Malware Analysis Report

2024-09-09 16:31

Sample ID 240611-gpab6axelj
Target 9d33d89cf09814bc9ab2b79015225ad9_JaffaCakes118
SHA256 e8bf71be02aee39e145afa4801280d8bd2647f54ce1b758af294e761beeda66c
Tags
discovery persistence collection credential_access impact
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 9d33d89cf09814bc9ab2b79015225ad9_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 05:58

Signatures

Declares services with permission to bind to the system

Description: Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards).
Indicator: android.permission.BIND_INPUT_METHOD
Process: N/A
Target: N/A

Requests dangerous framework permissions

Description: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.READ_PHONE_STATE
Process: N/A
Target: N/A

Description: Allows an application to write to external storage.
Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Description: Allows an application to read from external storage.
Indicator: android.permission.READ_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 05:58

Reported

2024-06-11 06:01

Platform

android-x64-arm64-20240603-en

Max time kernel

55s

Max time network

132s

Command Line

com.app.wkinput

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Processes

com.app.wkinput

Network

Files

/data/user/0/com.app.wkinput/files/umeng_it.cache

/data/user/0/com.app.wkinput/files/.imprint

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 05:58

Reported

2024-06-11 06:01

Platform

android-x86-arm-20240603-en

Max time kernel

168s

Max time network

174s

Command Line

com.app.wkinput

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Processes

com.app.wkinput

su

su

Network

Files

/data/data/com.app.wkinput/files/umeng_it.cache

/data/data/com.app.wkinput/files/mobclick_agent_sealed_com.app.wkinput

/data/data/com.app.wkinput/files/.imprint

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 05:58

Reported

2024-06-11 06:01

Platform

android-x64-20240603-en

Max time kernel

125s

Max time network

146s

Command Line

com.app.wkinput

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.app.wkinput

Network

Files

/data/data/com.app.wkinput/files/umeng_it.cache

/data/data/com.app.wkinput/files/mobclick_agent_sealed_com.app.wkinput