Malware Analysis Report

2025-01-19 08:04

Sample ID 240610-wdaacavckc
Target 9b82aca8ca796dbb23291d3d686f3458_JaffaCakes118
SHA256 f3831283e617b9504b7500e5c7d3b7171eb37ade5ec3332f75cbd8ca4b76a63a
Tags
discovery impact persistence
score
7/10


Analysis Overview

score
7/10

SHA256

f3831283e617b9504b7500e5c7d3b7171eb37ade5ec3332f75cbd8ca4b76a63a

Threat Level: Shows suspicious behavior

The file 9b82aca8ca796dbb23291d3d686f3458_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 17:47

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 17:47

Reported

2024-06-10 17:48

Platform

android-x64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-10 17:47

Reported

2024-06-10 17:48

Platform

android-x64-arm64-20240603-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-10 17:47

Reported

2024-06-10 17:48

Platform

android-x86-arm-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.201.99:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-10 17:47

Reported

2024-06-10 17:48

Platform

android-x64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-10 17:47

Reported

2024-06-10 17:48

Platform

android-x64-arm64-20240603-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 17:47

Reported

2024-06-10 17:51

Platform

android-x86-arm-20240603-en

Max time kernel

178s

Max time network

188s

Command Line

com.waqu.android.vertical_mingruoxiaoxi

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.waqu.android.vertical_mingruoxiaoxi

com.waqu.android.vertical_mingruoxiaoxi:pushservice

Network

Country Destination Domain Proto

Files

/data/data/com.waqu.android.vertical_mingruoxiaoxi/databases/wq_general_adult.db-journal


/data/data/com.waqu.android.vertical_mingruoxiaoxi/databases/wq_general_adult.db


/data/data/com.waqu.android.vertical_mingruoxiaoxi/databases/wq_general_adult.db-shm


/data/data/com.waqu.android.vertical_mingruoxiaoxi/databases/wq_general_adult.db-wal


/data/data/com.waqu.android.vertical_mingruoxiaoxi/databases/pushsdk.db-shm


/data/data/com.waqu.android.vertical_mingruoxiaoxi/databases/pushsdk.db-wal


/storage/emulated/0/libs/com.waqu.android.vertical_mingruoxiaoxi.bin


/storage/emulated/0/libs/com.waqu.android.vertical_mingruoxiaoxi.bin


/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml


/storage/emulated/0/.DataStorage/ContextData.xml


/storage/emulated/0/.waqu/.waqu_mingruoxiaoxi/images/journal.tmp


/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml


/data/data/com.waqu.android.vertical_mingruoxiaoxi/app_e_qq_com_plugin/update_lc


/data/data/com.waqu.android.vertical_mingruoxiaoxi/app_e_qq_com_plugin/update_lc


/data/data/com.waqu.android.vertical_mingruoxiaoxi/app_e_qq_com_plugin/gdt_plugin.jar.sig


/storage/emulated/0/.DataStorage/ContextData.xml


/data/data/com.waqu.android.vertical_mingruoxiaoxi/app_e_qq_com_plugin/gdt_plugin.jar


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 17:47

Reported

2024-06-10 17:48

Platform

android-x86-arm-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A