Analysis Overview
SHA256
c16de6dd0e8c317960b4d8d9798bf7bc0078e4417ca91c0c0f34ca4b7ccd6697
Threat Level: Likely malicious
The file a3dc92f199e42cfc32917137a76af620_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries information about active data network
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported: 2024-06-13 04:45
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-13 04:45
Reported: 2024-06-13 04:48
Platform: android-x86-arm-20240611.1-en
Max time kernel: 4s
Max time network: 141s
Signatures
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.rxwy.xun
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
Files
/data/data/com.rxwy.xun/databases/bugly_db_legu-journal
| MD5 | 383878954ea93f8ab3dd8ed5fe2cf85e |
| SHA1 | 53ed8ede654393929e936ea226a721879836ac77 |
| SHA256 | f9b3d8dfc5d209c2b2c6291382e87cac746f85051d288ce86ae615faf3dd1eb0 |
| SHA512 | e174e617a4ef1172e12cb15b47a84838697fffe2ca53cc34839facc7428c081c7bbb943a6c07b5cffc101d6f73f0f3375a37b40d1893c44eb0f6dc6f296bba37 |
/data/data/com.rxwy.xun/databases/bugly_db_legu
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.rxwy.xun/databases/bugly_db_legu-shm
| MD5 | cf845a781c107ec1346e849c9dd1b7e8 |
| SHA1 | b44ccc7f7d519352422e59ee8b0bdbac881768a7 |
| SHA256 | 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7 |
| SHA512 | 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612 |
/data/data/com.rxwy.xun/databases/bugly_db_legu-wal
| MD5 | 9f01f6d0b7491bc693b1633f5a921242 |
| SHA1 | f87c467f54f76e8ce456f5171daaac757c1c9803 |
| SHA256 | 9b4fa1479d72184c0119e1b3311227a51b5ab0ce12d437eb6980af637a2048f0 |
| SHA512 | 6b0d5d29f58439e29266616bb68711db3821f05a41a32b73258e4ca193dab7def5f5c2c9ef2b928452a84b51f6bcabe31319164474931f519e8ebed1000b576a |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-13 04:45
Reported: 2024-06-13 04:48
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 21s
Max time network: 132s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/data/com.rxwy.xun/mix.dex | N/A | N/A |
| N/A | /data/data/com.rxwy.xun/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.rxwy.xun
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.78:443 | | tcp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
Files
/data/user/0/com.rxwy.xun/databases/bugly_db_legu-journal
| MD5 | 6ef13278c7f675264c81b44deba01591 |
| SHA1 | 4030c624275b8c9e9dde2bb9b77fe6726b1afbd4 |
| SHA256 | 2d247df54858e94c28d6ce89aa2b461509002d77269455cc7deddb4e3138dfb6 |
| SHA512 | 7bc326ecd06321926e9d57965f349c8eabe3de855aded14520f13729ca32849d8677d4e4fc22b98f4f13efc0c90c13e4ec31a8f2fa196d2423e658b3f7c7ad89 |
/data/user/0/com.rxwy.xun/databases/bugly_db_legu
| MD5 | 0bd9277620edf31d9bf923040b959928 |
| SHA1 | ec794b740a6d8caf8577f6296e9b69131fcdf8f8 |
| SHA256 | c68a946afa371919e5efca7e8df2a3af7c98dfe634009bf69a75f50e08fff093 |
| SHA512 | 2af875fb6ada28be55ffcfe63c8be2de1ae8d5530ece2402e075f4f0694d79a8e779ce445c57ec94a9569b0275f7b88ea3c5dae3fb94d10649f279420f66b836 |
/data/user/0/com.rxwy.xun/databases/bugly_db_legu-journal
| MD5 | ba14d7d254161a8d5f6ccd4fdee041f2 |
| SHA1 | 14a3f359c5b2de6a0b0287043d32f75cd3c67030 |
| SHA256 | 5eb674a3433133aa5414fe29884931f9bd1ebdc66643a3a6b06c71434d828e82 |
| SHA512 | 50f24d77b2edaed799261db10b9c976a84113a4682ebd7b9a333bea06fcaa0cc4e06f5ffc8d46bd5aae3613280e1ffc70e131d0f08d87360f0254047177db56e |
/data/user/0/com.rxwy.xun/databases/bugly_db_legu-journal
| MD5 | 5175b3d38754a2179595d7a322d24543 |
| SHA1 | 88d9fbbeaee646cb0332bb96eb971b2b46e7cec5 |
| SHA256 | 16035faec6c837bd2118432f09b115fda488c9c884210fb5c66c4d6cf897d8ed |
| SHA512 | f504653b91b819ce32b2816dbbccb1c2fbd27c2984e10649cb9004afc9802ece6489ded94a0e174f105a66a7a33aae3e7d193ceed9dd374c3616ce830a1190ca |
/data/user/0/com.rxwy.xun/databases/bugly_db_legu-journal
| MD5 | 8d0efba1043094ff401694953825d49d |
| SHA1 | 633b85ed0bbe313891f0b16626c3b5dbf328eb72 |
| SHA256 | b34b903354685f24c8b8470b1f3c87cafe9abe6d75a8e9251b64b9b44e34976c |
| SHA512 | 35b8534f09b0dcf0d6b8a2e0e0373b5ab4d3ffc5df79d6572a54fbd347099a73e0cd46cecbed3bfbf5c87df47b3d83b052b4a43b52ea6fc565ecb1abe083fc97 |
/data/user/0/com.rxwy.xun/databases/bugly_db_legu-journal
| MD5 | 5a4704074e79cd4f5d0ce32b3023167f |
| SHA1 | ee37f34656a0a121058c32304afbdbda041baa9f |
| SHA256 | 9b541c7271e1a7ada35ac1968d7e6a3c70f221c1403e525eabd2a5e7c5b7da80 |
| SHA512 | d87cad29573dea5e0433aad3eabcd0f0e3af63ded6d533a17540b842e493eae8ce7ea39a4d6b76c6d316b9296554ba3c13eca5ab4670827c7bbf143a9e885433 |
/data/user/0/com.rxwy.xun/databases/bugly_db_legu-journal
| MD5 | a85b51d9c23ff2257b72d6266ef5a4f8 |
| SHA1 | b9883baa37d2da874db04ed8fafa620e48df97a6 |
| SHA256 | 936f01874f09634a7cf22c6c915c9de4bb3e019d89175033d44079b16074bbcc |
| SHA512 | 106020429074b4bf7c98b27ce162a01679df76f740036fe76371f464db2d9c95c9d21e40f1dbdfeded4e80d89f4638bafe0ef7bfbef933218778d4c73bca19a1 |
/data/data/com.rxwy.xun/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
/data/user/0/com.rxwy.xun/app_bugly/tomb_1718253941361.txt
| MD5 | 3bc9dc58e98681205aabd002ccab913a |
| SHA1 | 181dc1dd82270849e622aeeb2c2f6e58b4cccb3d |
| SHA256 | 955f005ba0b86c51e959bf5424cd36c2c96089c8f6c078f18f3515e305c3e6c0 |
| SHA512 | f7e4fec9c817d76045aa5bdc66985e03d220c2b5dd44012bb8efa2e70d7f02822a628ad992394c91c020f66e8266059711f80a0787b0116b4c76d4e9341f8b38 |
/data/user/0/com.rxwy.xun/app_bugly/rqd_record.eup
| MD5 | 6044bb6e517b1ef4a922aefeb23d0d79 |
| SHA1 | 9e637156f6ec9bca8383ef7df75f348076431d90 |
| SHA256 | 9967d5fabbddc5b93fc58e2b98febc5769f3e4218e52ef9979e2369eb43192b3 |
| SHA512 | db6db3c6dc302d679ec499fd66a356a6f0a44ca505ddec5b4b978031813fa3388e47de0580a262d95bb4ee2f6a895474d463c24f2fe6167904c17ffbe12c0b41 |
/data/user/0/com.rxwy.xun/app_bugly/rqd_record.eup
| MD5 | e7d51b6a3db3a83bb03d9632f00ae5aa |
| SHA1 | bd76d9e26d6817ddf82fec6524fce2e35150932f |
| SHA256 | 9237a4cfe70bd04cb86472a00b78318750eaf1b5b7c1b778543a9152923e14ad |
| SHA512 | f266067a63ec5701935a75b678c0c6fa71c0ec72977356f15a76b7bbddf875548c5d31646f22b8f1388cb5e746521cbf346fd8e26c5baeb847ded09063d68ea2 |
/data/user/0/com.rxwy.xun/cache/tomb.zip
| MD5 | b7d1680602d8f2805a32c0c221e2abc1 |
| SHA1 | f637a2811811bcecaac35eb0f188997aafe500df |
| SHA256 | 211516af4c78fde582cd061aa0483f23dbc26c09764c813ca30cfed6956a3e28 |
| SHA512 | 041ca41db5c9efcf221525b5703ae96f43d817bab100794be2841d80fd5066659cca7827e9ee4eddb00ce087d71eb63820797624f31ab6da9f8a63a42155a90a |