Malware Analysis Report

2024-09-09 17:47

Sample ID 240613-2tgx1stfjh
Target a6faf75cdbf483b3607d4198939c5ea3_JaffaCakes118
SHA256 1c947538583b1464f9c849a46a73fcdd5e0a6491a37d5f78395a2675c645c1f3
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

1c947538583b1464f9c849a46a73fcdd5e0a6491a37d5f78395a2675c645c1f3

Threat Level: Likely malicious

The file a6faf75cdbf483b3607d4198939c5ea3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Loads dropped Dex/Jar

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:52

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:52

Reported

2024-06-13 22:55

Platform

android-x86-arm-20240611.1-en

Max time kernel

88s

Max time network

182s

Command Line

com.wxb.wanshu

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /data/local/su | N/A | N/A
N/A | /data/local/bin/su | N/A | N/A
N/A | /data/local/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.wxb.wanshu/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.wxb.wanshu/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.wxb.wanshu/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.wxb.wanshu/.jiagu/tmp.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | s.appjiagu.com | N/A | N/A
N/A | b.appjiagu.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.wxb.wanshu

sh -c ps

ps

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | app.wanshu.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
CN | 47.98.47.124:80 | app.wanshu.com | tcp
CN | 47.98.47.124:80 | app.wanshu.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | s.appjiagu.com | udp
US | 104.192.110.60:80 | s.appjiagu.com | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | b.appjiagu.com | udp
CN | 180.163.249.208:80 | b.appjiagu.com | tcp
CN | 106.63.25.33:80 | b.appjiagu.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp

Files

/data/data/com.wxb.wanshu/.jiagu/libjiagu.so

MD5 50750315eef281575611bc425174b939
SHA1 acaff02526d7b4c257e00002ed09af364f66a401
SHA256 c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef
SHA512 60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

/data/data/com.wxb.wanshu/.jiagu/classes.dex

MD5 273df2d826ff5362ac6e48f4e8a4540b
SHA1 b2f5c5537f4fcf7daabdc2517198ea83d300111a
SHA256 674e3cbb5480111732c55b4c9744e8eb516a08949fa7ca76902697e6bacb8d8a
SHA512 a2dded3ae6643bcff58ba22d5451516854b13693e652b1ee585b6a636d6b629d754c6375af519ab6da5e7b3f5f49098da6b2fe42562a69caa15d210a2a587773

/data/data/com.wxb.wanshu/.jiagu/classes.dex!classes2.dex

MD5 ed887caf429e958b51d5cd41e42c721d
SHA1 a8ad2170c8dc71315428b9b07aa0ec35c5a7a4e5
SHA256 88020c063fafadb32f5a9160cf173c1d29233927de599224ca0ae81a9f23e97f
SHA512 87d7eb12229047ed29e7c0d5f2484150448a73e6b76fbae127e9a18cdaa7440b5ea24cb1eefe26c62964a9716f566a967f7a68f5a0c56465a89f8df7236edefe

/data/data/com.wxb.wanshu/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ri

MD5 9474e590ca6dbb0ec0af7dc4c57b5dee
SHA1 249bbf09e88c0f0b0db45d79ea8f42a350b6c05f
SHA256 e76a74391e647daca107746add1b58cbe6bd4ad635dbc528fcd67c1518016716
SHA512 4b42ee63f6a5da2c3da8d2b67e8f8a0551cd3e9fafec18f52c3bd14a198db52457bc9ad5a167f2fc401f449f6a833e833c7a2c8b4d74555eb6097ad30cb14d6e

/data/data/com.wxb.wanshu/files/.jiagu.lock

MD5 65cb4b069b609273aee7a5423c3bce15
SHA1 d32758fd4e00e6ac9faf209c8706a1fb2dfa54c9
SHA256 44fe48a4b7dafba06406d0144f4de7d499cfc31970a6c91e78d92f03f00dd6a5
SHA512 e3743915db0be63f76333c74d319e8168046a92ce8e40cfebfb8cc86e8c362e8a40792244da6c16f6f3f5931f27222c604193621edce4bace35b445ce90f85fd

/data/data/com.wxb.wanshu/files/.jglogs/.jg.rd

MD5 038b4b5c478b6f4d977aa971b0e60e5a
SHA1 b173355e92124c87cad10c6b2a7e9621c55db348
SHA256 578dbfbddebe3d8eff4cdf847f7236d88b469282ad79272533563f1f2306a59d
SHA512 5601f8ee83dadee9bd6f6eb804f78e931e7da4a2605ab1a70210b89eaefbfd7d09667c9e14296a01d89f4510a093fcf01ba8ed8170c545580f9280dc8d617391

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ac

MD5 fbcf3f617d068d6ec889a8e7a1605e6f
SHA1 8158c03dea8d89b613ec7d62bdab6981b06bf767
SHA256 46ea3a62bcbb4f3db32fd1be2da85f242c4c8ba366dda060bc67e30540726d51
SHA512 f4b83958acaa00bd1774ea26d0b2f601a616cd0fecdcf58e88031717e31e9df0580747cc16f5225101dc0847dca64d000ba53cb777cc626a2d8ea4771e675860

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ic

MD5 d40942531c7211169bbff9d833cd6cef
SHA1 23e3313a4130c1c4e05bdb263b2a2988e026a6f6
SHA256 54cb89e073722baaeea5a8db118d42ec4c60bceb65b894010159149b2d883bde
SHA512 40b0a6cae08365f49cb4fc04905cc0e2c194b6138e5d386f70d810579fb27a074676c06346d7225adc028e722cf40e750776f542e446715a2cce55a9d8b508e3

/data/data/com.wxb.wanshu/files/.jglogs/.jg.di

MD5 51ccae637ceaebaca2cb17fd171a2174
SHA1 cea2778497768e14c4a0980641abdfa7ab91d992
SHA256 135a501e3d1e4392147dc544e9956646945827c60b7b0addd4f1f207e87d302c
SHA512 bc9b3b215f8227738beb9d4d998841204d009027c03cf0a63618490c5c0cab997eaeb42168cbd733cb01a1cc45733e3d8d8daeeefbcfef80ba896175e34cdd32

/storage/emulated/0/360/.iddata

MD5 edd14f2c10516de3a094da37fbb57572
SHA1 e763c22b04e9aa595fe424e76fa993abb5fa6db5
SHA256 0c3d8cb672876f7c001fdf6eece8f67fda76e0a75cd5b4ffdf4a4b92b4b95c78
SHA512 002914440e47445d4ef3a50df5fd843dc6dfe0657c3513a8e813100deb6b727925a97c3aa51af9c4bc62147e17cab63e99349040d38f94b36f61b476fb48fdce

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.wxb.wanshu/files/.jglogs/.jg.di

MD5 cf4e272442f7f289dd7e629fca2c15f7
SHA1 04e060f461f46a73a0c9c32d75b44be0174ed6af
SHA256 2ddcc8fdc6036f06afc3667e23d9ddec409575bad74a2186c64951f28991a841
SHA512 d3cfd1a0f9ddf3b6e1239980e1ce436108a09d72f932f71fbfd956888ce586fa7da441dee4ea49f610aed6975e03876d8920ec7453034eb3f64f16d96422e636

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ac

MD5 e707843ed4d92554fd281be9489be0b6
SHA1 5e4454dad8e015d2cef7eaad1c3a1392de7f9d76
SHA256 4b921e50762d76e2318ce23ed3daf0070a33ad517d8400c76a77f0d750d31494
SHA512 70b872b9726a8a556115418d681085a0c811c1bb0f856a21609106dd6ee8e1a4e6226624f0f3846f210fbcbef19bccafe205f1ade9c4d82c863f8508b24e829b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:52

Reported

2024-06-13 22:55

Platform

android-x64-20240611.1-en

Max time kernel

80s

Max time network

180s

Command Line

com.wxb.wanshu

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /data/local/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /data/local/su | N/A | N/A
N/A | /data/local/bin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.wxb.wanshu/[email protected] | N/A | N/A
N/A | /data/user/0/com.wxb.wanshu/[email protected]!classes2.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | s.appjiagu.com | N/A | N/A
N/A | b.appjiagu.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.wxb.wanshu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | log.umsns.com | udp
GB | 172.217.16.234:443 | | tcp
US | 1.1.1.1:53 | app.wanshu.com | udp
CN | 47.98.47.124:80 | app.wanshu.com | tcp
CN | 47.98.47.124:80 | app.wanshu.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 172.217.169.46:443 | | tcp
US | 1.1.1.1:53 | s.appjiagu.com | udp
US | 104.192.110.60:80 | s.appjiagu.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | b.appjiagu.com | udp
CN | 180.163.249.208:80 | b.appjiagu.com | tcp
CN | 106.63.25.33:80 | b.appjiagu.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp

Files

/data/data/com.wxb.wanshu/.jiagu/libjiagu.so

MD5 50750315eef281575611bc425174b939
SHA1 acaff02526d7b4c257e00002ed09af364f66a401
SHA256 c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef
SHA512 60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

/data/data/com.wxb.wanshu/.jiagu/libjiagu_64.so

MD5 32a8cba7e6fac645ea3d1fca87cba90f
SHA1 6b01347c0d6777ea644c9859214decf5a00431b3
SHA256 ec2270b007c53f33ec3ae7c49e78fde28a64bf2eaf4309ce60abf9e03035227f
SHA512 018c9c65ed954c48b98d6a42e28f6b2e5850179079497367bca849667fdd69a96a2182b43c2a865ebcbfd8548d6973d9b0d2f9570644a36bc7549b1a420557d4

/data/user/0/com.wxb.wanshu/[email protected]

MD5 273df2d826ff5362ac6e48f4e8a4540b
SHA1 b2f5c5537f4fcf7daabdc2517198ea83d300111a
SHA256 674e3cbb5480111732c55b4c9744e8eb516a08949fa7ca76902697e6bacb8d8a
SHA512 a2dded3ae6643bcff58ba22d5451516854b13693e652b1ee585b6a636d6b629d754c6375af519ab6da5e7b3f5f49098da6b2fe42562a69caa15d210a2a587773

/data/user/0/com.wxb.wanshu/[email protected]!classes2.dex

MD5 ed887caf429e958b51d5cd41e42c721d
SHA1 a8ad2170c8dc71315428b9b07aa0ec35c5a7a4e5
SHA256 88020c063fafadb32f5a9160cf173c1d29233927de599224ca0ae81a9f23e97f
SHA512 87d7eb12229047ed29e7c0d5f2484150448a73e6b76fbae127e9a18cdaa7440b5ea24cb1eefe26c62964a9716f566a967f7a68f5a0c56465a89f8df7236edefe

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ri

MD5 f022826d02c98a9d4e0a3819c0419a29
SHA1 764d9629820b6d1a501a5e5ac9a2cd6d97e14e5a
SHA256 8de35ad74127b6636bc97e8289678fcb44f28c8953ef522430a7f2bf43ba9e01
SHA512 06940285c40268f3033b7dabd15bf5b72c50576b561d9acb039c213b3cae315073d1b647e996db828b35a346bdffbdf0845ecfad3adea2224a7d9c0e10d8fc5a

/data/data/com.wxb.wanshu/files/.jiagu.lock

MD5 3115dfee7d0fc3fe2f34f773d177c0ee
SHA1 eba0c44799cd641b1487051b585d7f14af163b78
SHA256 ca40dc2bde6775d0352fdff123a158803269a0cef6225b2d22bced8198dcca60
SHA512 ba39779d1d1b675781e53c3ec1bf482331c4930e6f57b8ce5bacdd9f5ecdb9e89774263bfc9d182d3cbc3837682a304dfb41a6d46fa4329ab3f5e5dadc8e4164

/data/data/com.wxb.wanshu/files/.jglogs/.jg.rd

MD5 e425b863819b55401dcf3adba5120d02
SHA1 11fe34d3322ac9ab00a0156516c2669fe7ea97c8
SHA256 d45d614f3102a20fb18fc4f9525203a781f61c28e409980a39506e098d01511d
SHA512 3fe1c6efd76a1e7eea4241182ca5ec137d19be64f84e347983d21ccda333c7cc30ccc6326533f8489d010904ca75c6ea30bdd0ba68207f9dd2e2751b559600fa

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ac

MD5 fbcf3f617d068d6ec889a8e7a1605e6f
SHA1 8158c03dea8d89b613ec7d62bdab6981b06bf767
SHA256 46ea3a62bcbb4f3db32fd1be2da85f242c4c8ba366dda060bc67e30540726d51
SHA512 f4b83958acaa00bd1774ea26d0b2f601a616cd0fecdcf58e88031717e31e9df0580747cc16f5225101dc0847dca64d000ba53cb777cc626a2d8ea4771e675860

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ic

MD5 d40942531c7211169bbff9d833cd6cef
SHA1 23e3313a4130c1c4e05bdb263b2a2988e026a6f6
SHA256 54cb89e073722baaeea5a8db118d42ec4c60bceb65b894010159149b2d883bde
SHA512 40b0a6cae08365f49cb4fc04905cc0e2c194b6138e5d386f70d810579fb27a074676c06346d7225adc028e722cf40e750776f542e446715a2cce55a9d8b508e3

/data/data/com.wxb.wanshu/files/.jglogs/.jg.di

MD5 68dd600df106dad1856a37a511ae7a66
SHA1 3da51186fbdd83f6078a883cfba17f61f468a037
SHA256 f44bf9cab4d18b1df3e4c95b38f703e88445fc756d8f9cf815838740eb505b4f
SHA512 e3809cf4b0dc48863240716473d1a00627947a124d56c53f3b20619785593402fe9a209f904413ba06ceae59c18dc1c2698547ed106e61f4ffb7ea11be86b4a4

/storage/emulated/0/360/.iddata

MD5 28d247c3d4618b28633defa050f55cc6
SHA1 3fabefadc0ce9064bb6518aaeac5e76f0804e82f
SHA256 20a36898bd2e936fc7edd1bfdef693864fe45630863335c3c7966148a12f33bf
SHA512 af3831f4893c05fb6b26c464f0c95f529bb02fa10bbf0d0b2dba990924e354284973d7329d9464a59973fd93b1935d160c4321c0612976700e230c03f5c99914

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399

/data/data/com.wxb.wanshu/files/.jglogs/.jg.di

MD5 8fe72874dfe644dfb9675515f1f515b6
SHA1 ead1583bee552e7edd7fc79ffd61b2d577b37bd9
SHA256 4043476086d384d7252e866753bb8fca9483739f21fb86300a42bba684aed46f
SHA512 0c3b13415b30723f94e0b4a75988280953028e6be043e0dbf004e1bf683b57e4afd583db7c2fa4a137816547ae464ef506a2a95c6a2d3cc03103446cedeba790

/data/data/com.wxb.wanshu/files/.jglogs/.jg.ac

MD5 e707843ed4d92554fd281be9489be0b6
SHA1 5e4454dad8e015d2cef7eaad1c3a1392de7f9d76
SHA256 4b921e50762d76e2318ce23ed3daf0070a33ad517d8400c76a77f0d750d31494
SHA512 70b872b9726a8a556115418d681085a0c811c1bb0f856a21609106dd6ee8e1a4e6226624f0f3846f210fbcbef19bccafe205f1ade9c4d82c863f8508b24e829b