Analysis Overview
SHA256
e77c710c9228793bba49a7788968c404d711a1b21997fe4f46393e9c0304667c
Threat Level: Likely malicious
The file 9eee67e5bb96837a5a3a2025e49e5715_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 17:09
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 17:09
Reported
2024-06-11 17:13
Platform
android-x64-arm64-20240611-en
Max time kernel
10s
Max time network
140s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
im.xinda.youdu
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 216.58.201.99:443 | | tcp |
Files
/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal
| MD5 | 8480708c6a9ff35c1e5bd48ba3139211 |
| SHA1 | 29f8e1731ba7cac5507e7403a8cec068ec4acf0f |
| SHA256 | e2618545ad8baf99df8608ee5d998b1e9c7a71cb11eb860cb01e12c4ac41856d |
| SHA512 | c526ff3137b61edda5b9e642c483182eb280c505d60ff15a223f66615ae94e54660d1b9af41f8bd9ec75901ad3894be850dfb8f7d6d4938834d40c152469c605 |
/data/user/0/im.xinda.youdu/databases/bugly_db_legu
| MD5 | c2cdb6146e4e7de762f63ad7897ee209 |
| SHA1 | e2d768918e68cec73169feff7dcb92d8d2d61c00 |
| SHA256 | 88759bc50db37fcbc2bea7fcb70f70adbe7478d97c4570ec7ca0e1e0910cb79f |
| SHA512 | 64dea56b3d9c7b598e0a25071ab3ae13f55a1a141e033b26f4e4b49a4adf6000fb96735cd76da4c3fc2163399f73ae67dbd96cfbe2a7d9bb5f4bc1120f17e398 |
/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal
| MD5 | 1468de241f12994a50fa115d6c9c4ff2 |
| SHA1 | a58d9be088c3f6a1c084b2dacba03a8d69e8e357 |
| SHA256 | daac821a6f167c1a9600a2ecf9eb12bf644920ccefb6bae8ee75fddff7dbc487 |
| SHA512 | be11979ebe5911fa3ae7374a806ba6944af506d9b2f573d58dc0e8651235da71b5527d59637c685ccce5ed60cd97465b6f0eca5f830ef40f2713927e25c1ab7c |
/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal
| MD5 | 5d6663443802a815c427c2736b0d3e30 |
| SHA1 | a207e0985e7e3b7b2e8c28aad6d684d53cce72fd |
| SHA256 | b3daed0deeb00ce82e9070f41771c3bc69239b054671aaaf42aee3cf4d3a8de2 |
| SHA512 | 47474a7a8ebeac9c01f4ede166a8e22a942382a250724830985ce3ed388423c8bebea3ab77d910fd37d15fa90740b6ecad1a4e1a983d79a3d266c0d40f342219 |
/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal
| MD5 | d770658f328cde75efc63d3cd37d9b2c |
| SHA1 | 6cb2b7213f4802651eea4b8be95b326249653e92 |
| SHA256 | 706778a35a900ef2aa801267af0a4621ff40ea93bd291cffff58438848e39e20 |
| SHA512 | 9031d13a334efa6d5f9d1aa1477a2b9f15f136f0496085b12e165de0a2cfb82926f680a3f00bc837d357f8ab5e68a735210fb885a1ff81e20a83460e2d9b3786 |
/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal
| MD5 | 324c48dd73d1a7307083fe81449e638b |
| SHA1 | b585fc64e6d49cf7841e8904333bf7147a45f72f |
| SHA256 | 4f595add3d25f0925baf3cccb8b4b72294f9a587e83bbcbaf944bf2355e8a7db |
| SHA512 | d8a352bcbab8f4ab157288151cb36e43ac1ec97e89d1b78027d386d1938ab4639787954616d53e5d5c637088587f1d76e54af49a19a666fae7a4f80d9517401e |
/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal
| MD5 | 3de56f305b1d2129728afc083b93ba49 |
| SHA1 | 300cb883cab266527f86152cf24903bd8a05ef66 |
| SHA256 | e613cfdff5486a5a02d95729736da3eab52276ce78e14212cf132c588351364e |
| SHA512 | 5e01e45b41508a632c84b73c9118e3440e7c01d837119f3ca763f17c2b8e6e79a1458488763e1b2d8f3fbc0c82cc1db9d4469235333477906ca217ca3558dd3f |
/data/user/0/im.xinda.youdu/app_bugly/tomb_1718125809509.txt
| MD5 | 7f76c7869448c20433688e0ef3762390 |
| SHA1 | 4164302f73af89a0fb73e1c73e3b5d92eb0182cd |
| SHA256 | d7a0148ac73e6fc56ff1a75096a144c25b9a5cce46d7a665542b812d13e9d97f |
| SHA512 | 8f92f9630d7611c9e2f9fe6c4130f107227903c87bc56ca250770d2ad0e20e87e6da6ffd325a3a2b3fa3d47364ac27801f81645a57a3895eb9aa8212a4743e61 |
/data/user/0/im.xinda.youdu/app_bugly/rqd_record.eup
| MD5 | b3500d86fa4d3f2bb1a4ebc5f29d07c2 |
| SHA1 | 5eef64d259b5818e8ed1a93cee3520ed2e9bd976 |
| SHA256 | 166cc7709eab1e085b9e879e89968e4823244601b4176cce0dd6c657ae39a9af |
| SHA512 | 3ea8a5a8fe36807ac37ec47eea722eea070a9ebdfc6de60882cc9793cbb4b16e5dfc986f311d96b92be0a5a7aa7cc326885e4528eb26cc3235c30a62a8ac797d |
/data/user/0/im.xinda.youdu/app_bugly/rqd_record.eup
| MD5 | abb75604ff62f1afe91601af5b501466 |
| SHA1 | ebfded699c9a230177953ceb9a1cb7cb4117bfe1 |
| SHA256 | d8eeeba3c883ba45481f3aa6beca9d6d3d311ccb38d18526db434e2eccfc9f6c |
| SHA512 | 2da5b483ac587ec10752fd50a735674f78b3c0c2d02210c9ab7c8871573137c197c10132422c30414fdbd04cabbd9c409116849d798826c00e02ad0ff4891ebc |
/data/user/0/im.xinda.youdu/cache/tomb.zip
| MD5 | 0f867b02e6edc3cd0672274b4b6b227c |
| SHA1 | 05b8d0b4923ecd1f34c96f2b9837053bfe452879 |
| SHA256 | 11cffa4d4fbaab3b0e155d68762dce6f0e43ed6a7d12eda9cc3fde29f2c4fe94 |
| SHA512 | 3a44a472eb968b27396db6e4b4896643f0cf5ebef45942186dcdc9ca876dd1e1463f4046738ac8b9bcd54eadc9c888ed21d24db5ff1c028d60d8733150609a9a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 17:09
Reported
2024-06-11 17:13
Platform
android-x86-arm-20240611-en
Max time kernel
16s
Max time network
135s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
im.xinda.youdu
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/im.xinda.youdu/databases/bugly_db_legu-journal
| MD5 | 3fa3cc60269fb2b14edbd1722ade3326 |
| SHA1 | 3b63bca51741c254bc3bda54914f302043126ce2 |
| SHA256 | 5b57eac3345213626e5d64af1b41e61a4945dd50bd0a96ac74367c38c1202572 |
| SHA512 | 2f04f72af74fadf1f5547c8cff0f094ee1026c06f3ae91419a016c9e2175cfecbec18a130f21ea2d7b7529feef4a21ad1845e732e61bd8ff1a3bc39a249c0a11 |
/data/data/im.xinda.youdu/databases/bugly_db_legu
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/im.xinda.youdu/databases/bugly_db_legu-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/im.xinda.youdu/databases/bugly_db_legu-wal
| MD5 | 42730d914918b6c73c87960e26a1ebf5 |
| SHA1 | 4131acfc92ee574f9a85e2a9157496a65c3022e7 |
| SHA256 | 032139f03c53e6a78aab87df36dbc610ca33519a09def77616f515988ea252bc |
| SHA512 | a281600bbc55f7058e6ed458630e79eadaead07d05a589ec47ba09dfcdb567aea40cce2a890ce4252d48db0a8abfddaf5a0045382a87dee058d3e907066d2833 |
/data/data/im.xinda.youdu/app_bugly/tomb_1718125806691.txt
| MD5 | e668e44cce65a4069cfc1524f23fbaee |
| SHA1 | 8c239bdae7d26bf7fc1af0948698ed624f915b65 |
| SHA256 | 886c19fb6dbbb49fdee9ffba81df64557a1494691ff19752906627172c47345c |
| SHA512 | 3cc2750cc6a5358e9e57f4aedf929acb99d4706761b626a58245205f67db041d86877b7dbd8486f0520d3711415459f64b088b0eae4755f06e067e3b9b0d4257 |
/data/data/im.xinda.youdu/app_bugly/rqd_record.eup
| MD5 | d6b0dc20be7cc1078ee281bcf1db092f |
| SHA1 | 621d5ed4e197cc5b80c4cefc4f1cac617e2c21fc |
| SHA256 | f17d8563fbf085d7865b699f24f5c61507efe82d8804f15909f301184f14a60d |
| SHA512 | 869a280fa44531b2b3bfcff619339ed015109765d009870b57f0ad03c3c46e72c2884a1b005996967c9dc4393500fbdeb53dcfa166cb49d0f5d6cc804f1214ab |
/data/data/im.xinda.youdu/app_bugly/rqd_record.eup
| MD5 | 83936f1c6324be4255042fa5c6860d89 |
| SHA1 | 3a519cc2293278ca3c209645dba0cc97fa583b25 |
| SHA256 | a6fa528688a6cd6c09acf6e628996547b40a5ed845f51b0422617ac0c3a2f52c |
| SHA512 | 154b268dd5fd75016f5a417f7b86e4769e05c10f4642eb0245902690472194ae3db3f62345289a9937b037d93c4ebdf4ea7a0d4b174c2dc1bedda8e69559de73 |