Malware Analysis Report

2024-10-19 11:54

Sample ID 240612-qx1nrazhlm
Target a0dae5ce261f7d7a971f09c21aec67c2_JaffaCakes118
SHA256 d5715b46879d9aa0aa344e21a94bb906fe16a80ab38e667595cfb17df5ce087b
Tags
discovery evasion impact collection
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d5715b46879d9aa0aa344e21a94bb906fe16a80ab38e667595cfb17df5ce087b

Threat Level: Likely malicious

The file a0dae5ce261f7d7a971f09c21aec67c2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact collection

Checks if the Android device is rooted.

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 13:39

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 13:39

Reported

2024-06-12 13:42

Platform

android-x86-arm-20240611.1-en

Max time kernel

98s

Max time network

131s

Command Line

com.xiaoao.car3d4

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xiaoao.car3d4

Network

Country | Destination | Domain | Proto
GB | 216.58.204.67:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | y.sh.1251131001.clb.myqcloud.com | udp
CN | 111.13.49.36:1286 | | tcp
CN | 111.13.49.36:1286 | | tcp
CN | 111.13.49.36:1286 | | tcp
CN | 211.136.82.178:85 | | tcp
CN | 212.64.120.18:8080 | y.sh.1251131001.clb.myqcloud.com | tcp
CN | 111.13.49.37:1286 | | tcp
CN | 111.13.49.37:1286 | | tcp
CN | 111.13.49.37:1286 | | tcp
CN | 111.13.49.38:1286 | | tcp
CN | 111.13.49.38:1286 | | tcp
CN | 111.13.49.38:1286 | | tcp
CN | 111.13.49.36:1286 | | tcp
CN | 111.13.49.36:1286 | | tcp
US | 1.1.1.1:53 | hmma.baidu.com | udp
HK | 103.235.47.161:80 | hmma.baidu.com | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak0.pkm

MD5 52df33d6502d7a51d64b97dcf2a81116
SHA1 b315d3f065eeb73cca1a14cfba7e7c76cc79d283
SHA256 0a5e91fc3739bd0278c7f0335269e33da607784edcfb7420c13490c3b26fa965
SHA512 9be7061f8c1a8fd468e8347fb0d0f5d0c7c815713394d04a63edf6ca838d3873f78e470e046286ff876ae07266230f899134a3a4f194c9009fff70bf9ffd574e

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak1.pkm

MD5 99af44840d446bc23f978d9b4c8dd2c1
SHA1 1e6e20bc4450d77467d187bd152ef356051903f2
SHA256 1d089c4523e866b12af71dfe9fe6bdf8f475414b18dfee0b751b77a90133c775
SHA512 db5125c9867270061a4084c31dd42597c8963a610ef226b7c484c0307a60d798a15bfa6077d7eb2647cd28fa3835dc202bfa3b2999d9a6e9347c988266a64290

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak2.pkm

MD5 5ddc915fb5bef6c752466a62fb9b20d9
SHA1 283b0d22fafe5ff55e749fdd8bf93f09dd23d872
SHA256 f1b54680cfc7fd590e5e32ba1372bae1a1d45787f6bca519a0818b5c30f4df38
SHA512 7df5bb1565f6f3f76761e741b293a2c8fab3fe4fc444561d4edc0ad9a941fbdb69d103d0d1d3353d2410ba271992642cd8b5a9996a82b5be807cec3662a483f7

/data/data/com.xiaoao.car3d4/XiaoAoVertex.xa

MD5 693fc57f69d6509137029f08af094865
SHA1 2f87329a9c86688a6cdb18ed25b02085e8a9d3f3
SHA256 5bc5287b925801db9d6a56e1ac94cdf3fbb82217e3b0618833736e954793a1e4
SHA512 7aa3ea86fad965a68905b918ec0db2e342030c9b7bce50079eee89ed0df47aa157e026ca74872c25b389f55019473868feb58d37e3497c3cb9fbdc57901620fa

/data/data/com.xiaoao.car3d4/XiaoAoFrag.xa

MD5 c8ff4bdf9cefc934f209acf81789ae00
SHA1 90a0dac8a06d909240774b239c8206bd3b64e242
SHA256 d9b693303630d744f5fef6d0d52fb8ca79e449db9920cf480a558117f8bee6d4
SHA512 b3b490368bf2f289d597732991dc3ad54371cfcad45dca128766b7764394d5cfdef54ecfd672be3c98644a9ea86e3930db8241bd81769a1167ed6d127c099970

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak3.pkm

MD5 5372ac3d3d4fa4b040231f3040156ed4
SHA1 2fc37c918d2dfd9ceedcfff09baeba5f20fd884b
SHA256 6fd493e55b811328ae0506a2b86ba2bb7f6a2e0043d3850c5d83f162b191bcc0
SHA512 0e9bd131f63ba903738e9fda2f244240a24e441e34c9c5e01451610ecec606352e129a034e5bdecf98c9ec4f7b497ff7b44e0ef70da6e959bd27b333f0f8c2c2

/storage/emulated/0/baidu/.cuid

MD5 a11207b984303f13bcc17e8f147e61c2
SHA1 103f677b010e18a1c165825a185a268a64299ae0
SHA256 9fbba5f0a4c65dde60fcdd9b262a6a8aa210b27bd6797c6653416d6b6549ca45
SHA512 3fc517d8608489117c7ace6842bb63a73dff9dc0da663a87974f64f96bf8006c7830fe100ae71860d54f4957a38a602a5b88fea242e206a2f2ec356aae6ac878

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak4.pkm

MD5 5d63703aa5d9422b685136cd2db7ae04
SHA1 31b5b140be77505b2a6832912ea5f7c7bdcb3aef
SHA256 8ecaf9cb1a1b216e763e4ca6151fa18857e929e652684b5d6b900ee6955a6728
SHA512 23a33adbbfe001e8729379903b4935cf60e94bf454ce003c5e44aac60d7bec1fd40e7abf1f8700ca14a5310113abcae71d840d421089012308dfb1235b9a1e36

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak5.pkm

MD5 45bab34c12c61d5d070549beb887a36b
SHA1 03790914e652cca10280b509c139f071596173ce
SHA256 7caf021d9e060a6ebb168601ce8b20d3d99681992015c0b4a37e0794cbb8bf68
SHA512 1b39ac4bf5953ab5475d442d6b7ebbe0cedfa936ee996feb7d050858cd5fef595bde1dbc6763cc1bb21963e019a7c2e0f12682525a63a454d73922cbe446ef10

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak6.pkm

MD5 241e0143e7b14be93a492edb43e0abf8
SHA1 fcf19b75b4514441caa420d48cc042a950daa6ce
SHA256 d76d6265adde972b688d698e5f8650af6b00993e562457dd67d5de833a6c3a2c
SHA512 5e57215d98e7591f8dc06aa6023e55a9582b23830d316fed72f7ca2d11d5dff9ca7970a435f890b8363c0f5f3aed6c1fdc9daf44a7978a4bad15c08ee7f13505

/data/data/com.xiaoao.car3d4/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak7.pkm

MD5 6e519e64050e1d406b010763c8d3240e
SHA1 13aecfb110d226ee6eb0b0a82b6c4696eda37401
SHA256 d99643902a6dd86f80e3b14358811a95837e136d7ca7e0449f564274412c6d4c
SHA512 9685fe4f20ff1430a6d31d15207fe415ecb62a385ceb51de87c7afab99a2487916c78ed1f3f6604319d52fffd4597c5f5cf0faff5825cfbd226983c0791cbbaa

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak8.pkm

MD5 dfd58846d0f61d744ee9ced5a2b280e6
SHA1 b11ccc25c2d3f3a932098492a4f8053d10ff0518
SHA256 e11ce3724ed926817cf12c36d3a21a489b5557fd38e756fed0df88f544223eeb
SHA512 61b0ca46bc680df61e314abe7b744ee542aabe309a51369edf1f3c9bb117695ce5cb61cd70c169712b3fbd22fb134c5f1d0e5f971d47b7a319d0ede505a8c1be

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak9.pkm

MD5 66bd649400c21b30086a27e8ba6c4138
SHA1 fe68be8ccbe02483b50607e9d596d032defd1c01
SHA256 ec6f1de801ec4effb546bd2fa4431922f1ce66843af4dc764c00a9614d617fb0
SHA512 809dea0d79fbbbf21e3a24fb44f1376720da51fbf0f4ffe2ab2033607b67f6b1b4f98560d5ee03f8b1c3d10746eda543556ea862112bfa5c384b01cd8c438ce8

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak10.pkm

MD5 c013bbda464b94bfdeaf13d1a0796e4f
SHA1 9e40a55465ed4de16f6500b4ec5170b038c158ec
SHA256 abde10767e770f83c12512061b9a7eb7fc3d633095145121b7bca5e3b20513d8
SHA512 ea0aae4515cac512ca338583c3528ff4189a12e1c7788ffa3165300ad3081784d744dc61204f47069843dc89c1b448245ac75c9f24cd0376bc5ff10f718e14a9

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak11.pkm

MD5 779aa15b2324e0351063865028d287ab
SHA1 84e23d014265304c35dfc31c855e6539ff34960f
SHA256 ec603600132c777dc58fda02814077af2ecb124d5e93a2f74e66b3ea95c48363
SHA512 e96d132a3269e610c4c7a180ec3a68c75f4f7b814eb7e7844900bb67af4e96c2b7eabcec11d243acf05ecc6f7f7a6415aac9b51fbd930aee4cbdbf48520b4960

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak12.pkm

MD5 89de6b4abd846c7f0264638c480c4012
SHA1 54db91a18d0702be31ce1c97084766ac0710b8c6
SHA256 36dd670875d59207d6793f1bcb4dc8b758eb893609108a5b758393792b548694
SHA512 fe1c32edffd2b396594e24c50b96943a344735cf8ab193b334b172f6fe508a4435c31f1700219a420e069d00788be252e218dcd2bf4b2a1d890249ad37e80e0e

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak13.pkm

MD5 794ffd654732ce3c967a2cd584c36322
SHA1 9979f7ef48c70886901065262032548f2e4523da
SHA256 47daefb87af272bb729aa2b9e3fb76fe6f0155a7b24ab9ef980db0fa7be3bb61
SHA512 7eacdf5895d0dee4549eedbafa17add6548ed00eada7a88c5b20523d655d3892470d317e12000e2ca2bef7ce940e8022054ba444d67638448f69898d4aa408e0

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak14.pkm

MD5 b869b1593bc90dd12a9590af29e9fca0
SHA1 7d2ca872f949ddca4861ef0f9609e643c61dd317
SHA256 a9068662182e50c363f4741cf343a9a0334a8b49102afec8cffc41a99e9556c5
SHA512 1b0a782094d3795df12b5d24da1decd9ecf2727e57a8218c4ce7a8537309275c2cdef38f3b84dbe6076efe98ab76200b4210bdc1444ca21126322ea6df8378dc

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak15.pkm

MD5 bbd56b9809bf95e020f1c7978898ab84
SHA1 008cd0eec7fbb3acb565e1447f46f6344591f732
SHA256 28dda0c5a342fd7a97a3002eeb65e151974e257fabe7dec0569e70506c980716
SHA512 308f5f87253df5f7d0467fd50e0ae25029c0a180e83ab362885192cedc87d6b85fca06606a9d6576a681e0699a0bdab0ae0243f8dcf80c9ff07e75fea3f0d963

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak16.pkm

MD5 3ab79432f544ae691cf25182af72ab83
SHA1 da18a48eb9f9aa4cdb6bf536e6e0e253e69a454e
SHA256 da3acf1ba673656a6b340c4795e8014b1a866bac89d88665b3f4feb79cb79c1b
SHA512 d29b5b106d0fcced855097873778a328d4e1b2271a97ba5444432c72b8c42ec6cbd080a502b70e2c50c9e797ec9d531bfb4360423ad5f854db58c755fa502888

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak17.pkm

MD5 c06be7dddceda763bd5bda989b581d9b
SHA1 594dbcf8f088d9fbc7b11335e4ae7dde84289f2e
SHA256 6fcbcb77d9bcca9a1ec5430542d1dbf2ed65d6bee2e14aa66811f641e13d3876
SHA512 b4f0575c79b18d75a266ea8de81d5771940f33ef53f916eb045a64d20617f4d587fe9cbfef5d262d25c3b7b6b9fc8d9814cbcb1c1e716a84df56ba5626914c65

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak18.pkm

MD5 09a8084dd5670288de5b3bdd6e9c1004
SHA1 3b776e21922e4ecfb50b4dd6f784d6863fec9f78
SHA256 039a529f25f3d49a2ab8cd1883082c6860bf467a6f39512e7d69acf8f0eb7e74
SHA512 82a2a62dddf6a665d31bf78135eb4bacbf2d41ca6860a8e8fe07810447edb1f5c588dea48a1a0576f383982e24c3da4b9c5c0b424ff36a1dcb68d77b9d502d44

/data/data/com.xiaoao.car3d4/files/_vir_0_69071534_z_.dat

MD5 67a965aea083900175b29fbc9c8cd0f6
SHA1 e8d1268d63d93f6099c15e8fb718ddddb529bd4c
SHA256 175a3dd0f06e4d49fdbeeb9538765eaeecbbe711a54a6364fa01ccda30695114
SHA512 354430f0e150e3c53b86403fd9981b80721b6e4b56871a4a120248d4a1fa43de65302173490f9eac923d7deea2fb78baa31b8cfa5c0c380a041d9f446455c5db

/data/data/com.xiaoao.car3d4/files/_vir_0_104680412_z_.dat

MD5 8c6733e843e8c64d592d244e3d530ac8
SHA1 29fb48f01b63e2a9d47fb597e983308bff593134
SHA256 53edfcbb5a44545fbd5c4e8242749be47fa31e149e3df2f710aa6b7beebd2718
SHA512 736499eec72e3b664c12fd19ea34a14abfd5e2e170b2a7c67e62a128aaf2f61b12d47fdad4e4c0d2f6e0e40faf4c16baf8d2bd3725a6faa7f510f659eefbf17f

/data/data/com.xiaoao.car3d4/files/_vir_0_198871994_z_.dat

MD5 6a85f3d05bc26f89d7ad9f243fb4adb5
SHA1 fdc39e9557259ddcc7d34d1ce7043bd8242f8e15
SHA256 53f7b5aaed85790a35988abf807aea31c57c1d5320935e8015164f97551b8a5e
SHA512 7be70de91b90b3710924fb4e77900d6cfd76626bfd89ab8ac346c3e4901177d0e4b00b9bd693eac8844f11c04242dcb2ab724b24cde6100d5df608e707295aa7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 13:39

Reported

2024-06-12 13:42

Platform

android-x64-arm64-20240611.1-en

Max time kernel

5s

Max time network

139s

Command Line

com.xiaoao.car3d4

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xiaoao.car3d4

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | y.sh.1251131001.clb.myqcloud.com | udp
CN | 111.13.49.36:1286 | | tcp
CN | 111.13.49.36:1286 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
CN | 111.13.49.36:1286 | | tcp
CN | 211.136.82.178:85 | | tcp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
CN | 212.64.120.18:8080 | y.sh.1251131001.clb.myqcloud.com | tcp
CN | 111.13.49.37:1286 | | tcp
CN | 111.13.49.37:1286 | | tcp
CN | 111.13.49.37:1286 | | tcp
CN | 111.13.49.38:1286 | | tcp
CN | 111.13.49.38:1286 | | tcp
CN | 111.13.49.38:1286 | | tcp
CN | 111.13.49.38:1286 | | tcp
CN | 111.13.49.38:1286 | | tcp
US | 1.1.1.1:53 | hmma.baidu.com | udp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.3:443 | | tcp

Files

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak0.pkm

MD5 52df33d6502d7a51d64b97dcf2a81116
SHA1 b315d3f065eeb73cca1a14cfba7e7c76cc79d283
SHA256 0a5e91fc3739bd0278c7f0335269e33da607784edcfb7420c13490c3b26fa965
SHA512 9be7061f8c1a8fd468e8347fb0d0f5d0c7c815713394d04a63edf6ca838d3873f78e470e046286ff876ae07266230f899134a3a4f194c9009fff70bf9ffd574e

/data/data/com.xiaoao.car3d4/pkmfiles/texturepak1.pkm

MD5 96e8cf55f5589df0e75c40249f2a82f6
SHA1 a44e7934415020d3726ec102efcc73463f1c3b88
SHA256 1227be62150a8fd79a7b9587368b2d1f42edf5c618c75417c5f46a36398c0cc2
SHA512 89a0b9ffe4c9f9337d401c1335e5739dc7f3aa2efe230b90c9c75d3f7910ba666b8f938c38afb1c366d6869bc1136407f26606da58ea2e7723027b12874d3b10

/storage/emulated/0/car3d.txt

MD5 de73519adee1273b799833f85f68e1ce
SHA1 66ebcb809f9ca594180ea4560d560fb7dfa44117
SHA256 374a33442689ebfabb01ca3e54b2e346b5c58190c54e7de6e822d0fe1e917bad
SHA512 dd41bea147b2f6b98c40b99fcf220b18ec7251932780f935d203ee6b985c96ecdc8cd5e40c4d51c8525adc4362781ad9e350932500cf6b59afc54f60826dcbcd

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 13:39

Reported

2024-06-12 13:42

Platform

android-x86-arm-20240611.1-en

Max time kernel

2s

Max time network

158s

Command Line

com.alipay.android.app

Signatures

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

N/A