Malware Analysis Report

2024-09-09 17:50

Sample ID 240613-f69mxazcjk
Target a4002b055e02fd9f38ec7c99fe8d9071_JaffaCakes118
SHA256 9060a4ace4dd571f6e480c3521dd85f0800818e2dcfdc7f3712a8aad7ea28727
Tags: discovery, impact, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 9060a4ace4dd571f6e480c3521dd85f0800818e2dcfdc7f3712a8aad7ea28727

Threat Level: Shows suspicious behavior

The file a4002b055e02fd9f38ec7c99fe8d9071_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, impact, persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:30

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:30

Reported

2024-06-13 05:33

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

130s

Command Line

com.iwhu.newguide

Signatures

Queries information about running processes on the device (discovery)

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network (discovery)

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection (discovery)

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator (discovery)

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data) (impact)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.iwhu.newguide

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | v.map.baidu.com | udp
US | 1.1.1.1:53 | sapi.map.baidu.com | udp
HK | 103.235.46.245:443 | sapi.map.baidu.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
US | 1.1.1.1:53 | api.map.baidu.com | udp
HK | 103.235.46.245:80 | api.map.baidu.com | tcp
HK | 103.235.46.245:80 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | au.umeng.com | udp
US | 1.1.1.1:53 | au.umeng.co | udp
US | 1.1.1.1:53 | client.map.baidu.com | udp
HK | 103.235.46.245:443 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
HK | 103.235.47.88:80 | client.map.baidu.com | tcp
HK | 103.235.46.245:443 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | utop.umengcloud.com | udp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 112.34.116.1:80 | v.map.baidu.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 140.205.163.73:80 | utop.umengcloud.com | tcp

Files

/data/data/com.iwhu.newguide/files/imei.dat

MD5 748d9beeaa1899252a7365b780b95fb0
SHA1 2158cbe9044f2b138df0094615afe6616e526c9d
SHA256 59290d2d5a77605f8140feb82e44e8438115fb2f93dc56ed4c225b88c21baaa8
SHA512 cdeb0c4cebf1cc96ebda6940763a940df76120ee991bc7f003480caf055a970f16e4a19ef2ba2c56fa056d539b981e16542ec7239a7b91dd3828585bc2d1e440

/data/data/com.iwhu.newguide/files/imei.dat

MD5 8bb17f660e42c949ed6fa09239ddc67f
SHA1 e56e1310f56fba51d4d7d13771e951723b34a67c
SHA256 d95ba367eda7afa9d322095968c2cb9ee30f5abe85776ff01f50144e804c6cb8
SHA512 a8890e78c6108a4babdac40e6e579ef4a4ab606542dc9e72e883479d15a62efbb85898e2e510bce9072d4c36b9910ecdb3fd806e86f5360d5e7460654e80522d

/data/data/com.iwhu.newguide/files/ver.dat

MD5 5f7335045aed321b93c6ebb7a4d7417a
SHA1 35fbd4bee538b385d7abfc56df4e701615f73784
SHA256 f9d1a10b6885f6c28d841e07df992a2f620dd69e65d0a318523c232982158ed9
SHA512 ae94d011816076c988605e82e75c18ca6cb1708a20f079ac6dadc4c874c16b653a9ade7ec1015deec39bf98b840be69eb6e0d3705321e0bc59c8460c4de6ec4f

/data/data/com.iwhu.newguide/files/CMRequire.dat

MD5 25e57636aee83606d202f04f26c2913b
SHA1 1ef0ade456ba38aa31584d0fbce647d0ba74b399
SHA256 89c56da41f0046c9e733fed330d2636d623510c217f72c2d025df3343dc66783
SHA512 3a8d294b8be98abe4d18116cbf7c16d44a541d1d20dd4dfbbbf3bbd8cb7997abcbaf51790bbc1978135d888c4e89868a9a2575d9cfed65a331969de77ba07326

/data/data/com.iwhu.newguide/files/VerDatset.dat

MD5 caaa975d7bf4952bd5dd695ade33f1da
SHA1 119373fbb2db036712df72ec9b26c0c2840dfbb1
SHA256 d0f94264a6b5c355dbf5c0516202c732bcae471a2401542b2ca43307727a0d02
SHA512 db2acdecd236eab67cb67151032f53e51c9c04e754f3c21d74e05cacb1ea5edecbbccbd66ee760624b9cac97b8dd77f568324e8abc2b9c16aa73131db81c8b06

/data/data/com.iwhu.newguide/files/cfg/a/ResPack.rs

MD5 37c7d7a469620c696b8812831a527d62
SHA1 2e54375cde7ad35666184f5c7aeb65d5887f746c
SHA256 f3f542caf19e546f5cc1d265d5e6e35fa5ff32bb24e9282a60ef21d4c8588d9e
SHA512 8726878886379a8174b1ea11bb0c21dc6ef9bfe0ff2eafdfc4260a8c8666be82e3fd95309915aa0b40ad1a34b2f8f62f7c33860247562e84cac7e156dbf995bb

/data/data/com.iwhu.newguide/files/cfg/h/DVHotcity.cfg

MD5 6c495e47c754a9b25437ff9a88c7a51e
SHA1 8c4e36fda1e1f80918a3a8f1812c4e68b2326a4f
SHA256 e68e66e643d690d203a5153156e9cd6383ae1b3c481afa4b19e903d4a82289a3
SHA512 f3c030504cf50fdbd284acbdd893c948fb7ddb7544ce01d11c94fb00fb554f878949b1867fd5ab6c25e76c4be717aa819a917d4f25c8eba904df1a2819becf1c

/data/data/com.iwhu.newguide/files/cfg/l/DVHotcity.cfg

MD5 1c6abcbbd253448057930ad1cc59ac75
SHA1 a5845d1c4bc87b8b4785b456d76edcb8309eda4e
SHA256 a46b498ba6586aaa2f246bb34e47f4290ac60273cb86ff662475b0def7172136
SHA512 71aba5b2a1020d1925b3844c861cbe595de3b21d665eedb13f1ef0d80477fc091663e0625b09c5f49d4f9d0770970dd0d188b84635e9c75c1bdba9f2a7171631

/data/data/com.iwhu.newguide/files/cfg/h/DVHotMap.cfg

MD5 c16f5ca1517683c46e02a6b71aab3c00
SHA1 2d09a048d1b8d556d89d4d723947e9e234b5e59b
SHA256 13d4fbc0d1cb7c2761641a3632c440f6f1d919dce731b8c32cb35e652b0b39f9
SHA512 a692b79382747548fd8be8ed94c06198b143c167be1e96f60d8ea7ee9432a0eb1a0cd73d0704523e487d59443bf7ad13eb36e47b67864e227917d33225e3e62b

/data/data/com.iwhu.newguide/files/cfg/l/DVHotMap.cfg

MD5 cc3fad9057e0940ad4d4c7ad27922023
SHA1 403cbbcd7b819733b5caf49ed2a58d654441e99d
SHA256 f6d90bd8621889ab994374b4f51a1c3f9b028aab1a2129b8b3b0e1d7c5c37864
SHA512 ebaf2b8c56bc15826ef38b36e72ae41765fc723470c6dcc40bf9f31118f252777072ad39a535a79f53b6aa29811b4b21cebbc9810c47e34ef9400246d789ab21

/data/data/com.iwhu.newguide/files/cfg/l/DVDirectory.cfg

MD5 65685a117c72fe8fbf5a92b07073c99e
SHA1 b115b527f74e4c291edcaab19b316a446aca8f5b
SHA256 19bcea79613a5c3bb71dfe6b311241fcbf3534b538f0b147c7e849b58b24b2b8
SHA512 e5821a5212f0790db33ec7274f018b08f499557ff7f2f118021a7905573e8dd66e716fb02144919d96eeec7da9db921c756a88cf0a050f65a9f8de3894dcc253

/data/data/com.iwhu.newguide/files/cfg/l/DVVersion.cfg

MD5 e962c995c0664b5cd8d067db1561cad7
SHA1 263524863998525598f663ba7134ecec2ab592b2
SHA256 b83792f572112503fa2c542595047271d632318a775061ae3a964948738639f8
SHA512 7337967c5759f8a078eed90adc45054e5642b1e319800549c80395dcdc1956baa8d9741348e1dc0be931f24cdb899b95d4beec35e52995703dad8d0feb04ab26

/data/data/com.iwhu.newguide/files/cfg/h/DVDirectory.cfg

MD5 4baa4ede52eacda76bd26d5838cc2de3
SHA1 38b65c75440581f43ddb32ef17480e5c87f0153f
SHA256 c0f2b002adafe50265789ca04bc8dab8c176e6a7eaae164fdb98ebcb9ff98eb2
SHA512 58fef595b1db5f8fa7dbfcaa3b6b676bdbec8931ffa833858e2452c2f35a1b192746d2315acd27551594377ac121ec80574deee632d4bfa94b6315b8a0d33feb

/data/data/com.iwhu.newguide/files/cfg/a/mapstyle.sty

MD5 db362e36518c847ae80caca571e3c8c8
SHA1 610911bf7869016fb7c9a2026b3024eacf0b4593
SHA256 95549560fbb3d96dc791c2d16fdd5f098784eee75ac293556fe9688fb2f0ec9d
SHA512 41fa2b9b61c131b0926d0f47f86eea56859ca0d4e44ac23647a73ff4b98214183cb0a523336dcae4e2ddb4be932e994e1950365fd3590eb2f7c3b96bd4bb8a41

/data/data/com.iwhu.newguide/files/cfg/a/satellitestyle.sty

MD5 6034f2a3f8bc9639ae820bd977bde4a0
SHA1 599f7994853b61bc5ee09a75b6383a13a5a685f7
SHA256 753705cb1ab2a676a9ef48881cfb036f212c4a7e7a5d34d9f8708075078e5818
SHA512 acaf0d146e4e3739eeaa40d46f7002776ebc4074bb89d12a5c25b12f53190a0e367ef0bd3225835e7e4b39a70b06e9f7328b1e342a9c5829af7610c14d41898f

/data/data/com.iwhu.newguide/files/cfg/a/trafficstyle.sty

MD5 1e4b535871c4feb2010b614713def5c7
SHA1 4c5dc67838d12b795b6882c6dbbcc6767e42184f
SHA256 efa3ec85127a21a8c8a74640acc5fe1d992952964d4f257682f832f63c2ad3fc
SHA512 0c5443dbfdafab2e6cb7740587f48ca9a2c971b93afafcebccd17691edaa7c7fb75dfd1b6c939dd591a5aa65977f55e64b6c3690ab0a660432269fc43bf3133c

/storage/emulated/0/baidu/.cuid

MD5 86f5d5f2c5dc8e2f3b690e50fdb698d4
SHA1 c0c7f36a66459ca55db1809dcf7f3b39d391f93e
SHA256 7725cf52c8aeed4a9c2d8e098159da5562ec932c5aaddf971d8ba4665b211ff0
SHA512 b515b0482220781d2d77bcd04dea8e6f2341b6773e7a052135f962bcab2669405bf961bd9ec7a103965bb6dc36285caa8ec6c2377b76e49d019963798c85e397

/storage/emulated/0/BaiduMapSDK/cache/tmp/DTTempdat.dat

MD5 66d92b5a5b8be5c668ba3c2e2a02d7d0
SHA1 d8bbfdb14b391ef8c51a9f55e195385a430a64b9
SHA256 775e095ffc6de484c273e032c13df55cad57356e3749ae48bac9763f9d296d1e
SHA512 69f5e77acbc11c11e3a8cc6d8f03b02c736709bfc455cbc8eddcf18c20df7973a08b34680a8394d74aa80fb4de02e1d5ae3b7866175d4f6917743b0861041419

/storage/emulated/0/BaiduMapSDK/cache/tmp/DTTempdat.idx

MD5 9821fa9bf06a0d5162dcaa8b76421dcc
SHA1 921532f0899bceb3d4573c6c1af5c5781f182db4
SHA256 d6441b5f22170d11a2cb15c2b58ab912734740ff3c083e6ebfd83914ea2ca6a7
SHA512 54f2fd30be645b1ab1b4ef3a4cf052642ccfb6f7ca461f8f97ad7a6d674f609e2fe3e815b00e2cbf421fd2123eda59faad451767d8e8479fa54d7f8d59ca9664

/storage/emulated/0/BaiduMapSDK/cache/tmp/DTTempdat.idx

MD5 7dea362b3fac8e00956a4952a3d4f474
SHA1 05fe405753166f125559e7c9ac558654f107c7e9
SHA256 af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc
SHA512 1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

/storage/emulated/0/BaiduMapSDK/cache/tmp/DMTempdat.dat

MD5 8ee6b1a6ca5206766ddd381415e4cdb1
SHA1 c55e24a17a93536d122a3d5347b9ae834e781ea9
SHA256 c102581b88cbdf39aaddfd7e4be8edb6fd9e29ccf60c4e077cf353a5cf8c0a7c
SHA512 50013738bb1d2cac26f70b6c3de7914eaa42d4292f99c0929d15708360011cbe92ffb0918fc8837ed8a0a161eb065c3309d5b17bafcbac3eb1802ffa840b5ee9

/storage/emulated/0/BaiduMapSDK/cache/tmp/HMTempdat.dat

MD5 dec05a11eb0489af94585f6be49f678e
SHA1 d2a7e08cdff0e486120e3dd43039eeae161faa23
SHA256 77a818fd951c9f55e379c80b41a0004247b8eabfdc3d8a9dadeecd39afb9ad9e
SHA512 f678e851e8b3ae0a2c3f58592993e44ca2fdd61f1351627e7213ac470dcc1575eb4885dafa0dfa33ff1aa6c6fb6b5c13e72258e20f131ced4c95d5510426147a

/storage/emulated/0/BaiduMapSDK/cache/tmp/ITTempdat.dat

MD5 99b421116ed04f062a1ef7efe7d8b8c2
SHA1 e4c173532b9ce2c96cb308748e3a884b111ee255
SHA256 ff149d0de811ac9f52bc7439343cc31571e18cf93ea45bbab65945b0e7509c9f
SHA512 b98fc4b104bd480b378fbce01f228ec153dda325a85d38d80c89f0eba2c8ea49901fb3a0de079c071d2a91d723d90747a3e541eda4eb7212d64c49b989eb5957

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 380e82b31ed32e177aef31937bafbba5
SHA1 d01f9848aa27c609f6796c34015cbbcfb2ddad08
SHA256 5fefc347fd42bf422d8c697d86c3a9e45218d177e1499cb2e51bccc9f1575ed5
SHA512 6051ec14d49207dadf048792c24f0a709a58aa360ffe1a6ac0a1355da012b7af683c4aa3e2c09720f0d8a4697e95a3b2bab2e6895c83852446ed4ab5fbae21b2

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 847a24c4139e0b981302d65672702d88
SHA1 985c090bbb079280e6be1a5247128f0c1525cfe1
SHA256 c857534050acd6e3a63830ea73d6cf09d6c8b5b8561add92051d349c162cf3fa
SHA512 e354088a3c60e8d2a5887edf24229d81260ea9b573a00b40ca9562871fc11490b748e9f9c48e647219ae0c7a1f70c5ff88216f86a5a4767f970f52fb9faa8137

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 fa2543ddba2e4e67e0ebf1d01bad0c0d
SHA1 42a450c12caafd76c09e9bb3bd881cb69510e473
SHA256 2247f8b21396bb44b53bcc653a42a3e6020326fe072ea7513e56381ea955ceae
SHA512 cce9ef035f390e931fa44fe492dbdc1d62cee45ca30836fe3927e1a00258a86ef5b326797e19f959e12e6ce574a45d838a4f4285642886098a75d707eda94f23

/data/data/com.iwhu.newguide/files/umeng_it.cache

MD5 7a57e7322b67477627f16a2005c868cc
SHA1 277aaacc1383308367d423b8cefc8ef8171e2a25
SHA256 b08b0792a4f031b058cdcb1dc82279d9432a118408035fec55a622914cb5fe3d
SHA512 9dc29670a7f663e921833133be564176c751c84ff2f99d17f5f92c55e2ce28cbcfa63178fd7ef029cfb092237e1458fee8bd41ddeba905f6a5c7995cd998f25f

/data/data/com.iwhu.newguide/files/.um/um_cache_1718256699301.env

MD5 445da5f990e97772112e3a871643d706
SHA1 39a399f5fd04cbcb6060043e3a4ccafcdb72e704
SHA256 a8cb9896912ed046f821592ba0e6fde1e11b9152ecb521150dbe71cf449b6c2b
SHA512 5a5b315f517586a0f072721d02578155fc6955ef54d1886dbd251cb3c8e74a7f1229484c2de469ff11fbaaa2c6cf0f2f77899a5f1207ba17faef3c8cd670f66c