Malware Analysis Report

2025-01-19 07:57

Sample ID 240610-pnlb2awakl
Target 9aab83a8c99b6f740dbf1af80dd2dc25_JaffaCakes118
SHA256 b77d494adc55aa393858c259784951b24cbca2e7d06370081273dcbcb13e24cc
Tags
banker discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b77d494adc55aa393858c259784951b24cbca2e7d06370081273dcbcb13e24cc

Threat Level: Shows suspicious behavior

The file 9aab83a8c99b6f740dbf1af80dd2dc25_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 12:28

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 12:28

Reported

2024-06-10 12:31

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

172s

Command Line

com.startfiy.bean

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.startfiy.bean

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 139.129.13.5:80 tcp
CN 139.129.13.5:80 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 api.share.mob.com udp
CN 180.188.25.42:80 api.share.mob.com tcp
CN 180.188.25.42:80 api.share.mob.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
GB 172.217.169.10:443 tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 api.share.mob.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 api.share.mob.com udp
CN 180.188.25.42:80 api.share.mob.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 api.share.mob.com udp
CN 180.188.25.42:80 api.share.mob.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 api.share.mob.com udp
CN 180.188.25.42:80 api.share.mob.com tcp
US 1.1.1.1:53 api.share.mob.com udp
CN 180.188.25.42:80 api.share.mob.com tcp
CN 139.129.13.5:80 tcp

Files

/data/data/com.startfiy.bean/files/umeng_it.cache

MD5 b5515e4c200bd9f7a5dd8510c1a6acf4
SHA1 402d390ba29a7df3810997560dd25b708e0cb1f1
SHA256 74d07c2cc9bbb22abf6cdfbb67ff31cdb6e21dae0556c9305317fb9c924e04aa
SHA512 b563db0fd8c1900b6224aaf8dcb8a2576c0fb633a03a5a30cb5b48ba442274b7ca35cf2e29047798f04e121f475b8d22ade9b28cd92571b186750d318f8a1807

/storage/emulated/0/ShareSDK/.dk

MD5 c9383021bd97affc44be4db7018c4d7b
SHA1 7e680409d1c86e35149bebc22f2cf8c484f0d23e
SHA256 b7b7e032170e3190a84359e5c37adede1d58b6bf4c455ef0c01f73335709bb65
SHA512 7303f068da97319891e2d25c1c737035f1cfdc365d75d954102b612000e54d7e2b5dfafe10bdf909563e2b46ec3ff9e546423bff6f0aa9496880eab1c1c36a81

/data/data/com.startfiy.bean/files/.um/um_cache_1718022587398.env

MD5 b86eda5595352e4cbeda7fd935116b9a
SHA1 bda624da22858b4fa60d6235d07ea7bd2494d796
SHA256 e271164785f2eb8fed706db6ba9e8bde132cb52d682a6011cc242a5808507164
SHA512 f729e9944f29cfe1dd1b3979d5cfab9bfdbe108f5cffe2c83dbfca094b5a3f9225bcaa8c888e347742d406562cd8b469627197ee10cd96f163fe45fb388edc3a

/data/data/com.startfiy.bean/databases/sharesdk.db-journal

MD5 1ddf54a824ce5cfbe22f7e35cfa6b938
SHA1 b2802aeae43fdae198d69ae0e11dbfa5b581ca2e
SHA256 d2fff7840ca234c06ca5c58cbd020aca38075d6c51b06914274e7ed496d6d5bc
SHA512 638d98cfd27ac876e4dea00d9039a58cb14a57d21b8c9b6f641ae073482e2bd3ceb73b44eb942674094aeea08a5a50f970f8c08dff27fa58bd5d86829a66e1ff

/data/data/com.startfiy.bean/databases/sharesdk.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.startfiy.bean/databases/sharesdk.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.startfiy.bean/databases/sharesdk.db-wal

MD5 14a8de18f9e11f27b7fdfc24d66861be
SHA1 bace5a3bef00a554779a2c419215e1a20d960aa3
SHA256 0a9e4861cc068749657dbecff6463b22a4502dfbcde858b516f5e8b0332f9283
SHA512 52892c87acb3faf0e3d0892d4e257192161f7465bc9658ae53bf3f559d5fced439ff8a5817d519366f54142d723a4d8150fd11869a1794a07028624fe6cd7c05

/storage/emulated/0/ShareSDK/.ba

MD5 40f922350bca2de9c3165656b3cf10f5
SHA1 ef60cebef46910691051f822db5f49504b99d765
SHA256 40957d8a73a00fe422fd3b098cbb24575833c9b8834b3f464ff9f5fd316c3726
SHA512 29306e4dc0705e64d9dcb2c570d73443b1423b6f59225082463f800d106a73f06af96a5b2bbee94261ac19cf735d2a6f349f1a4dec35ad3ec971ffcdec3e367e

/storage/emulated/0/ShareSDK/.ba

MD5 4312fea187e2e7772202db8f741dfa62
SHA1 d6687f0a85338f8542bac57c9306dbf2ed688f6f
SHA256 45fbcc1c98c86d417bf7df52c049b0f02e4bad859e41588ef5aa4574b4df980c
SHA512 041567d61fdac28b55140fc5badd4909ccb6627ac80d4285c220eafe755657f1803322c401c9e7a6ae289828de4924b6d568de9e98040475e7ea2a612d418be2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 12:28

Reported

2024-06-10 12:28

Platform

android-x86-arm-20240603-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 12:28

Reported

2024-06-10 12:28

Platform

android-x64-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-10 12:28

Reported

2024-06-10 12:28

Platform

android-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp

Files

N/A