Malware Analysis Report

2024-09-09 16:27

Sample ID: 240611-rxhzda1cjk
Target: 9e867bd7e7c41f6aa2a48fe1c9856019_JaffaCakes118
SHA256: e5e8e91ffc0499e8e7b01ba8f8305fb1c98e49778c9278d862334d23ec3e821e
Tags: discovery evasion persistence collection credential_access impact
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: e5e8e91ffc0499e8e7b01ba8f8305fb1c98e49778c9278d862334d23ec3e821e

Threat Level: Likely malicious

The file 9e867bd7e7c41f6aa2a48fe1c9856019_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Checks if the Android device is rooted.

Queries information about the current nearby Wi-Fi networks

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 14:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 14:34

Reported

2024-06-11 14:37

Platform

android-x86-arm-20240611-en

Max time kernel

64s

Max time network

131s

Command Line

com.yxxinglin.xzid25697

Signatures

Checks if the Android device is rooted
Tactic: evasion
Description: N/A | Indicator: /system/app/Superuser.apk | Process: N/A | Target: N/A

Queries information about running processes on the device
Tactic: discovery
Description: Framework service call | Indicator: android.app.IActivityManager.getRunningAppProcesses | Process: N/A | Target: N/A

Queries information about active data network
Tactic: discovery
Description: Framework service call | Indicator: android.net.IConnectivityManager.getActiveNetworkInfo | Process: N/A | Target: N/A

Queries information about the current Wi-Fi connection
Tactic: discovery
Description: Framework service call | Indicator: android.net.wifi.IWifiManager.getConnectionInfo | Process: N/A | Target: N/A

Queries the mobile country code (MCC)
Tactic: discovery
Description: Framework service call | Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: N/A | Target: N/A

Listens for changes in the sensor environment (might be used to detect emulation)
Tactic: evasion
Description: Framework API call | Indicator: android.hardware.SensorManager.registerListener | Process: N/A | Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactic: persistence
Description: Framework service call | Indicator: android.app.IActivityManager.registerReceiver | Process: N/A | Target: N/A

Checks CPU information
Description: File opened for read | Indicator: /proc/cpuinfo | Process: N/A | Target: N/A

Checks memory information
Description: File opened for read | Indicator: /proc/meminfo | Process: N/A | Target: N/A

Processes

com.yxxinglin.xzid25697

Network

Country | Destination | Domain | Proto
GB | 172.217.169.10:443 | | tcp
GB | 172.217.169.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.78:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | wendsldj.com | udp
NL | 78.41.204.34:80 | wendsldj.com | tcp
NL | 78.41.204.34:80 | wendsldj.com | tcp
NL | 78.41.204.34:80 | wendsldj.com | tcp
US | 1.1.1.1:53 | ww1.wendsldj.com | udp
US | 199.59.243.225:80 | ww1.wendsldj.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp
GB | 172.217.16.226:443 | partner.googleadservices.com | tcp
GB | 142.250.187.238:443 | www.adsensecustomsearchads.com | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 142.250.187.193:443 | afs.googleusercontent.com | tcp
GB | 142.250.187.193:443 | afs.googleusercontent.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp

Files

/data/data/com.yxxinglin.xzid25697/files/umeng_it.cache

MD5 bd647ad4aaa9b57501f289a84eed5ee4
SHA1 9f9364c791c9c221578634f78bf0575ceeed41db
SHA256 b8b296f16fe2371c06ed20b0f6f4e4302c0403f3ed356b0c70363b1c84cf3a0a
SHA512 ccb9a524900693e7cd6a5063e0045380e007fe01e1190f2f36c312ec687e3498ac32dd9192224c25787b78fd730325dfa3b84839a00c08e56d8a0aa71215f10e

/data/data/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDY4Mjk4

MD5 8b62526f7f6bbc2e1e850b9a0c428cc2
SHA1 52e8bced520fa8e2b4c72abb93d7b89940aafb77
SHA256 6bcdcd7bc7a15ea479364d1967c64ab21a25fc379ce37ce8aa8d4ceff704f3cb
SHA512 0402f230a98b457f0ba022f43c9d4cd41cefaa9d4358cc133b77915e8ddf0b468c8b2bef39eda812a4bba3071b74a8c1b3f8e574e85fe10a2623f2b7e2636026

/data/data/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDk4OTcz

MD5 d1f531dbd53bd10069716c33e2374ced
SHA1 6205e846e8e0e078a8d615cfd8690fc757ef340d
SHA256 8957f46c37daaaddb705e82659a93412c74e013e8b3f75cd142cca35b11a1a91
SHA512 65b7745d7421c2a6a0f4027d06c05b54b77742e4472a57d4513a202ea7f017b11e31fdda83f8013ed99a75b5d9fa54770a6a570e9cc1bca1167b313a1a001898

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 14:34

Reported

2024-06-11 14:37

Platform

android-x64-20240611-en

Max time kernel

64s

Max time network

155s

Command Line

com.yxxinglin.xzid25697

Signatures

Checks if the Android device is rooted
Tactic: evasion
Description: N/A | Indicator: /system/app/Superuser.apk | Process: N/A | Target: N/A

Obtains sensitive information copied to the device clipboard
Tactic: collection credential_access impact
Description: Framework service call | Indicator: android.content.IClipboard.addPrimaryClipChangedListener | Process: N/A | Target: N/A

Queries information about running processes on the device
Tactic: discovery
Description: Framework service call | Indicator: android.app.IActivityManager.getRunningAppProcesses | Process: N/A | Target: N/A

Queries information about active data network
Tactic: discovery
Description: Framework service call | Indicator: android.net.IConnectivityManager.getActiveNetworkInfo | Process: N/A | Target: N/A

Queries information about the current Wi-Fi connection
Tactic: discovery
Description: Framework service call | Indicator: android.net.wifi.IWifiManager.getConnectionInfo | Process: N/A | Target: N/A

Queries the mobile country code (MCC)
Tactic: discovery
Description: Framework service call | Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: N/A | Target: N/A

Listens for changes in the sensor environment (might be used to detect emulation)
Tactic: evasion
Description: Framework API call | Indicator: android.hardware.SensorManager.registerListener | Process: N/A | Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactic: persistence
Description: Framework service call | Indicator: android.app.IActivityManager.registerReceiver | Process: N/A | Target: N/A

Checks CPU information
Description: File opened for read | Indicator: /proc/cpuinfo | Process: N/A | Target: N/A

Checks memory information
Description: File opened for read | Indicator: /proc/meminfo | Process: N/A | Target: N/A

Processes

com.yxxinglin.xzid25697

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | wendsldj.com | udp
NL | 78.41.204.34:80 | wendsldj.com | tcp
NL | 78.41.204.34:80 | wendsldj.com | tcp
NL | 78.41.204.34:80 | wendsldj.com | tcp
US | 1.1.1.1:53 | ww1.wendsldj.com | udp
US | 199.59.243.225:80 | ww1.wendsldj.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.68:443 | www.google.com | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
GB | 172.217.16.226:443 | partner.googleadservices.com | tcp
US | 1.1.1.1:53 | syndicatedsearch.goog | udp
GB | 142.250.178.14:443 | syndicatedsearch.goog | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 172.217.169.65:443 | afs.googleusercontent.com | tcp
GB | 172.217.169.65:443 | afs.googleusercontent.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/com.yxxinglin.xzid25697/files/umeng_it.cache

MD5 9dd9f5b7f1d6ee4e092e3ed40c466787
SHA1 e68b10bfd75b6f25ce2748663466a07c0c318a07
SHA256 e4882d0b0a790ca2ce9d2a209791fd1db60a7cd00469b77f34607b673ade7e27
SHA512 c483341cad9525b0c4b8005ab71417d7c8a3a351bcfba0748d354868302f02c435ce73f865e954d1f549d2f1f18f8568ddcf6daa9720ee417805fa5f3a662ea6

/data/data/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDY4Mjk0

MD5 12d1326cff81f7b87b221f2e6cdf0540
SHA1 fc1bf909d3d1b6da8cf896ea7f1741a4cd1882f8
SHA256 e6bfa02da05c98017e8b3f895b1d71bea952d972a6a6bfa5b7b1861a801590c7
SHA512 ff6f59a7c7d0b7ee5033eaa11410080dc37e4255c74913dd4d28dbae162598857a78d4af104b471039c2f3763c214a3332c1153d3419ca2f039b1dbca18e97a7

/data/data/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDk4NDg2

MD5 612eecf004c25b4cc052aa14c1895f70
SHA1 295251bf631b4309ae7556d7ca7a08cfac8aa979
SHA256 23392ea7832b37b4a21d7a8effcd5b7f36ce93bc4776cf93de002ddfc6d3d612
SHA512 18bf8897d7fe1763665bee94ba52cfee7f6d7e8f0b8ff3235b161458e3d406fb64624ff50597f23ea77ae1936ea94ba9a6d074b9cb8a74f327e487b5f28ea795

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 14:34

Reported

2024-06-11 14:37

Platform

android-x64-arm64-20240611-en

Max time kernel

87s

Max time network

163s

Command Line

com.yxxinglin.xzid25697

Signatures

Checks if the Android device is rooted
Tactic: evasion
Description: N/A | Indicator: /system/app/Superuser.apk | Process: N/A | Target: N/A

Obtains sensitive information copied to the device clipboard
Tactic: collection credential_access impact
Description: Framework service call | Indicator: android.content.IClipboard.addPrimaryClipChangedListener | Process: N/A | Target: N/A

Queries information about running processes on the device
Tactic: discovery
Description: Framework service call | Indicator: android.app.IActivityManager.getRunningAppProcesses | Process: N/A | Target: N/A

Queries information about the current nearby Wi-Fi networks
Tactic: discovery
Description: Framework service call | Indicator: android.net.wifi.IWifiManager.getScanResults | Process: N/A | Target: N/A

Queries information about active data network
Tactic: discovery
Description: Framework service call | Indicator: android.net.IConnectivityManager.getActiveNetworkInfo | Process: N/A | Target: N/A

Queries information about the current Wi-Fi connection
Tactic: discovery
Description: Framework service call | Indicator: android.net.wifi.IWifiManager.getConnectionInfo | Process: N/A | Target: N/A

Listens for changes in the sensor environment (might be used to detect emulation)
Tactic: evasion
Description: Framework API call | Indicator: android.hardware.SensorManager.registerListener | Process: N/A | Target: N/A

Checks CPU information
Description: File opened for read | Indicator: /proc/cpuinfo | Process: N/A | Target: N/A

Checks memory information
Description: File opened for read | Indicator: /proc/meminfo | Process: N/A | Target: N/A

Processes

com.yxxinglin.xzid25697

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.78:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | wendsldj.com | udp
NL | 78.41.204.34:80 | wendsldj.com | tcp
NL | 78.41.204.34:80 | wendsldj.com | tcp
US | 1.1.1.1:53 | ww1.wendsldj.com | udp
US | 199.59.243.225:80 | ww1.wendsldj.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp
GB | 172.217.16.226:443 | partner.googleadservices.com | tcp
GB | 142.250.178.14:443 | www.adsensecustomsearchads.com | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 172.217.169.1:443 | afs.googleusercontent.com | tcp
GB | 172.217.169.1:443 | afs.googleusercontent.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.68:443 | plbslog.umeng.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 216.58.201.99:443 | | tcp

Files

/data/user/0/com.yxxinglin.xzid25697/files/umeng_it.cache

MD5 c5c3442ce38db9bd53a30a6878396637
SHA1 2e6627acc214f2eab4153aa767a77673c16a852b
SHA256 6eb0edfd7af7ae562320f45e92259c99b26cfa192815f716338494b14edafe6e
SHA512 a11f72a9c81435a220fdb1d3dd8584ab0ee679834ebee32d41fc9f5cd8b6f206f10c7da93fb8a3d55b204354d33b537fc2d1b50ad49147f64f609541f3b86cbd

/data/user/0/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDcwNDE1

MD5 1f9d3d467d7fb8951ffefa18471f255c
SHA1 cf18fab7593acbc3b9cba841279aa1aa842e840b
SHA256 7fefc4026e4e5e1a7fcc40c8f1b1d22b720d62ca58c66fece7bb410d3ed09188
SHA512 ebcdab6758e203ecd0621ca2467ba5f41122e845b5345aad5de94f1332c1c4794b2e8a1b45fed10a55db20875176198e35064412cb6446e875698e47aba394a1

/data/user/0/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NTAwNTY2

MD5 e050e18278ecc60db5f96c9c4bb75a16
SHA1 6ede5ee4533fc56536314bbf94315178c465d157
SHA256 eacf874748f57f0d5174916b2fdf100d45dffc9a4d2e806d0ffced331b741082
SHA512 915bffc24134974e52384d670461cca6dcc22d94867512754ba7043111ac14cbac38e1fa0179c43abd56ef799c5687eac12a2b52666a2986d5cfa7109af029be