Analysis Overview
SHA256
71e213c5adfe972ff62171686e87937417e426a0edab16c33c836a667e9c5605
Threat Level: Likely malicious
The file 9aaa4b00e863e3301c5b6767a8fa884d_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 12:27
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 12:26
Reported
2024-06-10 12:30
Platform
android-x86-arm-20240603-en
Max time kernel
105s
Max time network
179s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.furong.android.wbb/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.furong.android.wbb
/system/bin/sh -c getprop ro.board.platform
sh -c getprop ro.yunos.version
getprop ro.yunos.version
getprop ro.board.platform
/system/bin/sh -c type su
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.10:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
Files
/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal
| MD5 | 673331f3fcd5a05474f77188aef00002 |
| SHA1 | 0479e2e06f92105bd2d26125eaa7edccfcd35614 |
| SHA256 | be66dea76bca6aa4abf973a2e87a0064d2a493285ad870fbd40f484e77715c31 |
| SHA512 | dca8131e4acf620bdebef98ffbab86af62d9e7085ac3285c1a79b3409151edcf1a0d22cd2c120778cdfefc3d045833254b41441eadfa94be4c9835a753cb4292 |
/data/data/com.furong.android.wbb/databases/bugly_db_legu
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.furong.android.wbb/databases/bugly_db_legu-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.furong.android.wbb/databases/bugly_db_legu-wal
| MD5 | 4039cd7f61f8bf81403da501cf5d2ddf |
| SHA1 | a971687da70820cb9b891c15cb0f461eb25e614c |
| SHA256 | a1d9170a0ec87ba165bb72532ba8c2a3bb0d249a1296ed027866482125777047 |
| SHA512 | 8ba31106f692e31d450f82d19f8b991fd9e725c93e392047481718281ef90abeec17a29fda9bc163869208e22724b592381f992ab48413fef26b4a47ff3da798 |
/data/data/com.furong.android.wbb/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 12:26
Reported
2024-06-10 12:30
Platform
android-x64-20240603-en
Max time kernel
12s
Max time network
151s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.furong.android.wbb/mix.dex | N/A | N/A |
| N/A | /data/data/com.furong.android.wbb/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.furong.android.wbb
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 172.217.169.66:443 | | tcp |
Files
/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal
| MD5 | 97c13023e8a066355c61e79c6d3cb117 |
| SHA1 | b09a28465df1541a1ae14dd878e1285a6856e297 |
| SHA256 | 85ad193d75c656ef0b893cb58e1d9c84451d3872b87d4706c3f967c2cff45549 |
| SHA512 | a1113c214f19c08dcd2d4ff170366ef089f3c8e8ccab078e209169da8b56e398d82e505ca475b2b1558649ef11885c5b01495d8e00711f28569988505fa3a911 |
/data/data/com.furong.android.wbb/databases/bugly_db_legu
| MD5 | 4f8f962545a22feb82613240d4b70dcc |
| SHA1 | fe3eccaf569d6558f8da4318bb4a400f290f3ff9 |
| SHA256 | fb1eee778ea76235623ce3f5458f53dd02302526c29b041b78f0b30b89b18e67 |
| SHA512 | 1bc9b4e082678f9edd13a2149ec5a4e7b87cfb9706a03c6374cd9dca86eaae7240999a378aa0b238c91da93b171d5190bf5a0d4061407fc2de6748a1f556250a |
/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal
| MD5 | e38b8887593d251d35af883fd347792f |
| SHA1 | 810545f8a97c37412fa2323fbf106a8bd51acce2 |
| SHA256 | a82b9c1bed5a493ad08125e84c6bafeb4329b0f51a38c4f0aa247bd0edc00b5f |
| SHA512 | 14ab8fea9147ae10fe14d54aaa0de93c72819f51b48b48b2466957fd9a4ca104a7822c3622bc5d9414855f7d17a6b5d998c78adbf8cf8761c5a88d3a08efba81 |
/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal
| MD5 | 2ca8cedf1f4ca5083a7762ee7a4a8aef |
| SHA1 | 4421b6ebbfde570a4ffb065addbd06947fdb7dbe |
| SHA256 | 35fc7c7880359bfbd04791af00bd2f79f76ffc37b80e85a45da957e4d6942ddd |
| SHA512 | cf8d87637c21ff01fe88bbdd2a0d87ed273c8cd508d3970c8d40e223c055c9806b56795d25877674f838dee32451864ef32520a59f78b5f7dd2a4b45aecb7c86 |
/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal
| MD5 | ca82cd9fc38556958d4472ab33b546c6 |
| SHA1 | 63565148e06ccce013182e24c75eada5a36f270b |
| SHA256 | 578678826492fc230586a40d272e87a820efc1482fac931d0514157fb52e1311 |
| SHA512 | a6102c49e834981f7ee0273e47b0340ba9ea7ea7acabab6ee8cb90152333c30bf24479a7b31bfd3cd74d3ca872c7c756ccbb382796efd1d4da648c4d828b358f |
/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal
| MD5 | d6ee3f16dc41beb4ab4eb70725cabebc |
| SHA1 | 51b6627b3adba2b994abf70114c5f565193d7691 |
| SHA256 | a79847daed20aec2e84c65bc4633963db7d1b4398d95830bf6464f99e7ace9ec |
| SHA512 | e9cdc21220e356ba71ea9e30facf6f3c7b6a6029aa65e299e366248b11da78f7db260be108d11d4c7830434989f84371717720c2eaf98e1d67231d5bbaa3e4e6 |
/data/data/com.furong.android.wbb/databases/bugly_db_legu-journal
| MD5 | 94c1c0d082faabadfbd1377460f1ab28 |
| SHA1 | 832f9475e05cc3907ac9925b40761ba3d5a03a86 |
| SHA256 | 7b75e70da1c40f74e576f89c9a9dbde586a863bc1f3ad6657956d563b475b747 |
| SHA512 | eece14403102cdeb873021e3b8d9f98ce96084aa1c3023a97f7f948f4d8800bd2303f6beead4ccfd66d9482e1fc1d57d558dd9bc313595ba12d892e26fd35cb5 |
/data/data/com.furong.android.wbb/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
/data/data/com.furong.android.wbb/app_bugly/tomb_1718022436687.txt
| MD5 | e8e5f9783f9a9fd96647ad259121736a |
| SHA1 | 290f853a09c8b396ff508fbc8c6abe2fd1d546c2 |
| SHA256 | 4973b990f14cf2d0f73c4395eb9e3401eab95f242c7bdad624f9f54fdaab0731 |
| SHA512 | a8620a6c8e34586fdf56862c3ebbd3f5da046d15341a392f4f2b741daf87ec950038ece0027b9a45acd6259d6ae64e6233068723beba2aced0ed7b2cf154c69f |
/data/data/com.furong.android.wbb/app_bugly/rqd_record.eup
| MD5 | 5bb81674464ba7bfddbe00325f3b850a |
| SHA1 | 2f65fa412a2f1f4c780db6cf9927b6c77dab3290 |
| SHA256 | 625160a96424fbdfae97559420b8bf022bf36e3786716b063d3a3cea6fb7f950 |
| SHA512 | 97f0ffabe54561fa11471d9b269edc20678046767780390dd70a99d9c3fb4b7c9d5c26c8114602d2042da6887f206d2d15aa1c6c1e3443774ab6e951244b7b60 |
/data/data/com.furong.android.wbb/app_bugly/rqd_record.eup
| MD5 | 57b90bfc2fcf0269e990f55133b6af1d |
| SHA1 | 08c3c96a98d657056decaadcfe027d177be542b6 |
| SHA256 | ce8265af0c2863e8d1273e041bb16a86ce34b51857672a6356e83ce1754cc0d2 |
| SHA512 | f8065daa7f753fab1381d2f825d4e67a72792c785cb93cef218089fd4b639be38e326cd6bf9010b575640e1185c0d5dc774602742511d1ba1dbb801353370f86 |
/data/data/com.furong.android.wbb/cache/tomb.zip
| MD5 | 8c900778254b6291befe40f9e150fbcd |
| SHA1 | de9271a79fd7da7e95c9f6210b57d86b034aaa68 |
| SHA256 | 17e3d118ac109198ed20d4e4a40f46c4cf9912a9f4c8bdf0134a4dc1936b394e |
| SHA512 | 405a649d8c7af067b8641e6b672efe4375c0b71cd66675a7d84ed1b3693bd19ce7426faaa417e7c4f50c30605f377746612c95828b7c7748217a7fc9e23aab23 |