Malware Analysis Report

2025-01-19 07:49

Sample ID: 240611-wmqzfswcnn
Target: 9f125bf86519db0b6243e18dacdaac20_JaffaCakes118
SHA256: ad902ca1dc5c2930f3aac5ad9ec25a489e8474e731e574b5fbf566fbe7259f80
Tags: discovery, evasion
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: ad902ca1dc5c2930f3aac5ad9ec25a489e8474e731e574b5fbf566fbe7259f80

Threat Level: Shows suspicious behavior

The file 9f125bf86519db0b6243e18dacdaac20_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, evasion

Loads dropped Dex/Jar

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 18:02

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 18:02

Reported: 2024-06-11 18:05

Platform: android-x86-arm-20240611-en

Max time kernel: 147s

Max time network: 130s

Command Line

org.blusteam.lhfree.wildprism

Signatures

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/org.blusteam.lhfree.wildprism/files/data.jar | N/A | N/A
N/A | /data/user/0/org.blusteam.lhfree.wildprism/files/data.jar | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion

Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

org.blusteam.lhfree.wildprism

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/org.blusteam.lhfree.wildprism/files/data.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/org.blusteam.lhfree.wildprism/files/oat/x86/data.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 142.250.187.202:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/org.blusteam.lhfree.wildprism/files/pay.data

MD5 b3318d0f9efefa37d789745f55ec3b6a
SHA1 62794c6e107c5d6bd248fd1c883a5ab02da2d7df
SHA256 62e0bdbf50e5684c6ebf48c10491b662f1662d26c9594e852c34849bcaec856a
SHA512 bbbb19ed4c7f427e1399c2d18a4e104812514feea1bbdcda927c593e9d9d987a72051e133c94fe4c3d15d24716299dae53f172eb32b02c79f0d3c885fe748f1d

/data/data/org.blusteam.lhfree.wildprism/files/data.jar

MD5 43aa6e671437df7e21ada10b9ca9c76e
SHA1 21603addc58ee1aacd36fc5a065a6c28d8348957
SHA256 bfb16339a70adf336c93d4eff1854ce69ec2f23e8473743721bb83e6c2816bc4
SHA512 42e9caa35a717e4522bc4f2c69db219762338d66ae68d3b413e1c369952e9d05e5651d9b7c52e13f4beccb597c909c4d71884ec8cdb36323094cbeada9cf05e6

/data/user/0/org.blusteam.lhfree.wildprism/files/data.jar

MD5 1cc8518346734dd6224a76390abdcc47
SHA1 6b008b0bfaeb1f96b7e146cf90e6d5cdea251405
SHA256 f57bd8ca4cd7c881b8c304dad6e2530613bb287296888f5ffe1bdd39ad1d4f1d
SHA512 7c824d52c4ef673f437811315d2e2aab4fa9c84050a5814cba780eeca21ed2a82759e88d9bd36f9a402a53f64188ada8c78718d26919f14a8954624e9e939248

/data/user/0/org.blusteam.lhfree.wildprism/files/data.jar

MD5 7b77931bfeb2f5c8b0337fbba9a8b528
SHA1 0e6906a326f3921beedd676f7f0bd7c3eabaf2c2
SHA256 92b9752d6ae65eeb948653cf5f27ab83438b787d5601845974c976f492df21d0
SHA512 c97a3e2063c68103a5298a1a5d8c740f6ec44b60e836092438fe6295964955d2c99d1e4a113d3dfab7eff2fb8c4caca09cca6ea516f0be20b02c57e51767c900

/storage/emulated/0/InAppBillingLibrary/log

MD5 fc648417b4802c5028b9f83114bed62e
SHA1 a4557b096b208b396a413371be3b4d8a440f5357
SHA256 be608ca48b518caee3e850942a6fdfe0750ca1a6d8fbd84241bb3c5f86b7329a
SHA512 3004048176b4f0a24a764cecee177ab6479b1a5339222b702de177b884b8843791ba65521d68c5ba0b157eb3e05fd3ade9c0597cea090a40ee6b846b99b27f36

/storage/emulated/0/InAppBillingLibrary/log

MD5 b3c96e48b03a0438d91c59ffc05bebdb
SHA1 587cf3d9158f3174851789d7d11005f1935831da
SHA256 79b1b4f67c8c991b7bf9d0e8da863288e6ae111b6e2ed8e296e8ee4e58e3790d
SHA512 94e8e7fd184f6712257dea1adf6714dc93ad26d5917e42dbd5dc753be164541f5c37208e94038955c2686570b1f9f6cf0c4c0d4ad0b71793ad530a983c253cea

/data/data/org.blusteam.lhfree.wildprism/files/iapSplash.dat

MD5 c6f057b86584942e415435ffb1fa93d4
SHA1 8aefb06c426e07a0a671a1e2488b4858d694a730
SHA256 2ac9a6746aca543af8dff39894cfe8173afba21eb01c6fae33d52947222855ef
SHA512 bdc247a1a0e28a586ed40744d281993d519abe981aaef33277d4877d167e1150816e9723d068a59509991ed0cdd8c5cea0f9ecd0ef23664db7cb85db5a0dbe12

/data/data/org.blusteam.lhfree.wildprism/databases/license_data.db-journal

MD5 4e438664f3ad2e604c4a9ab60fa3b6bd
SHA1 d9d774694e25519b4684c8ae44e79ec35bd01f2d
SHA256 28cbaae209d45c4f789543e5530933a86b3809bc303df9a54a9830be9711f8a1
SHA512 9286ff48dee82c59594d39210b5900ee9aa3de38da5343e0506f4f189e1a6b97d535f7e35ceee6ebbbb10801882c2cc8cec17bbcd6bbf812a33f395f42015b50

/data/data/org.blusteam.lhfree.wildprism/databases/license_data.db

MD5 ca2bcc7a502ebe854deae37d6952b481
SHA1 29d9cacf79b5eaea6db50402bdb19fd17454ad1f
SHA256 b8c2639c6e290d8880b1ecc74cd61838439860efa104c9d68c578d8fa3da85d2
SHA512 0a6b1cb290da5bfc7641cf4df4df4a6b332f0cfc9db45a8bfe36379c8dbfb06ed6267792ef397be193d601e472b8607f441035e9a05b85546b626b90346443f5

/data/data/org.blusteam.lhfree.wildprism/databases/license_data.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/org.blusteam.lhfree.wildprism/databases/license_data.db-wal

MD5 ef04120b223864d574cef915fa4138cf
SHA1 fe734e6a5d879cca8685bb4c5010688539e7e324
SHA256 fea760b8de2389dcd87d70db612debd128901fb9668c18d0e784ae7f7bfa1656
SHA512 9bd93d6b8f9522ba15f0997ad5bc80a071cd4b58e2812d5b0b3990962d9bf6222c8718a5ffb918a535fa96a37386c3a47570ebbe1dfa8554ab8c79e1824d76c1

/storage/emulated/0/InAppBillingLibrary/log

MD5 57e67f8686238591a351bc9324cebdef
SHA1 d65f158b8a92726c0d2e0d01b76d84677178e8d6
SHA256 f630077bfd562a7743d80aca10e306bdf3aa27e5d451ca5210ab4d9f051bbe30
SHA512 431267ea0150c00bbd533731416d4a074d2d3308fde25418d82fed0c7a720b98e4633cf5992b1ef66e2afb6e8d3df81e1917e0cd74ac81c70df73ee26567db07

/data/data/org.blusteam.lhfree.wildprism/files/umeng_it.cache

MD5 49cc01bf78c51feceec770a748751441
SHA1 3d671e35de477c9593047065f1219edb3855e5de
SHA256 cd12ffeb310e1455b732db2a63c64be572675ef20a396514ea479b37365ee963
SHA512 5569c3b20c0621d7b2f14ae41fbd013c01e9aa5c66f84a753b6596d6be8cd0fe46543424f0efb26aac6c4dbc1763cf3d1336b9c1b153f146328e563fd6998a1a

/data/data/org.blusteam.lhfree.wildprism/files/GameClientBin/Config/CustomTmp.cf

MD5 60608dcfeef53d633d264bb76a63ca45
SHA1 4dfa54474d65992c700189d52285b0563c82ceca
SHA256 db2b2e2ff0cbf636cf66571cf5ffad0c153ffbb898c402ec6fe5281aadfd19ec
SHA512 ad1c1bbb2fb6eb5247deca3297e0a2121d05d3498df49a7d76a6a7d9620d7f165cd757ee2fdd0cdb98c6656c22cbb0542470c6c6a934590e4ec126018f8e6d64

/data/data/org.blusteam.lhfree.wildprism/files/.um/um_cache_1718129030366.env

MD5 764738831633981ebf151b4a26448ecf
SHA1 0662e3c3373e38d8bb472af91fa0234497657437
SHA256 ffdb0a963fd6e8763ae96789ef47df3e2fc919801f277b025d978d0e4ba0259e
SHA512 ef886d1f652bfa04a44e415ba0d93f393e1c8458b913d114c44da5267d4337815abd5457fcd9e0dc7b4733d6fcc3625c9c25059fef86c731ae27801274790b97