Malware Analysis Report

2025-01-19 07:48

Sample ID: 240611-ybkdmsyepf
Target: 9f5158aa2231110a09df612e8309bd11_JaffaCakes118
SHA256: a8676d4344ff608433049abb5dab50375d6df887c84e223b92d165de736efcbf
Tags: evasion
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: a8676d4344ff608433049abb5dab50375d6df887c84e223b92d165de736efcbf

Threat Level: Shows suspicious behavior

The file 9f5158aa2231110a09df612e8309bd11_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

evasion: Loads dropped Dex/Jar

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 19:38

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
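The static signature above is a manifest check. The script below is an added example, not code from the sandbox or from the app: it parses a constructed AndroidManifest.xml built from the ten permissions listed in the table (plus android.permission.INTERNET, assumed because the app talks to the network in behavioral1) and buckets them by protection level. One caveat the table glosses over: WRITE_SETTINGS and SYSTEM_ALERT_WINDOW are not "dangerous" runtime permissions in Android's own taxonomy but appop-backed special app access, granted through Settings rather than a runtime prompt, so a signature that counts them as dangerous overstates the prompt surface. The PROTECTION_LEVEL table is hand-maintained for exactly the names on this page; check it against the target API level's framework-res manifest before reusing it.

```python
"""Added example (not part of the sandbox report): the check behind a
static signature such as "Requests dangerous framework permissions".

SAMPLE_MANIFEST is constructed from the permission list in the report,
plus android.permission.INTERNET (an assumption).  PROTECTION_LEVEL is a
hand-maintained subset covering only the names on this page.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # -> "{http://...}name"

# "dangerous" = runtime prompt; "special" = appop-backed access granted in
# Settings (e.g. "Display over other apps"); "normal" = granted at install.
PROTECTION_LEVEL = {
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous",
    "android.permission.READ_EXTERNAL_STORAGE": "dangerous",
    "android.permission.RECORD_AUDIO": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.GET_ACCOUNTS": "dangerous",
    "android.permission.ACCESS_COARSE_LOCATION": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.WRITE_SETTINGS": "special",
    "android.permission.SYSTEM_ALERT_WINDOW": "special",
    "android.permission.INTERNET": "normal",
}

# Constructed manifest: the report's ten permissions plus INTERNET (assumption).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.xgbuy.xg">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="xg"/>
</manifest>
"""


def parse_permissions(manifest_xml):
    """Return the android:name of every <uses-permission>, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def classify(perms):
    """Bucket permissions by protection level; unknown names stay visible."""
    buckets = {"dangerous": [], "special": [], "normal": [], "unknown": []}
    for name in perms:
        buckets[PROTECTION_LEVEL.get(name, "unknown")].append(name)
    return buckets


def signature_fires(manifest_xml, threshold=1):
    """Mimic the sandbox signature: at least `threshold` dangerous permissions."""
    return len(classify(parse_permissions(manifest_xml))["dangerous"]) >= threshold


if __name__ == "__main__":
    for level, names in classify(parse_permissions(SAMPLE_MANIFEST)).items():
        print(f"{level:9s} {len(names):2d}  {', '.join(names)}")
```

On a real APK the manifest is binary XML; extract it first (for example with `aapt dump permissions app.apk`, or decode it with androguard) and feed the decoded text to parse_permissions.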

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 19:36
Reported: 2024-06-11 19:41
Platform: android-x86-arm-20240611.1-en
Max time kernel: 4s
Max time network: 119s

Command Line

com.xgbuy.xg

Signatures

Loads dropped Dex/Jar

Tag: evasion
Description | Indicator | Process | Target
N/A | /data/data/com.xgbuy.xg/.jiagu/classes.dex | N/A | N/A

Processes

com.xgbuy.xg

Network

Country | Destination | Domain | Proto
(Domain is N/A where no name was recorded for the destination.)
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | api.exc.mob.com | udp
CN | 180.188.25.46:80 | api.exc.mob.com | tcp
US | 1.1.1.1:53 | log.reyun.com | udp
CN | 54.223.175.26:80 | log.reyun.com | tcp
US | 1.1.1.1:53 | a.xgbuy.cc | udp
US | 1.1.1.1:53 | s.jpush.cn | udp
CN | 123.60.89.60:19000 | s.jpush.cn | udp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.78:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | downt.ntalker.com | udp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 182.92.245.193:80 | downt.ntalker.com | tcp
CN | 54.223.175.26:80 | log.reyun.com | tcp
CN | 54.223.95.86:80 | log.reyun.com | tcp
US | 1.1.1.1:53 | t.gdt.qq.com | udp
NL | 43.152.42.165:80 | t.gdt.qq.com | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | sis.jpush.io | udp
CN | 1.92.77.21:19000 | sis.jpush.io | udp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 54.223.95.86:80 | log.reyun.com | tcp
US | 1.1.1.1:53 | easytomessage.com | udp
CN | 54.223.175.26:80 | log.reyun.com | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 113.31.17.108:19000 | N/A | udp
US | 1.1.1.1:53 | downt.ntalker.com | udp
CN | 54.223.95.86:80 | log.reyun.com | tcp
CN | 182.92.245.193:80 | downt.ntalker.com | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
BE | 64.233.166.188:5228 | N/A | tcp
GB | 142.250.200.34:443 | N/A | tcp
GB | 172.217.169.78:443 | N/A | tcp
GB | 142.250.187.227:80 | N/A | tcp
GB | 142.250.187.228:443 | N/A | tcp
GB | 142.250.178.3:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.178.3:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | api.exc.mob.com | udp
US | 1.1.1.1:53 | m.data.mob.com | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.46:80 | api.exc.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.47:80 | m.data.mob.com | tcp
US | 1.1.1.1:53 | api.exc.mob.com | udp
CN | 180.188.25.47:80 | m.data.mob.com | tcp
US | 1.1.1.1:53 | update.sdk.jiguang.cn | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
US | 1.1.1.1:53 | s.jpush.cn | udp
CN | 110.41.162.127:19000 | s.jpush.cn | udp
CN | 180.188.25.46:80 | api.exc.mob.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | sis.jpush.io | udp
CN | 119.3.253.130:19000 | sis.jpush.io | udp
US | 1.1.1.1:53 | api.exc.mob.com | udp
CN | 180.188.25.46:80 | api.exc.mob.com | tcp
US | 1.1.1.1:53 | easytomessage.com | udp
CN | 113.31.17.108:19000 | N/A | udp
US | 1.1.1.1:53 | N/A | tcp
US | 1.1.1.1:53 | im64.jpush.cn | udp
CN | 139.9.135.156:7003 | im64.jpush.cn | tcp
US | 1.1.1.1:53 | easytomessage.com | udp
US | 1.1.1.1:53 | 139.9.135.156 | udp
US | 1.1.1.1:53 | 139.9.138.15 | udp
US | 1.1.1.1:53 | 119.3.188.193 | udp
CN | 139.9.135.156:7000 | im64.jpush.cn | tcp
CN | 139.9.135.156:7002 | im64.jpush.cn | tcp
US | 1.1.1.1:53 | m.data.mob.com | udp
CN | 180.188.25.47:80 | m.data.mob.com | tcp
CN | 113.31.17.106:7000 | N/A | tcp
CN | 110.41.162.127:19000 | easytomessage.com | udp
CN | 119.3.253.130:19000 | easytomessage.com | udp
CN | 123.60.89.60:19000 | easytomessage.com | udp
CN | 113.31.17.108:19000 | N/A | udp
US | 1.1.1.1:53 | m.data.mob.com | udp
CN | 180.188.25.47:80 | m.data.mob.com | tcp
US | 1.1.1.1:53 | _im64._tcp.jpush.cn | tcp
CN | 139.9.135.156:7000 | im64.jpush.cn | tcp
CN | 139.9.135.156:7002 | im64.jpush.cn | tcp
CN | 139.9.135.156:7003 | im64.jpush.cn | tcp
CN | 113.31.17.106:7000 | N/A | tcp
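The table mixes three kinds of rows: resolver queries to 1.1.1.1:53, background traffic from the emulator image itself (the Google addresses on 443 and the Play services push port 5228), and the app's own connections, most of which go in the clear to tcp/80 or to non-standard ports (udp/19000, tcp/7000-7003) on hosts named under jpush.cn and jpush.io, alongside other common Chinese SDK vendors (mob.com, reyun.com, umeng.com, gdt.qq.com). The script below is an added example, not part of the report: it parses a constructed subset of the rows above (in the pipe-separated layout used here) and sorts them into the buckets an analyst scans first. EXPECTED_PORTS is an assumption about what the stock image talks to on its own, not something the sandbox states, so tune it to the image you detonate on.

```python
"""Added example (not part of the sandbox report): first-pass triage of a
sandbox network table.  SAMPLE_ROWS is a constructed subset copied from the
report's Network section.  EXPECTED_PORTS is an assumed policy: resolver,
mDNS, TLS, and the Play services push port, i.e. what a stock Android
emulator image generates by itself.
"""
import ipaddress
from collections import defaultdict

# Constructed subset of the report rows: "Country | Destination | Domain | Proto".
SAMPLE_ROWS = """\
US | 1.1.1.1:53 | api.exc.mob.com | udp
CN | 180.188.25.46:80 | api.exc.mob.com | tcp
US | 1.1.1.1:53 | s.jpush.cn | udp
CN | 123.60.89.60:19000 | s.jpush.cn | udp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 120.55.96.240:80 | a.xgbuy.cc | tcp
CN | 36.156.202.78:443 | plbslog.umeng.com | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.180.14:443 | N/A | tcp
BE | 64.233.166.188:5228 | N/A | tcp
CN | 113.31.17.108:19000 | N/A | udp
CN | 139.9.135.156:7003 | im64.jpush.cn | tcp
US | 1.1.1.1:53 | 139.9.135.156 | udp
"""

# Assumption: (proto, port) pairs the emulator image uses without the app.
EXPECTED_PORTS = {("udp", 53), ("udp", 5353), ("tcp", 443), ("tcp", 5228)}


def parse_rows(text):
    """Turn pipe-separated report rows into dicts; an 'N/A' domain becomes None."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = (f.strip() for f in line.split("|"))
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "N/A" else domain,
                     "proto": proto})
    return rows


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage(rows):
    """Bucket connections the way an analyst scans a sandbox network table."""
    queried = set()               # names sent to the resolver
    ip_literal_lookups = set()    # resolver asked to resolve an IP string
    by_domain = defaultdict(set)  # name -> {(ip, port, proto)} actually contacted
    plaintext_http = set()        # names (or bare IPs) contacted over tcp/80
    odd_ports = set()             # endpoints outside the policy, other than tcp/80
    unresolved = set()            # no name at all, on a port the image does not use
    for r in rows:
        key = (r["proto"], r["port"])
        if r["port"] == 53:
            if r["domain"]:
                queried.add(r["domain"])
                if is_ip_literal(r["domain"]):
                    ip_literal_lookups.add(r["domain"])
            continue
        endpoint = (r["ip"], r["port"], r["proto"])
        if r["domain"]:
            by_domain[r["domain"]].add(endpoint)
        elif key not in EXPECTED_PORTS:
            unresolved.add(endpoint)
        if key == ("tcp", 80):
            plaintext_http.add(r["domain"] or r["ip"])
        elif key not in EXPECTED_PORTS:
            odd_ports.add(endpoint)
    return {"queried": queried, "ip_literal_lookups": ip_literal_lookups,
            "by_domain": dict(by_domain), "plaintext_http": plaintext_http,
            "odd_ports": odd_ports, "unresolved": unresolved}


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for bucket in ("plaintext_http", "odd_ports", "unresolved", "ip_literal_lookups"):
        print(f"{bucket}: {sorted(map(str, result[bucket]))}")
```

The unresolved bucket is the one to chase: an endpoint the app reached without any preceding lookup (113.31.17.108:19000/udp in the full table) is either a hard-coded address or the result of a lookup the sandbox did not attribute, and either way it is the kind of indicator worth pivoting on.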

Files

/data/data/com.xgbuy.xg/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.xgbuy.xg/.jiagu/classes.dex

MD5 c25c89a5587148b3a963153cdfbfb761
SHA1 2c6bf466bb1ba117aba20bb5533d9ec65e1f58cb
SHA256 d47b6981e0cf4b32b3b96eddadebea301665f19fcb835cffbb134d7756f72f77
SHA512 61f66b85451c6e0590527eeafbd69ea0bea001497f941331f0f3cd48681257bc2b81a58a1e263ce5ea0f15bfd7c9bfd2d6289eab95805fa6b8117b3980f456e2

/data/data/com.xgbuy.xg/.jiagu/classes.dex

MD5 9c33af77eb7f73508adbf25b158483f8
SHA1 1093a84162f117961ad414e46d5f27cde57cee07
SHA256 2677b6b24ad39d9f8a6cdba244af4ea612f268cd639980d9bd6c71b1166cc8f4
SHA512 799ae6d71db1b9bdef122d89a26c36124bd3b7f4c74de730bf6893a57e999eb328b1750a6a1a43601667b0848bc070e90799566e8a5a7731567ba1f48dceeab8
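The "Loads dropped Dex/Jar" signature in behavioral1 and the file list above describe the same thing: a hidden .jiagu directory in the app's private data, a native libjiagu.so, and a classes.dex that appears twice with different hashes, i.e. two distinct contents were observed at that path during the run. The directory and library names are characteristic of the Qihoo 360 Jiagu packer, which unpacks the real application DEX at runtime and loads it from the app's own data directory, which is exactly what trips a dropped-DEX signature. That is worth knowing before reading too much into the 7/10: the packer is a commercial product used by plenty of legitimate Chinese apps, so the evasion tag says "packed", not "malicious", and the real verdict has to come from the unpacked DEX. The script below is an added example, not code from the report or from the app: it parses a constructed copy of the Files section (SHA1 and SHA512 lines dropped for brevity; the parser accepts any "ALGO hexdigest" line), flags code artifacts written under /data/data/<pkg>/, matches them against a hand-maintained packer fingerprint table (an assumption), and reports paths that were rewritten with different contents.

```python
"""Added example (not part of the sandbox report): triage of a sandbox
file list for dropped code.  SAMPLE_FILES is a constructed copy of the
report's three entries; PACKER_HINTS is a hand-maintained assumption.
"""
import re
from collections import defaultdict
from pathlib import PurePosixPath

SAMPLE_FILES = """\
/data/data/com.xgbuy.xg/.jiagu/libjiagu.so
MD5 e5a53000766ebc433b27d6a66ec4f555
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e

/data/data/com.xgbuy.xg/.jiagu/classes.dex
MD5 c25c89a5587148b3a963153cdfbfb761
SHA256 d47b6981e0cf4b32b3b96eddadebea301665f19fcb835cffbb134d7756f72f77

/data/data/com.xgbuy.xg/.jiagu/classes.dex
MD5 9c33af77eb7f73508adbf25b158483f8
SHA256 2677b6b24ad39d9f8a6cdba244af4ea612f268cd639980d9bd6c71b1166cc8f4
"""

CODE_SUFFIXES = {".dex", ".jar", ".so", ".apk", ".odex"}
# Assumption: hand-maintained packer fingerprints keyed on a path component.
PACKER_HINTS = {".jiagu": "360 Jiagu", "libjiagu.so": "360 Jiagu"}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_files(text):
    """Group 'path' lines with the 'ALGO hexdigest' lines that follow them."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = {"path": line}
            records.append(current)
        elif current is not None and (m := HASH_LINE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return records


def app_private_dir(path):
    """Return the package name if path is under /data/data/<pkg>/, else None."""
    parts = path.parts
    if len(parts) > 4 and parts[:3] == ("/", "data", "data"):
        return parts[3]
    return None


def analyze(records):
    dropped_code, packer_hints = [], set()
    hashes_by_path = defaultdict(set)
    for r in records:
        p = PurePosixPath(r["path"])
        hashes_by_path[r["path"]].add(r.get("sha256"))
        packer_hints.update(PACKER_HINTS[part] for part in p.parts if part in PACKER_HINTS)
        pkg = app_private_dir(p)
        if pkg and p.suffix in CODE_SUFFIXES:
            # A dot-directory below the package root is a common place to stash payloads.
            hidden = any(part.startswith(".") for part in p.parts[4:-1])
            dropped_code.append({"path": r["path"], "package": pkg,
                                 "hidden_dir": hidden, "sha256": r.get("sha256")})
    # Same path, more than one distinct digest: the file was rewritten during the run.
    rewritten = {path: sorted(h for h in digests if h)
                 for path, digests in hashes_by_path.items() if len(digests) > 1}
    return {"dropped_code": dropped_code, "packer_hints": packer_hints,
            "rewritten": rewritten}


if __name__ == "__main__":
    out = analyze(parse_files(SAMPLE_FILES))
    print("packer hints:", sorted(out["packer_hints"]))
    for entry in out["dropped_code"]:
        print("dropped code:", entry)
    for path, digests in out["rewritten"].items():
        print("rewritten:", path, digests)
```

When a path shows up in the rewritten bucket, pull every version the sandbox kept: with a packer, the later classes.dex is usually the one that carries the application's real code, and that is the artifact to decompile.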

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 19:36
Reported: 2024-06-11 19:38
Platform: android-33-x64-arm64-20240611.1-en

Command Line: N/A
Signatures: N/A
Processes: N/A
Network: N/A
Files: N/A

The sandbox recorded no command line, signatures, processes, network activity or files for this detonation; the findings above come from the android-x86-arm run in behavioral1 only.