Malware Analysis Report

2024-10-19 11:54

Sample ID 240612-lb667axcng
Target a02a0521554e6a3e2f600e85cd7240af_JaffaCakes118
SHA256 3cab376c6efa6caccae51b5a2c9f9d9d451dc9360b046cce2354b43fb96fd234
Tags
collection discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3cab376c6efa6caccae51b5a2c9f9d9d451dc9360b046cce2354b43fb96fd234

Threat Level: Shows suspicious behavior

The file a02a0521554e6a3e2f600e85cd7240af_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Requests dangerous framework permissions

Queries information about active data network

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 09:22

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 09:22

Reported

2024-06-12 09:25

Platform

android-x86-arm-20240611.1-en

Max time kernel

4s

Max time network

183s

Command Line

ky.bai.woxi

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

ky.bai.woxi

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 s.jpush.cn udp
US 1.1.1.1:53 www.wash98.com udp
CN 119.3.253.130:19000 s.jpush.cn udp
US 52.86.6.113:80 www.wash98.com tcp
US 1.1.1.1:53 www.hugedomains.com udp
US 104.26.6.37:443 www.hugedomains.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 119.3.253.130:19000 s.jpush.cn udp
CN 119.3.253.130:80 s.jpush.cn udp
US 1.1.1.1:53 easytomessage.com udp
CN 121.36.205.81:19000 easytomessage.com udp
CN 121.36.205.81:80 easytomessage.com udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 sis.jpush.io udp
CN 123.60.92.210:19000 sis.jpush.io udp
CN 123.60.92.210:80 sis.jpush.io udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
CN 119.3.253.130:19000 sis.jpush.io udp
CN 119.3.253.130:80 sis.jpush.io udp
CN 121.36.205.81:19000 sis.jpush.io udp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:80 easytomessage.com udp
CN 123.60.92.210:19000 easytomessage.com udp
CN 123.60.92.210:80 easytomessage.com udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
CN 119.3.253.130:19000 easytomessage.com udp
CN 119.3.253.130:80 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:80 easytomessage.com udp
CN 123.60.92.210:19000 easytomessage.com udp
CN 123.60.92.210:80 easytomessage.com udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 124.71.170.130:19000 s.jpush.cn udp
CN 124.71.170.130:80 s.jpush.cn udp
CN 123.60.89.60:19000 s.jpush.cn udp
CN 123.60.89.60:80 s.jpush.cn udp
CN 123.60.92.210:19000 easytomessage.com udp
CN 123.60.92.210:80 easytomessage.com udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
CN 124.71.170.130:19000 s.jpush.cn udp
CN 124.71.170.130:80 s.jpush.cn udp
CN 123.60.89.60:19000 s.jpush.cn udp
CN 123.60.89.60:80 s.jpush.cn udp
CN 123.60.92.210:19000 easytomessage.com udp

Files

/data/data/ky.bai.woxi/databases/rep.db-journal

MD5 dc7c57fc027f3ffba3316ecfdfa5e692
SHA1 79c23da7f7043cd82979a4f07cd41ed32df4aab2
SHA256 338cc22ec0c313177ff111e2cdd468532bb940e1ac4d6bcce0505daa5bc4babe
SHA512 548a485248340d65aa5a14f0392da98f5f408d797fff3e08b82a5d8377ffc00c134cceb1f104daaf8cd1d262b4578e0469fbd5d0fd5c0036847e34bb5447a916

/data/data/ky.bai.woxi/databases/rep.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/ky.bai.woxi/databases/rep.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/ky.bai.woxi/databases/rep.db-wal

MD5 6c79fc87670c0d8007df638bbeaabbde
SHA1 cdbe39650940e11c60f0ebe8a38aa4973910b1bf
SHA256 9e4b2157c4ef5f5caf9618c2958a1f1b63318fd45189bc9975a5d94646266f66
SHA512 e2396d799259c559aee27a43d1bb610988aab98c7c9aae3b88860a6ebb845a0db626014ff892be5d519641dea03174e4c70c5e45879fb7ef5230a175e1db19f9