Malware Analysis Report

2024-09-09 16:21

Sample ID 240612-jk7szavdnk
Target 9ff03f062bb0c58fa11380c290183b5d_JaffaCakes118
SHA256 9f2043d5389728cb360c132e260c6fc61da58faa040dfca8f92395d6f4d87d6c
Tags collection credential_access discovery evasion impact persistence
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 8/10

SHA256 9f2043d5389728cb360c132e260c6fc61da58faa040dfca8f92395d6f4d87d6c

Threat Level: Likely malicious

The file 9ff03f062bb0c58fa11380c290183b5d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Checks if the Android device is rooted.

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Queries information about the current Wi-Fi connection

Queries information about active data network

Queries the mobile country code (MCC)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-12 07:44

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-12 07:44
Reported 2024-06-12 07:47
Platform android-x64-20240611.1-en
Max time kernel 64s
Max time network 146s

Command Line

com.yxxinglin.xzid129039

Signatures

Checks if the Android device is rooted.

evasion
Description  N/A
Indicator    /system/app/Superuser.apk
Process      N/A
Target       N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description  Framework service call
Indicator    android.content.IClipboard.addPrimaryClipChangedListener
Process      N/A
Target       N/A

Queries information about running processes on the device

discovery
Description  Framework service call
Indicator    android.app.IActivityManager.getRunningAppProcesses
Process      N/A
Target       N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description  Framework service call
Indicator    android.net.wifi.IWifiManager.getScanResults
Process      N/A
Target       N/A

Queries information about active data network

discovery
Description  Framework service call
Indicator    android.net.IConnectivityManager.getActiveNetworkInfo
Process      N/A
Target       N/A

Queries information about the current Wi-Fi connection

discovery
Description  Framework service call
Indicator    android.net.wifi.IWifiManager.getConnectionInfo
Process      N/A
Target       N/A

Queries the mobile country code (MCC)

discovery
Description  Framework service call
Indicator    com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process      N/A
Target       N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description  Framework API call
Indicator    android.hardware.SensorManager.registerListener
Process      N/A
Target       N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description  Framework service call
Indicator    android.app.IActivityManager.registerReceiver
Process      N/A
Target       N/A

Checks CPU information

Description  File opened for read
Indicator    /proc/cpuinfo
Process      N/A
Target       N/A

Checks memory information

Description  File opened for read
Indicator    /proc/meminfo
Process      N/A
Target       N/A

Processes

com.yxxinglin.xzid129039

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353                               udp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.200.40:443   ssl.google-analytics.com  tcp
US       1.1.1.1:53           plbslog.umeng.com         udp
CN       36.156.202.78:443    plbslog.umeng.com         tcp
US       1.1.1.1:53           c1726.f28014.cn           udp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.200.46:443   android.apis.google.com   tcp
US       1.1.1.1:53           plbslog.umeng.com         udp
CN       36.156.202.68:443    plbslog.umeng.com         tcp
GB       216.58.201.100:443                             tcp
GB       216.58.201.100:443                             tcp
GB       216.58.204.78:443                              tcp
GB       142.250.200.14:443                             tcp
GB       172.217.169.66:443                             tcp

Files

/data/data/com.yxxinglin.xzid129039/files/umeng_it.cache

MD5 ced7dac096653c637cd92b7485248b92
SHA1 adc2fef2c7eb29759341783518ed7301bf10529a
SHA256 4ac5a75ebe2d61f396eb1566a1fff950e49f3eea5b3c14352c89252f919803bd
SHA512 3a4b5ed495406fd09a125a53a417ae180225709e1e50ffe7833cb093e552d31d516f34ce41c53b93d89bf0b33619f1a8acd82bd39c00d5638a3a48502920a29f

/data/data/com.yxxinglin.xzid129039/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTc4Mjk2OTI1

MD5 8de25b28b4e023ebdd42b7f270e107d6
SHA1 e67f440c90a94c61b65833529bb8d69ca26072a8
SHA256 f20f1fa9b639e54a05377f1605b5d155be339d6e93a6b06bebe307f8fe1debef
SHA512 9a25cb9be94a2fbffe2c3a8f79b24e2d3ff052ab82043afd6dd61a4928538c1f9ec0b3e53fbd78d9ad80cebce36dd5e1effd19d7adb4d02d90dac23bd9f5c07e

/data/data/com.yxxinglin.xzid129039/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTc4MzI3MTMz

MD5 8a83450066960c2312265e6bd57c7325
SHA1 8de0741d09b77af092a0e05360dc5bd687ca6478
SHA256 86f9f07f0f3b387651190b77f9256eeb267f61dfd6439415034cd416d1830470
SHA512 28e3ef21f1a66685588de7d7b98e594d65f513fa9af7325789fceaaccee6b02ff3d21d4875945f927b299e100c2e6e974e4d107540dc4b489f7ab83a48135b5f

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-12 07:44
Reported 2024-06-12 07:47
Platform android-x64-arm64-20240611.1-en
Max time kernel 63s
Max time network 177s

Command Line

com.yxxinglin.xzid129039

Signatures

Checks if the Android device is rooted.

evasion
Description  N/A
Indicator    /system/app/Superuser.apk
Process      N/A
Target       N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description  Framework service call
Indicator    android.content.IClipboard.addPrimaryClipChangedListener
Process      N/A
Target       N/A

Queries information about running processes on the device

discovery
Description  Framework service call
Indicator    android.app.IActivityManager.getRunningAppProcesses
Process      N/A
Target       N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description  Framework service call
Indicator    android.net.wifi.IWifiManager.getScanResults
Process      N/A
Target       N/A

Queries information about active data network

discovery
Description  Framework service call
Indicator    android.net.IConnectivityManager.getActiveNetworkInfo
Process      N/A
Target       N/A

Queries information about the current Wi-Fi connection

discovery
Description  Framework service call
Indicator    android.net.wifi.IWifiManager.getConnectionInfo
Process      N/A
Target       N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description  Framework API call
Indicator    android.hardware.SensorManager.registerListener
Process      N/A
Target       N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description  Framework API call
Indicator    javax.crypto.Cipher.doFinal
Process      N/A
Target       N/A

Checks CPU information

Description  File opened for read
Indicator    /proc/cpuinfo
Process      N/A
Target       N/A

Checks memory information

Description  File opened for read
Indicator    /proc/meminfo
Process      N/A
Target       N/A

Processes

com.yxxinglin.xzid129039

Network

Country  Destination          Domain                    Proto
GB       172.217.16.238:443                             tcp
GB       172.217.16.238:443                             tcp
N/A      224.0.0.251:5353                               udp
US       1.1.1.1:53           plbslog.umeng.com         udp
CN       36.156.202.78:443    plbslog.umeng.com         tcp
US       1.1.1.1:53           ulogs.umeng.com           udp
CN       223.109.148.177:443  ulogs.umeng.com           tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       172.217.16.232:443   ssl.google-analytics.com  tcp
US       1.1.1.1:53           c1726.f28014.cn           udp
CN       36.156.202.78:443    plbslog.umeng.com         tcp
CN       223.109.148.141:443  ulogs.umeng.com           tcp
GB       172.217.169.68:443                             tcp
GB       172.217.169.68:443                             tcp
US       1.1.1.1:53           www.google.com            udp
GB       142.250.180.4:443    www.google.com            tcp
CN       223.109.148.176:443  ulogs.umeng.com           tcp
GB       216.58.204.67:443                              tcp
CN       223.109.148.179:443  ulogs.umeng.com           tcp
CN       223.109.148.178:443  ulogs.umeng.com           tcp
CN       223.109.148.130:443  ulogs.umeng.com           tcp

Files

/data/user/0/com.yxxinglin.xzid129039/files/umeng_it.cache

MD5 f89d2bde2beaf64fbd7a98c309ff49d9
SHA1 cb87a886da1842b1cb9c64119e396667601aad3f
SHA256 c5bf6b4dcf622648ce196e5d34f0084ae910a7415e83fb162bb84b6a89c7ce70
SHA512 b2c7e6ca7fa9130569ad66cb743689cda85de4c30da3abdf1d4115cec4336c04b45a334eae510c972d7dda5b1bcf5d904772ec7cba7ef10792f0e495bc92da45

/data/user/0/com.yxxinglin.xzid129039/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTc4Mjk3MzU0

MD5 befcb1a78cc1ef2580b2c04383cf385d
SHA1 fcdd225345f8b43207524a52d94969baa25136d4
SHA256 ddc4a71da2894788f9fa73e6bb1abca8fb4aa6cd113b73441741ec5b82ed8cfb
SHA512 7581acf7e33b5f889d3d73a6e3c2d915bcefdd87de7f5388646e3df704b3a0aec95fe148662dd35e9333c1f5a9ce827a92d9e12f397a67893364e6f768854e04

/data/user/0/com.yxxinglin.xzid129039/files/.umeng/exchangeIdentity.json

MD5 872f72c196dfe1d6a5811166a1ded1f9
SHA1 0c6f6d153052e4482ae3d93be4e293056b4acf27
SHA256 da55f232337496316ca6d25b7c7c7c82b3e0e3b4c2010427f24a216dd8de2558
SHA512 948820c24331a7ba709ea531c7c2ce724abac4d3350b2539f676af58666bde9a48e236685033b3b706c3075de1fd0f12c4055d34b58f5e5ff5d0303a6b345013

/data/user/0/com.yxxinglin.xzid129039/files/exid.dat

MD5 83dd220016a3c388fe9da5dc4d927f8e
SHA1 cd1f4745d6c3c137677a7f1afffa54d041fe81cb
SHA256 d2eb491f387dc2b179dcf59fa4213be29c8d31a9d71cb2951a4ff1ed7caa0e16
SHA512 97487aaaf614ccdf559fd393e3f1c01ae419c1ca5617cd57428f366e806bc4577300ad716c8b2cd8a475e535ebfa61868b037bc067161a17006c7b0b5e2c56d9

/data/user/0/com.yxxinglin.xzid129039/files/.envelope/i==1.2.0&&1.0.0_1718178297428_envelope.log

MD5 e7b18f256f8d2c37aec11f8381a038d0
SHA1 1ce1ffca4a8db19fd8773a6a8023e1e97edbc8f6
SHA256 ca484bb9f090157d4dd5d8bc711b49fdb2afb6b66bd77f21552f3531c2832e75
SHA512 2d6d5a188a57f10f923fe43ec21d4d52334dbebb33d4666ee8ac83b6396dc20f392d3a4dee3d00dcb28e398105f1f4552059ac05d2d7b7ddfbc6e909c39eae46

/data/data/com.yxxinglin.xzid129039/databases/ua.db-journal

MD5 8500349544c8c4b8599cc63d9438595c
SHA1 c2c0b2515152042790958370263761b2deda4975
SHA256 99fc1637a5a88ad6489fc3f6c15298b9254524a37fb03f8231ea39d1888b253c
SHA512 a2716d2b36bf5b00b9c321dfc962ae9c4fe048d65d1b501598c81c6832486f368eb81d932b9b02c58ecbfa25a65cd3535bba7ad4126983b4c31d47636f72e2e2

/data/data/com.yxxinglin.xzid129039/databases/ua.db

MD5 4a8120c91e3143b2db43971dbc77cf8d
SHA1 37c5700d35059c4e0a718ced73b3d73ba5d2b277
SHA256 1fa1b6e6bd75bcef64d35785e2fd6f2e73dcdf92dce73c8b2a8fed49746d53bb
SHA512 465cd282927e30a0a894a75ad261feddde5a31869c8cea6b548362afce08fbb7cff7a784bd1d62c3e4c95916ce30e758d3919dd4cdc13176f29d68c2620c185c

/data/data/com.yxxinglin.xzid129039/databases/ua.db-journal

MD5 1b0b34b8fb7c0b5db55629c1f93b774d
SHA1 35582c00b63d84bb977ee613e97ffdbe5cd608ee
SHA256 a7b5733c9f3d282d8ac258c8326418f124d1a5e01bf7e6fbfb5a7ef5aedbee28
SHA512 cffea1222ef3929fe86ceb3f7d8c78307e61feaa77e27ac1a5b73e87d7ec81f65dd8f20699f6d0015df3697d939cf7049e1a87b65b5951a2df8e7f97ee6b22fb

/data/data/com.yxxinglin.xzid129039/databases/ua.db-journal

MD5 a04d1efe3bd48052469920b3d002bbb2
SHA1 80e552715f5be55df089ee7a4e37668ff488c9e8
SHA256 c412f664e221ffee6a86abf6ed02a191b567033bb851ab537e26414d9fe76bf4
SHA512 e407374c905573fc8b5ffb1a84c7cef77e3c8ee50bf188360dbab009803b0b38851d29fc8cf999dd77ffb7020d6b3facff55761376d15705a8af6b8e9c3edc12

/data/data/com.yxxinglin.xzid129039/databases/ua.db-journal

MD5 886eae9704d2450c93d265f034940014
SHA1 32d9470e9493b4838cff4d3b53c81f5cc2dd3996
SHA256 59a6437b43313f8fd45b0aa92b23f71186322a6e7b0f7c49d306865ef54470c0
SHA512 06fe45bf6698efdb3b0203422d8f369b851d9eede7eb9a0e9ddabeaa54e7e340f092cb1b9cd5fa5b54a8371e73698f42ad9cebe17fe5c3286db3ffe8b03b80c9

/data/data/com.yxxinglin.xzid129039/databases/ua.db

MD5 41029b77da6a967339f3f027b3c82a10
SHA1 b2549d0aeeaddb6fe8a98af65607199e6db34388
SHA256 8fc31e26e81e0e079d35d08c0cc5010adfb2fcb6cc61e112615b05ddac7e4686
SHA512 9af784d7abde7ce1ad0f20686b825100b9438b51c2444615d7da6e1d81be1f3198c01bd811dd66e86e7a3952ac24139647942a3b8cadbbabe4545542bfae2015

/data/user/0/com.yxxinglin.xzid129039/files/.envelope/a==7.5.0&&1.0.0_1718178302456_envelope.log

MD5 8d96756b2279e688e36c302325a63135
SHA1 cab20200de34104b2e79d9e9f549a7b74e75bcff
SHA256 6783aef0b7d674884204fc5dfc608aba38bce43fb22b8065e3e08c25ccfc6696
SHA512 7ffbbd248a9286d8a2ed5d99b68f62792d62a368c707e34ed3c806b1e1b9e8effddd8d0088e257153db9f4b999170f9c47cd1863c319b3980ea081bf7746229b

/data/user/0/com.yxxinglin.xzid129039/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTc4MzI3NDky

MD5 cb664dd57f577c499eedd07002b3ed9f
SHA1 3ecf60a36ab7c12299ea41c9d4440e5d3daf971f
SHA256 fac2354ce3117cdd5933671501eecdd7b9cc2546205266b496f7e04e291d4179
SHA512 e8753a19694f48a33bc4768ad12f6b49bba5390bd3c8000f3b085e390e213925b2f62e41d17ae5915138c3f25b001267c3bfd4ee67921d0b7893775165bbec4d

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-12 07:44
Reported 2024-06-12 07:47
Platform android-x86-arm-20240611.1-en
Max time kernel 3s
Max time network 139s

Command Line

com.yxxinglin.xzid129039

Signatures

Queries information about running processes on the device

discovery
Description  Framework service call
Indicator    android.app.IActivityManager.getRunningAppProcesses
Process      N/A
Target       N/A

Queries information about active data network

discovery
Description  Framework service call
Indicator    android.net.IConnectivityManager.getActiveNetworkInfo
Process      N/A
Target       N/A

Queries information about the current Wi-Fi connection

discovery
Description  Framework service call
Indicator    android.net.wifi.IWifiManager.getConnectionInfo
Process      N/A
Target       N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description  Framework API call
Indicator    android.hardware.SensorManager.registerListener
Process      N/A
Target       N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description  Framework service call
Indicator    android.app.IActivityManager.registerReceiver
Process      N/A
Target       N/A

Checks CPU information

Description  File opened for read
Indicator    /proc/cpuinfo
Process      N/A
Target       N/A

Processes

com.yxxinglin.xzid129039

ls /sys/class/thermal

Network

Country  Destination          Domain                    Proto
GB       142.250.180.14:443                             tcp
N/A      224.0.0.251:5353                               udp
GB       142.250.187.206:443                            tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.187.206:443  android.apis.google.com   tcp

Files

N/A