Malware Analysis Report

2025-01-19 08:05

Sample ID 240610-q2dd1sxgnb
Target 9adc8ea490730586f58bc621a42f20a1_JaffaCakes118
SHA256 a72902a244c72cefb3e9053b03d835dc0ab4fce56afa1e2a5d0d929e6291f054
Tags
discovery impact persistence
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

a72902a244c72cefb3e9053b03d835dc0ab4fce56afa1e2a5d0d929e6291f054

Threat Level: Shows suspicious behavior

The file 9adc8ea490730586f58bc621a42f20a1_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Reads information about phone network operator.

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 13:45

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 13:45

Reported

2024-06-10 13:48

Platform

android-x86-arm-20240603-en

Max time kernel

66s

Max time network

157s

Command Line

yqj.m.u

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

yqj.m.u

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sync.jueyejia.com udp
US 1.1.1.1:53 video.elouge.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/yqj.m.u/files/umeng_it.cache

MD5 6ece964fe9a1171b7b84dbbee932e49f
SHA1 ac7ec2ad85c091a3e00b35118c6f9a6676337ef8
SHA256 fed53f6f0de33fac7fc9b0c8344a341367cd355288a3acdbf73fb4b0fb31377d
SHA512 b9aac415ce2289496d96144953d459d2f75c91573f97167c77ba0405c205d4e39c36ce72876b7fe268c88fcbd08be65054ceac1601a2eb39fdd77a10b432e950

/data/data/yqj.m.u/files/.umeng/exchangeIdentity.json

MD5 6ee87dd0ba5bee330c4fa647607127bd
SHA1 1a5960f37c635a474ac196fa93d22c781a04ecf7
SHA256 6e0bfb39ce56f14242d1b1816815d832a84b601d5a5a42fca446813765eac0fa
SHA512 4c9280d37f134ca02095ed172ea80794d82cccdea8a6f4a1db5d815ea8c2e4941584b43de50507a7ad76a7758ef1ce0b6db76956a55e154a2261f27104b1c428

/data/data/yqj.m.u/files/.um/um_cache_1718027174550.env

MD5 a73a779c2e37a0305812997a58d15b61
SHA1 7532c9bcfab5f45f6bb8de139f86e3c4ca09044a
SHA256 de868e0effbb3a3590919f7461a030c84e292f8a85187dbaf4f5860f65f87197
SHA512 44b1ffc18281d8cb7081738c981ea60ff98ea16f11e38bbd394937042d9c357d31af60f1a6e58252bc1c7b6282e7e79d379f708a5d2146c2c43ae3f075b8077c