Malware Analysis Report

2024-09-09 17:15

Sample ID 240613-2h2s2stand
Target a6eaf84475925f4153205f25ebf2c7b1_JaffaCakes118
SHA256 7bd2eb8813be48062ee42adf29bbb26931e8a90c3ed83a3934f0494f2f75722a
Tags
discovery evasion persistence
score
6/10

Analysis Overview

score
6/10

SHA256

7bd2eb8813be48062ee42adf29bbb26931e8a90c3ed83a3934f0494f2f75722a

Threat Level: Shows suspicious behavior

The file a6eaf84475925f4153205f25ebf2c7b1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Queries information about active data network

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about the phone network operator

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:35

Signatures

Declares services with permission to bind to the system

Description: Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards).
Indicator: android.permission.BIND_INPUT_METHOD
Process: N/A
Target: N/A

Requests dangerous framework permissions

Description: Allows an application to write to external storage.
Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Description: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.READ_PHONE_STATE
Process: N/A
Target: N/A

Description: Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether.
Indicator: android.permission.PROCESS_OUTGOING_CALLS
Process: N/A
Target: N/A

Description: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
Indicator: android.permission.SYSTEM_ALERT_WINDOW
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:35

Reported

2024-06-13 22:39

Platform

android-x86-arm-20240611.1-en

Max time kernel

64s

Max time network

141s

Command Line

com.namcmbmpmemnjgji.dadaofuzhuworld

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.namcmbmpmemnjgji.dadaofuzhuworld

su

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 logapi.mobileanjian.com udp
US 1.1.1.1:53 update.mobileanjian.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/eventservice.jar

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/start_eventsrv

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/umeng_it.cache

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/script.lc

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/script.prop

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/script.ui

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/script.rtd

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/script.cfg

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/.um/um_cache_1718318226649.env

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:35

Reported

2024-06-13 22:39

Platform

android-x64-20240611.1-en

Max time kernel

55s

Max time network

152s

Command Line

com.namcmbmpmemnjgji.dadaofuzhuworld

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.namcmbmpmemnjgji.dadaofuzhuworld

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 logapi.mobileanjian.com udp
US 1.1.1.1:53 update.mobileanjian.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 android.apis.google.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.194:443 tcp
CN 223.109.148.178:80 alog.umeng.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
GB 142.250.179.238:443 tcp

Files

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/eventservice.jar

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/start_eventsrv

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/umeng_it.cache

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/.imprint

/data/data/com.namcmbmpmemnjgji.dadaofuzhuworld/files/umeng_it.cache

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 22:35

Reported

2024-06-13 22:35

Platform

android-x86-arm-20240611.1-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 22:35

Reported

2024-06-13 22:35

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 22:35

Reported

2024-06-13 22:35

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A