Malware Analysis Report

2025-01-19 07:49

Sample ID 240611-vpkpsavcnk
Target 9eee67e5bb96837a5a3a2025e49e5715_JaffaCakes118
SHA256 e77c710c9228793bba49a7788968c404d711a1b21997fe4f46393e9c0304667c
Tags: evasion, persistence
Score: 8/10

Table of Contents

Analysis Overview
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256

e77c710c9228793bba49a7788968c404d711a1b21997fe4f46393e9c0304667c

Threat Level: Likely malicious

The file 9eee67e5bb96837a5a3a2025e49e5715_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: evasion, persistence

Checks if the Android device is rooted (looks for /system/app/Superuser.apk).

Requests dangerous framework permissions (microphone, camera, fine and coarse location, phone state, external storage, account list, overlay windows).

Registers a broadcast receiver at runtime (usually for listening for system events).

Checks memory information (reads /proc/meminfo).

Analyst note: the 8/10 score rests on four generic behavioural signatures that legitimate apps and the SDKs they bundle trigger as well. The detonated package is im.xinda.youdu. The files it wrote (databases/bugly_db_legu*, app_bugly/tomb_*.txt, app_bugly/rqd_record.eup, cache/tomb.zip) are the on-disk footprint of a crash-reporting SDK (the bugly_* naming is Tencent Bugly's), and the getprop commands it spawned read OEM ROM version properties (MIUI, EMUI, ColorOS, Funtouch and others), the device profiling such an SDK performs before uploading a report. The only network activity recorded is mDNS, DNS lookups and TLS to Google analytics/API hosts and to addresses in Google's ranges; no other command-and-control or download endpoint appears in either detonation. Treat the verdict as a prompt to verify the APK's signing certificate against the vendor's released build and to review the decompiled code for how the requested permissions are actually used, not as confirmation of malware.

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:09

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Process and Target are N/A throughout because these are manifest declarations found by the static pass, not permissions observed being granted or used at runtime. SYSTEM_ALERT_WINDOW is listed alongside the runtime permissions although it is granted from Settings rather than through the runtime prompt; it matters here because an overlay permission next to microphone, camera and location access is the combination overlay-phishing apps rely on.
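As an added example (not code from this report or from the analysed app), the script below reproduces the finding above from a decoded AndroidManifest.xml using only the Python standard library, so the permission list can be checked against the APK itself rather than taken from the sandbox. The embedded manifest is constructed for the demo; DANGEROUS and SPECIAL are hand-maintained subsets chosen for this report, not Android's full permission list, and the group labels are shorthand chosen here rather than Android's own permission-group names.

```python
"""Reproduce the sandbox's "dangerous permissions" finding from a decoded
AndroidManifest.xml (for example the one apktool writes).

Added example, not code from this report or from the analysed app. The
DANGEROUS and SPECIAL tables are hand-maintained subsets chosen for this
report, not Android's full permission list, and the group labels are
shorthand. SAMPLE_MANIFEST is constructed for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name after namespace expansion

# Runtime ("dangerous" protection level) permissions -> shorthand group.
DANGEROUS = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.GET_ACCOUNTS": "contacts",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
}

# Granted from Settings rather than the runtime prompt, so not "dangerous"
# in the protection-level sense; overlay next to sensor access is still the
# classic overlay-phishing combination and is surfaced separately.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
}

# Constructed sample manifest (not the analysed app's manifest).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(xml_text):
    """Return (package, [permissions]) in document order, de-duplicated.

    Both <uses-permission> and <uses-permission-sdk-23> count: the latter
    only takes effect on API 23+, but it is still a request."""
    root = ET.fromstring(xml_text)
    names = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(NAME_ATTR)
            if name and name not in names:
                names.append(name)
    return root.get("package"), names


def audit_manifest(xml_text):
    """Split requested permissions into dangerous / special / other and
    attach the shorthand groups the dangerous ones fall into."""
    package, names = requested_permissions(xml_text)
    dangerous = sorted(n for n in names if n in DANGEROUS)
    special = sorted(n for n in names if n in SPECIAL)
    other = sorted(n for n in names if n not in DANGEROUS and n not in SPECIAL)
    groups = sorted({DANGEROUS[n] for n in dangerous})
    flags = []
    if special and {"microphone", "camera", "location"} & set(groups):
        flags.append("overlay permission combined with sensor access")
    return {
        "package": package,
        "dangerous": dangerous,
        "groups": groups,
        "special": special,
        "other": other,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

To run it against a real sample, decode the APK first (`apktool d sample.apk`) and pass the contents of the resulting AndroidManifest.xml to audit_manifest. The output separates what the runtime prompt will ask the user for from what is granted through Settings, which is the distinction the sandbox's single "dangerous permissions" bucket flattens.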

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 17:09

Reported

2024-06-11 17:13

Platform

android-x64-arm64-20240611-en

Max time kernel

10s

Max time network

140s

Command Line

im.xinda.youdu

Signatures

Checks if the Android device is rooted. [evasion]

Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

im.xinda.youdu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.187.228:443 | N/A | tcp
GB | 142.250.187.228:443 | N/A | tcp
GB | 216.58.201.99:443 | N/A | tcp

224.0.0.251:5353 is multicast DNS and 1.1.1.1:53 is the resolver the sandbox hands the device; rows without a Domain are TCP connections recorded without an associated hostname.

Files

/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal

MD5 8480708c6a9ff35c1e5bd48ba3139211
SHA1 29f8e1731ba7cac5507e7403a8cec068ec4acf0f
SHA256 e2618545ad8baf99df8608ee5d998b1e9c7a71cb11eb860cb01e12c4ac41856d
SHA512 c526ff3137b61edda5b9e642c483182eb280c505d60ff15a223f66615ae94e54660d1b9af41f8bd9ec75901ad3894be850dfb8f7d6d4938834d40c152469c605

/data/user/0/im.xinda.youdu/databases/bugly_db_legu

MD5 c2cdb6146e4e7de762f63ad7897ee209
SHA1 e2d768918e68cec73169feff7dcb92d8d2d61c00
SHA256 88759bc50db37fcbc2bea7fcb70f70adbe7478d97c4570ec7ca0e1e0910cb79f
SHA512 64dea56b3d9c7b598e0a25071ab3ae13f55a1a141e033b26f4e4b49a4adf6000fb96735cd76da4c3fc2163399f73ae67dbd96cfbe2a7d9bb5f4bc1120f17e398

/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal

MD5 1468de241f12994a50fa115d6c9c4ff2
SHA1 a58d9be088c3f6a1c084b2dacba03a8d69e8e357
SHA256 daac821a6f167c1a9600a2ecf9eb12bf644920ccefb6bae8ee75fddff7dbc487
SHA512 be11979ebe5911fa3ae7374a806ba6944af506d9b2f573d58dc0e8651235da71b5527d59637c685ccce5ed60cd97465b6f0eca5f830ef40f2713927e25c1ab7c

/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal

MD5 5d6663443802a815c427c2736b0d3e30
SHA1 a207e0985e7e3b7b2e8c28aad6d684d53cce72fd
SHA256 b3daed0deeb00ce82e9070f41771c3bc69239b054671aaaf42aee3cf4d3a8de2
SHA512 47474a7a8ebeac9c01f4ede166a8e22a942382a250724830985ce3ed388423c8bebea3ab77d910fd37d15fa90740b6ecad1a4e1a983d79a3d266c0d40f342219

/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal

MD5 d770658f328cde75efc63d3cd37d9b2c
SHA1 6cb2b7213f4802651eea4b8be95b326249653e92
SHA256 706778a35a900ef2aa801267af0a4621ff40ea93bd291cffff58438848e39e20
SHA512 9031d13a334efa6d5f9d1aa1477a2b9f15f136f0496085b12e165de0a2cfb82926f680a3f00bc837d357f8ab5e68a735210fb885a1ff81e20a83460e2d9b3786

/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal

MD5 324c48dd73d1a7307083fe81449e638b
SHA1 b585fc64e6d49cf7841e8904333bf7147a45f72f
SHA256 4f595add3d25f0925baf3cccb8b4b72294f9a587e83bbcbaf944bf2355e8a7db
SHA512 d8a352bcbab8f4ab157288151cb36e43ac1ec97e89d1b78027d386d1938ab4639787954616d53e5d5c637088587f1d76e54af49a19a666fae7a4f80d9517401e

/data/user/0/im.xinda.youdu/databases/bugly_db_legu-journal

MD5 3de56f305b1d2129728afc083b93ba49
SHA1 300cb883cab266527f86152cf24903bd8a05ef66
SHA256 e613cfdff5486a5a02d95729736da3eab52276ce78e14212cf132c588351364e
SHA512 5e01e45b41508a632c84b73c9118e3440e7c01d837119f3ca763f17c2b8e6e79a1458488763e1b2d8f3fbc0c82cc1db9d4469235333477906ca217ca3558dd3f

/data/user/0/im.xinda.youdu/app_bugly/tomb_1718125809509.txt

MD5 7f76c7869448c20433688e0ef3762390
SHA1 4164302f73af89a0fb73e1c73e3b5d92eb0182cd
SHA256 d7a0148ac73e6fc56ff1a75096a144c25b9a5cce46d7a665542b812d13e9d97f
SHA512 8f92f9630d7611c9e2f9fe6c4130f107227903c87bc56ca250770d2ad0e20e87e6da6ffd325a3a2b3fa3d47364ac27801f81645a57a3895eb9aa8212a4743e61

/data/user/0/im.xinda.youdu/app_bugly/rqd_record.eup

MD5 b3500d86fa4d3f2bb1a4ebc5f29d07c2
SHA1 5eef64d259b5818e8ed1a93cee3520ed2e9bd976
SHA256 166cc7709eab1e085b9e879e89968e4823244601b4176cce0dd6c657ae39a9af
SHA512 3ea8a5a8fe36807ac37ec47eea722eea070a9ebdfc6de60882cc9793cbb4b16e5dfc986f311d96b92be0a5a7aa7cc326885e4528eb26cc3235c30a62a8ac797d

/data/user/0/im.xinda.youdu/app_bugly/rqd_record.eup

MD5 abb75604ff62f1afe91601af5b501466
SHA1 ebfded699c9a230177953ceb9a1cb7cb4117bfe1
SHA256 d8eeeba3c883ba45481f3aa6beca9d6d3d311ccb38d18526db434e2eccfc9f6c
SHA512 2da5b483ac587ec10752fd50a735674f78b3c0c2d02210c9ab7c8871573137c197c10132422c30414fdbd04cabbd9c409116849d798826c00e02ad0ff4891ebc

/data/user/0/im.xinda.youdu/cache/tomb.zip

MD5 0f867b02e6edc3cd0672274b4b6b227c
SHA1 05b8d0b4923ecd1f34c96f2b9837053bfe452879
SHA256 11cffa4d4fbaab3b0e155d68762dce6f0e43ed6a7d12eda9cc3fde29f2c4fe94
SHA512 3a44a472eb968b27396db6e4b4896643f0cf5ebef45942186dcdc9ca876dd1e1463f4046738ac8b9bcd54eadc9c888ed21d24db5ff1c028d60d8733150609a9a

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:09

Reported

2024-06-11 17:13

Platform

android-x86-arm-20240611-en

Max time kernel

16s

Max time network

135s

Command Line

im.xinda.youdu

Signatures

Checks if the Android device is rooted. [evasion]

Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events) [persistence]

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

Each getprop below appears twice, once as the /system/bin/sh -c wrapper and once as the child it spawned. The properties read (ro.miui.ui.version.name, ro.build.version.emui, ro.build.version.opporom, ro.vivo.os.build.display.id and the rest) identify which OEM ROM the app is running on; together with the logcat -d dump they are the read-only environment collection a crash reporter performs before uploading, and none of them modifies the device.

im.xinda.youdu

logcat -d -v threadtime

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/im.xinda.youdu/databases/bugly_db_legu-journal

MD5 3fa3cc60269fb2b14edbd1722ade3326
SHA1 3b63bca51741c254bc3bda54914f302043126ce2
SHA256 5b57eac3345213626e5d64af1b41e61a4945dd50bd0a96ac74367c38c1202572
SHA512 2f04f72af74fadf1f5547c8cff0f094ee1026c06f3ae91419a016c9e2175cfecbec18a130f21ea2d7b7529feef4a21ad1845e732e61bd8ff1a3bc39a249c0a11

/data/data/im.xinda.youdu/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/im.xinda.youdu/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/im.xinda.youdu/databases/bugly_db_legu-wal

MD5 42730d914918b6c73c87960e26a1ebf5
SHA1 4131acfc92ee574f9a85e2a9157496a65c3022e7
SHA256 032139f03c53e6a78aab87df36dbc610ca33519a09def77616f515988ea252bc
SHA512 a281600bbc55f7058e6ed458630e79eadaead07d05a589ec47ba09dfcdb567aea40cce2a890ce4252d48db0a8abfddaf5a0045382a87dee058d3e907066d2833

/data/data/im.xinda.youdu/app_bugly/tomb_1718125806691.txt

MD5 e668e44cce65a4069cfc1524f23fbaee
SHA1 8c239bdae7d26bf7fc1af0948698ed624f915b65
SHA256 886c19fb6dbbb49fdee9ffba81df64557a1494691ff19752906627172c47345c
SHA512 3cc2750cc6a5358e9e57f4aedf929acb99d4706761b626a58245205f67db041d86877b7dbd8486f0520d3711415459f64b088b0eae4755f06e067e3b9b0d4257

/data/data/im.xinda.youdu/app_bugly/rqd_record.eup

MD5 d6b0dc20be7cc1078ee281bcf1db092f
SHA1 621d5ed4e197cc5b80c4cefc4f1cac617e2c21fc
SHA256 f17d8563fbf085d7865b699f24f5c61507efe82d8804f15909f301184f14a60d
SHA512 869a280fa44531b2b3bfcff619339ed015109765d009870b57f0ad03c3c46e72c2884a1b005996967c9dc4393500fbdeb53dcfa166cb49d0f5d6cc804f1214ab

/data/data/im.xinda.youdu/app_bugly/rqd_record.eup

MD5 83936f1c6324be4255042fa5c6860d89
SHA1 3a519cc2293278ca3c209645dba0cc97fa583b25
SHA256 a6fa528688a6cd6c09acf6e628996547b40a5ed845f51b0422617ac0c3a2f52c
SHA512 154b268dd5fd75016f5a417f7b86e4769e05c10f4642eb0245902690472194ae3db3f62345289a9937b037d93c4ebdf4ea7a0d4b174c2dc1bedda8e69559de73
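The three behavioural sections of this report (Processes, Network, Files) are easier to reason about once they are structured. The following script is an added example, not part of the report or of the sandbox's tooling: it parses those sections in the plain-text layout used on this page, maps each getprop probe to the OEM ROM it identifies, separates DNS lookups from TCP connections, and splits the crash-reporter SDK's files from any other write. The vendor attributions in ROM_PROPS and the Bugly path pattern are assumptions based on the property and path names; the report embedded in the script is a constructed excerpt, and its last file entry is invented to show what a non-SDK write would look like.

```python
"""Structure the behavioural sections of a flattened sandbox report.

Added example, not part of the original report or the sandbox's tooling.
It parses this page's plain-text Processes list, "Country Destination Domain
Proto" table and Files list; maps getprop probes to the OEM ROM they identify
(ROM_PROPS is hand-written, its vendor names are assumptions); tags app_bugly/
and bugly_db* paths as crash-reporter artefacts (assumption: Tencent Bugly
naming); and splits DNS lookups from TCP connections. SAMPLE_REPORT is a
constructed excerpt; its last file entry is invented.
"""
import re

ROM_PROPS = {  # property queried -> ROM it identifies (assumed mapping)
    "ro.miui.ui.version.name": "Xiaomi MIUI",
    "ro.build.version.emui": "Huawei EMUI",
    "ro.build.version.opporom": "OPPO ColorOS",
    "ro.vivo.os.build.display.id": "vivo Funtouch",
    "ro.meizu.product.model": "Meizu Flyme",
}
GETPROP = re.compile(r"(?:^|\s)getprop\s+(ro\.\S+)$")
BUGLY_PATH = re.compile(r"/app_bugly/|/databases/bugly_db")
HEADINGS = ("Processes", "Network", "Files")

# Constructed excerpt in the page's layout (last file entry is invented).
SAMPLE_REPORT = """\
Processes

im.xinda.youdu

logcat -d -v threadtime

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.aa.romver

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.206:443 tcp

Files

/data/data/im.xinda.youdu/app_bugly/rqd_record.eup

MD5 d6b0dc20be7cc1078ee281bcf1db092f

/data/data/im.xinda.youdu/files/unknown.dat
"""


def split_sections(text):
    """Group non-empty lines under the Processes / Network / Files headings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            current, sections[line] = line, []
        elif current and line:
            sections[current].append(line)
    return sections


def classify_processes(lines):
    """Map getprop probes to the ROM they identify; keep everything else."""
    probes, other = {}, []
    for cmd in lines:
        m = GETPROP.search(cmd)
        if m:
            probes[m.group(1)] = ROM_PROPS.get(m.group(1), "unmapped OEM marker")
        else:
            other.append(cmd)
    return probes, other


def parse_network(lines):
    """Yield (country, host, port, domain, proto); Domain is optional in rows."""
    for line in lines:
        tok = line.split()
        if tok[0] == "Country" or len(tok) not in (3, 4):
            continue  # header row or a line in a shape we do not recognise
        host, _, port = tok[1].rpartition(":")
        yield tok[0], host, int(port), (tok[2] if len(tok) == 4 else None), tok[-1]


def triage(report_text):
    """One structured summary: ROM probes, DNS vs TCP, SDK files vs other writes."""
    sec = split_sections(report_text)
    probes, other_cmds = classify_processes(sec.get("Processes", []))
    rows = list(parse_network(sec.get("Network", [])))
    paths = [p for p in sec.get("Files", []) if p.startswith("/")]
    return {
        "rom_probes": probes,
        "other_commands": other_cmds,
        "dns_queries": sorted({d for _, _, port, d, proto in rows
                               if proto == "udp" and port == 53 and d}),
        "tcp_connections": sorted({(h, port) for _, h, port, _, proto in rows
                                   if proto == "tcp"}),
        "sdk_files": [p for p in paths if BUGLY_PATH.search(p)],
        "other_files": [p for p in paths if not BUGLY_PATH.search(p)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Anything that lands in other_commands, other_files or in dns_queries outside the expected hosts is what deserves analyst time; for this report those buckets contain only the package name, the logcat dump and Google hosts, which is the point made in the Analysis Overview.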