Analysis Overview
score
7/10
SHA256
a8676d4344ff608433049abb5dab50375d6df887c84e223b92d165de736efcbf
Threat Level: Shows suspicious behavior
The file 9f5158aa2231110a09df612e8309bd11_JaffaCakes118 received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 19:38
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 19:36
Reported
2024-06-11 19:41
Platform
android-x86-arm-20240611.1-en
Max time kernel
4s
Max time network
119s
Command Line
com.xgbuy.xg
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/data/com.xgbuy.xg/.jiagu/classes.dex | N/A | N/A |
Processes
com.xgbuy.xg
Network
Files
/data/data/com.xgbuy.xg/.jiagu/libjiagu.so
/data/data/com.xgbuy.xg/.jiagu/classes.dex
/data/data/com.xgbuy.xg/.jiagu/classes.dex
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 19:36
Reported
2024-06-11 19:38
Platform
android-33-x64-arm64-20240611.1-en
Command Line
N/A
Signatures
N/A
Processes
N/A
Network
N/A
Files
N/A