Malware Analysis Report

2024-09-09 12:47

Sample ID 240613-267n7sybqk
Target a70c947131cfe342ecc986f1f56798c1_JaffaCakes118
SHA256 dd39d632bddfd184d7350916b36f8ccbc3bc9f475f73a71db6876f70d2cbb7b3
Tags
collection discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

dd39d632bddfd184d7350916b36f8ccbc3bc9f475f73a71db6876f70d2cbb7b3

Threat Level: Shows suspicious behavior

The file a70c947131cfe342ecc986f1f56798c1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Queries information about running processes on the device

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:12

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:12

Reported

2024-06-13 23:16

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

187s

Command Line

com.leoliu.cin

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.leoliu.cin

Network


Files

/data/data/com.leoliu.cin/databases/database.db-journal


/data/data/com.leoliu.cin/databases/database.db


/data/data/com.leoliu.cin/databases/database.db-shm


/data/data/com.leoliu.cin/databases/database.db-wal


/data/data/com.leoliu.cin/databases/database.db-wal


/data/data/com.leoliu.cin/databases/database.db


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:12

Reported

2024-06-13 23:16

Platform

android-x64-arm64-20240611.1-en

Max time kernel

176s

Max time network

185s

Command Line

com.leoliu.cin

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.leoliu.cin

Network


Files

/data/user/0/com.leoliu.cin/databases/database.db-journal


/data/user/0/com.leoliu.cin/databases/database.db


/data/user/0/com.leoliu.cin/databases/database.db-journal


/data/user/0/com.leoliu.cin/databases/database.db-journal


/data/user/0/com.leoliu.cin/databases/database.db-journal


/data/user/0/com.leoliu.cin/databases/database.db
