Malware Analysis Report

2025-01-19 08:04

Sample ID 240610-vz6p1avbnl
Target 9b74489a7564021275f19d52571af94f_JaffaCakes118
SHA256 035ce693e99c7531745bd6a0b571d6bcd0303f275e3d4951178f465ca0d131ac
Tags: discovery, evasion, impact, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10
SHA256: 035ce693e99c7531745bd6a0b571d6bcd0303f275e3d4951178f465ca0d131ac
Threat Level: Likely malicious

The file 9b74489a7564021275f19d52571af94f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, impact, persistence

Checks if the Android device is rooted
Queries information about running processes on the device
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Reads information about phone network operator
Uses Crypto APIs (might try to encrypt user data)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks CPU information

None of these signatures is conclusive on its own: each is also produced by ordinary analytics and anti-fraud SDKs, so weigh the combination against the app's apparent purpose and against the permissions listed under static1.

MITRE ATT&CK

Mobile Matrix V15: the report maps the sample only to the tactic tags discovery, evasion, impact and persistence; no technique IDs are listed.

Analysis: static1

Detonation Overview

Reported: 2024-06-10 17:26

Signatures

Requests dangerous framework permissions

Permission                                  Description
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.
android.permission.READ_PHONE_STATE         Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.RECORD_AUDIO             Allows an application to record audio.
android.permission.GET_ACCOUNTS             Allows access to the list of accounts in the Accounts Service.
android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.

Process and Target are N/A for every row: these are manifest declarations found by static analysis, not permissions observed being granted or used at runtime. WRITE_SETTINGS and SYSTEM_ALERT_WINDOW are not runtime "dangerous" permissions in the Android model but special permissions the user must enable through Settings; SYSTEM_ALERT_WINDOW is the overlay permission that banking malware uses to draw fake login screens over other apps. RECORD_AUDIO, READ_PHONE_STATE, GET_ACCOUNTS and ACCESS_COARSE_LOCATION are the capabilities to weigh against the app's apparent purpose (the dailyword.db database in the Files list suggests a vocabulary app).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 17:26
Reported: 2024-06-10 17:29
Platform: android-x86-arm-20240603-en
Max time kernel: 131s
Max time network: 131s

Command Line

com.weidanci.dc

Signatures

Checks if the Android device is rooted.

evasion
Indicators: file probes for /system/xbin/su and /system/bin/su
A su-binary probe is the most common root check and is also standard in analytics and anti-fraud SDKs; the report records the probe, not what the sample does with the result.

Queries information about running processes on the device

discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses

Queries information about active data network

discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator.

discovery
(no indicator recorded for this signature)

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver
A receiver registered through registerReceiver lives only as long as the process that registered it; reboot-surviving persistence would need a receiver declared in the manifest, which this report does not examine.

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator: framework API call javax.crypto.Cipher.doFinal
Cipher.doFinal is equally consistent with encrypting telemetry or tokens before sending them; the Files list below shows writes only to the app's own databases and to /storage/emulated/0/.tid, not to user documents, so nothing in the recorded file activity supports user-data encryption.

Checks CPU information

Indicator: file opened for read /proc/cpuinfo

Checks memory information

Indicator: file opened for read /proc/meminfo
Both reads are routine for device-fingerprinting and crash-reporting SDKs and are also the usual inputs for emulator detection; the report does not show how the values are used.
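As an added example (not code from the sample, the sandbox or this report), the three environment checks recorded above, the su-path probe and the /proc/cpuinfo and /proc/meminfo reads, re-implemented in Python over constructed inputs so an analyst can see what an emulator has to present to pass them. The report shows only that these paths were consulted; the marker strings, the core count and the memory threshold are assumptions, and the cpuinfo/meminfo texts are constructed, not captured.

```python
"""Environment checks an Android sample typically builds from the artifacts
the report lists: su binaries, /proc/cpuinfo and /proc/meminfo.
Added example; the thresholds and marker strings are assumptions."""
import re

# su locations probed in the report (behavioral1, "Checks if the Android device is rooted").
SU_PATHS = ("/system/xbin/su", "/system/bin/su")

# Substrings that commonly betray an emulator in /proc/cpuinfo.
# Assumption: the report does not say what the sample looks for.
EMULATOR_CPU_MARKERS = ("goldfish", "ranchu", "virtual", "qemu")


def is_rooted(existing_files):
    """su-binary probe: rooted if any known su path exists."""
    return any(path in existing_files for path in SU_PATHS)


def parse_proc(text):
    """Parse the 'key : value' layout shared by /proc/cpuinfo and /proc/meminfo.
    Repeated keys (one block per CPU) keep their first value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def emulator_indicators(cpuinfo, meminfo, min_mem_kb=1_000_000):
    """Return the reasons this environment looks emulated (empty list = looks real)."""
    cpu = parse_proc(cpuinfo)
    mem = parse_proc(meminfo)
    reasons = []
    identity = " ".join((cpu.get("hardware", ""), cpu.get("model name", ""))).lower()
    for marker in EMULATOR_CPU_MARKERS:
        if marker in identity:
            reasons.append(f"cpuinfo mentions '{marker}'")
    cores = len(re.findall(r"^processor\s*:", cpuinfo, flags=re.MULTILINE))
    if cores <= 1:
        reasons.append(f"only {cores} processor entry in cpuinfo")
    total_kb = int(re.sub(r"\D", "", mem.get("memtotal", "")) or 0)
    if total_kb < min_mem_kb:
        reasons.append(f"MemTotal {total_kb} kB is below {min_mem_kb} kB")
    return reasons


# Constructed inputs, not captured from the sandbox or from a device.
EMULATOR_CPUINFO = "processor\t: 0\nmodel name\t: Android virtual processor\nflags\t\t: fpu vme\nHardware\t: Ranchu\n"
EMULATOR_MEMINFO = "MemTotal:         786432 kB\nMemFree:          123456 kB\n"

PHONE_CPUINFO = "".join(
    f"processor\t: {i}\nmodel name\t: ARMv8 Processor rev 1 (v8l)\n" for i in range(8)
) + "Hardware\t: Qualcomm Technologies, Inc SM8250\n"
PHONE_MEMINFO = "MemTotal:        7874560 kB\nMemFree:         2345678 kB\n"


def demo():
    """Run both environments through the checks; returns (emulator reasons, phone reasons)."""
    return (emulator_indicators(EMULATOR_CPUINFO, EMULATOR_MEMINFO),
            emulator_indicators(PHONE_CPUINFO, PHONE_MEMINFO))


if __name__ == "__main__":
    print("rooted:", is_rooted({"/system/bin/su"}))
    emulator, phone = demo()
    print("emulator:", emulator)
    print("phone:", phone)
```

Every reason the emulator input produces is something the sandbox image must hide (multiple processor blocks, a realistic Hardware line, a MemTotal in the range of a current phone) before the sample's later behavior can be trusted to be representative.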

Processes

com.weidanci.dc

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.weidanci.com udp
CN 47.94.43.131:8888 www.weidanci.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp

Files (a path that appears twice with different hashes was captured at two points during the run and changed in between)

/data/data/com.weidanci.dc/databases/tencent_analysis.db-journal

MD5 6a01289b3888e49ee3ae2c8390ea7947
SHA1 89ac55db7c3d9f1a797d77ea60965a0e1f3610e6
SHA256 15a809d65780caf03f33fe12fcb5328ed5b4430a8504caf9b060e12d99230806
SHA512 8f12cd56e0416f959df858b7806288cd204f32aef0eb179d7fdb90bd70f8243873e68ba4b00ca4d86a73812344678ca3088bd2477849da68539c4dce782ecb4d

/data/data/com.weidanci.dc/databases/tencent_analysis.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.weidanci.dc/databases/tencent_analysis.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.weidanci.dc/databases/tencent_analysis.db-wal

MD5 002be38431ffe4b611b43ee6c20cdcdb
SHA1 61ea8b1d1de65b1f14dfa375f3498d5e584e5589
SHA256 b9309dae13696f874f7be080d45b6ef2ffb7a9118c8afc6de25aa8ec378a6223
SHA512 391f940ab68bfb0ebb68313dbcb1455a93443f09b647bed2c6292e5b49f69951181784ba070f389dd88f3915de4a31a38480ba20265b7abb7fbaa1aa7ea6bf3b

/data/data/com.weidanci.dc/files/gfagent.db-journal

MD5 1ceaf96d68e544784bc5143acd5e0618
SHA1 3ba9824aaed9bc370c2f58fa62e5475565dbbb64
SHA256 5517860ce9ec73c281475592e210e42b658a245a67a5a97d02c2c6af5109f637
SHA512 8691a047fae3b43fae5aa5511f797ea3bd087cee81f9c039f48afc988a69b47e73aea784179abbcbbe3702faee625b70fe1e3a6533fd4da36d99b358354030e0

/data/data/com.weidanci.dc/files/gfagent.db

MD5 dfa8794554637f39fbfaa130b5d9a228
SHA1 2d7a99c143107e98487f06d55a9e780629875a4e
SHA256 8c3fe1e6861fc7f989b7f273aea9ef6ff8eba7618a14a3dac93d5678360c5447
SHA512 49f006e69fa94d9db704afc298d3ec1acae641d6c47815eb7bbbeb1af5ad32c83451d3b0cc523416595e4ce27543c47db3b19ea5a5457ba71902369b0fc424d1

/data/data/com.weidanci.dc/files/gfagent.db-wal

MD5 b228f6c3e970c1683e40b02a1d04a96f
SHA1 51ff78f786e45cea8882e71c0f05e79a60ac2431
SHA256 2fb87d6140cf08273e6bfd319043a9d06c032a3ff656ec3f85470cf117877e9c
SHA512 e2a1578c70baf78ac4695c85d766220b5542731b08bbc7e0e444a3be16914a2ad9e50ee6d41b60de4eda5b35b9d1e0eb29eae92219f3b534f7af5f87c72beeab

/data/data/com.weidanci.dc/databases/dailyword.db-journal

MD5 d62d490e29cb8edc8392e0637909ed29
SHA1 d2f426ce2eacfaff32f3b7e949d90ff71ba6b9c3
SHA256 c5ccf323d95567466bc0e8476202a3b7a115cf0df2ba2fe51843bc10dbed6c4f
SHA512 6a43bd0b76269c798327de108737084e89e9f943ce83307ca20bdb1ef9dd3c337c474a25ea9d83496a84e4f0928d809567024c9265add57311d1bf55f611d77f

/data/data/com.weidanci.dc/databases/dailyword.db

MD5 36c4ec7fd6d21fa96dfde033a9484a4d
SHA1 68067e351ac16414659460da82100fb613e745ad
SHA256 7c2f4c99fb0b0481ab229218d1d4d3c30251f1301ecf1958c773a2fd476113a3
SHA512 7e8fb4cd394606ed523e7abc95884bb2d1069040f1535a6790b2d4fc6e1046d20e73059dad1e0c5d4267780f8645a9f3618b304ff82eceba9d9e8f31c28e4d86

/data/data/com.weidanci.dc/databases/dailyword.db-wal

MD5 5ff4879ec71aaf6ae3fc21101da02b6d
SHA1 e1295d110e35ff709cfedfe9022fb6f9e1d508f4
SHA256 9854f453d7b48e901653ff60d6ddd0bcc6f460820aaa3df13ef3d68bb72149a3
SHA512 942589b8a48fd9e25902f6187d4c531cc2bacaee6bc718c6a90ddd68946f141a290fe667e3c8f54720517b4fafe84bf4600401a0cf998ba639130e27c225427c

/data/data/com.weidanci.dc/files/gfagent.db-wal

MD5 ff39c6f3eb10b235c1223d148e64d73d
SHA1 9b4e5fc52cf0a4bb1dc092752c44789e24e3fc6f
SHA256 a4d1ec8b4c2eb8d18ba0f271b73f9b7665bd87201749209d2932c7e97b93de2b
SHA512 04f36d9af508c3b4f7b1cb0cd12fad5bdb49e935b5c0bc35d667c07d7c50099bf88dd9c728d6251ebefc27215f0b17ad09cfbf926720c812bdbbac4fdf5cf176

/data/data/com.weidanci.dc/files/gfagent.db

MD5 6bd012bc39a3284baa35a2a8ce81189a
SHA1 358271f0747a28a739f6f6ac3f9ad8bdf58f68a2
SHA256 acf6c03fdf03a29cd3552b66b7ce00d7a35458a079352deb95f8a59f4c399b51
SHA512 9b44879c94c9c671e9081aa8c0be5720e18f387229a535d64a652b45836f87558a9488b2c1f287cb2c96c9dab37c00a5f9cc95112cef84c1a132d377833a5cba

/storage/emulated/0/.tid

MD5 67f21b466c3c2c4b0db16af247105fb5
SHA1 cc375a5ba9c315c20ea2f24fb9791cea0d20a832
SHA256 d049475d722699a5ca3ca0138a4db6468bf5b5a8c9415a25190cf81d75f29f86
SHA512 1c77069144becdb786e055084335173bd06bc631ccfac19a52e5feffc0d97c1e2d30f1069ec2999279b77dc6e43947394f4494bccd3e16107df92f7a50336651
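The list above records each SQLite database together with its -journal, -wal and -shm files, and the two gfagent.db entries differ in hash. The added example below (not code from the report or the sample) shows why the sidecars have to be collected with the .db: in WAL mode a committed row stays in the -wal file until a checkpoint, so a copy of the bare database file misses it. File names and rows are constructed; gfagent.db is reused only as a name.

```python
"""Why a WAL-mode SQLite database must be acquired with its -wal file.
Added example with constructed data; nothing here comes from the sample."""
import os
import shutil
import sqlite3
import tempfile


def create_wal_db(path):
    """Create a WAL-mode database whose schema is checkpointed into the main file."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE events(id INTEGER PRIMARY KEY, msg TEXT)")
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")   # schema now lives in the .db file
    con.execute("PRAGMA wal_autocheckpoint=0")       # keep later writes in the WAL only
    return con


def count_events(db_path):
    """Open a collected copy and count the rows it can see."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT count(*) FROM events").fetchone()[0]
    finally:
        con.close()   # last connection to close checkpoints and removes the copy's -wal


def collect(src, dst, with_wal):
    """Copy a database the way an acquisition would: bare, or with the -wal beside it.
    The -shm file is a rebuildable index over the WAL, so SQLite recreates it."""
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    for suffix in (("", "-wal") if with_wal else ("",)):
        if os.path.exists(src + suffix):
            shutil.copy(src + suffix, dst + suffix)


def compare_collections(rows):
    """Commit rows without checkpointing, then count what each collection style sees.
    Returns (rows visible from the bare .db, rows visible from .db plus -wal)."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "live", "gfagent.db")
        os.makedirs(os.path.dirname(src))
        con = create_wal_db(src)
        con.executemany("INSERT INTO events(msg) VALUES (?)", [(r,) for r in rows])
        con.commit()                                  # committed, but only into gfagent.db-wal
        collect(src, os.path.join(work, "bare", "gfagent.db"), with_wal=False)
        collect(src, os.path.join(work, "full", "gfagent.db"), with_wal=True)
        con.close()                                   # checkpoints the live copy, not ours
        return (count_events(os.path.join(work, "bare", "gfagent.db")),
                count_events(os.path.join(work, "full", "gfagent.db")))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    bare, full = compare_collections(["login", "sync", "upload"])
    print(f"bare .db: {bare} rows; .db + -wal: {full} rows")
```

Two consequences for handling the files listed in this report: hash the .db, -wal and -shm as a set before opening anything, because the last connection to close on a WAL database checkpoints it and deletes the -wal, so merely opening the copy changes it; and when the same path is listed twice, as gfagent.db and gfagent.db-wal are above, the differing hashes record the database moving between two states during the run.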

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 17:26
Reported: 2024-06-10 17:26
Platform: android-x86-arm-20240603-en
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

No process started on this image and no signature fired; the only traffic is the mDNS multicast that appears in every run, so this detonation carries no information about the sample. behavioral3 and behavioral4 below are in the same state.

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-10 17:26
Reported: 2024-06-10 17:26
Platform: android-x64-20240603-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-10 17:26
Reported: 2024-06-10 17:26
Platform: android-x64-arm64-20240603-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A
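Across the four detonations, 224.0.0.251:5353 (mDNS multicast) is also present in behavioral2, behavioral3 and behavioral4, where no process started, so it is sandbox background rather than sample traffic. What is attributable to the sample is in behavioral1 only: two resolver queries, a TCP session to 47.94.43.131:8888 under the name www.weidanci.com (which matches the package name com.weidanci.dc, so this is the developer's own server rather than a third party), and a port-443 connection to 142.250.178.14 that the report does not tie to any name. The added example below (not from the report) applies that reasoning as a triage script: the rows are transcribed from the Network tables above, and the list of expected ports is an assumption.

```python
"""Baseline subtraction over a multi-run sandbox report: connections seen in
runs where nothing executed are environment noise; the rest is sorted into
resolver queries and candidate C2/telemetry endpoints. Added example."""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "run country dest domain proto")

# Transcribed from the report's Network tables. None = the table shows N/A or an empty cell.
ROWS = [
    Conn("behavioral1", None, "224.0.0.251:5353", None, "udp"),
    Conn("behavioral1", "US", "1.1.1.1:53", "www.weidanci.com", "udp"),
    Conn("behavioral1", "CN", "47.94.43.131:8888", "www.weidanci.com", "tcp"),
    Conn("behavioral1", "GB", "142.250.178.14:443", None, "tcp"),
    Conn("behavioral1", "US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    Conn("behavioral2", None, "224.0.0.251:5353", None, "udp"),
    Conn("behavioral3", None, "224.0.0.251:5353", None, "udp"),
    Conn("behavioral4", None, "224.0.0.251:5353", None, "udp"),
]
# Runs in which no process started (Command Line and Processes are N/A in the report).
IDLE_RUNS = {"behavioral2", "behavioral3", "behavioral4"}
# Assumption: anything outside these ports deserves a look.
EXPECTED_PORTS = {"tcp": {80, 443}, "udp": {53}}


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def triage(rows, idle_runs):
    """Bucket each active-run connection as noise, resolver query or candidate endpoint."""
    baseline = {r.dest for r in rows if r.run in idle_runs}
    buckets = {"noise": [], "dns": [], "candidates": []}
    for r in rows:
        if r.run in idle_runs:
            continue
        host, port = split_dest(r.dest)
        if r.dest in baseline or ipaddress.ip_address(host).is_multicast:
            buckets["noise"].append(r)       # seen with no sample running: environment
        elif port == 53 and r.proto == "udp":
            buckets["dns"].append(r)         # resolver traffic; the queried name is the indicator
        else:
            flags = []
            if port not in EXPECTED_PORTS.get(r.proto, set()):
                flags.append(f"non-standard port {port}")
            if r.domain is None:
                flags.append("no name attached in the report")
            buckets["candidates"].append((r, flags))
    return buckets


def queried_names(buckets):
    """Names the sample resolved, whether or not a flow to them was recorded."""
    return sorted({r.domain for r in buckets["dns"] if r.domain})


if __name__ == "__main__":
    b = triage(ROWS, IDLE_RUNS)
    for conn, flags in b["candidates"]:
        print(conn.dest, conn.domain or "-", conn.country, ", ".join(flags) or "-")
    print("resolved:", queried_names(b))
```

The script leaves two items for the analyst, which is the right outcome: 47.94.43.131:8888 is flagged only for its port, and 142.250.178.14:443 only because the report attaches no name to it. Whether the resolver answer for android.apis.google.com is that address cannot be settled from the tables; it needs the packet capture.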