Malware Analysis Report

2024-10-19 11:55

Sample ID: 240612-plxbhsvcjd
Target: a0a8c2c4ecb10586562d43084bb4554f_JaffaCakes118
SHA256: d5fce18f90dfdecbca27ed4c7549163f2b4ce2bae98f1815eb05e81c80d07046
Tags: collection, discovery, evasion, impact, persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: d5fce18f90dfdecbca27ed4c7549163f2b4ce2bae98f1815eb05e81c80d07046

Threat level: shows suspicious behavior

The file a0a8c2c4ecb10586562d43084bb4554f_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

Tactics: collection, discovery, evasion, impact, persistence

Queries information about running processes on the device

Requests cell location

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Mobile Matrix V15 (the technique mapping is not reproduced in this text export)

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:25

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:25

Reported

2024-06-12 12:28

Platform

android-x86-arm-20240611.1-en

Max time kernel

170s

Max time network

184s

Command Line

com.xgbuy.xg

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.xgbuy.xg/.jiagu/tmp.dex N/A N/A
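The .jiagu directory, libjiagu.so and the /storage/emulated/0/360/ files listed under Files are the on-device footprint of the 360 Jiagu packer: the DEX files loaded at runtime from /data/data/com.xgbuy.xg/.jiagu/ are the unpacked payload (the !classes2.dex and !classes3.dex suffixes denote secondary DEX entries in the same container), which is what this signature fires on, and the dex2oat invocation under Processes shows the system compiling the dropped tmp.dex. Pulling those files out of the sandbox is the usual next step, and the first check on each is whether it is a well-formed DEX whose Adler-32 checksum and SHA-1 signature verify: a still-encrypted blob fails the magic check, a truncated or hand-patched dump passes the magic check but fails the integrity fields, and only a clean dump is worth feeding to a decompiler. The Python below is an added example, not part of the sandbox report or of any tool it names; the DEX bytes it runs on are constructed header-only files rather than the sample's, and the function names are mine.

```python
import hashlib
import struct
import zlib
from typing import Dict

DEX_HEADER_SIZE = 0x70            # every DEX starts with a 112-byte header
DEX_ENDIAN_CONSTANT = 0x12345678  # little-endian marker at offset 40
KNOWN_VERSIONS = {b"035", b"037", b"038", b"039"}

# Header fields from offset 32 onward, in order, all little-endian u32.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def inspect_dex(data: bytes) -> Dict[str, object]:
    """Parse a DEX header and verify the two integrity fields the format carries.

    checksum  (offset 8)  = Adler-32 over everything after the checksum field
    signature (offset 12) = SHA-1 over everything after the signature field
    """
    result: Dict[str, object] = {
        "magic_ok": False, "version": None, "known_version": False,
        "checksum_ok": False, "signature_ok": False, "size_ok": False, "header": {},
    }
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n" or data[7] != 0:
        return result  # encrypted payload, native library, or truncated header
    result["magic_ok"] = True
    result["version"] = data[4:7].decode("ascii", "replace")
    result["known_version"] = data[4:7] in KNOWN_VERSIONS
    (checksum,) = struct.unpack_from("<I", data, 8)
    result["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    result["signature_ok"] = hashlib.sha1(data[32:]).digest() == data[12:32]
    header = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    result["header"] = header
    result["size_ok"] = (
        header["file_size"] == len(data)
        and header["header_size"] == DEX_HEADER_SIZE
        and header["endian_tag"] == DEX_ENDIAN_CONSTANT
    )
    return result


def classify(data: bytes) -> str:
    """Collapse inspect_dex() into a triage verdict for one dropped file."""
    r = inspect_dex(data)
    if not r["magic_ok"]:
        return "not-dex"
    if r["checksum_ok"] and r["signature_ok"] and r["size_ok"]:
        return "dex-ok"
    return "dex-corrupt"


def build_minimal_dex(version: bytes = b"035", class_defs: int = 0) -> bytes:
    """Constructed header-only DEX (no sections) with a valid checksum and signature."""
    body = struct.pack(
        "<20I",
        DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT,
        0, 0, 0,                       # link_size, link_off, map_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  # string/type/proto/field/method id tables
        class_defs, 0, 0, 0,           # class_defs_size/off, data_size/off
    )
    signature = hashlib.sha1(body).digest()                    # covers data[32:]
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF     # covers data[12:]
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + body


# Constructed stand-ins for files under /data/data/com.xgbuy.xg/.jiagu/ (not the
# real sample bytes): a clean dump, a dump with one patched byte, and the native
# library from the same directory, which must come back as not-dex.
_good = build_minimal_dex(class_defs=3)
_patched = bytearray(_good)
_patched[-1] ^= 0xFF
SAMPLES: Dict[str, bytes] = {
    "/data/data/com.xgbuy.xg/.jiagu/classes.dex": _good,
    "/data/data/com.xgbuy.xg/.jiagu/tmp.dex": bytes(_patched),
    "/data/data/com.xgbuy.xg/.jiagu/libjiagu.so": bytes(range(DEX_HEADER_SIZE)),
}


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per path; anything not dex-ok needs a second look before decompiling."""
    return {path: classify(blob) for path, blob in samples.items()}


if __name__ == "__main__":
    for path, verdict in triage(SAMPLES).items():
        print(f"{verdict:12} {path}")
```

On a real pull, replace SAMPLES with the bytes read from the device (adb pull of the .jiagu directory on a rooted test device, or the sandbox's file export); the verdict for the hashed classes.dex, classes2/3 entries and tmp.dex above tells you which copies are complete before any of them is opened in a decompiler.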

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.xgbuy.xg

com.xgbuy.xg:pushcore

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=41 --oat-fd=44 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

cat /sys/class/net/wlan0/address

Network

Country Destination Domain Proto
GB 142.250.178.3:443 - tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.exc.mob.com udp
CN 180.188.25.46:80 api.exc.mob.com tcp
US 1.1.1.1:53 m.data.mob.com udp
US 1.1.1.1:53 api.share.mob.com udp
CN 180.188.25.47:80 m.data.mob.com tcp
CN 180.188.25.42:80 api.share.mob.com tcp
US 1.1.1.1:53 log.reyun.com udp
CN 180.188.25.42:80 api.share.mob.com tcp
CN 54.223.95.86:80 log.reyun.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 124.71.170.130:19000 s.jpush.cn udp
US 1.1.1.1:53 a.xgbuy.cc udp
CN 120.55.96.240:80 a.xgbuy.cc tcp
CN 120.55.96.240:80 a.xgbuy.cc tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.68:443 plbslog.umeng.com tcp
CN 180.188.25.46:80 api.exc.mob.com tcp
US 1.1.1.1:53 update.sdk.jiguang.cn udp
CN 124.71.170.130:19000 s.jpush.cn udp
CN 180.188.25.47:80 m.data.mob.com tcp
CN 180.188.25.42:80 api.share.mob.com tcp
CN 180.188.25.42:80 api.share.mob.com tcp
GB 216.58.204.78:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 sis.jpush.io udp
CN 1.94.137.180:19000 sis.jpush.io udp
US 1.1.1.1:53 api.exc.mob.com udp
CN 180.188.25.46:80 api.exc.mob.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 113.31.17.108:19000 - udp
US 1.1.1.1:53 - tcp
US 1.1.1.1:53 139.9.135.156 udp
US 1.1.1.1:53 im64.jpush.cn udp
CN 139.9.119.173:7003 im64.jpush.cn tcp
US 1.1.1.1:53 139.9.138.15 udp
US 1.1.1.1:53 119.3.188.193 udp
CN 139.9.119.173:7000 im64.jpush.cn tcp
US 1.1.1.1:53 m.data.mob.com udp
CN 139.9.119.173:7002 im64.jpush.cn tcp
CN 180.188.25.47:80 m.data.mob.com tcp
CN 113.31.17.106:7000 - tcp
CN 124.71.170.130:19000 easytomessage.com udp
CN 1.94.137.180:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 113.31.17.108:19000 - udp
US 1.1.1.1:53 m.data.mob.com udp
CN 180.188.25.47:80 m.data.mob.com tcp
US 1.1.1.1:53 _im64._tcp.jpush.cn tcp
CN 139.9.119.173:7000 im64.jpush.cn tcp
CN 139.9.119.173:7002 im64.jpush.cn tcp
CN 139.9.119.173:7003 im64.jpush.cn tcp
CN 113.31.17.106:7000 - tcp
CN 124.71.170.130:19000 easytomessage.com udp
CN 1.94.137.180:19000 easytomessage.com udp
US 1.1.1.1:53 m.data.mob.com udp
CN 180.188.25.47:80 m.data.mob.com tcp
CN 123.60.89.60:19000 easytomessage.com udp
CN 113.31.17.108:19000 - udp
US 1.1.1.1:53 - tcp
CN 139.9.119.173:7000 im64.jpush.cn tcp
CN 139.9.119.173:7002 im64.jpush.cn tcp
CN 139.9.119.173:7003 im64.jpush.cn tcp
CN 113.31.17.106:7000 - tcp
US 1.1.1.1:53 m.data.mob.com udp
CN 180.188.25.47:80 m.data.mob.com tcp
CN 124.71.170.130:19000 easytomessage.com udp
CN 1.94.137.180:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 113.31.17.108:19000 - udp
US 1.1.1.1:53 m.data.mob.com udp
CN 180.188.25.47:80 m.data.mob.com tcp
US 1.1.1.1:53 - tcp
CN 139.9.119.173:7000 im64.jpush.cn tcp
CN 139.9.119.173:7002 im64.jpush.cn tcp
CN 139.9.119.173:7003 im64.jpush.cn tcp
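Read as a flat list the table above hides the three things a triage analyst actually wants from it: which names the app resolved but never connected to under that name (the HTTPS rows with a blank Domain are the usual candidates), which endpoints are reached directly by IP or on non-web ports (im64.jpush.cn on 7000/7002/7003, the UDP/19000 hosts), and which traffic is cleartext HTTP (the mob.com hosts, log.reyun.com, a.xgbuy.cc). The Python below is an added example, not part of the sandbox output; it runs over a subset of rows copied from the table above, treats 1.1.1.1:53 as the resolver and 224.0.0.251:5353 as local mDNS, accepts a blank or "-" Domain cell, and its flag names and functions are mine.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the behavioral1 Network table (a subset, in the report's own
# "Country Destination Domain Proto" layout; Domain is blank on some rows).
REPORT_ROWS = """\
GB 142.250.178.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.exc.mob.com udp
CN 180.188.25.46:80 api.exc.mob.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 124.71.170.130:19000 s.jpush.cn udp
CN 120.55.96.240:80 a.xgbuy.cc tcp
CN 36.156.202.68:443 plbslog.umeng.com tcp
US 1.1.1.1:53 im64.jpush.cn udp
CN 139.9.119.173:7003 im64.jpush.cn tcp
CN 139.9.119.173:7000 im64.jpush.cn tcp
CN 113.31.17.106:7000 tcp
CN 123.60.89.60:19000 easytomessage.com udp
CN 139.9.119.173:7002 im64.jpush.cn tcp
"""

WEB_PORTS = {80, 443}
DNS_PORT = 53
MDNS = ("224.0.0.251", 5353)


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    proto: str
    domain: Optional[str]


def parse_rows(text: str) -> List[Conn]:
    """Parse report rows; Domain is blank or '-' when the sandbox tied no name to it."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] == "Country":
            continue  # header line or junk
        country, dest, proto = parts[0], parts[1], parts[-1].lower()
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        ip, _, port = dest.rpartition(":")
        ipaddress.ip_address(ip)  # reject a malformed Destination cell early
        conns.append(Conn(country, ip, int(port), proto, domain))
    return conns


def summarize(conns: List[Conn]) -> dict:
    """Split resolver traffic from real endpoints, then profile each endpoint."""
    dns_queries: Counter = Counter()
    endpoints: Dict[str, dict] = {}
    for c in conns:
        if c.port == DNS_PORT:
            if c.domain:
                dns_queries[c.domain] += 1  # the name the app asked for
            continue
        if (c.ip, c.port) == MDNS:
            continue  # local multicast DNS, not telemetry or C2
        key = c.domain or c.ip
        ep = endpoints.setdefault(key, {"ips": set(), "ports": set(), "protos": set(),
                                        "countries": set(), "count": 0, "flags": set()})
        ep["ips"].add(c.ip)
        ep["ports"].add(c.port)
        ep["protos"].add(c.proto)
        ep["countries"].add(c.country)
        ep["count"] += 1
        if c.domain is None:
            ep["flags"].add("direct-to-ip")
        if c.proto == "tcp" and c.port == 80:
            ep["flags"].add("cleartext-http")
        if c.port not in WEB_PORTS:
            ep["flags"].add("nonstandard-port")
    # Names resolved but never connected to under that name: the blank-Domain
    # HTTPS rows in the report are where those connections usually went.
    unmatched = sorted(set(dns_queries) - set(endpoints))
    return {"dns_queries": dns_queries, "endpoints": endpoints, "unmatched_names": unmatched}


def findings(summary: dict) -> List[str]:
    """One line per flagged endpoint, busiest first."""
    eps = summary["endpoints"]
    lines = []
    for name in sorted(eps, key=lambda n: (-eps[n]["count"], n)):
        ep = eps[name]
        if not ep["flags"]:
            continue
        ports = ",".join(str(p) for p in sorted(ep["ports"]))
        lines.append(f"{name} {'/'.join(sorted(ep['protos']))}:{ports} "
                     f"x{ep['count']} [{', '.join(sorted(ep['flags']))}]")
    return lines


if __name__ == "__main__":
    s = summarize(parse_rows(REPORT_ROWS))
    print("\n".join(findings(s)))
    print("resolved but not connected by name:", ", ".join(s["unmatched_names"]))
```

The flags are prompts, not verdicts. The jpush.cn / jiguang.cn, mob.com, umeng.com and reyun.com hosts are the endpoints of well-known Chinese push, share and analytics SDKs (the files/Mob/share_sdk_1 and .jglogs entries under Files are those SDKs' on-disk state), so the non-web ports here describe an SDK transport rather than a bespoke C2 channel; the cleartext-http hit on the app's own a.xgbuy.cc and the volume of device-identifier telemetry are what a reviewer would actually follow up on.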

Files

/data/data/com.xgbuy.xg/.jiagu/libjiagu.so

MD5 015df5724b50b4fbc6dd0caf7ccb817c
SHA1 980780e98c9958aec97ab7a0de8d28a4c5fd9429
SHA256 183990718a96d742bc6f1bb04c313e04db6dc62d445ecb294a7f15babd3281c6
SHA512 fda8f5343cac8102aade5f1aeac7c5b028ea5d8c92e3d12de92e1ffce30bab47a446f215c9cff7dd1e1bb88980ee0d27b5241e856719fcc1f6a5c25e062e9d40

/data/data/com.xgbuy.xg/.jiagu/classes.dex

MD5 bc7b7cec4c2313b65f6d767a77164dd0
SHA1 f0a2fb5db284bc60f424c2084984c830cf4d2ca1
SHA256 84906c5a9b057b44e0df1fb8030d13110748ba30ef7a8017abdd3157ef349ffb
SHA512 379bec4a7a82a83c32e93cb3d5d0e0622d78ec79a5e17861f9600069283ffeac13340003fd2323c884a114bd45102034b3e5e609b3390ce099db6ef71a144432

/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex

MD5 f1e1513c1caa393fe8e9a3f9fff03e7c
SHA1 db053d40d0ead70c10b229d129359601a8b5debd
SHA256 4e81f36348e9d21ea9121450a9c68817efadedf40bf365af9d54a6033b363934
SHA512 e9c0cb206d14c55f3bf375fddd0d1edcf2e4540c24ac5df6e1c4884e87be9861a87b4fa5a49162fd054bafac7ed223e6f79686ffd71224f64f7336173298c03b

/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex

MD5 e0cdaf1a37a325beb335128a913ce71e
SHA1 1b4f9eda9ff72406032655f7a7f97e361d90bb2f
SHA256 444121cbd8f09a2461d84bcdecea5c61c0a5bc7b0fd3671d6a1ba5a91281cbba
SHA512 2f24d69d48c4cf889db9b6d2d5c867b8ea758663e0e83ce1e7ecf650a6b5850669d35d46df3355a643bb2732b590d4609eabbe4aa74d4a4b076c3bb8e8a17d8b

/data/data/com.xgbuy.xg/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.xgbuy.xg/files/.jglogs/.jg.ri

MD5 66db60f4ce13da6a6d8d794ddbdc8be6
SHA1 6b7b1932696a9da002d93302f4a33d1592cccfc8
SHA256 312684aaf6623368477c222f6e50fb4170f94ee59a13edf87322beb42c6be473
SHA512 ba879d50e3076a745720baa7e1623605611d851dbb7890c795ee9c336f2b7230f42e5d5b626fe81b5df995799efcc2ecd7b8466fb67f32a41e288682f04b4036

/data/data/com.xgbuy.xg/files/.jiagu.lock

MD5 46ab1fce613d6f2a78e36d7998c30892
SHA1 4550a5b8d6d98971b2dc9d3544408ff532af9df0
SHA256 42bf5a12623cbbb0daf9a933a68486bcb56171ad857bff712b9b627bf006a6f6
SHA512 8498b3a92278dbea6fc3480a494f40e046ff5ecf81d9710e712acb9e7b9e5a54c92276cfc2c40ab6b99aa3a66be7e6060d4d04aea3298b62ad25836d09f58301

/data/data/com.xgbuy.xg/files/.jglogs/.jg.rd

MD5 1a5d276d1e61ef6ab8262f83cc23eeb4
SHA1 d0979b7b2304f4a8540b132a87ce728637359431
SHA256 54b74f17e1010d576783577bcc52009aeaae6f9c58f3b29f6becd0bbd248091d
SHA512 dc3ab8cdd7c8b549601253ecc5612c6efbd8bddd0fc26f7a463e94eadbea5c8c42e531996a3826bfa6760fd9676f5ece376d8020dda0896f024cd5427fa62f05

/data/data/com.xgbuy.xg/files/.jglogs/.jg.ac

MD5 1264f30db5bc978090c891fc9ba97820
SHA1 22a1664ca5bac8af36bdaf8e4098c02c7fc9c1fc
SHA256 6383110e70c2cf20a67539bbf759d99229ac2dcd214cae6a3c5de840497bab2c
SHA512 f3ec53223344ea4763479b39ae62a3dde4b83e0db05d4707c9e2c914725943063706c6c53e6fc043ee13640ac98242775c901b84ec76eb3edf11615bd0084488

/data/data/com.xgbuy.xg/files/.jglogs/.jg.ic

MD5 70a42cba408700f9a6c01c7941a8829e
SHA1 eab01cc2c0671538795fb0b1146017dc099d0984
SHA256 499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f
SHA512 8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

/data/data/com.xgbuy.xg/files/.jglogs/.jg.di

MD5 f8b90bbbe8dafd132d61971702713007
SHA1 b0218e3a752661b2f7db0721bbbf31e85f5e995f
SHA256 e8108d9b07062e69eee94d1fa3cf702143b6a23bc9404bbb79d4a92aa8739e6a
SHA512 78982401f1c6388319cee97a53180d40d9d703daa3a4bbba1fbfa8182b5b72490b0f4b80755afdbd7652770262fd04546ab73d192e1ad3b902920e76b27baf8d

/storage/emulated/0/360/.iddata

MD5 19402718bfb1c685a726b4e1d846ad98
SHA1 02a7e30044a67085f2f1da24e16e4ecfede65b72
SHA256 079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0
SHA512 25254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/storage/emulated/0/Mob/comm/.di

MD5 acc2a2f5cb76c41d2e97e0d409b53bdd
SHA1 ed06f22ff10e0912f50d53bc775ed2ae70f85d5a
SHA256 12ee2ab25175281fd1efab755eb5a5b442e91d263646c52118e6b1e97856f448
SHA512 faed72411dfb1546a82a302b6aadf921bf66a09aa4641a6d1d523e5b58c063d5210089ca2d7dec8aadbe1efec4748a8abb36ab9fe1ab18539a92b76730b85419

/data/data/com.xgbuy.xg/files/.jglogs/.jg.li

MD5 3c03799d3c1c27f4d60e83dae14468cc
SHA1 f7be43bf86f5f72798ce1c75ca4789beabcc4e71
SHA256 d01fddee228a0e8c965de70de8f3a2f491f083bd32d7e605df050e941d999f80
SHA512 fe4b988ad1226f8a114bd5b660d48a5f4f2666996a341ee6d092a5f601eddcfaefef192197fa07e3a648ceb867da9b6a30d25029e650ce53a9c3f0f75fe1f2a5

/data/data/com.xgbuy.xg/databases/xinggou-journal

MD5 27b16d83c11004128f7cdd339bba3066
SHA1 fa2b420d8d210b1927675295a34e8989c52790f5
SHA256 62db79e621bfa15d0dee904b5115774cb829fe80fcb46382e142d8adcec42ea6
SHA512 b8d481b49a4b25cfccf97e4ee35c30829aedb1360d4f34a2ec77b4b6834d79ba93037bae74c4299e8d7edd923828aa845bfe51b8b1726d49c29734b90b443705

/data/data/com.xgbuy.xg/databases/xinggou

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xgbuy.xg/databases/xinggou-wal

MD5 fd7e7c06da28b66625794306f6e5eb68
SHA1 03f6007a59aea531a84f0276fd75b12e8090c66c
SHA256 450e562deffff8fe055b1a5f54b4f3d0ce988e140f985084b3de4253ba28ce5e
SHA512 75aa55ddd5037f1201e54beb0d1b164998241fd22de0b8c7d7286a070bed82277f44b46899dcc9fbd780313d61d31cf692edef4846a3784614cf8db8ee5f225c

/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-journal

MD5 7e27048b9843eb8ee2864bdcb71965de
SHA1 5d136b2bdcb4d8db9cc7778c2a190e204afd3f9d
SHA256 4cf29414fdaf385172556e2c3ce9b801f8852bb7630c108f3312b868474e65c8
SHA512 5fd31745398ea8856a45001625a03c3b04792c614e1977ab8bdfd9e1bf74ab19f754b4b4843dbeec9063e68e5a2b5c54e50fed72b7ffa3320508397c6e29ed01

/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-wal

MD5 42a91b8c65c4e3dae56b06bbf42a838e
SHA1 d618949f51b1773e4d1d908eee99d54b7cdf8f58
SHA256 0a6d710e299b70288d66964f4d613d29d36cdc43b535932b20735b30cfcff2f7
SHA512 bbb7169ab063d19e948fc4febb2e5c49ea21f8532e0f589e621f6a3019d72bf99982824d0e950dee00e6dc38e3c3564f28eeacb923a6f9603b0b9498b080d750

/data/data/com.xgbuy.xg/files/Mob/share_sdk_1

MD5 8e24e79baab91c4d0604eaa9006a0cb3
SHA1 e427afc94a4b957a7096f73e395a10ea404c076b
SHA256 65ee797326cb9d94a4c8b13fb114a7273d80af9ae547496bf56556c479f75e4d
SHA512 45bde5e1b5da5e54f7f5baf24cf4d9158ccf5813f0babc05677437bfedf1d54c4707090a1c425089e8f9582a85fed80b25c1e1f30ec2051afc6fe68bb8a76bae

/data/data/com.xgbuy.xg/files/Mob/mob_commons_1

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:25

Reported

2024-06-12 12:26

Platform

android-33-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.68:443 - udp
GB 172.217.169.68:443 - tcp
GB 216.58.204.74:443 - tcp
BE 142.251.168.188:5228 - tcp
GB 142.250.179.228:443 - tcp
N/A 224.0.0.251:5353 - udp

Files

N/A