovo, nubia, Meizu, OPPO, vivo and others), to test for a su binary with "type su", and to dump the log buffer (on Android 4.1 and later a third-party app only sees its own lines this way). The "/system/bin/sh -c ..." and "sh -c ..." entries are the shell wrappers; the bare commands are the children they run:

/system/bin/sh -c getprop ro.board.platform
sh -c getprop ro.yunos.version
getprop ro.yunos.version
getprop ro.board.platform
/system/bin/sh -c type su
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.169.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp

(- = no domain recorded for the connection; 1.1.1.1:53 rows are the sandbox resolver's DNS queries.)

Files

/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal

MD5 673331f3fcd5a05474f77188aef00002
SHA1 0479e2e06f92105bd2d26125eaa7edccfcd35614
SHA256 be66dea76bca6aa4abf973a2e87a0064d2a493285ad870fbd40f484e77715c31
SHA512 dca8131e4acf620bdebef98ffbab86af62d9e7085ac3285c1a79b3409151edcf1a0d22cd2c120778cdfefc3d045833254b41441eadfa94be4c9835a753cb4292

/data/data/com.furong.android.wbb/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.furong.android.wbb/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.furong.android.wbb/databases/bugly_db_legu-wal

MD5 4039cd7f61f8bf81403da501cf5d2ddf
SHA1 a971687da70820cb9b891c15cb0f461eb25e614c
SHA256 a1d9170a0ec87ba165bb72532ba8c2a3bb0d249a1296ed027866482125777047
SHA512 8ba31106f692e31d450f82d19f8b991fd9e725c93e392047481718281ef90abeec17a29fda9bc163869208e22724b592381f992ab48413fef26b4a47ff3da798

/data/data/com.furong.android.wbb/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 12:26

Reported

2024-06-10 12:30

Platform

android-x64-20240603-en

Max time kernel

12s

Max time network

151s

Command Line

com.furong.android.wbb

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.furong.android.wbb/mix.dex | N/A | N/A
N/A | /data/data/com.furong.android.wbb/mix.dex | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
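The "Loads dropped Dex/Jar" signature in both detonations points at /data/data/com.furong.android.wbb/mix.dex, which an analyst will want to pull from the sandbox and examine. Before spending time on a dump, it is worth checking that the file is a complete dex and not a half-decrypted or truncated capture: the dex header carries its own Adler-32 checksum (over everything after the first 12 bytes) and SHA-1 signature (over everything after the first 32 bytes), plus the file size. The checker below is an added example, not code from the report or the sandbox; the sample image it builds is a constructed header over an empty payload, only enough to exercise the checks, and the accepted magic list is limited to the dex versions named in the code.

```python
"""Header-level validation of a dropped dex such as mix.dex (added example)."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# Dex format versions this checker accepts; extend the tuple if a newer magic turns up.
DEX_MAGICS = {b"dex\n" + v + b"\0" for v in (b"035", b"037", b"038", b"039")}


def inspect_dex(data: bytes) -> dict:
    """Check magic, size fields, checksum and signature of a dex image."""
    r = {"magic_ok": False, "version": None, "size_ok": False,
         "checksum_ok": False, "signature_ok": False, "is_valid": False}
    if len(data) < HEADER_SIZE:
        return r                                   # truncated before the header ends
    magic = data[:8]
    r["magic_ok"] = magic in DEX_MAGICS
    if r["magic_ok"]:
        r["version"] = magic[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    r["size_ok"] = (file_size == len(data) and header_size == HEADER_SIZE
                    and endian_tag == ENDIAN_CONSTANT)
    # checksum covers everything after magic+checksum; signature everything after itself
    r["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    r["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    r["is_valid"] = all((r["magic_ok"], r["size_ok"], r["checksum_ok"], r["signature_ok"]))
    return r


def sha256_hex(data: bytes) -> str:
    """For matching a dump against the SHA256 the report lists for the file."""
    return hashlib.sha256(data).hexdigest()


def make_sample_dex(version: bytes = b"035", payload: bytes = bytes(32)) -> bytes:
    """Constructed test image: a header with correct integrity fields over an
    empty payload.  It is not a loadable dex, only enough to exercise the checks."""
    image = bytearray(HEADER_SIZE + len(payload))
    image[:8] = b"dex\n" + version + b"\0"
    image[HEADER_SIZE:] = payload
    struct.pack_into("<III", image, 32, len(image), HEADER_SIZE, ENDIAN_CONSTANT)
    image[12:32] = hashlib.sha1(image[32:]).digest()                  # signature first...
    struct.pack_into("<I", image, 8, zlib.adler32(bytes(image[12:])) & 0xFFFFFFFF)  # ...then the checksum over it
    return bytes(image)


def corrupt(data: bytes, offset: int) -> bytes:
    """Flip one byte, mimicking a dump taken mid-decryption."""
    b = bytearray(data)
    b[offset] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    good = make_sample_dex()
    print("constructed sample:", inspect_dex(good))
    print("corrupted sample:  ", inspect_dex(corrupt(good, HEADER_SIZE + 3)))
    # With a real dump: inspect_dex(open("mix.dex", "rb").read()) and compare
    # sha256_hex(...) with the value listed under Files.
```

A dump that passes all four checks and whose SHA256 matches the value under Files is the same artifact the sandbox loaded and can go straight to a decompiler; one that fails the checksum or signature should be re-captured (for example by hooking the loader after decryption) rather than analysed as is.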

Processes

com.furong.android.wbb

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.200.46:443 | - | tcp
GB | 172.217.169.66:443 | - | tcp

(- = no domain recorded for the connection; 1.1.1.1:53 rows are the sandbox resolver's DNS queries.)
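The Network tables of both detonations mix three kinds of rows: DNS queries to the sandbox resolver, mDNS from the Android network stack, and actual connections, some with a domain and some without. Turning them into indicators means collapsing repeats and separating what the sample drove from what the platform image does on its own. The script below is an added example, not part of the report; its input is the rows of the behavioral1 and behavioral2 tables copied verbatim, and the assumption that hosts under googleapis.com, google.com and google-analytics.com are Play services / framework background traffic of the sandbox image rather than the sample's own destinations is labelled in the code.

```python
"""Triage helper for the sandbox 'Network' tables on this page (added example)."""
from collections import defaultdict

# Constructed input: the rows of the behavioral1 and behavioral2 Network tables,
# copied from the report (country, destination, optional domain, protocol).
NETWORK_ROWS = """
N/A 224.0.0.251:5353 udp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
GB 142.250.200.46:443 tcp
GB 172.217.169.66:443 tcp
"""

SANDBOX_RESOLVER = ("1.1.1.1", 53)   # the sandbox's DNS forwarder, as seen in the tables
MDNS_GROUP = ("224.0.0.251", 5353)   # multicast DNS emitted by the Android network stack
# Assumption: domains under these suffixes are Google Play services / framework
# background traffic of the sandbox image, not connections driven by the sample.
PLATFORM_NOISE_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")


def parse_rows(text):
    """Parse report rows into dicts; the Domain column is optional."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Bucket the rows; every bucket is a set, so repeated connections collapse."""
    out = {"dns_lookups": set(), "mdns": False, "platform_noise": set(),
           "unattributed": set(), "sample": set()}
    for r in rows:
        endpoint = (r["ip"], r["port"])
        if endpoint == MDNS_GROUP:
            out["mdns"] = True
        elif endpoint == SANDBOX_RESOLVER:
            if r["domain"]:
                out["dns_lookups"].add(r["domain"])
        elif r["domain"] is None:
            # a connection with no name recorded cannot be attributed either way
            out["unattributed"].add(endpoint + (r["proto"],))
        elif r["domain"].endswith(PLATFORM_NOISE_SUFFIXES):
            out["platform_noise"].add(endpoint + (r["domain"],))
        else:
            out["sample"].add(endpoint + (r["domain"], r["country"]))
    return out


def cleartext_destinations(buckets):
    """Sample-attributed connections on port 80: content is readable on the wire."""
    return sorted(e for e in buckets["sample"] if e[1] == 80)


def iocs_by_domain(buckets):
    """Domain -> sorted list of resolved IPs the sample actually connected to."""
    by_domain = defaultdict(set)
    for ip, _port, domain, _country in buckets["sample"]:
        by_domain[domain].add(ip)
    return {d: sorted(ips) for d, ips in by_domain.items()}


if __name__ == "__main__":
    b = triage(parse_rows(NETWORK_ROWS))
    print("sample-attributed IOCs:", iocs_by_domain(b))
    print("cleartext (port 80):", cleartext_destinations(b))
    print("unattributed TLS endpoints:", sorted(b["unattributed"]))
```

Run over these two detonations, the only sample-attributed destination is android.bugly.qq.com over plain HTTP to three CN addresses, which is the Bugly crash-report upload; the five unnamed TCP/443 endpoints stay in the unattributed bucket until a capture with SNI or a resolver log ties them to a name. Anything that falls into the sample bucket and is not an SDK endpoint is what goes on the block list.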

Files

/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal

MD5 97c13023e8a066355c61e79c6d3cb117
SHA1 b09a28465df1541a1ae14dd878e1285a6856e297
SHA256 85ad193d75c656ef0b893cb58e1d9c84451d3872b87d4706c3f967c2cff45549
SHA512 a1113c214f19c08dcd2d4ff170366ef089f3c8e8ccab078e209169da8b56e398d82e505ca475b2b1558649ef11885c5b01495d8e00711f28569988505fa3a911

/data/data/com.furong.android.wbb/databases/bugly_db_legu

MD5 4f8f962545a22feb82613240d4b70dcc
SHA1 fe3eccaf569d6558f8da4318bb4a400f290f3ff9
SHA256 fb1eee778ea76235623ce3f5458f53dd02302526c29b041b78f0b30b89b18e67
SHA512 1bc9b4e082678f9edd13a2149ec5a4e7b87cfb9706a03c6374cd9dca86eaae7240999a378aa0b238c91da93b171d5190bf5a0d4061407fc2de6748a1f556250a

/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal

MD5 e38b8887593d251d35af883fd347792f
SHA1 810545f8a97c37412fa2323fbf106a8bd51acce2
SHA256 a82b9c1bed5a493ad08125e84c6bafeb4329b0f51a38c4f0aa247bd0edc00b5f
SHA512 14ab8fea9147ae10fe14d54aaa0de93c72819f51b48b48b2466957fd9a4ca104a7822c3622bc5d9414855f7d17a6b5d998c78adbf8cf8761c5a88d3a08efba81

/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal

MD5 2ca8cedf1f4ca5083a7762ee7a4a8aef
SHA1 4421b6ebbfde570a4ffb065addbd06947fdb7dbe
SHA256 35fc7c7880359bfbd04791af00bd2f79f76ffc37b80e85a45da957e4d6942ddd
SHA512 cf8d87637c21ff01fe88bbdd2a0d87ed273c8cd508d3970c8d40e223c055c9806b56795d25877674f838dee32451864ef32520a59f78b5f7dd2a4b45aecb7c86

/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal

MD5 ca82cd9fc38556958d4472ab33b546c6
SHA1 63565148e06ccce013182e24c75eada5a36f270b
SHA256 578678826492fc230586a40d272e87a820efc1482fac931d0514157fb52e1311
SHA512 a6102c49e834981f7ee0273e47b0340ba9ea7ea7acabab6ee8cb90152333c30bf24479a7b31bfd3cd74d3ca872c7c756ccbb382796efd1d4da648c4d828b358f

/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal

MD5 d6ee3f16dc41beb4ab4eb70725cabebc
SHA1 51b6627b3adba2b994abf70114c5f565193d7691
SHA256 a79847daed20aec2e84c65bc4633963db7d1b4398d95830bf6464f99e7ace9ec
SHA512 e9cdc21220e356ba71ea9e30facf6f3c7b6a6029aa65e299e366248b11da78f7db260be108d11d4c7830434989f84371717720c2eaf98e1d67231d5bbaa3e4e6

/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal

MD5 94c1c0d082faabadfbd1377460f1ab28
SHA1 832f9475e05cc3907ac9925b40761ba3d5a03a86
SHA256 7b75e70da1c40f74e576f89c9a9dbde586a863bc1f3ad6657956d563b475b747
SHA512 eece14403102cdeb873021e3b8d9f98ce96084aa1c3023a97f7f948f4d8800bd2303f6beead4ccfd66d9482e1fc1d57d558dd9bc313595ba12d892e26fd35cb5

/data/data/com.furong.android.wbb/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/data/data/com.furong.android.wbb/app_bugly/tomb_1718022436687.txt

MD5 e8e5f9783f9a9fd96647ad259121736a
SHA1 290f853a09c8b396ff508fbc8c6abe2fd1d546c2
SHA256 4973b990f14cf2d0f73c4395eb9e3401eab95f242c7bdad624f9f54fdaab0731
SHA512 a8620a6c8e34586fdf56862c3ebbd3f5da046d15341a392f4f2b741daf87ec950038ece0027b9a45acd6259d6ae64e6233068723beba2aced0ed7b2cf154c69f

/data/data/com.furong.android.wbb/app_bugly/rqd_record.eup

MD5 5bb81674464ba7bfddbe00325f3b850a
SHA1 2f65fa412a2f1f4c780db6cf9927b6c77dab3290
SHA256 625160a96424fbdfae97559420b8bf022bf36e3786716b063d3a3cea6fb7f950
SHA512 97f0ffabe54561fa11471d9b269edc20678046767780390dd70a99d9c3fb4b7c9d5c26c8114602d2042da6887f206d2d15aa1c6c1e3443774ab6e951244b7b60

/data/data/com.furong.android.wbb/app_bugly/rqd_record.eup

MD5 57b90bfc2fcf0269e990f55133b6af1d
SHA1 08c3c96a98d657056decaadcfe027d177be542b6
SHA256 ce8265af0c2863e8d1273e041bb16a86ce34b51857672a6356e83ce1754cc0d2
SHA512 f8065daa7f753fab1381d2f825d4e67a72792c785cb93cef218089fd4b639be38e326cd6bf9010b575640e1185c0d5dc774602742511d1ba1dbb801353370f86

/data/data/com.furong.android.wbb/cache/tomb.zip

MD5 8c900778254b6291befe40f9e150fbcd
SHA1 de9271a79fd7da7e95c9f6210b57d86b034aaa68
SHA256 17e3d118ac109198ed20d4e4a40f46c4cf9912a9f4c8bdf0134a4dc1936b394e
SHA512 405a649d8c7af067b8641e6b672efe4375c0b71cd66675a7d84ed1b3693bd19ce7426faaa417e7c4f50c30605f377746612c95828b7c7748217a7fc9e23aab23