Malware Analysis Report

2024-09-09 13:19

Sample ID 240613-aq2z8sxapb
Target a32256a4e8df9bf4e998bdda1548eec4_JaffaCakes118
SHA256 fa9a8bcf4e64ae0d0fdcc039fb7fd3c5f1ce137363ead69311138407efd6a86d
Tags
collection discovery evasion impact persistence
score
8/10

Analysis Overview

score
8/10

SHA256

fa9a8bcf4e64ae0d0fdcc039fb7fd3c5f1ce137363ead69311138407efd6a86d

Threat Level: Likely malicious

The file a32256a4e8df9bf4e998bdda1548eec4_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Requests cell location

Checks Android system properties for emulator presence.

Queries information about running processes on the device

Checks Qemu related system properties.

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:26

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:25

Reported

2024-06-13 00:29

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

157s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

mount

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 00:25

Reported

2024-06-13 00:29

Platform

android-x64-20240611.1-en

Max time kernel

7s

Max time network

131s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.42:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.169.42:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.179.238:443 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:25

Reported

2024-06-13 00:29

Platform

android-x86-arm-20240611.1-en

Max time kernel

5s

Max time network

159s

Command Line

com.tqhy.gameshop

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.name | N/A | N/A
Accessed system property key | ro.serialno | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.product.device | N/A | N/A

Checks Qemu related system properties.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.kernel.qemu | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.tqhy.gameshop

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.umsns.com | udp
US | 1.1.1.1:53 | v.6.cn | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
GB | 163.171.146.43:80 | v.6.cn | tcp
US | 1.1.1.1:53 | fp-bj.fengkongcloud.com | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp

Files

/data/data/com.tqhy.gameshop/tinker_server/7e939543b615e894_version.info

MD5 7d84c3eb8e3b6e7e7867c7269985a2d3
SHA1 b9ad29a047bd80588891d896873c6d3e47254572
SHA256 3f92dce1f8d41c30b724cea7b39937fcf6e925d39c0d191d80b9a6280cc24db2
SHA512 2e6574c225a6bd8018b6abf04c197f5db08e80c7b5405fe1beda50567fd97dcea8c4a16dcde5d6ff39bbb855b554f1ddbbb342cfdaa5e6d1436557737150a79c

/data/data/com.tqhy.gameshop/databases/okgo.db-journal

MD5 a9bee019c1615b77d66a62a80de38d28
SHA1 7810d9e3dcd1a732cc16e8320b4d33d6ad79e106
SHA256 fea0203c993f4a8237c4b9b3ab8dfa50d33b8886fd7b863bc673b5e34e62ac23
SHA512 e8d8c46cba3253168c1808ce943371231c2527985e915b27eaccfed94885d8e2fe6c13b33bc57bc976d500afe477eec726fd2f148c737c081a4b7e9281285f87

/data/data/com.tqhy.gameshop/databases/okgo.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tqhy.gameshop/databases/okgo.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.tqhy.gameshop/databases/okgo.db-wal

MD5 df0c38ae324d4d8058b55b1fd31407ca
SHA1 f7439268b70d8c806afeb9c7d954d6bee023f741
SHA256 bc1320c1a0d38c64e07f3abf49db7084ee71e2bd6e0f67b2ea92af2f0fadf0f5
SHA512 e49d778cbb438c91a49b56cde6f8bd16edc95a39cba585bbb27a58d8b373e291419df8e8666a705ab5e3220180e06c286d298f83e97da4b5e93bafb3a5c14a5c

/storage/emulated/0/shumei.txt

MD5 9b2959cb107bf78c653fcde7e21230d7
SHA1 e18868ddbfd858c1d38d32c2b9b1ff6e3baa0c32
SHA256 1d0c9761709558d62cc01871ec5a0a8d1423c26c88628589e424b6afe99eee7d
SHA512 3681f968d2358af19bd348ef2f9afb40829b18f2d0c5eb845f751d022db2b0b842c807b9e7192e1eb40f1240f53bd1fac6ed9780377743e0747529bbd1e46cb0

/data/data/com.tqhy.gameshop/databases/ua.db-journal

MD5 c3497dda43f5b6fc001c6fbd3b581733
SHA1 ae3229215565d0eb90c37d4cf2eaf40eb53f7036
SHA256 f42e7c3248ddde895a55c5705818dbd79e5bfc9e9dcb5a0946261f492c8aed5b
SHA512 a6c9dccc29084136921e3f5e2d3dda2aa5f004720c745f5ae7fe8175b11bd04ad0d59a1e58b65ded621c8d7598bcccc06b8842ebad49562eae7f9df2b9e1c367

/data/data/com.tqhy.gameshop/databases/ua.db

MD5 3aa9b298a40c3dde3c6ed2504649b7c9
SHA1 09dc8e1f07fb288e4efa87150925e08ad08af2d5
SHA256 9cf11ef5df0c5698db89bd084659df93f0842da8f831a13a5430e50a935a0433
SHA512 c4f4b7f913b888f2e759e069bae9a1e4fa0b95800d38bd66978ed605a699b515197229bbf23aa2500320736aca367c562c5fc08ea4847007b4acb3531a534cdf

/data/data/com.tqhy.gameshop/databases/ua.db-wal

MD5 3129cde92fd230d9bf4dae7c8d631ed3
SHA1 9d566dfeec5c1c3c27355e478312a345d23db5c7
SHA256 7eff56716092082faf4bcd5477b9d66ebd749ef9d9f5bcc2307f91d01b5d9f6e
SHA512 ae0c222998b49302e8c672939b7d775ba43d23d2cb97e7af982bd4015985bfb4dc186368549b4e084dceed537b37f47a76234c68eaaec1a2261ba40d10e69c1e