Malware Analysis Report

2025-01-19 08:04

Sample ID 240610-v2a14stgqd
Target 9b756fabbf3ab94d707d850189cc3fdc_JaffaCakes118
SHA256 cdd52ea303c2fb9cd56ae0a12fc01b9dae31ad79fb3775dd11bef79c5c77897f
Tags
banker discovery impact persistence
score
7/10


Analysis Overview

score
7/10

SHA256

cdd52ea303c2fb9cd56ae0a12fc01b9dae31ad79fb3775dd11bef79c5c77897f

Threat level: shows suspicious behavior

The file 9b756fabbf3ab94d707d850189cc3fdc_JaffaCakes118 (package com.wufan.test20180311874277792) was found to show suspicious behavior. Only the behavioral1 run (android-x86-arm) actually launched the package: behavioral2, behavioral3 and behavioral4 record no command line, no processes and no signatures, and their network tables contain only mDNS, resolver queries and Google-infrastructure traffic generated by the stock sandbox image itself. The findings summarised below therefore come from the static analysis and from behavioral1.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Contacts a domain listed in the echap.eu.org commercial-stalkerware indicator set (alog.umeng.com, a Umeng analytics SDK endpoint; see the behavioral1 signatures for the caveat)

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-10 17:28

Signatures

Requests dangerous framework permissions

Indicator                                     Description
android.permission.WRITE_EXTERNAL_STORAGE     Allows an application to write to external storage.
android.permission.WRITE_SETTINGS             Allows an application to read or write the system settings.
android.permission.READ_PHONE_STATE           Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CAMERA                     Required to be able to access the camera device.
android.permission.GET_ACCOUNTS               Allows access to the list of accounts in the Accounts Service.
android.permission.READ_EXTERNAL_STORAGE      Allows an application to read from external storage.
android.permission.ACCESS_COARSE_LOCATION     Allows an app to access approximate location.
android.permission.REQUEST_INSTALL_PACKAGES   Allows an application to request installing packages.
android.permission.SYSTEM_ALERT_WINDOW        Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.RECORD_AUDIO               Allows an application to record audio.
android.permission.ACCESS_FINE_LOCATION       Allows an app to access precise location.

Process and Target are N/A for every row (static analysis, no running process). SYSTEM_ALERT_WINDOW, WRITE_SETTINGS and REQUEST_INSTALL_PACKAGES are not runtime-dialog permissions: each is granted through its own "special app access" screen in Settings. SYSTEM_ALERT_WINDOW together with REQUEST_INSTALL_PACKAGES is the capability pair the banker tag refers to, drawing windows over legitimate apps and prompting the user to install further packages.
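As an added example (editor's code, not the sandbox's output), the script below takes the permission list an analyst gets from `aapt dump permissions <apk>`, sorts it into runtime-dialog, special-access and other permissions, and derives the capability flags that matter for the banker tag. The aapt output is a constructed sample seeded with the eleven permissions above plus INTERNET and ACCESS_NETWORK_STATE, which are assumed; the RUNTIME_DANGEROUS and SPECIAL_ACCESS lists are the editor's own, not taken from the report.

```python
"""Classify an APK's requested permissions by how Android grants them.

Added example for this report, not sandbox output. SAMPLE_AAPT_OUTPUT is a
constructed sample in the format printed by `aapt dump permissions <apk>`,
seeded with the permissions flagged in static1 plus two assumed normal ones
(INTERNET, ACCESS_NETWORK_STATE). RUNTIME_DANGEROUS and SPECIAL_ACCESS are the
editor's own lists, not lists from the report.
"""
from __future__ import annotations

import re

SAMPLE_AAPT_OUTPUT = """\
package: com.wufan.test20180311874277792
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_SETTINGS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""

_P = "android.permission."

# Granted through a runtime dialog the user can decline (protection level "dangerous").
RUNTIME_DANGEROUS = {_P + n for n in (
    "CAMERA", "RECORD_AUDIO", "READ_PHONE_STATE", "GET_ACCOUNTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_CONTACTS", "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CALL_LOG",
)}
# Granted only through a Settings "special app access" screen, never a dialog.
SPECIAL_ACCESS = {_P + n for n in (
    "SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES",
    "PACKAGE_USAGE_STATS", "MANAGE_EXTERNAL_STORAGE",
)}

# aapt prints one line per <uses-permission> (or <uses-permission-sdk-23>) element.
_USES_RE = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'")


def parse_permissions(aapt_output: str) -> list[str]:
    """Return the permission names from `aapt dump permissions` output, in order."""
    return [m.group(1) for m in map(_USES_RE.match, aapt_output.splitlines()) if m]


def classify_permissions(perms: list[str]) -> dict[str, list[str]]:
    """Bucket permissions by grant mechanism: runtime dialog, Settings toggle, other."""
    groups: dict[str, list[str]] = {"runtime": [], "special": [], "other": []}
    for p in perms:
        if p in RUNTIME_DANGEROUS:
            groups["runtime"].append(p)
        elif p in SPECIAL_ACCESS:
            groups["special"].append(p)
        else:
            groups["other"].append(p)
    return groups


def capability_flags(perms: list[str]) -> set[str]:
    """Capabilities an analyst cares about, derived from permission combinations."""
    s = set(perms)
    flags: set[str] = set()
    if _P + "SYSTEM_ALERT_WINDOW" in s:
        flags.add("overlay")      # can draw windows over other apps
    if _P + "REQUEST_INSTALL_PACKAGES" in s:
        flags.add("sideload")     # can prompt the user to install a further APK
    if s & {_P + "CAMERA", _P + "RECORD_AUDIO"}:
        flags.add("av_capture")
    if s & {_P + "ACCESS_FINE_LOCATION", _P + "ACCESS_COARSE_LOCATION"}:
        flags.add("location")
    if {"overlay", "sideload"} <= flags:
        flags.add("overlay_and_sideload")  # overlay plus install prompt, the pairing behind the banker tag
    return flags


if __name__ == "__main__":
    perms = parse_permissions(SAMPLE_AAPT_OUTPUT)
    for group, names in classify_permissions(perms).items():
        print(f"{group:8} {len(names):2}  " + ", ".join(n.rsplit(".", 1)[-1] for n in names))
    print("flags:", sorted(capability_flags(perms)))
```

The point of the split is that a long "dangerous" list on its own says little (most media apps request camera, audio and location); what raises an APK's priority is the special-access pair, because a user has to be socially engineered through two Settings screens to grant it, and an app that asks for both has a reason.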

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 17:28

Reported

2024-06-10 17:31

Platform

android-x64-20240603-en

Max time network

176s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
GB 142.250.187.226:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 216.58.212.206:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 1.1.1.1:53 g.tenor.com udp
GB 142.250.178.10:443 g.tenor.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
GB 172.217.16.234:443 mdh-pa.googleapis.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 108.177.15.84:443 accounts.google.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-10 17:28

Reported

2024-06-10 17:31

Platform

android-x64-arm64-20240603-en

Max time network

132s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 216.58.212.196:443 tcp
GB 216.58.212.196:443 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 17:28

Reported

2024-06-10 17:31

Platform

android-x86-arm-20240603-en

Max time kernel

174s

Max time network

183s

Command Line

com.wufan.test20180311874277792

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description             Indicator                                            Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description  Indicator       Process  Target
N/A          alog.umeng.com  N/A      N/A

alog.umeng.com is a logging endpoint of the Umeng analytics SDK, whose presence in this package is corroborated by the files/umeng_it.cache and files/.um/ artifacts listed under Files. The echap.eu.org set lists it because stalkerware apps commonly embed that SDK; on its own the match shows an embedded third-party analytics SDK, not stalkerware functionality.

Queries information about active data network

discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

discovery
Description             Indicator                                        Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description         Indicator                    Process  Target
Framework API call  javax.crypto.Cipher.doFinal  N/A      N/A

A Cipher.doFinal call is equally consistent with an SDK encrypting its own telemetry before sending it; the Files list below contains only SDK caches and the app's own SQLite databases, not encrypted user files, so the impact tag should be read as a weak signal here.

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Processes

com.wufan.test20180311874277792

com.wufan.test20180311874277792:lebian.base

cat /sys/class/net/wlan0/address

cat /sys/class/net/wlan0/address

The two cat invocations read the Wi-Fi interface's hardware MAC address from sysfs, the usual way to obtain the real address after Android 6.0 made WifiInfo.getMacAddress() return the constant 02:00:00:00:00:00. Together with the READ_PHONE_STATE and GET_ACCOUNTS permissions requested at install time, this is a device-fingerprinting step.

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 api.exc.mob.com udp
CN 180.188.25.46:80 api.exc.mob.com tcp
US 1.1.1.1:53 40lwk1ag.vr.loveota.com udp
US 1.1.1.1:53 oc.umeng.com udp
US 1.1.1.1:53 api.share.mob.com udp
CN 59.82.23.79:80 oc.umeng.com tcp
CN 180.76.198.209:80 40lwk1ag.vr.loveota.com tcp
CN 180.188.25.42:80 api.share.mob.com tcp
US 1.1.1.1:53 datainterface.papa91.com udp
HK 124.156.122.8:80 datainterface.papa91.com tcp
HK 124.156.122.8:80 datainterface.papa91.com tcp
US 1.1.1.1:53 anv3cjapi.5fun.com udp
HK 124.156.122.8:80 datainterface.papa91.com tcp
CN 106.53.80.151:80 anv3cjapi.5fun.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 pv.sohu.com udp
GB 43.132.64.26:80 pv.sohu.com tcp
US 1.1.1.1:53 anv9.ctapi.5fun.com udp
HK 124.156.122.8:80 datainterface.papa91.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 comment.5fun.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.52.191.147:80 comment.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
US 1.1.1.1:53 api.exc.mob.com udp
CN 180.188.25.46:80 api.exc.mob.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
US 1.1.1.1:53 consolegame.5fun.com udp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 193.112.116.108:443 consolegame.5fun.com tcp
CN 193.112.116.108:443 consolegame.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 domain.aishengji.com udp
CN 114.55.145.31:80 domain.aishengji.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
US 1.1.1.1:53 40lwk1ag.vr.loveota.com udp
CN 180.76.198.209:80 40lwk1ag.vr.loveota.com tcp
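The Network tables in all four behavioral runs mix three kinds of rows: DNS queries to the sandbox resolver, background traffic from the stock Android image, and connections the package itself opened. As an added example (editor's code, not the sandbox's output), the script below separates them, summarises the app's destinations by name, port, country and whether the traffic was cleartext, and lists names that were resolved but never contacted, such as the alog.umeng.co lookup above. SAMPLE_ROWS is a constructed subset copied from this report's behavioral1 and behavioral3 tables; NOISE_SUFFIXES is an assumed allowlist of services the stock image contacts on its own and should be tuned per sandbox.

```python
"""Triage a sandbox report's Network table: separate the app's own traffic
from the Android image's background noise.

Added example for this report, not part of the sandbox's output. SAMPLE_ROWS
is a constructed subset of rows copied from the behavioral1 and behavioral3
tables; NOISE_SUFFIXES is an assumed allowlist of Google services the stock
image contacts on its own and should be tuned per sandbox.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 api.exc.mob.com udp
CN 180.188.25.46:80 api.exc.mob.com tcp
US 1.1.1.1:53 datainterface.papa91.com udp
HK 124.156.122.8:80 datainterface.papa91.com tcp
HK 124.156.122.8:80 datainterface.papa91.com tcp
CN 106.53.80.151:80 anv9.ctapi.5fun.com tcp
CN 193.112.116.108:443 consolegame.5fun.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

# Assumed: names the stock sandbox image resolves by itself (tune per sandbox).
NOISE_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com",
                  "youtube.com", "tenor.com")
RESOLVER = "1.1.1.1"        # the sandbox's DNS resolver, as seen in the tables
MDNS_GROUP = "224.0.0.251"  # multicast DNS, emitted by the OS, never the app


@dataclass
class Row:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_rows(text: str) -> list[Row]:
    """Parse 'COUNTRY IP:PORT [DOMAIN] PROTO' lines as printed in the report."""
    rows: list[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # blank line or the column header
        ip, _, port = dest.rpartition(":")
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def is_platform_domain(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def classify_row(row: Row) -> str:
    """One of: mdns, lookup, platform, unattributed, app."""
    if row.ip == MDNS_GROUP:
        return "mdns"
    if row.ip == RESOLVER and row.port == 53 and row.proto == "udp":
        return "lookup"        # a DNS query, not a connection to that name
    if row.domain is None:
        return "unattributed"  # TLS to a bare IP; nothing to attribute it by
    if is_platform_domain(row.domain):
        return "platform"
    return "app"


@dataclass
class DomainSummary:
    connections: int = 0
    ips: set[str] = field(default_factory=set)
    ports: set[int] = field(default_factory=set)
    countries: set[str] = field(default_factory=set)

    @property
    def cleartext(self) -> bool:
        """Port 80 TCP means the SDK beacons travelled unencrypted."""
        return 80 in self.ports


def summarize_app_traffic(rows: list[Row]) -> dict[str, DomainSummary]:
    """Aggregate the rows attributed to the app, keyed by destination name."""
    out: dict[str, DomainSummary] = defaultdict(DomainSummary)
    for r in rows:
        if classify_row(r) == "app":
            s = out[r.domain]
            s.connections += 1
            s.ips.add(r.ip)
            s.ports.add(r.port)
            s.countries.add(r.country)
    return dict(out)


def unanswered_lookups(rows: list[Row]) -> set[str]:
    """Names the app resolved but never connected to (NXDOMAIN, typo, sinkhole)."""
    looked_up = {r.domain for r in rows if r.domain and classify_row(r) == "lookup"}
    connected = {r.domain for r in rows if r.domain and classify_row(r) != "lookup"}
    return looked_up - connected


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for name, s in sorted(summarize_app_traffic(rows).items()):
        print(f"{name:26} conns={s.connections} ports={sorted(s.ports)} "
              f"cc={sorted(s.countries)} cleartext={s.cleartext}")
    print("resolved but never contacted:", sorted(unanswered_lookups(rows)))
```

Run over the full behavioral2, behavioral3 and behavioral4 tables, every row lands in mdns, lookup, platform or unattributed, which is the quickest confirmation that the package never executed on those images. On behavioral1 the app rows are all Chinese and Hong Kong hosts, almost all over cleartext port 80, which is where the SDK beacons (mob.com, umeng.com, 5fun.com, papa91.com) can be inspected in the pcap without TLS interception.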

Files

/storage/emulated/0/Android/obb/com.wufan.test20180311874277792/sdkinfo.txt

MD5 c7c8d45e0fc1a2ac188f9b0a62f1a797
SHA1 ffe2c07fa6f7f6b99e9be07d89c766dc029b846b
SHA256 91bf44d0a10bdb192c372abd8362e5089b7da61c9dbb2dffc0d936b0f33b5caf
SHA512 6abc5570f847c76a8f091301c26679321be9e27ea4fd07d067227937b3ee7d1a4c6e0020e4bffa769ea0d9355604e390ca29d2c998c2ca49a9341cec57a54755

/storage/emulated/0/.papakey

MD5 a950d26e81057fb42543d0c533906302
SHA1 532b985ba36c5bd0f6f0d55a0b1c204e16c10e16
SHA256 ae99900b4a6643d3d3fe440e0ec25a493d3b0cec674467db7f84c339ffe5a398
SHA512 f1cfcb8451e5ae48ffdfcdabd827fdf41aace4dec65eddcdc6aee4b987c6d85470a138f88630ee1efd19342cd3dfecce2b87aceb468dd3bfca1dcb9647a2d35c

/data/data/com.wufan.test20180311874277792/databases/papa_stat.db-journal

MD5 0ba98036f8e06cdde3f529808eb8cd87
SHA1 9145cb74f712991eed7be18c510c6868218d686a
SHA256 dca87e11f41017233c10484b91201347f94728dd71addebb355a9e0b6b3fe4a4
SHA512 22c0090821163ba0cdaf5fe3a84269ef18d780675db4b87e10565224aeb098f12c9f4bf53f61855475f6930d6ea686a072bf9bced45269b8d8a93512f8b4ff16

/data/data/com.wufan.test20180311874277792/databases/papa_stat.db

MD5 cfc228bb635ccd6d6f5e53dcbfd6bd3d
SHA1 d9ca9f12e115c8a8f1554c8c8fc252c04e5230d1
SHA256 557c8a628d19256c0c24045cb9217ff4dfaff48e2ebb4dc13fc33e1616283657
SHA512 d874690d000675bb61c9d3aba4f444ea77535aa8687af8647291e76ac4ac2bce91eb01203c35050b77933701251c0eb4ed2d7097867cbfee3783fc04b69c4722

/data/data/com.wufan.test20180311874277792/databases/papa_stat.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.wufan.test20180311874277792/databases/papa_stat.db-wal

MD5 c3a5ecb54a631c2e8df02f6e2a283a3f
SHA1 1e0c085e49d39acbef02c68ceed49704f12d483a
SHA256 665f47fef39a00c2d3186e5200f0e547be0b6e84db27df77027f60062e3f52b6
SHA512 44831e028feba50e7ffcac8f0cb0a0599cd68849e243c9ae3b4bb51a059ae971f8312aaeb3fbe131d849165ebab940580300b81ab8ffdab69a20b190197d82ad

/data/data/com.wufan.test20180311874277792/databases/mgdb-journal

MD5 e8e6352a473a49d5050c8e687a18ab6c
SHA1 25f698b44379132e4779d18fcbc9691c229afaa7
SHA256 86086adf76c6816e2f0bdeb44e2f6e4b4b84f94cec9da49ee1864297f6812ec4
SHA512 19c535a04c2a771ac46bd021390cecf38f3dd27321d1d8cb84c3f303de4261a382d57e0063218de0ea18306d5912daee7979d40a253acb31662ea381b29076a6

/data/data/com.wufan.test20180311874277792/databases/mgdb

MD5 f19ad37702199ffbe9ea075d2e1f4418
SHA1 bdb621263c6319b387602e9f758832f02d7e49b2
SHA256 456d1dd37a67a3ec9c9373078b4a05a50dc0efff725da5ea9c8e24ff9cc0ee80
SHA512 ecc51c5b72c235899de2a3e3648b5c5de8c6c4ee78a9214c938a2a60baca39b8f8256f53a975a10208abecfc6b37454f2eddacbe1389f1e7d4328ca31877e8c8

/data/data/com.wufan.test20180311874277792/databases/mgdb-wal

MD5 1372ff3e925347103946a6c38a27e35d
SHA1 98e0c80174f1d8a1506790abeda9b62d3bb33963
SHA256 66e93e4060f03c2fbfb4d24ee76c24cd589fc7d2afb339b16cb9caece2013771
SHA512 0e1e3f583aa5c52fab00eec900c5ffc4e624be89f278ca2a04dc9c6e8a44122522357906406e388ea923b7747abc4d604311a66470779279e95638a1df0a722e

/storage/emulated/0/Mob/com.wufan.test20180311874277792/cache/comm/.mps

MD5 840eaa01e5d03fffee257ed5ce4fba9e
SHA1 886bd732b29f6dbdd94b890a2b203c5a276ae773
SHA256 7648e772307acf936c331c4ea9d92872b1af6367cbf83f33f569ac204df65595
SHA512 b0a4f9238c4b60bec0cca9c72e551a702a95210a735bd8176c1d5ba741e264d2f1e885d65ed07a88086afd74f69c5e02a92db8068b222a62c6f56762a26b7d4d

/storage/emulated/0/aray/cache/devices/.DEVICES

MD5 ab90dbc4c00fbbf827265a24e8bea6ee
SHA1 b2acda42d8204092a054a891ba64b9a0b4dfb26c
SHA256 e5aa7e37a5fe3363d074db87d2aa06897fc4818dfae5352ce3fca8894d830d62
SHA512 645a7a25eb101d350189b1cb9237e56e40330ce3b547264101c8f2e37fc4c83c40942666dc82cd366681254d9f8bc958833034f6de226849d8e83b6f5deae629

/storage/emulated/0/Mob/.iew

MD5 d62b25791b9f8972176645601373ffbf
SHA1 03bb840c1867ffda55c486a53fc36a9ad95ef4fc
SHA256 2050f5a0e4bce2cc95fedb74e8438f87814131057ba93f8b5e175be144bd5ae9
SHA512 21de1d2fced190df5709a7444cc2300c850537aa91a26a2ddb6d87fe59321f54e1b96e616ad1462f41a1d73db837beaa36333bcd6b7e2be29dd25c261e29c112

/storage/emulated/0/Mob/comm/.di

MD5 70a42cba408700f9a6c01c7941a8829e
SHA1 eab01cc2c0671538795fb0b1146017dc099d0984
SHA256 499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f
SHA512 8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

/data/data/com.wufan.test20180311874277792/files/umeng_it.cache

MD5 c5827a6118c626b3ed822b796fecc40e
SHA1 a8f6cd7590b9dde1f77d06a3839231639803f3af
SHA256 208004baf2c5064ff99645ea2f9fe82e713bdf0c4c463d7dae8af2b101b381cf
SHA512 322335f1ebeaf5e5b1a10de81f06ad1de0e399840a30689ed79b3cda2211cc798ebe5062433975ba3bcaeb3e6867394ace13fe576802e8786f27ca590109c253

/data/data/com.wufan.test20180311874277792/databases/ThrowalbeLog.db-journal

MD5 0d301322903250ec82b7f488b475dbce
SHA1 22fc87b15e50e1fde68d9415877a8e7341168824
SHA256 ee6a0bd9f19d0d021238d9898205a5bfe0a4a662db12f84714cbc8e946752be4
SHA512 030e563a7f8e787b7d8ef8a7eb54c06cfc3d659f4058252f9ffb20e8b43674d3e55866310fc8a06644debd7a8882320501a992029c33e32696362f222074118b

/data/data/com.wufan.test20180311874277792/databases/ThrowalbeLog.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.wufan.test20180311874277792/databases/ThrowalbeLog.db-wal

MD5 a41e633e7f95e6bc07447602a86e9e74
SHA1 784f657b339a58f2359203693c7562d00b13e05c
SHA256 05aaedf24afdc1f2387a80d2b3e9f0bd29eea2d400451e3732f3a5ee6633497d
SHA512 6074a7e788241e3ce559fe3427ddf5615f3ccf66bb618d8eda2f8680f4e8bc39263195a579ebda740223051db57c33bbd958c722c2f37c40fe68a18e0b04595b

/data/data/com.wufan.test20180311874277792/files/Mob/share_sdk_1

MD5 ccb253e6e4d8e6491f97edc78cabb921
SHA1 f46fb2397343436ecc1c4a5e5d6e62fd8a1426e0
SHA256 fed97a9e1010c2759a25d5d7fe288ab16579415a842d8018c64b327afaa61a63
SHA512 5a5388a949482fe25bffbb82ba87cff5101dc5fb8562d927f8c9afdca43f24cccdf60590a2d15e8c245b89101125b94940a195961061cd2cfa319ca62c3ffd30

/data/data/com.wufan.test20180311874277792/files/Mob/share_sdk_1

MD5 da09df18e14302f36d59ea55b4b50530
SHA1 b6049d40ee4e2d65bf8c365e2cf9429073851229
SHA256 6aff310a38a1437cc8c268343d7fa10d1d381f742275ecf32b3733c79e7719f1
SHA512 1d0af4a892cc20b634ea2450b4da90e8e2fa728d34e0d98a717d39830db514f4bf3e2d1954f694cdcf95ac7b95cd086051730074bdd02601a0953c5462336a49

/data/data/com.wufan.test20180311874277792/files/.um/um_cache_1718040604611.env

MD5 6fc57ff69a2b67596436e0a90703f93d
SHA1 d4b47e7bf6df928cd774152a38696a3e1318f62e
SHA256 a6d82c014b3c89dce8058d404639ce763785b99ef80902cfd5c50efe8823742b
SHA512 c25e4187864b76f35c47c24c388bf489396f8b80f5444e213a70cf427498c712819627a51e4aacb3f144a6aa2fad72be1b12f73bcc137fb8d2603f1cf1fc95b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 17:28

Reported

2024-06-10 17:31

Platform

android-x86-arm-20240603-en

Max time network

141s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.36:443 tcp
GB 216.58.204.67:80 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.68:443 www.google.com tcp
GB 142.250.187.206:443 tcp
BE 142.251.168.188:5228 tcp
GB 142.250.187.206:443 tcp
GB 216.58.213.2:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
GB 216.58.201.106:443 mdh-pa.googleapis.com tcp

Files

N/A