Malware Analysis Report

2024-07-28 14:37

Sample ID 240613-2tgx1stfjh
Target a6faf75cdbf483b3607d4198939c5ea3_JaffaCakes118
SHA256 1c947538583b1464f9c849a46a73fcdd5e0a6491a37d5f78395a2675c645c1f3
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1c947538583b1464f9c849a46a73fcdd5e0a6491a37d5f78395a2675c645c1f3

Threat Level: Likely malicious

The file a6faf75cdbf483b3607d4198939c5ea3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Loads dropped Dex/Jar

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:52

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:52

Reported

2024-06-13 22:55

Platform

android-x64-20240611.1-en

Max time kernel

80s

Max time network

180s

Command Line

com.wxb.wanshu

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /data/local/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /data/local/su | N/A | N/A
N/A | /data/local/bin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.wxb.wanshu/[email protected] | N/A | N/A
N/A | /data/user/0/com.wxb.wanshu/[email protected]!classes2.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | s.appjiagu.com | N/A | N/A
N/A | b.appjiagu.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.wxb.wanshu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | log.umsns.com | udp
GB | 172.217.16.234:443 |  | tcp
US | 1.1.1.1:53 | app.wanshu.com | udp
CN | 47.98.47.124:80 | app.wanshu.com | tcp
CN | 47.98.47.124:80 | app.wanshu.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 172.217.169.46:443 |  | tcp
US | 1.1.1.1:53 | s.appjiagu.com | udp
US | 104.192.110.60:80 | s.appjiagu.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
GB | 142.250.178.4:443 |  | tcp
GB | 142.250.178.4:443 |  | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | b.appjiagu.com | udp
CN | 180.163.249.208:80 | b.appjiagu.com | tcp
CN | 106.63.25.33:80 | b.appjiagu.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp

Files

/data/data/com.wxb.wanshu/.jiagu/libjiagu.so

MD5 50750315eef281575611bc425174b939
SHA1 acaff02526d7b4c257e00002ed09af364f66a401
SHA256 c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef
SHA512 60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

/data/data/com.wxb.wanshu/.jiagu/libjiagu_64.so

MD5 32a8cba7e6fac645ea3d1fca87cba90f
SHA1 6b01347c0d6777ea644c9859214decf5a00431b3
SHA256 ec2270b007c53f33ec3ae7c49e78fde28a64bf2eaf4309ce60abf9e03035227f
SHA512 018c9c65ed954c48b98d6a42e28f6b2e5850179079497367bca849667fdd69a96a2182b43c2a865ebcbfd8548d6973d9b0d2f9570644a36bc7549b1a420557d4

/data/user/0/com.wxb.wanshu/[email protected]

MD5 273df2d826ff5362ac6e48f4e8a4540b
SHA1 b2f5c5537f4fcf7daabdc2517198ea83d300111a
SHA256 674e3cbb5480111732c55b4c9744e8eb516a08949fa7ca76902697e6bacb8d8a
SHA512 a2dded3ae6643bcff58ba22d5451516854b13693e652b1ee585b6a636d6b629d754c6375af519ab6da5e7b3f5f49098da6b2fe42562a69caa15d210a2a587773

/data/user/0/com.wxb.wanshu/[email protected]!classes2.dex

MD5 ed887caf429e958b51d5cd41e42c721d
SHA1 a8ad2170c8dc71315428b9b07aa0ec35c5a7a4e5
SHA256 88020c063fafadb32f5a9160cf173c1d29233927de599224ca0ae81a9f23e97f
SHA512 87d7eb12229047ed29e7c0d5f2484150448a73e6b76fbae127e9a18cdaa7440b5ea24cb1eefe26c62964a9716f566a967f7a68f5a0c56465a89f8df7236edefe

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ri

MD5 f022826d02c98a9d4e0a3819c0419a29
SHA1 764d9629820b6d1a501a5e5ac9a2cd6d97e14e5a
SHA256 8de35ad74127b6636bc97e8289678fcb44f28c8953ef522430a7f2bf43ba9e01
SHA512 06940285c40268f3033b7dabd15bf5b72c50576b561d9acb039c213b3cae315073d1b647e996db828b35a346bdffbdf0845ecfad3adea2224a7d9c0e10d8fc5a

/data/data/com.wxb.wanshu/files/.jiagu.lock

MD5 3115dfee7d0fc3fe2f34f773d177c0ee
SHA1 eba0c44799cd641b1487051b585d7f14af163b78
SHA256 ca40dc2bde6775d0352fdff123a158803269a0cef6225b2d22bced8198dcca60
SHA512 ba39779d1d1b675781e53c3ec1bf482331c4930e6f57b8ce5bacdd9f5ecdb9e89774263bfc9d182d3cbc3837682a304dfb41a6d46fa4329ab3f5e5dadc8e4164

/data/data/com.wxb.wanshu/files/.jglogs/.jg.rd

MD5 e425b863819b55401dcf3adba5120d02
SHA1 11fe34d3322ac9ab00a0156516c2669fe7ea97c8
SHA256 d45d614f3102a20fb18fc4f9525203a781f61c28e409980a39506e098d01511d
SHA512 3fe1c6efd76a1e7eea4241182ca5ec137d19be64f84e347983d21ccda333c7cc30ccc6326533f8489d010904ca75c6ea30bdd0ba68207f9dd2e2751b559600fa

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ac

MD5 fbcf3f617d068d6ec889a8e7a1605e6f
SHA1 8158c03dea8d89b613ec7d62bdab6981b06bf767
SHA256 46ea3a62bcbb4f3db32fd1be2da85f242c4c8ba366dda060bc67e30540726d51
SHA512 f4b83958acaa00bd1774ea26d0b2f601a616cd0fecdcf58e88031717e31e9df0580747cc16f5225101dc0847dca64d000ba53cb777cc626a2d8ea4771e675860

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ic

MD5 d40942531c7211169bbff9d833cd6cef
SHA1 23e3313a4130c1c4e05bdb263b2a2988e026a6f6
SHA256 54cb89e073722baaeea5a8db118d42ec4c60bceb65b894010159149b2d883bde
SHA512 40b0a6cae08365f49cb4fc04905cc0e2c194b6138e5d386f70d810579fb27a074676c06346d7225adc028e722cf40e750776f542e446715a2cce55a9d8b508e3

/data/data/com.wxb.wanshu/files/.jglogs/.jg.di

MD5 68dd600df106dad1856a37a511ae7a66
SHA1 3da51186fbdd83f6078a883cfba17f61f468a037
SHA256 f44bf9cab4d18b1df3e4c95b38f703e88445fc756d8f9cf815838740eb505b4f
SHA512 e3809cf4b0dc48863240716473d1a00627947a124d56c53f3b20619785593402fe9a209f904413ba06ceae59c18dc1c2698547ed106e61f4ffb7ea11be86b4a4

/storage/emulated/0/360/.iddata

MD5 28d247c3d4618b28633defa050f55cc6
SHA1 3fabefadc0ce9064bb6518aaeac5e76f0804e82f
SHA256 20a36898bd2e936fc7edd1bfdef693864fe45630863335c3c7966148a12f33bf
SHA512 af3831f4893c05fb6b26c464f0c95f529bb02fa10bbf0d0b2dba990924e354284973d7329d9464a59973fd93b1935d160c4321c0612976700e230c03f5c99914

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399

/data/data/com.wxb.wanshu/files/.jglogs/.jg.di

MD5 8fe72874dfe644dfb9675515f1f515b6
SHA1 ead1583bee552e7edd7fc79ffd61b2d577b37bd9
SHA256 4043476086d384d7252e866753bb8fca9483739f21fb86300a42bba684aed46f
SHA512 0c3b13415b30723f94e0b4a75988280953028e6be043e0dbf004e1bf683b57e4afd583db7c2fa4a137816547ae464ef506a2a95c6a2d3cc03103446cedeba790

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ac

MD5 e707843ed4d92554fd281be9489be0b6
SHA1 5e4454dad8e015d2cef7eaad1c3a1392de7f9d76
SHA256 4b921e50762d76e2318ce23ed3daf0070a33ad517d8400c76a77f0d750d31494
SHA512 70b872b9726a8a556115418d681085a0c811c1bb0f856a21609106dd6ee8e1a4e6226624f0f3846f210fbcbef19bccafe205f1ade9c4d82c863f8508b24e829b

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:52

Reported

2024-06-13 22:55

Platform

android-x86-arm-20240611.1-en

Max time kernel

88s

Max time network

182s

Command Line

com.wxb.wanshu

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /data/local/su | N/A | N/A
N/A | /data/local/bin/su | N/A | N/A
N/A | /data/local/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.wxb.wanshu/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.wxb.wanshu/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.wxb.wanshu/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.wxb.wanshu/.jiagu/tmp.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | s.appjiagu.com | N/A | N/A
N/A | b.appjiagu.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.wxb.wanshu

sh -c ps

ps

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | app.wanshu.com | udp
GB | 142.250.187.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
CN | 47.98.47.124:80 | app.wanshu.com | tcp
CN | 47.98.47.124:80 | app.wanshu.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | s.appjiagu.com | udp
US | 104.192.110.60:80 | s.appjiagu.com | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | b.appjiagu.com | udp
CN | 180.163.249.208:80 | b.appjiagu.com | tcp
CN | 106.63.25.33:80 | b.appjiagu.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp

Files

/data/data/com.wxb.wanshu/.jiagu/libjiagu.so

MD5 50750315eef281575611bc425174b939
SHA1 acaff02526d7b4c257e00002ed09af364f66a401
SHA256 c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef
SHA512 60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

/data/data/com.wxb.wanshu/.jiagu/classes.dex

MD5 273df2d826ff5362ac6e48f4e8a4540b
SHA1 b2f5c5537f4fcf7daabdc2517198ea83d300111a
SHA256 674e3cbb5480111732c55b4c9744e8eb516a08949fa7ca76902697e6bacb8d8a
SHA512 a2dded3ae6643bcff58ba22d5451516854b13693e652b1ee585b6a636d6b629d754c6375af519ab6da5e7b3f5f49098da6b2fe42562a69caa15d210a2a587773

/data/data/com.wxb.wanshu/.jiagu/classes.dex!classes2.dex

MD5 ed887caf429e958b51d5cd41e42c721d
SHA1 a8ad2170c8dc71315428b9b07aa0ec35c5a7a4e5
SHA256 88020c063fafadb32f5a9160cf173c1d29233927de599224ca0ae81a9f23e97f
SHA512 87d7eb12229047ed29e7c0d5f2484150448a73e6b76fbae127e9a18cdaa7440b5ea24cb1eefe26c62964a9716f566a967f7a68f5a0c56465a89f8df7236edefe

/data/data/com.wxb.wanshu/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ri

MD5 9474e590ca6dbb0ec0af7dc4c57b5dee
SHA1 249bbf09e88c0f0b0db45d79ea8f42a350b6c05f
SHA256 e76a74391e647daca107746add1b58cbe6bd4ad635dbc528fcd67c1518016716
SHA512 4b42ee63f6a5da2c3da8d2b67e8f8a0551cd3e9fafec18f52c3bd14a198db52457bc9ad5a167f2fc401f449f6a833e833c7a2c8b4d74555eb6097ad30cb14d6e

/data/data/com.wxb.wanshu/files/.jiagu.lock

MD5 65cb4b069b609273aee7a5423c3bce15
SHA1 d32758fd4e00e6ac9faf209c8706a1fb2dfa54c9
SHA256 44fe48a4b7dafba06406d0144f4de7d499cfc31970a6c91e78d92f03f00dd6a5
SHA512 e3743915db0be63f76333c74d319e8168046a92ce8e40cfebfb8cc86e8c362e8a40792244da6c16f6f3f5931f27222c604193621edce4bace35b445ce90f85fd

/data/data/com.wxb.wanshu/files/.jglogs/.jg.rd

MD5 038b4b5c478b6f4d977aa971b0e60e5a
SHA1 b173355e92124c87cad10c6b2a7e9621c55db348
SHA256 578dbfbddebe3d8eff4cdf847f7236d88b469282ad79272533563f1f2306a59d
SHA512 5601f8ee83dadee9bd6f6eb804f78e931e7da4a2605ab1a70210b89eaefbfd7d09667c9e14296a01d89f4510a093fcf01ba8ed8170c545580f9280dc8d617391

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ac

MD5 fbcf3f617d068d6ec889a8e7a1605e6f
SHA1 8158c03dea8d89b613ec7d62bdab6981b06bf767
SHA256 46ea3a62bcbb4f3db32fd1be2da85f242c4c8ba366dda060bc67e30540726d51
SHA512 f4b83958acaa00bd1774ea26d0b2f601a616cd0fecdcf58e88031717e31e9df0580747cc16f5225101dc0847dca64d000ba53cb777cc626a2d8ea4771e675860

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ic

MD5 d40942531c7211169bbff9d833cd6cef
SHA1 23e3313a4130c1c4e05bdb263b2a2988e026a6f6
SHA256 54cb89e073722baaeea5a8db118d42ec4c60bceb65b894010159149b2d883bde
SHA512 40b0a6cae08365f49cb4fc04905cc0e2c194b6138e5d386f70d810579fb27a074676c06346d7225adc028e722cf40e750776f542e446715a2cce55a9d8b508e3

/data/data/com.wxb.wanshu/files/.jglogs/.jg.di

MD5 51ccae637ceaebaca2cb17fd171a2174
SHA1 cea2778497768e14c4a0980641abdfa7ab91d992
SHA256 135a501e3d1e4392147dc544e9956646945827c60b7b0addd4f1f207e87d302c
SHA512 bc9b3b215f8227738beb9d4d998841204d009027c03cf0a63618490c5c0cab997eaeb42168cbd733cb01a1cc45733e3d8d8daeeefbcfef80ba896175e34cdd32

/storage/emulated/0/360/.iddata

MD5 edd14f2c10516de3a094da37fbb57572
SHA1 e763c22b04e9aa595fe424e76fa993abb5fa6db5
SHA256 0c3d8cb672876f7c001fdf6eece8f67fda76e0a75cd5b4ffdf4a4b92b4b95c78
SHA512 002914440e47445d4ef3a50df5fd843dc6dfe0657c3513a8e813100deb6b727925a97c3aa51af9c4bc62147e17cab63e99349040d38f94b36f61b476fb48fdce

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.wxb.wanshu/files/.jglogs/.jg.di

MD5 cf4e272442f7f289dd7e629fca2c15f7
SHA1 04e060f461f46a73a0c9c32d75b44be0174ed6af
SHA256 2ddcc8fdc6036f06afc3667e23d9ddec409575bad74a2186c64951f28991a841
SHA512 d3cfd1a0f9ddf3b6e1239980e1ce436108a09d72f932f71fbfd956888ce586fa7da441dee4ea49f610aed6975e03876d8920ec7453034eb3f64f16d96422e636

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ac

MD5 e707843ed4d92554fd281be9489be0b6
SHA1 5e4454dad8e015d2cef7eaad1c3a1392de7f9d76
SHA256 4b921e50762d76e2318ce23ed3daf0070a33ad517d8400c76a77f0d750d31494
SHA512 70b872b9726a8a556115418d681085a0c811c1bb0f856a21609106dd6ee8e1a4e6226624f0f3846f210fbcbef19bccafe205f1ade9c4d82c863f8508b24e829b