Analysis Overview
SHA256
dc02e94bc4e00c7b69212568007a2427f54e3d36ffb9c1c20bcb3ac928c5bd60
Threat Level: Likely malicious
The file a6fa730887d390c8d1cc491426255540_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Reads the content of photos stored on the user's device.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Makes use of the framework's foreground persistence service
Queries information about active data network
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:51
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:51
Reported
2024-06-13 22:55
Platform
android-x86-arm-20240611.1-en
Max time kernel
125s
Max time network
177s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/xbin/su | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Reads the content of photos stored on the user's device.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| URI accessed for read | content://media/external/images/media | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.cmcm.transfer
sh
/system/bin/app_process /data/app com.ijinshan.ShouJiKongService.daemon.Daemon 4246 com.cmcm.transfer /data/app/com.cmcm.transfer--1KI4XxgDdyb7SDWqnlHZA==/base.apk version=1.5.0.323 vd=1500323
mount
mount
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | helptransfer1.ksmobile.com | udp |
| US | 1.1.1.1:53 | cmtransfer.cmcm.com | udp |
| US | 1.1.1.1:53 | helptransfer1.ksmobile.com | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | cmtransfer.cmcm.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | helptransfer0.ksmobile.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | cmtransfer.cmcm.com | udp |
| US | 1.1.1.1:53 | dl.ijinshan.com | udp |
| CN | 180.163.207.108:80 | dl.ijinshan.com | tcp |
| CN | 61.170.79.234:80 | dl.ijinshan.com | tcp |
| US | 1.1.1.1:53 | helptransfer1.ksmobile.com | udp |
| CN | 180.163.207.109:80 | dl.ijinshan.com | tcp |
| CN | 61.170.79.235:80 | dl.ijinshan.com | tcp |
Files
/data/data/com.cmcm.transfer/files/kfmt.dat
| MD5 | 8178444e82c8b22a5ba89cb60d6a8679 |
| SHA1 | db107ce1afc5d4a942002b358489ee0312f4e015 |
| SHA256 | 20661231b11d2acd75cdba9d3449104172c5f03651606caff1d4a6cd3029852a |
| SHA512 | 649116177b835a20b9404798281b874176280efead4550ecf816d820e910ff87792d7b2cd61afebb79e1cb23a2cf68cdb06d7cbef103099c46267197e1d38f61 |
/data/data/com.cmcm.transfer/files/kctrl.dat
| MD5 | be06bbd5ff4ebd90eadb38cf2a719f5a |
| SHA1 | 39b88d80a190872336518de9aa5718242dfaf316 |
| SHA256 | 2cb54ff4152dbd8986fb2b9dd5de4004ad73df2e6deaa5cce07c953f17ac5b05 |
| SHA512 | 61eb1a350b638f65666c11afbd19d9abe9512e8ac11039a2e568b42b30417160bc61dbf67154706b3b88ca9ae44554506e956cd64ba519776b06e911feb98187 |
/storage/emulated/0/Android/data/com.cmcm.transfer/files/sjk_cfg
| MD5 | d3af517c16b9932e30a38bbc18f9bfe0 |
| SHA1 | ffb841d506a70728d76a0fb9b53a6b3f1a186eee |
| SHA256 | ca36030b47e198639220acd5f3216e7fb48d1058543ec80fded89ef26815a23c |
| SHA512 | 4459b4cd0b8b1bc1ee7e3b1f17ff60bfd6d37d3a05ea752c281f6ef46fd86785590b4f2c2992cf642fd987d537fbfe6c2a49ca0d755ddb6db1ee09395c10c11b |
/storage/emulated/0/kingdid
| MD5 | fc0fc0121a8c8e47a4a26fbe98ade8c4 |
| SHA1 | 38d823249d5159bcd9f1aff992f4e00abc296467 |
| SHA256 | 14d9b5815df6eaf5a951f1095ad119f7b1896dcb714654a10295f7ddd5a865ff |
| SHA512 | 9d6e342bec713a4e4098d3ddb31d9830c40a91dc216b9b1ab15b8b8597e985b71fe10b790f80166bec9a0b677e6e4d7bba64f792b64449e3a103f627117baf3b |
/storage/emulated/0/Android/data/com.cmcm.transfer/cache/ThumbCache/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
/data/data/com.cmcm.transfer/databases/album_classify.db-journal
| MD5 | a7e6db909c381ebe4112b87a7e61da92 |
| SHA1 | 8c455035a21e48b8133b28ab6a515afcf15f53ae |
| SHA256 | b0d6a9146f969607c1b551a270ab711f9db1386af37683f225517f5045c682b6 |
| SHA512 | 78a2a983846155ffdc3ff007bced2e78de663bfd886780c23e6a11be7d67949fb1cacf739632f8d68d0ab55414c563b477792d317b75a79a89682bb7c3ceac88 |
/data/data/com.cmcm.transfer/databases/album_classify.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.cmcm.transfer/databases/album_classify.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.cmcm.transfer/databases/album_classify.db-wal
| MD5 | 0b71bb81aac61fc32f6ab1b46bda7e07 |
| SHA1 | f97d35c096b0fcec0a1c49ba76ba6efc70d607ba |
| SHA256 | eb639a78efd91964c8b8aae3bf1c6ead60ebe705d19c24df09e7d849f9da4ef3 |
| SHA512 | a910f9fd49a5318cc6654f74994733d29ddf508b62940edb288528b2df98e6c64682c77aa781339ae522090b89cd1c841d87521143e38b949f601f93eb3ecccd |
/storage/emulated/0/cmTransfer/app_thumb/com_cmcm_transfer.png
| MD5 | 335ce03f6dac1a6c1b7f3778bc25da6c |
| SHA1 | 10574436363392c63e56278c10377af031b76e49 |
| SHA256 | 555813770ee5df75fcf95d89a72b2eea8047895b1e2b8b4b6e472dbc023dcaca |
| SHA512 | b7aebed77e87802a8703f7d9a76943f062d5e07fa8a508a000ec1122ea39fedb95c8129ecf68826bfa627f585a6b6e82962a4400eea51a0d564afadf6fe68702 |
/storage/emulated/0/cmTransfer/app_thumb/com_google_android_syncadapters_contacts.png
| MD5 | 182704d186ca423b37c8c9f6d01614c7 |
| SHA1 | e01f4364232e3c667729561e06b9f6da0a06f183 |
| SHA256 | 6eb0e4f06ac588562cd3b448c37b3f1925f22c765aeb3a4cccb48cb163d7a64c |
| SHA512 | e2717f5f9392a3bd14891af3a7718cb0d5f29bbdb41aa0c4991e4eea1335a506e2f9a8651c0d72b0b35a250f94f592fcd755b5da2a44d08474633e85be7c7d41 |
/storage/emulated/0/cmTransfer/app_thumb/com_google_android_gms.png
| MD5 | 6b5c9f04923d1e0e91fa38342631c410 |
| SHA1 | 1aee3d3c1b15544d073e029648d444d1bca9ebd0 |
| SHA256 | 07c65208d4a32249b5d20c5fa4f2554307b11fe3f412b403973ede3e2e6e43e1 |
| SHA512 | 35b310bfa01f286fa25dc878893cf3d4b91844092ef415a65c33942d34107afbf9ced297cf6b28d0f375de8a29c024e9ea3c76e0186182bf61ecbdbf493cede6 |
/data/data/com.cmcm.transfer/databases/video_audio_classify.db-journal
| MD5 | 593f0f8cbd039edc565507cbde0849b3 |
| SHA1 | 79798ad328f465bb61e4fed6b1199540ea6c9435 |
| SHA256 | 242e1d344a1a8d3e8bc40842df6b7a3df02ee71b70e7ed92587d0af6cecdc579 |
| SHA512 | 46b178e941d49d44366b5bead954be6018027c63250abb56841137157a495d298d10bf7130149dd4212c36c9f65b58a1b38207ff6a61e4b77b2eb6b131b714fe |
/data/data/com.cmcm.transfer/databases/video_audio_classify.db-wal
| MD5 | a81f74bd4d4ee124c7f1db3ada174d61 |
| SHA1 | 49b5007d8899cb287438062e6815e5e2f8a7fcb0 |
| SHA256 | 658ddca2151df2276328e59a06ae39c5188fb1bcc17386c138cfc5b3d3a660c8 |
| SHA512 | c62cb45975e936a67af52bc47bf4b760d4c55a46aed8a7720ccfe140817b5e561ca7da4a705b106abdca53de1270d0b4bebe56ab5d9c8fb3806a77fb3b9cc13a |
/data/data/com.cmcm.transfer/files/infoc/transfer_hit_packagename_1718319128579.ich
| MD5 | 50fe10fc94631ee6958a4e1aae4d4537 |
| SHA1 | 11803321e2cb66755633940f59abfd8fc4826851 |
| SHA256 | 582991cedcb445f1bae17b8a7faea5573036c12964d87caa5b36100a1aa395ee |
| SHA512 | 5b18428a885c58250759421c2c03f36cd03c238e23a4a6043ac9c2e4336a6e8703f495b64070484f9c7ef146aad8b50949389d2f9b40a6273fb76c4d78aca55c |
/data/data/com.cmcm.transfer/files/infoc/transfer_hit_packagename_1718319128595.ich
| MD5 | bb33f3f01cf69e7d7d1e125ca8aadcb2 |
| SHA1 | f6c69a1053c4cf122c289b1bcd361ba12da4dcfe |
| SHA256 | 7bfeaa008887ee41a25f600c12907da21ee56ed1ca7a4f49e9b5a2d0ed3ac777 |
| SHA512 | e79b0c9b1171795c7ad2346479c8337bf0ad8cc28052c1e63e2e96eb4b81529a6a735f22afd5e1822c53730726844aa0b6de147b5a24a88e823ab4eee750973b |
/data/data/com.cmcm.transfer/files/infoc/transfer_hit_packagename_1718319128612.ich
| MD5 | ecd66833813937876d959c6452e648a7 |
| SHA1 | 512239577d7df4efceba8a0a41ce96b685fee19c |
| SHA256 | 34ea241577b4c7141fb83c86e612889a1e67b435aa1935b8a38b21c36662e505 |
| SHA512 | 3d5246ad3dd874032dfa7c3ef6a8417e55c097745e1d1c135c2895c0ec13a9e889f25e97fb12cdeb637989d94583c51b923981f210a04464f4fbc08bf319a1d8 |
/data/data/com.cmcm.transfer/files/infoc_force/transfer_homepage_1718319146220.ich
| MD5 | 17d872fde4ebc2bddea15a019edc9406 |
| SHA1 | 4a6f8f71296d887aad7de86a1f4b97abe051134e |
| SHA256 | 4a1f75c329d3c7fa7de2ac92cb45e663fd7e9190abb83281c011f62f22abbe44 |
| SHA512 | fbbd05c797b1ddb91a150a5122d7ffecf8a2981605bf1c8933cb6e2a37a7e2e5a9adfcb800ff1b6b5fe629644a3df84fedbd5056af32a459ceb933c1b44166a7 |
/data/data/com.cmcm.transfer/files/infoc_force/transfer_main_1718319147455.ich
| MD5 | 4c5e9d24744bdbaa79ce58f5b93549fe |
| SHA1 | 0ec89ad499dcdbdd39dc949207295acb69fa46e4 |
| SHA256 | 09611f17d67397d4fcc8c6e4ac89863b3f6c4b4f1572fd0e370a9bb3a8aaa4d3 |
| SHA512 | c8a05600710d6951afbf96205eceab576fb02a6c40309b811d84f47372f99c31a0d3f6fc821846ed8ee354420d27002cc2cb4ac6a9edbc820459cf99e239f7b3 |
/data/data/com.cmcm.transfer/files/infoc_force/transfer_active_1718319149046.ich
| MD5 | 413d658ec8d5dc993ccd4f6671518f5d |
| SHA1 | 58484edacd515ff4158fba7d13769b2ca759865f |
| SHA256 | 2a98274db1290123e2c28eb59c93d19bc205c710c41be583e788534f90f6feb5 |
| SHA512 | 59812c964b825f9613502780fc9bf9adf46203dec3b8a1518fd3f3dee75cce80d6dfc60c6c6f6bdee186e2232355f2add7034cb95c4b7f83acb3841a5883a00c |