Analysis Overview
SHA256
49837c8a99e29ba8a14cf9e0e2abd3770e5c289862d6c0a9016e0983aa9f3294
Threat Level: Likely malicious
The file a725eefb2c39e77f5577de62e0240b92_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries information about running processes on the device
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current nearby Wi-Fi networks
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Analysis: static1
Detonation Overview
Reported
2024-06-13 23:41
Signatures
Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 23:41
Reported
2024-06-13 23:45
Platform
android-x86-arm-20240611.1-en
Max time kernel
37s
Max time network
178s
Command Line
Signatures
Checks if the Android device is rooted.

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system/app/Superuser.apk | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/data/org.github.magnet.search/.jiagu/classes.dex | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries information about the current nearby Wi-Fi networks

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |

Queries information about active data network

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Listens for changes in the sensor environment (might be used to detect emulation)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
org.github.magnet.search
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.74:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | apps.xiaok1.cn | udp |
| HK | 149.88.69.93:80 | apps.xiaok1.cn | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.75:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 223.109.148.177:443 | ulogs.umeng.com | tcp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| CN | 223.109.148.178:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.179:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.141:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.176:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.130:443 | ulogs.umeng.com | tcp |
Files
/data/data/org.github.magnet.search/.jiagu/libjiagu.so
| MD5 | 98736de515958ae37ae93a0a0e997098 |
| SHA1 | 72d0f9d43f7c9bdc9f19d13834c0872f5652c0f9 |
| SHA256 | 335091dfc73a9f792cb720389c5d94eb6642764a38d70d4b6b7a8afd34038421 |
| SHA512 | cc4974ce398bf7f4a20160ad30e4c4b5821ff0d7f2cc9fa0aead73ddc036585266edf429add276b53d6db8dd24a344d709469b9c839451deead6b621e70c92cf |
/data/data/org.github.magnet.search/.jiagu/classes.dex
| MD5 | 922a7d316e17debf88142a756aa18e57 |
| SHA1 | 2cfe2d4f130740cb4493326a7b41cc7965500188 |
| SHA256 | 021775204a5d9facb8a5ae5cc1fac28df8c5c0b2aa485cea0791fc79e8be61af |
| SHA512 | 243dcc1f9513c0d942ef2a3761998fc92475564cb9bd224793e58d58db0c2e3ca9c489300717d5377abf46faf67e03e816245de5035f9b6942fe0dda413f792d |
/data/data/org.github.magnet.search/files/umeng_it.cache
| MD5 | a6148547df22f16fc3afc4bbab762f39 |
| SHA1 | a5295e639be76486743cec6bbaed503f2f8a70c6 |
| SHA256 | d7379cec6f02f6dc3c9480c2f6b7ea471ebabaeaeddb20abe48d3be9e800a322 |
| SHA512 | 030a1c814973e6656c4ba0a854b397812b79bc65529f82d94a8e9deb72df7b559fb7d067fceb7372610317fb04af127bb77da531e9bd9b9002005cf0798bed38 |
/data/data/org.github.magnet.search/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzIyMTUxMzkz
| MD5 | 723c7de364f3f827f46d1b2118f4d8ce |
| SHA1 | f5eeefc6b5837c57e920fb45548e1db3cbabc591 |
| SHA256 | 26ad8a9f5c06b787e68b582afc31ea9dd810bf475cba1f4d9056600a54737d5b |
| SHA512 | 43c2fde7048373dd999077386981f5403b54d07f2710835f9be57358da965683045d3206d01cbc12477ded638ca834bd547fcae62509fbb1e2e7d0b6f77b6aff |
/data/data/org.github.magnet.search/files/.umeng/exchangeIdentity.json
| MD5 | c2816792c53d3b2088095b70ac4a2537 |
| SHA1 | 9e715feb4111f77b07e965bac8adfe3be2fc0d5c |
| SHA256 | 8633f2c6e02662d7ed5cbc6ee7dd206d71fa165c1969a2be0c1f24255c74dc95 |
| SHA512 | 610ff59060b713ede2781961d5a5e59c902cd39dfe50e7916d8e00d8f6a00f2bb6e26ec7950e8c41a9fb72dd01827eacca2f8a0b61294f67d6fe6b33cee1c381 |
/data/data/org.github.magnet.search/files/exid.dat
| MD5 | 96dce3764fce893406118e5c1be6505c |
| SHA1 | 0b77fd9452067a3b6996271181ffc4d378a19396 |
| SHA256 | a68d5589a2f238e5b7a1860155294ba028852df00bbbcda3abfb5dc33b8ef6f9 |
| SHA512 | bc23b164fee5bf073fe9f5e34a04f62d0bdd1b156b4808cf2254e723d763fd554edc3cbb80c9e99c1ae397e87d5917cc165a2f88055d463a4c9f896a5dfdf548 |
/data/data/org.github.magnet.search/files/.envelope/i==1.2.0&&1.0.1_1718322153065_envelope.log
| MD5 | 53527e695a6804c8bb6e1fa71a34e645 |
| SHA1 | c173c65e06b5a886682a9d8171ff849361e92d6d |
| SHA256 | 071e1b843775709c13b206c806af900fe374b58d829211a88e51484c6dd5c5ee |
| SHA512 | 92f3db0b40b89401f18de0869d00de1b774f122a2db5c2a27ffdb4322c7ddc5e7b7b3329b09977e9359fbf45e73c7506adc208dc0b833381b3fca3644fc189e7 |
/data/data/org.github.magnet.search/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzIyMTgyMTk2
| MD5 | 9fb5cf6db8679a42e3f09bf822def110 |
| SHA1 | 3978dbe531bbbd6f726978c46f30bb7e0bd829e9 |
| SHA256 | 386d84d6471bb168a278670e365f90d938a42b21784cbd0f42f5518b6fb889a2 |
| SHA512 | 82a62c1a7688e558fd97dbb75add40313133052174762b85e55ad8f11674b4e539c5d4d718527a84a9f127b3cf4582ceb15957c24aced72b72c56a6483944e0c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 23:41
Reported
2024-06-13 23:45
Platform
android-x64-20240611.1-en
Max time kernel
48s
Max time network
154s
Command Line
Signatures
Checks if the Android device is rooted.

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system/app/Superuser.apk | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/data/org.github.magnet.search/.jiagu/classes.dex | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries information about active data network

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Listens for changes in the sensor environment (might be used to detect emulation)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
org.github.magnet.search
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | apps.xiaok1.cn | udp |
| HK | 149.88.69.93:80 | apps.xiaok1.cn | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.234:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| GB | 172.217.16.226:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 172.217.169.46:443 | | tcp |
Files
/data/data/org.github.magnet.search/.jiagu/libjiagu.so
| MD5 | 98736de515958ae37ae93a0a0e997098 |
| SHA1 | 72d0f9d43f7c9bdc9f19d13834c0872f5652c0f9 |
| SHA256 | 335091dfc73a9f792cb720389c5d94eb6642764a38d70d4b6b7a8afd34038421 |
| SHA512 | cc4974ce398bf7f4a20160ad30e4c4b5821ff0d7f2cc9fa0aead73ddc036585266edf429add276b53d6db8dd24a344d709469b9c839451deead6b621e70c92cf |
/data/data/org.github.magnet.search/.jiagu/libjiagu_64.so
| MD5 | 64f0958be2a8e6862b90faacb40129e0 |
| SHA1 | 389c618137db70dbf84adffcdc3c5d4850a5ff24 |
| SHA256 | 4f38bee50f32a8c64f4f9c671b7cece34d4a1cb926087fec8ef505327d4edfaa |
| SHA512 | 793cb7104013b7841c38e4aa14f4d9246aefa61aa9803160e6398c4115a2df5c6af304bad045c687467547deaab3bb77272a675b0d673f81f2df3dee2d1fe94d |
/data/data/org.github.magnet.search/.jiagu/classes.dex
| MD5 | 922a7d316e17debf88142a756aa18e57 |
| SHA1 | 2cfe2d4f130740cb4493326a7b41cc7965500188 |
| SHA256 | 021775204a5d9facb8a5ae5cc1fac28df8c5c0b2aa485cea0791fc79e8be61af |
| SHA512 | 243dcc1f9513c0d942ef2a3761998fc92475564cb9bd224793e58d58db0c2e3ca9c489300717d5377abf46faf67e03e816245de5035f9b6942fe0dda413f792d |
/data/data/org.github.magnet.search/files/umeng_it.cache
| MD5 | 8879d5d5fd5e93aca7804e0ae4ab4fe1 |
| SHA1 | 608ed42e0c82b5840e95a78b56848dd0c8c48a2d |
| SHA256 | e1bdc6f755d46a2aa2db007502de1994df217e26b66b3ef37361b724d8dcf863 |
| SHA512 | 8e9b58a1b2be9245bab8c5af8d92fb7e9d1daf5da69f566444e50a2afa87b08e9e3e3b2784c706ca0d4b0cc447e0867057652feab8f74400d40d967133cec64f |
/data/data/org.github.magnet.search/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzIyMTYxNDI3
| MD5 | 0ad240097a40ec1a1412827dd11ed676 |
| SHA1 | a1c0af45e03c8dc4c8963e45a465783dc48d7ac9 |
| SHA256 | 87252cf8ba98388e3761a2a6824db7fb943f31c8b5d7036fc700059d19ffc383 |
| SHA512 | 452333e6d1a9c4ab849c254e7c943443090525d6b20be370a7bcae48fa4e16880041d997eba72f1eb7ea9e647df3e2045c389915227af5c8bc09482489ad021f |
/data/data/org.github.magnet.search/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzIyMTkxNzAw
| MD5 | 6714567429ff1fc8d2343156bfee6063 |
| SHA1 | 880f72c41a21ad13944e50f57322558d55b3e136 |
| SHA256 | 6838ecde57b32109bf1d802482cd13848938baa6c240f02eaf706c92a7412aa4 |
| SHA512 | 766d324a6d76b347f08c20129a6b62d1180ab919b8b390b47a12be4c0f0cd9fdf950c470a81a9bf38dcee6ba749eace17bd7c14e60660ba195c08ff271d44a13 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 23:41
Reported
2024-06-13 23:45
Platform
android-x64-arm64-20240611.1-en
Max time kernel
9s
Max time network
132s
Command Line
Signatures
Checks if the Android device is rooted.

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system/app/Superuser.apk | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/org.github.magnet.search/.jiagu/classes.dex | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries information about the current nearby Wi-Fi networks

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |

Queries information about active data network

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Listens for changes in the sensor environment (might be used to detect emulation)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
org.github.magnet.search
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.201.106:443 | | tcp |
| GB | 216.58.201.106:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | apps.xiaok1.cn | udp |
| HK | 149.88.69.93:80 | apps.xiaok1.cn | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
Files
/data/user/0/org.github.magnet.search/.jiagu/libjiagu.so
| MD5 | 98736de515958ae37ae93a0a0e997098 |
| SHA1 | 72d0f9d43f7c9bdc9f19d13834c0872f5652c0f9 |
| SHA256 | 335091dfc73a9f792cb720389c5d94eb6642764a38d70d4b6b7a8afd34038421 |
| SHA512 | cc4974ce398bf7f4a20160ad30e4c4b5821ff0d7f2cc9fa0aead73ddc036585266edf429add276b53d6db8dd24a344d709469b9c839451deead6b621e70c92cf |
/data/user/0/org.github.magnet.search/.jiagu/libjiagu_64.so
| MD5 | 64f0958be2a8e6862b90faacb40129e0 |
| SHA1 | 389c618137db70dbf84adffcdc3c5d4850a5ff24 |
| SHA256 | 4f38bee50f32a8c64f4f9c671b7cece34d4a1cb926087fec8ef505327d4edfaa |
| SHA512 | 793cb7104013b7841c38e4aa14f4d9246aefa61aa9803160e6398c4115a2df5c6af304bad045c687467547deaab3bb77272a675b0d673f81f2df3dee2d1fe94d |
/data/user/0/org.github.magnet.search/.jiagu/classes.dex
| MD5 | 922a7d316e17debf88142a756aa18e57 |
| SHA1 | 2cfe2d4f130740cb4493326a7b41cc7965500188 |
| SHA256 | 021775204a5d9facb8a5ae5cc1fac28df8c5c0b2aa485cea0791fc79e8be61af |
| SHA512 | 243dcc1f9513c0d942ef2a3761998fc92475564cb9bd224793e58d58db0c2e3ca9c489300717d5377abf46faf67e03e816245de5035f9b6942fe0dda413f792d |
/data/user/0/org.github.magnet.search/files/umeng_it.cache
| MD5 | 6b797b4d5c0fe9b4042ee9e8f230088e |
| SHA1 | 1d79109203f4d076c561f9de9359b546b6d23c5c |
| SHA256 | de90d37a695e3366d91b5428ba2a44ff6c1470e40e7636e2fe8c318a7437180d |
| SHA512 | ef47251d0c569eb13ddef16a185df3463de4684b7780442657c42e635f7e729679554b8820c4bed39596675ccb2ea02470c30c843805c823fd45473985aae656 |
/data/user/0/org.github.magnet.search/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzIyMTYyMjA1
| MD5 | 85a9be19c09391511c53bbba64ab4af8 |
| SHA1 | b36175af0bb351c85a9ac14ca11dd86e369cb0d6 |
| SHA256 | 89dd1633f6b0d88f4fcac2470d2d8fd1926baef5e3c200fc361ddc5f89c730bb |
| SHA512 | 82cff134ce0777142fe9d623d1aa9bafb1a332f65530c3f9d715fc114ef3f4b714d5391f098691059379d63ec60035571ce9330d0c6dea5ede4bcddff2a2a61d |