Malware Analysis Report

2024-09-09 17:47

Sample ID: 240613-3r7akazcnp
Target: a72a2f515264d248d5a8f25a63617b4f_JaffaCakes118
SHA256: 1ebc81dd3512c0cf9ef66bd6e73d82f93f3878155badc83008c99bbd581b96df
Tags: discovery, impact, persistence
Score: 7/10


Analysis Overview


Threat Level: Shows suspicious behavior

The file a72a2f515264d248d5a8f25a63617b4f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, impact, persistence

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 23:46

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 23:45
Reported: 2024-06-13 23:49
Platform: android-x86-arm-20240611.1-en
Max time kernel: 6s
Max time network: 130s

Command Line

com.ishow.english

Signatures

Queries information about running processes on the device (discovery)

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network (discovery)

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (might try to encrypt user data) (impact)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.ishow.english

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
CN | 203.107.1.97:443 | | tcp
US | 1.1.1.1:53 | log.umsns.com | udp
US | 1.1.1.1:53 | check.shareinstall.com.cn | udp
CN | 59.82.29.162:443 | log.umsns.com | tcp
CN | 120.46.79.149:443 | check.shareinstall.com.cn | tcp
US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp
US | 1.1.1.1:53 | norma-external-collect.meizu.com | udp
US | 1.1.1.1:53 | sec.umeng.com | udp
US | 1.1.1.1:53 | umengacs.m.taobao.com | udp
CN | 203.119.169.82:443 | sec.umeng.com | tcp
CN | 110.253.189.166:443 | umengacs.m.taobao.com | tcp
CN | 183.60.176.112:80 | norma-external-collect.meizu.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.212.202:443 | | tcp

Files

/data/data/com.ishow.english/databases/MessageStore.db-journal

MD5 e4cab79efd52db65a53eac7f28957446
SHA1 ddc653c396973b98881964e8d9042ef957e0823a
SHA256 8af840429b85722f581651238a1bd4d3ddd7fbbf5fe9f9cda31a1fc212ea616d
SHA512 5407d836113a74bad0e293049f7d6e4295901df27dc765a0119c5b8cecb8f3d335ef06491b8c61349acadb52fd045ac308f09ea9f903a3d07a6c2c4528a77385

/data/data/com.ishow.english/databases/MessageStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ishow.english/databases/MessageStore.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.ishow.english/databases/MessageStore.db-wal

MD5 f21989575a56d08a4fd1a558e23d3533
SHA1 3b6403ed49d34438c1702941782db75505f66385
SHA256 7cc66be5b3fdab34c0bd9341e7184ba4c02b0c67f0523bfffa7d01fd852ba08c
SHA512 beb56b4ca09ffbf0e3179dcb0db7c4e7b287494e56aa714f977a4badadb8132d85535d92a830ea62109f6905b198afdc33ac42ed7726790e1ba29a2110de6e1d

/data/data/com.ishow.english/databases/MsgLogStore.db-journal

MD5 0242bfde226afdf086ceb371a22f8a50
SHA1 32277923af4f6edf3ffc1422123e1b7795d8985e
SHA256 3e651b0a09ab4502f43ed2cbe67be944e5a042fee93294f003a98ad845303fd7
SHA512 f56d9c3b0f592ed5fa9efb2c3c113a561583f582cd24fdab97450c2415b38ced03f619112e8d16151c0c8281ccf7ec036e219c637f1f247a6ba211fa553e2ada

/data/data/com.ishow.english/databases/MsgLogStore.db-wal

MD5 2b64378d200e5525a65a7833a4611a80
SHA1 771c7e1adbc65a419d4415a576fc6a5840b68cfe
SHA256 a857332b311b874322f12126f264153fb57f3249e647451d657e1d87f7b2e83a
SHA512 8b4e5b50eb492204d3882b15840a6500c04b4187ff7614adcd87b28f2aafa5291b9961302e5f6028d1aa9595e6f9283560a5b736987303d70246dd9adf5836c3

/data/data/com.ishow.english/databases/bugly_db_-journal

MD5 729b72e18e844a1329f2d3864e9dde6c
SHA1 0c859c05fbe19111e228b67e256d0aa6ad982eef
SHA256 329d1f4a623784a3c1358481bc36ab890ebd6194543d83e299f43f283bb3293f
SHA512 fa0066100d2558a53f1ffcda41a507133f00daee9844cbe3c9af4a0600d8cf4760cf4a414bd0695e2bd3f305fd9e65465e727a82c584849f70bf9143eb379b2d

/data/data/com.ishow.english/app_crashrecord/1004

MD5 91cb9da085fe7cda11f89d6be5536f3d
SHA1 416f24c10dc5c437cc3437737c04ab8d15dd420c
SHA256 952e5279b525a16dd0adabd45e2e1358518ed819305490a881f999e53d90d760
SHA512 3d750c708600d28f0dc4dfc188a8b3d4bd7a40d6500c6679491201503e26662e2af2e1e82ff3a0922fc65b2539de1ddb8b8e3d74930b4f2f9b28593e4aa3a265

/data/data/com.ishow.english/databases/bugly_db_-wal

MD5 d25e895a1b18e7933cb74bb069d16eae
SHA1 99ced7c1ec35fad77c918d20859bb2740a5e89d3
SHA256 40ffb8dd82b13576ce53b845e419c72ba1ed6c7e0c52ca311610eb89c432d4da
SHA512 60869f76916db51f409164dce770dc88a387e5c01c5a6b3079d3c466a44bfc1a2d3b656066b26fc7f789dd47ff9ef89b66841801cbf3e99aebcbe6cd8d4752ca

/data/data/com.ishow.english/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.ishow.english/app_crashrecord/1002

MD5 d07971352b286a9538b2d048fe350318
SHA1 23fe1f974f25058095d4b3aaad30cf59f1080b4e
SHA256 570c24f0e3954898dea7bb4ec1baabd2a8e4226675db43e570b4e979a99db269
SHA512 c3c31e90bd11df1d8e603fada7c215cd47d5a59c744809fb2122274efe7a6cb14648dd1db39dcd3b5925ce91639ccf92c19a1812c955b0f43613a0323984b59c

/storage/emulated/0/Android/data/com.ishow.english/files/tbslog/tbslog.txt

MD5 6a555a33d6ef2c0bd57e0041940b6350
SHA1 1016d099afbd1fb61008d453e91ba4052bfed76e
SHA256 f328f7992ad16c126b35170fa1ff3e9dfaeafb02183c230e377c6bb5a30fa003
SHA512 2b43fd9b46033d843fb5ba7a21d597eaf0614623c50cb262f60ec9ca7207e74d9fd41bd69ddbcd607392294ef7756aebf244356deb619a090868859ba425c1c1

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 c3bb1f2d575e733dbfa055fb8dbd5553
SHA1 e206eecd5d4abb26340aeeea0890e03adc3326cd
SHA256 35995b73a15171ab5af95bc09489ca41bb1957848291be97a8781ac7b5c52872
SHA512 9f81830520103fd5197bec76db6de539562cb8a5a91877684c797f4da3de41315064f9bf570af0503093fbe03d972cd47593ee7677e96e615934e653b205d7bf

/data/data/com.ishow.english/databases/accs.db-journal

MD5 89062ca916edaefcd6f1170abe53bb51
SHA1 74e397f5b9ba661bbba5f066e2381121d33882b9
SHA256 f1f8f0d4d532ffb400d8c06c89cd8c23461a47abcab3e8bc55978dfdc8d8ec16
SHA512 678186449ff67d49116f1a2437b48e180328c5c2126a951eed532edec8ada811e4de50077e8c1215f69a9a9af673cf1ffb5ab448cc308d5b765251ff20e2b536

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 3ca0ace80c8fa21a7d201147dbd11b87
SHA1 21efb3ba3521e84a40459a8c197b8967ebb4b145
SHA256 96c3892f74f1db1fbcd8720ec28f8a9a5567bc0a6816a26b616bf94bc5c6363c
SHA512 c87d98236f86e28446b8d926cb8c198d1a0f6108784e1b3a01743570d88850f45c37c4f3168df5ec29995f206e2cb9f4ff04f7c170fb336fc081602a5556840b

/data/data/com.ishow.english/databases/accs.db-wal

MD5 1694be0bc5713627bcafd15e96143475
SHA1 7091c24c732b2112c93ea2efc8dfdc5708c6f158
SHA256 b4d45c4ecb2c4eda77032d08898c7ccd7322b32d2abd2b690cd65f8da1419d4e
SHA512 33375bacb901cc0d03f5bd3686264ebb2315f862d98b111b0a545727f7840349031c5216ca4c127654b1dff29c8d0cd06a4dfcf795702885322bd2b459913ed8