Malware Analysis Report

2024-09-09 13:22

Sample ID 240613-dasy6svhjl
Target a396e03d71076f107eef467bb20718e8_JaffaCakes118
SHA256 966bd3727bf14b5c4445281b51df448e2b9e8424f6a4a705e0668de19aa1f17a
Tags
collection discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

966bd3727bf14b5c4445281b51df448e2b9e8424f6a4a705e0668de19aa1f17a

Threat Level: Shows suspicious behavior

The file a396e03d71076f107eef467bb20718e8_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:48

Signatures

Requests dangerous framework permissions

Each row gives the permission declared in the manifest (Indicator) with the Android framework description; Process and Target are N/A for every row of this static scan.

android.permission.READ_PHONE_STATE: allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE: allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_FINE_LOCATION: allows an app to access precise location.
android.permission.READ_EXTERNAL_STORAGE: allows an application to read from external storage.
android.permission.RECORD_AUDIO: allows an application to record audio.
android.permission.WRITE_SETTINGS: allows an application to read or write the system settings.
android.permission.ACCESS_COARSE_LOCATION: allows an app to access approximate location.
android.permission.SYSTEM_ALERT_WINDOW: allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.GET_ACCOUNTS: allows access to the list of accounts in the Accounts Service.
android.permission.WRITE_EXTERNAL_STORAGE: allows an application to write to external storage.
android.permission.CAMERA: required to be able to access the camera device.

Note: SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are not runtime ("dangerous") permissions but special app accesses the user must grant from Settings, so their presence in the manifest does not mean the app holds them. The remaining entries are runtime permissions that the user is prompted for; the combination of precise location, microphone, camera, accounts and direct calling is what raises the collection score here.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:48

Reported

2024-06-13 02:52

Platform

android-x86-arm-20240611.1-en

Max time kernel

168s

Max time network

157s

Command Line

com.xiaozhutv.pigtv

Signatures

Queries information about the current nearby Wi-Fi networks

discovery
Framework service call: android.net.wifi.IWifiManager.getScanResults (Process: N/A, Target: N/A)

Requests cell location

collection discovery evasion
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (Process: N/A, Target: N/A)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Indicator: alog.umeng.com (Description: N/A, Process: N/A, Target: N/A)
Note: alog.umeng.com is the log-upload host of the Umeng analytics SDK, and the Files section below shows the sample writing Umeng SDK caches (umeng_it.cache, .umeng/exchangeIdentity.json, .um/). A hit on the echap.eu.org list means the domain is also contacted by known stalkerware, not that this sample is stalkerware; weigh it together with the permission set and the other signatures rather than on its own.

Queries information about active data network

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process: N/A, Target: N/A)

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (Process: N/A, Target: N/A)

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver (Process: N/A, Target: N/A)
Framework service call: android.app.IActivityManager.registerReceiver (Process: N/A, Target: N/A)
Note: a receiver registered through Context.registerReceiver lives only as long as the registering process; unlike a manifest-declared receiver it cannot restart the app after it is killed, so the persistence tag is weak on this evidence alone.

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal (Process: N/A, Target: N/A)
Note: a Cipher.doFinal call by itself does not distinguish encryption of user data from ordinary SDK traffic protection or configuration obfuscation; the Files section shows no encrypted user files, only databases, XML and SDK caches.

Checks CPU information

File opened for read: /proc/cpuinfo (Process: N/A, Target: N/A)

Processes

com.xiaozhutv.pigtv

com.xiaozhutv.pigtv:romote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.xiaozhutv.com udp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 apiinit.amap.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 203.119.169.174:80 apiinit.amap.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 restapi.amap.com udp
CN 59.82.132.217:443 restapi.amap.com tcp
US 1.1.1.1:53 alog.umengcloud.com udp
CN 223.109.148.177:80 alog.umengcloud.com tcp
CN 223.109.148.130:80 alog.umengcloud.com tcp
CN 223.109.148.178:80 alog.umengcloud.com tcp
CN 223.109.148.141:80 alog.umengcloud.com tcp
CN 223.109.148.179:80 alog.umengcloud.com tcp
CN 223.109.148.176:80 alog.umengcloud.com tcp
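The table above mixes sandbox noise (resolver lookups to 1.1.1.1, link-local mDNS) with the sample's real egress, and repeats one row per connection. The following Python helper is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the table's "Country Destination [Domain] Proto" format, drops resolver and mDNS traffic, groups connections by domain, and flags domains that were only resolved or that were reached over cleartext HTTP. The embedded rows are an excerpt copied from the table; the assumption that 1.1.1.1:53 is the detonation platform's resolver is taken from the table itself.

```python
from collections import Counter, defaultdict
import ipaddress
import json

# Excerpt copied from the report's Network table (a subset, so the block runs
# stand-alone; the full table has more rows for the same domains).
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 api.xiaozhutv.com udp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
CN 120.53.213.17:10000 api.xiaozhutv.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 216.58.212.238:443 tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.132.217:443 restapi.amap.com tcp
"""

# Assumption: the sandbox resolves through 1.1.1.1 (as the table shows), and
# 224.0.0.251:5353 is link-local mDNS. Both are environment noise, not egress.
RESOLVERS = {"1.1.1.1"}
MDNS_GROUP = "224.0.0.251"


def parse_row(line):
    """Parse one 'Country Destination [Domain] Proto' row; Domain may be absent."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:          # rows such as 'GB 216.58.212.238:443 tcp'
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, _, port = dest.rpartition(":")
    ipaddress.ip_address(ip)       # reject garbled destinations early
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def classify(row):
    """Label a row as resolver lookup, mDNS chatter, or sample egress."""
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns"
    if row["ip"] == MDNS_GROUP:
        return "mdns"
    return "egress"


def summarize(text):
    """Group egress by domain and derive the checks an analyst wants first."""
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    by_domain = defaultdict(set)
    connections = Counter()
    for r in rows:
        if classify(r) != "egress":
            continue
        key = r["domain"] or f"(no-domain) {r['ip']}"
        by_domain[key].add(f"{r['ip']}:{r['port']}/{r['proto']}")
        connections[key] += 1
    # Domains looked up but never connected to deserve a second look.
    resolved = {r["domain"] for r in rows if classify(r) == "dns"}
    resolved_only = sorted(d for d in resolved - set(by_domain) if d)
    # Cleartext HTTP endpoints are where telemetry can be read on the wire.
    cleartext_http = sorted(k for k, v in by_domain.items()
                            if any(e.endswith(":80/tcp") for e in v))
    return {"by_domain": {k: sorted(v) for k, v in by_domain.items()},
            "connections": dict(connections),
            "resolved_only": resolved_only,
            "cleartext_http": cleartext_http}


if __name__ == "__main__":
    print(json.dumps(summarize(NETWORK_ROWS), indent=2))
```

Run against the full table, the grouping collapses the seventeen api.xiaozhutv.com rows into one endpoint (120.53.213.17:10000/tcp) with a connection count, and separates the app's own backend from the Alibaba/Umeng/Amap SDK hosts that generate most of the cleartext traffic.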

Files

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 5008fb9bf75c41cd1bb3fcc4f1f0fc53
SHA1 ec1bb1c98c15cc1f7c40c008cc04c11e4df95938
SHA256 0fcae6f2843e37ee2fe4b30676409285fcbff66ca1c0d35e3aa0a6f20e7e7a43
SHA512 2fbee37ffe6fc96249ec6304e5f88e6cb57d7b14244639d76b990d004172288dc8f37bdf11b628f63c1531d9a0efd37c0f4803deb2b546f1be5342d5fd3e3e05

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 5707989a96d4e0bde1d75c04cdf15448
SHA1 18a3ca9d2ed3f8eb135aa24a9d887b8d07af4adf
SHA256 fdc6b8a00aabcccf372171513a9c66074115ac34e4b9d54bad615e9e4ed0f2e4
SHA512 92ae47b610f738652faf16566a5c8d2c03b0c2767b72281097d8f92c698747ca3281e5978d4a9f459ec0cca05f693235980d4b09842c2c726ee6a0a340a6f862

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 1acdbcbb51626baf5042bf804c4d44cd
SHA1 995a6ca32f40e43a8afae31f25a339855fc66e8e
SHA256 143bd83e37ddeb599c5ce58012e125825b78b802e1292b7eae506928ca88aaf8
SHA512 592e890756c93378f8ecbab87db0ea91366484b544070a8c944db90a8774b210857813e415984b518aa1f112a54c61677e82ba6558703ad380cb42f1e161edd2

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 cf12bdf1782f2b4c9df30384516c0250
SHA1 6a8801ebf102516eeb97ff1905489362af91e83c
SHA256 4a2ad2721da0d7ec19135c856b0ccdaadc539219d134f39b1846b2cf4e0b811f
SHA512 c5580d34fd8dea81080f560a7e4ded381070b8eef5dc55ca7faa35ff4010b24a6a7c1ef6665cfcee904bdd55f3200e08a8494bd489cf45b64dbd3d1547690932

/data/data/com.xiaozhutv.pigtv/databases/cc/cc.db-journal

MD5 7c4687652d00fb607fe9c076240cd08f
SHA1 b3aec71af67c73fe23a8658aa6d6648497203430
SHA256 765a46c29cb8e797b1013ed78d0ff0d4ef7b8791db80eb36269c44a201ba9672
SHA512 59e9ee4d456792a79d524957443030656afe4a4e6d7235006b22f1715f963c10c2ae80e6b0f4547f2685716e86803dab42c05b43deb30450652459b60a180a4e

/data/data/com.xiaozhutv.pigtv/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.xiaozhutv.pigtv/databases/cc/cc.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xiaozhutv.pigtv/databases/cc/cc.db-wal

MD5 43a4b4a3bf930d5a406abef004ee423b
SHA1 60ae43bf994fd6ae36e91ab51a8a8f00a168b45f
SHA256 d594093c2ec3e13929778c2ad07c368afe8c9ff74acabe60cbd7cabd1e8c21d7
SHA512 177ce38069b37010fcd3e3e9d289a23e52730aa75f4d4dd3ec85a221a70ba776785e1becbd810a473f8e861bcb9e7c8b286b942316b27b59263f92f894127c18

/data/data/com.xiaozhutv.pigtv/databases/.ua/ua.db-journal

MD5 069e047a9114fc2516b4fbeb55740bf1
SHA1 82191cac883d4d92ba3d15edfec86cae66e979c6
SHA256 86b6487f5e32c3d6a6ec04b46b044be461481edbcee4534efb9a550547131d56
SHA512 1c6d83de8e61059683593557b738e09cc5945cd110eb967b4854a321a3b7b4d23f4e696f5a4f9090dcb177fb7408a9aa7d6e20d130f190a64cfe1c246601979e

/data/data/com.xiaozhutv.pigtv/databases/.ua/ua.db

MD5 dfa742fddce558e29eb869ea5ebc7e65
SHA1 6daded8176ba9253737d41490108332f9f64fff0
SHA256 430aeaf5267965d52da2320255ef1e7569773ce2eac9f9db3ffba3738a98493a
SHA512 7072a0e412065b34f00276ea2f14dd1992e50cf93d031e105db5e5797d558582e19e25f2700f32e84246f6758fc0849706b979dbb4c6b63bc717ec01c45b900a

/data/data/com.xiaozhutv.pigtv/databases/.ua/ua.db-wal

MD5 9469f19c8b7acdb876a544cc89574f39
SHA1 0a94cd48f82195f85d9a4f787e694b006d23de87
SHA256 d143c3b22b05cd6a4c40ed3d9b279d034f3c022efc154b12f05b0673bb58bae0
SHA512 2b5d0150d666f763b4ea07ca1bf3b48dea04326de19b09ad2208ae788802b0d800b40d22d4b1ebb89a5318a99670dd3ae3b6b9be73597b160d5797ec0034334f

/data/data/com.xiaozhutv.pigtv/databases/.ua/ua.db-wal

MD5 b7272ee3408090bf76298ba6bee08247
SHA1 0c6d7ff9ce13a84ab9066abe317b5e76fc84e3d1
SHA256 35706b85afab721b4ad4d7a951244a91654deafb6f5fa50116cb74bbc3ccd5c6
SHA512 b93627ae6087e85922f0581e5eeec00ab43ead8e6758e6d1d55b0d6af861c09741cb03d6e66d698d47adf09041e3a6c3f5f5e4e5c1b612c369745aff32019d8d

/data/data/com.xiaozhutv.pigtv/databases/.ua/ua.db

MD5 c38ebc0bb438e94054bafbed202081b0
SHA1 cfb88c966710fb981e368ab2a493518aa6d07cbd
SHA256 263dca744e18915fbfc01499e24005269384d9f770116680f1b0b8ac75304981
SHA512 a6ea2a27f3b53d232c5f0f3efdc1fd295658b96147f8138cf91b517906bbbd69d1b7d16d7f8f11c33c2d49f72830d26d125e88a8c3540ff57a573c634bbbfdb9

/data/data/com.xiaozhutv.pigtv/databases/hmdb-journal

MD5 08b9c14328968b76b81b2f31c1dfcb60
SHA1 0b496b1ac8b4733626c7b9b8b92935561b2aefd4
SHA256 6b259e1e211fc61de8cb4bab17e72e15ec2f9e4d437a4ee8f677d85cc3253fe7
SHA512 1a6cdcf212b93b8b8849c6c302b3913ad37c4e32b9a0d35589b427607a9b5a0b1a873ac392ca550928a264314161512cf077e55184644de7e29f17dad89c61f4

/data/data/com.xiaozhutv.pigtv/databases/hmdb

MD5 3fe30614d7e0d11db870b4624f6c50e0
SHA1 053ff0fc621ab40f2afeddb3e7b4a73ee41ec533
SHA256 67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d
SHA512 c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

/data/data/com.xiaozhutv.pigtv/databases/hmdb-wal

MD5 b6b82c9fb3c1ac95f4e0302620575b54
SHA1 9e7770d6e01990dc85f14d7ff8c4f3c3fe0666b0
SHA256 1f77634eccbe31e88de548322381cd0552ae3d353ef67076e3e882823407f6f8
SHA512 63f40a21fba94aa913c234a9a96d7a06a695d8e421b87daec0b3666d1b362977ed657bf946dd40200d7167c66696eb4b47d9b44650f2d43d392e0d88ec6d51d8

/data/data/com.xiaozhutv.pigtv/files/umeng_it.cache

MD5 7466ca916a986eb46345448dc07ff1af
SHA1 d925b733a5558757b909b5fc70d6727db9e0e668
SHA256 5c4b93d2b3f1d006652ed7fa39f95d6239249cdf097750b8630495579cbc29d7
SHA512 db5e650f6c9737a38e07c6d764124c30f367d6e24f49f806789813f2a8b37ca366ebe51e80b66feb34475dc4cf635785c7644154bdee2565169e32fb457879de

/data/data/com.xiaozhutv.pigtv/files/.umeng/exchangeIdentity.json

MD5 75640f7a82922a7a944c2bcd2c6fcc91
SHA1 8fd2001509f712ed504db910831d15d91cd2a6d4
SHA256 5c635b0cce8962b8269a0c988a0e8409da4df338b39e9c3517e29d659f15dcbd
SHA512 abd64b262c9f86f047ec4850cc24482cbb47b7e2e4291d4b0a323475eb51febbb7d85d4270773c027f5374375c9ba639bc6087a3033b4b83cfb2b46b83636fd3

/data/data/com.xiaozhutv.pigtv/files/exid.dat

MD5 06b7d8fe0f96ce6e758d03442b42f928
SHA1 b557be80f3ce6500bbe4e4ca687533d0c126bc0f
SHA256 cf10f6b6db3f44e4b4ebedcfcd6e2b75c624f5444f09f52030606f7b31adea36
SHA512 534f72a2f18853c4bd8329001dc27ea47906eb4e2338d9bb5133d2500d47fbee9d1e7c6aab1011455d8032f151e381152940501374fad58707d002ddb6ed78f3

/data/data/com.xiaozhutv.pigtv/databases/.ua/ua.db-wal

MD5 b9e8f80101311259aa371ceccc463b59
SHA1 a02ee40d5f907dc111c317f61784b3c5d8b4e0a1
SHA256 5cdd344e8c47692b7027f1e5527904ec00a84ba8b887fbe87e5e96bedcdef69a
SHA512 58c3958616c9aa0f5f66151486e7d46d52d143e5620aad1f5c19c3e969653d96f84ed5a921d38001340ca8708559a57fe5b8a091541ea1737dd75738180d4708

/data/data/com.xiaozhutv.pigtv/databases/.ua/ua.db

MD5 d604a3bf1f8d992cc320ea5b1f7609bd
SHA1 247f88df0b55c7d523ea5398637711a0e4a483a4
SHA256 329940b4d46326d58e73c842dd099704061d0ef7338777bf31ad895f29013c17
SHA512 67e28f6713cb5c238a9664df128f01a89a2efb7c8c9330c1e45bc0d40ebab81fa20df5166743d84d81dc0386a89ff0329f022281c098339baa2e851ff0a1e1ab

/data/data/com.xiaozhutv.pigtv/databases/cc/cc.db-wal

MD5 0754bf046c49856d0242350ba3e73bd9
SHA1 c2b2a0a0103c703a34ecb37a31d420bdb3e42fd4
SHA256 12f1441aedfdcf95a2c792cdfac080197b85f8f01253a8cdf2a4298dff25a683
SHA512 215730d5400e652ced792e702d312eaeccb20efc1fa3dae39740c700119bd5b7e4df80ad4ab5009e71d670a228f048d13ac1194f103c0f0c996d8adf114bbbfd

/data/data/com.xiaozhutv.pigtv/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/data/data/com.xiaozhutv.pigtv/files/.um/um_cache_1718247078792.env

MD5 f0be096855c632e41f38d5e9b5e8809b
SHA1 45214ec12fc7643d9d8b927866c5ff62b58224cf
SHA256 2a339d3b6e403d1ba19fcaa6a00d2a70dfbaddba07cabd0bfabc468c2cb197e4
SHA512 07fae2ca174d7d9a30c1cdc24e8a6650d436a603965bacc9a07677c92c1c1fa0965ffcecd25be5d9ad8111c57c4c8c5c623a19cc8fe76abe1b3fec427882aea9