Malware Analysis Report

2024-09-09 13:19

Sample ID 240613-an1pdsxaja
Target a31fb5638450b4390fb43954bd847342_JaffaCakes118
SHA256 91139952f4945ceaf9461135a296a06ec7c35ff28b7f7c30c84aba16b3c0d4fb
Tags
banker collection discovery evasion execution impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a31fb5638450b4390fb43954bd847342_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the contacts stored on the device.

Reads the content of the call log.

Queries information about running processes on the device

Checks Android system properties for emulator presence.

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Reads information about phone network operator.

Declares services with permission to bind to the system

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:22

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:22

Reported

2024-06-13 00:25

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

181s

Command Line

com.aio.downloader:process.main

Signatures

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call (logged 5 times) | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Reads the content of the call log.

collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A (logged 2 times) | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call (logged 3 times) | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call (logged 2 times) | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call (logged 4 times) | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call (logged 3 times) | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read (logged 3 times) | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read (logged 2 times) | /proc/meminfo | N/A | N/A

Processes

com.aio.downloader:process.main

com.aio.downloader:aio

com.aio.downloader:daemon

com.aio.downloader:remote

com.aio.downloader

Network


Files

/data/data/com.aio.downloader/databases/download2.db-journal

/data/data/com.aio.downloader/databases/download2.db

/data/data/com.aio.downloader/databases/download2.db-shm

/data/data/com.aio.downloader/databases/download2.db-wal

/data/data/com.aio.downloader/app_bin/daemon

/data/data/com.aio.downloader/databases/cc/cc.db-journal

/data/data/com.aio.downloader/databases/cc/cc.db

/data/data/com.aio.downloader/databases/cc/cc.db-shm

/data/data/com.aio.downloader/databases/cc/cc.db-wal

/data/data/com.aio.downloader/databases/runapp-shm

/data/data/com.aio.downloader/databases/runapp-wal

/data/data/com.aio.downloader/databases/.ua/ua.db-shm

/data/data/com.aio.downloader/databases/.ua/ua.db-wal

/data/data/com.aio.downloader/files/umeng_it.cache

/data/data/com.aio.downloader/files/.umeng/exchangeIdentity.json

/data/data/com.aio.downloader/files/exid.dat

/data/data/com.aio.downloader/files/.um/um_cache_1718238276832.env