Malware Analysis Report

2025-01-19 07:50

Sample ID 240611-zg8tvs1brp
Target 9f73d70a5645fed3661eae61d9261db8_JaffaCakes118
SHA256 b847be7178d00f7dab3007f17c3ed3c70deed6d41f59e6178e53a545322a1823
Tags: discovery, evasion, persistence
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 9f73d70a5645fed3661eae61d9261db8_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, evasion, persistence

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 20:42

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 20:42

Reported

2024-06-11 20:45

Platform

android-x86-arm-20240611.1-en

Max time kernel

6s

Max time network

166s

Command Line

com.xiaozhilc.app

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.xiaozhilc.app/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.xiaozhilc.app/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.xiaozhilc.app/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.xiaozhilc.app/.jiagu/tmp.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.xiaozhilc.app

chmod 755 /data/data/com.xiaozhilc.app/.jiagu/libjiagu.so

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp

Files

/data/data/com.xiaozhilc.app/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.xiaozhilc.app/.jiagu/classes.dex

MD5 9db166176d3183dfb3e3c24e31f16c9a
SHA1 c3b77e60db6f5f7d7aec68c96a96ed7c5e4a83ce
SHA256 a7f5231c413810b1a41578fbe80d2a2f5a146075ac763888d2be35a5fcc2348d
SHA512 8478ea2115ebeb90937bf320b0d1ea66e2c7955b1c364282fab3747a7577526d6e26f598c99ed856c45563cba7a6c6819e9ea7bb08ef2ef046b2b07651505605

/data/data/com.xiaozhilc.app/.jiagu/classes.dex

MD5 6534055060d74b0d96c07accf8c07c52
SHA1 af138566a2297ec11c3151c33fe3aac6d4367661
SHA256 3220e4cab4261e033c667c8c6e03ce67af22acd883102091b25e52dfb9aaf474
SHA512 5bc5a1ff99bb36fe33134aec8f2956e99393cb287de3a13426150b93e9ebd32d415b283f4a31d676bcf57f2dbecb49966e57c48c51af0e6a034d4a97596fe5e9

/data/data/com.xiaozhilc.app/.jiagu/classes.dex!classes2.dex

MD5 c3db23fe20574189cd1c3b941243fbaa
SHA1 6cc98494e61610a9c07950cf22395ce43ea66f30
SHA256 de2afa7fe226897d0a106b6a99c9f9ee71cbecfcd1c26c3cdd1aaa52d93138ff
SHA512 f9807b037e97c692ad63768120c945baad095fe11b4fb6bccf6ee50c16df6c7412dfcf3601e475fc2ab3134bef181fc7864478b76122e31555cf3054cd48ec3d

/data/data/com.xiaozhilc.app/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.xiaozhilc.app/files/.jglogs/.jg.ri

MD5 c1e49c00b9791313fc93d19d3f5e1b1b
SHA1 5e10c9a6d1854ba7e0e331144a2bd5c5632d12d0
SHA256 70c336ef02ede7173e223253dde4d0456600ec549bd59cb513818f8521a495a6
SHA512 0710e72c984f57a9480cff7ed02ff7b24c829d01099215f853071a1fb9d7597681bcc3c49ada70bb0f7e497d3d6d53543bf9b7dc05326a6500d5505e0716051f

/data/data/com.xiaozhilc.app/files/.jiagu.lock

MD5 e38723ed39235e6670a26240ccdb5f89
SHA1 b00046a8da057733c651af10deb5742094b24f79
SHA256 6e70fbaaaeeaadae119ff9ce8e0707c288bf415935981acd6eca1bdf31c8705d
SHA512 dfcc0d09389d3af3c3d035c39d1603d22dc8ae66bd537cc5c91216b41cc06545df6ceaf7290ffc3aea27cb9d65fddd967008eb65b41106e589d5943c4cd5c91d

/data/data/com.xiaozhilc.app/files/.jglogs/.jg.ac

MD5 f7bfe666032a7229d233a01031daa755
SHA1 401652eab7a64896cf9ade9d68afe6a9c73552cf
SHA256 832edc37aa493bf6a151f69cfcb55093b2b690df15893cbfaffaa4222f657ee8
SHA512 cc0aa5e09b87b19ff9562cb3f8ec67c1d17a892991418e087ed3673bacc6d80cc9687ae86ca28893738731f9a6dd0b97749b105580ef7264a25672ff49d34c71

/data/data/com.xiaozhilc.app/files/.jglogs/.jg.ic

MD5 8d3d75c2b206fc4b0a8175fc0679bc90
SHA1 57ed0f3f7b9f87230e5b95b8c10460f373b31b79
SHA256 5a5438487b3838d3001e5895fb0e0ced67493d041b2387ec9e34ea3733b69648
SHA512 96bd9ba9b8c6256bc555428b8baf092408b2fc03ce9b5a41dca17478e55cc6c5fbb4cb6d785a4ab55c3e0f7f81df4e7c4b97544fad45a331f28db705d3322b22

/data/data/com.xiaozhilc.app/files/.jglogs/.jg.di

MD5 d647859ac6eae26d792ffbe487d16fd8
SHA1 1bdafd737b10b30c40fd18d51e2649ae1096fba0
SHA256 e7f5c21e8c2940e383f73026880a01709d2d183a3a3c55302f78d4ffd7065ce0
SHA512 b2c5a374b60b274a55b9e765f67bcff2c5570e9672668487cb77fee786e5d27d899d2a86e539c41aac1fcaba795bb835bf3a9150c72cbf8fde8028f699985b1f

/storage/emulated/0/360/.iddata

MD5 1546b4d0d6fb7764c5f7e114c8324786
SHA1 7d8e47c38cb0c0a80875dde01c37fb86bfa820e5
SHA256 0251b5e572ad469da3ec374f4fe2096c90f84987d409c0dbf9b7b449eed084db
SHA512 2e40e5b5a5079ca0ac5459eb0021feb8eb7cb0792bbe2ec8bfe90545ddaa0737b8416c703513c532d57c6ec81ea52bc0e4ab25f30ddb22934ea40a989c314e11

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.xiaozhilc.app/app_crashrecord/1004

MD5 cd3133a94883ced9de74f197e3e98d37
SHA1 396f9750537f0f0f1a73b51294b143c90fd4aba0
SHA256 57435c8725887369644da5743c159f35e6d0395e1ec40f994749fd30c9413a99
SHA512 67efe3e27dcafed89d479b2759897a22448fff2c32f30347a7306f850eaf0d6dddcb1a5f91947186479ebb862d9603ed217462af897494c3c1750461185fa633

/data/data/com.xiaozhilc.app/databases/bugly_db_-journal

MD5 55e5bd5aa6e4e62e2cf1f57e56631196
SHA1 bfe976c40a0a80afc3877c2039e77ea852d12338
SHA256 fcf382db7384d917209baf3a3c1c4c49911ec0090d09ba49bc9a86ec184ddd5e
SHA512 5ad0aad6bc1684b38def414fbb7fee8428769d93e9bd03a5a5905ba10f8e7f38fde8283de7899a2b78e15d70fba0cba9ea7af0014224eb76ed4c264a5d051364

/data/data/com.xiaozhilc.app/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xiaozhilc.app/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.xiaozhilc.app/databases/bugly_db_-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.xiaozhilc.app/databases/bugly_db_-wal

MD5 29b742a956b291e23f059e0db8cbd7d8
SHA1 4f2761602dca89d6acf0237b03f4e0c135c27a59
SHA256 bf14ccd490cec5b47252ce291c4d67ea6b66e856f7324b57ae95cda69c72d01c
SHA512 9d9e095975385381d606e11ff9b4754f03f679d23842032a085a46aabdcfc3f20668aa6d482e10ef512bfb63c06ca86f23e3d3ffd8265d2630ba982ae7797c4a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 20:42

Reported

2024-06-11 20:45

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

7s

Max time network

170s

Command Line

com.xiaozhilc.app

Signatures

N/A

Processes

com.xiaozhilc.app

Network

Country | Destination | Domain | Proto
GB | 172.217.16.228:443 | | udp
GB | 172.217.16.228:443 | | udp
GB | 216.58.212.196:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | udp
GB | 172.217.16.228:443 | | udp
US | 162.159.61.3:443 | | udp
US | 162.159.61.3:443 | | tcp
US | 162.159.61.3:443 | | tcp
GB | 142.250.179.227:443 | | tcp
GB | 142.250.179.227:443 | | udp
GB | 142.250.179.228:443 | | tcp

Files

/data/user/0/com.xiaozhilc.app/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/user/0/com.xiaozhilc.app/.jiagu/libjiagu_64.so

MD5 05a8c3ca16893f4e6cc997a82d987fb3
SHA1 76d6c6d19e0bfa83c847e5d330bd144f58994bff
SHA256 82e708e200cebe270ec57231729413621a8904e907efac8cfe71cb2cf16a3c10
SHA512 2a878c39e713fb6ff5b457f94a1fe2b5adc456924d087a1b6abd59afc0b0e9bad68852eddd34c6441e8996e66eb5fdb711ed6f477d6e447dd48cfd151d89fe96