Malware Analysis Report

2024-09-09 17:53

Sample ID: 240613-de7ywssbjg
Target: a39a5581150e155695044c77f19b3bd4_JaffaCakes118
SHA256: f9d3921ed94b8445ac78fa208f84566350e191d98c7ac786a401a5512a337e7e
Tags: discovery, evasion, impact, persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: f9d3921ed94b8445ac78fa208f84566350e191d98c7ac786a401a5512a337e7e

Threat Level: Likely malicious

The file a39a5581150e155695044c77f19b3bd4_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, impact, persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 02:56

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 02:56

Reported: 2024-06-13 02:59

Platform: android-x86-arm-20240611.1-en

Max time kernel: 125s

Max time network: 141s

Command Line

com.up591.android

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.up591.android

com.up591.android:push

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
SG | 47.246.109.108:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | utop.umengcloud.com | udp
CN | 140.205.160.70:443 | utop.umengcloud.com | tcp
US | 1.1.1.1:53 | oc.umeng.com | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
US | 1.1.1.1:53 | userapi.101.com | udp
CN | 121.32.243.77:80 | userapi.101.com | tcp
CN | 140.205.160.70:443 | utop.umengcloud.com | tcp

Files
