Analysis Overview
SHA256
3cab376c6efa6caccae51b5a2c9f9d9d451dc9360b046cce2354b43fb96fd234
Threat Level: Shows suspicious behavior
The file a02a0521554e6a3e2f600e85cd7240af_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Requests cell location
Requests dangerous framework permissions
Queries information about active data network
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 09:22
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 09:22
Reported
2024-06-12 09:25
Platform
android-x86-arm-20240611.1-en
Max time kernel
4s
Max time network
183s
Command Line
Signatures
Requests cell location
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
ky.bai.woxi
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | s.jpush.cn | udp |
| US | 1.1.1.1:53 | www.wash98.com | udp |
| CN | 119.3.253.130:19000 | s.jpush.cn | udp |
| US | 52.86.6.113:80 | www.wash98.com | tcp |
| US | 1.1.1.1:53 | www.hugedomains.com | udp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| CN | 119.3.253.130:19000 | s.jpush.cn | udp |
| CN | 119.3.253.130:80 | s.jpush.cn | udp |
| US | 1.1.1.1:53 | easytomessage.com | udp |
| CN | 121.36.205.81:19000 | easytomessage.com | udp |
| CN | 121.36.205.81:80 | easytomessage.com | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | sis.jpush.io | udp |
| CN | 123.60.92.210:19000 | sis.jpush.io | udp |
| CN | 123.60.92.210:80 | sis.jpush.io | udp |
| CN | 113.31.17.108:19000 | | udp |
| CN | 113.31.17.108:80 | | udp |
| CN | 113.31.17.106:3000 | | tcp |
| CN | 119.3.253.130:19000 | sis.jpush.io | udp |
| CN | 119.3.253.130:80 | sis.jpush.io | udp |
| CN | 121.36.205.81:19000 | sis.jpush.io | udp |
| US | 1.1.1.1:53 | easytomessage.com | udp |
| CN | 123.60.89.60:80 | easytomessage.com | udp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 123.60.92.210:80 | easytomessage.com | udp |
| CN | 113.31.17.108:19000 | | udp |
| CN | 113.31.17.108:80 | | udp |
| CN | 113.31.17.106:3000 | | tcp |
| CN | 119.3.253.130:19000 | easytomessage.com | udp |
| CN | 119.3.253.130:80 | easytomessage.com | udp |
| CN | 123.60.89.60:19000 | easytomessage.com | udp |
| CN | 123.60.89.60:80 | easytomessage.com | udp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 123.60.92.210:80 | easytomessage.com | udp |
| CN | 113.31.17.108:19000 | | udp |
| CN | 113.31.17.108:80 | | udp |
| CN | 113.31.17.106:3000 | | tcp |
| US | 1.1.1.1:53 | s.jpush.cn | udp |
| CN | 124.71.170.130:19000 | s.jpush.cn | udp |
| CN | 124.71.170.130:80 | s.jpush.cn | udp |
| CN | 123.60.89.60:19000 | s.jpush.cn | udp |
| CN | 123.60.89.60:80 | s.jpush.cn | udp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 123.60.92.210:80 | easytomessage.com | udp |
| CN | 113.31.17.108:19000 | | udp |
| CN | 113.31.17.108:80 | | udp |
| CN | 113.31.17.106:3000 | | tcp |
| CN | 124.71.170.130:19000 | s.jpush.cn | udp |
| CN | 124.71.170.130:80 | s.jpush.cn | udp |
| CN | 123.60.89.60:19000 | s.jpush.cn | udp |
| CN | 123.60.89.60:80 | s.jpush.cn | udp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
Files
/data/data/ky.bai.woxi/databases/rep.db-journal
| Hash | Value |
|---|---|
| MD5 | dc7c57fc027f3ffba3316ecfdfa5e692 |
| SHA1 | 79c23da7f7043cd82979a4f07cd41ed32df4aab2 |
| SHA256 | 338cc22ec0c313177ff111e2cdd468532bb940e1ac4d6bcce0505daa5bc4babe |
| SHA512 | 548a485248340d65aa5a14f0392da98f5f408d797fff3e08b82a5d8377ffc00c134cceb1f104daaf8cd1d262b4578e0469fbd5d0fd5c0036847e34bb5447a916 |
/data/data/ky.bai.woxi/databases/rep.db
| Hash | Value |
|---|---|
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/ky.bai.woxi/databases/rep.db-shm
| Hash | Value |
|---|---|
| MD5 | cf845a781c107ec1346e849c9dd1b7e8 |
| SHA1 | b44ccc7f7d519352422e59ee8b0bdbac881768a7 |
| SHA256 | 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7 |
| SHA512 | 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612 |
/data/data/ky.bai.woxi/databases/rep.db-wal
| Hash | Value |
|---|---|
| MD5 | 6c79fc87670c0d8007df638bbeaabbde |
| SHA1 | cdbe39650940e11c60f0ebe8a38aa4973910b1bf |
| SHA256 | 9e4b2157c4ef5f5caf9618c2958a1f1b63318fd45189bc9975a5d94646266f66 |
| SHA512 | e2396d799259c559aee27a43d1bb610988aab98c7c9aae3b88860a6ebb845a0db626014ff892be5d519641dea03174e4c70c5e45879fb7ef5230a175e1db19f9 |