Malware Analysis Report

2024-09-09 17:53

Sample ID: 240613-elzfrstdne
Target: a3c4a7e99f32434bf4e10b096dc73401_JaffaCakes118
SHA256: c686f5f38b52aff239d744bd382712b4d82b6847a6de342cd2dd1155b227998c
Tags: discovery, impact, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: c686f5f38b52aff239d744bd382712b4d82b6847a6de342cd2dd1155b227998c

Threat Level: Shows suspicious behavior

The file a3c4a7e99f32434bf4e10b096dc73401_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, impact, persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 04:02

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 04:02
Reported: 2024-06-13 04:05
Platform: android-x86-arm-20240611.1-en
Max time kernel: 177s
Max time network: 184s

Command Line

com.gikoo5

Signatures

Queries information about running processes on the device

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

Tag: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tag: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.gikoo5

Network


Files

/data/data/com.gikoo5/cache/com.parse/applicationId
/data/data/com.gikoo5/databases/ParseOfflineStore-journal
/data/data/com.gikoo5/databases/ParseOfflineStore
/data/data/com.gikoo5/databases/ParseOfflineStore-shm
/data/data/com.gikoo5/databases/ParseOfflineStore-wal
/storage/emulated/0/Android/data/com.gikoo5/gikoo#gikoorecruitment/log/20240613/000.html (5 entries)
/storage/emulated/0/Android/data/com.gikoo5/cache/uil-images/journal.tmp
/data/data/com.gikoo5/databases/rep.db-journal
/data/data/com.gikoo5/app_sslcache/www.easemob.com.443
/data/data/com.gikoo5/databases/rep.db
/data/data/com.gikoo5/databases/rep.db-wal
/data/data/com.gikoo5/files/jpush_stat_cache.json
/data/data/com.gikoo5/files/umeng_it.cache
/data/data/com.gikoo5/files/.umeng/exchangeIdentity.json
/data/data/com.gikoo5/files/.um/um_cache_1718251425452.env