Malware Analysis Report

2025-01-19 08:05

Sample ID 240610-r789ba1aqp
Target 9b0edac3ec8f8efc184a7ee10c30fab8_JaffaCakes118
SHA256 e301dc8652d3303efb38baf37e78a2638af788baf68891102d906d648eedfb8e
Tags
discovery evasion execution impact persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 9b0edac3ec8f8efc184a7ee10c30fab8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-06-10 14:51

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 14:51

Reported

2024-06-10 14:54

Platform

android-x86-arm-20240603-en

Max time kernel

156s

Max time network

186s

Command Line

com.yxxinglin.xzid134003

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yxxinglin.xzid134003

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

com.yxxinglin.xzid134003:channel

Network

Files

/data/data/com.yxxinglin.xzid134003/databases/MessageStore.db-journal

/data/data/com.yxxinglin.xzid134003/databases/MessageStore.db

/data/data/com.yxxinglin.xzid134003/databases/MessageStore.db-shm

/data/data/com.yxxinglin.xzid134003/databases/MessageStore.db-wal

/data/data/com.yxxinglin.xzid134003/databases/MsgLogStore.db-journal

/data/data/com.yxxinglin.xzid134003/databases/MsgLogStore.db

/data/data/com.yxxinglin.xzid134003/databases/MsgLogStore.db-shm

/data/data/com.yxxinglin.xzid134003/databases/MsgLogStore.db-wal

/data/data/com.yxxinglin.xzid134003/databases/accs.db-journal

/data/data/com.yxxinglin.xzid134003/databases/accs.db

/data/data/com.yxxinglin.xzid134003/databases/accs.db-shm

/data/data/com.yxxinglin.xzid134003/databases/accs.db-wal

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/data/data/com.yxxinglin.xzid134003/databases/tencent_analysis.db-journal

/data/data/com.yxxinglin.xzid134003/databases/tencent_analysis.db-wal

/data/data/com.yxxinglin.xzid134003/files/com.tencent.open.config.json.101400326

/data/data/com.yxxinglin.xzid134003/files/cclogs/2024-06-10 145141.log

/data/data/com.yxxinglin.xzid134003/app_crashrecord/1004

/data/data/com.yxxinglin.xzid134003/databases/bugly_db_-journal

/data/data/com.yxxinglin.xzid134003/databases/bugly_db_-wal
