Malware Analysis Report

2024-09-09 17:51

Sample ID 240613-gc8n7azdrj
Target a408440e12dd4d74902d09911ea4832b_JaffaCakes118
SHA256 9c91f511a4c6d71f59cac878c6948143033e0876a30d8f83090777f58c6b98c6
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

9c91f511a4c6d71f59cac878c6948143033e0876a30d8f83090777f58c6b98c6

Threat Level: Likely malicious

The file a408440e12dd4d74902d09911ea4832b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:40

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:40

Reported

2024-06-13 05:43

Platform

android-x86-arm-20240611.1-en

Max time kernel

105s

Max time network

178s

Command Line

com.taotaosheng.optimize.picasso

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.taotaosheng.optimize.picasso

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

/system/bin/sh -c type su

logcat -d -v threadtime

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp

Files

/data/data/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-journal

MD5 9c083f795c172a533029e602822c541a
SHA1 8e7cbadc3296a841fb5ba5409b06e4ace79c0938
SHA256 cfc24e4fe21cf88059c9b1cd3b302d2a6b39dbd6e6549ece026012c76bd88fda
SHA512 ce560081d68fa8729fb73088134c6bcfa3da3aa746b084187ce0c1ca3c7fa31bb5b0c22a693c3e2fdec91b071393fb5b25b1e8c844844a25c558e62728c91f59

/data/data/com.taotaosheng.optimize.picasso/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-wal

MD5 514238b0c8ba81716f363c273b8122e0
SHA1 735925bc60e506ecd63bcc341c4fd8cd24f477e3
SHA256 5cb09c666fc58ac96fd508c07c31eea1caf17c623780f7cad3e101cf40e7a0f8
SHA512 e20f0c28d0f1e5199bbf58dc61e5c96a8c8924e6a99813f33dd2d43ccf9c099d986c6a6b70e223bff88448931c5e47286f4c0e54dd9c6e512b10efc9d3959bed

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:40

Reported

2024-06-13 05:43

Platform

android-x64-arm64-20240611.1-en

Max time kernel

3s

Max time network

132s

Command Line

com.taotaosheng.optimize.picasso

Signatures

Checks the presence of a debugger

evasion

Processes

com.taotaosheng.optimize.picasso

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 216.58.212.234:443 tcp
GB 216.58.212.196:443 tcp
GB 216.58.212.196:443 tcp

Files

/data/user/0/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-journal

MD5 e8fe664a13cbaf23bfeb16af9a69fe59
SHA1 08cbdcf2dcf1a2055f7241e64e60b765d0134c52
SHA256 0fa6589b9a15b8a047168c6e397789f3bbbe77f047f6acec57dab15cfc97f6ba
SHA512 1b86179734b5ca154dbb4a806fa2b8ccd595e3a1b3abf159eba146d57dae167450701ceac009cfe969de6acd54246362af66e15242140d524cb2c3f5e47fd81a

/data/user/0/com.taotaosheng.optimize.picasso/databases/bugly_db_legu

MD5 69c81aac919582263c22e2f201e3d357
SHA1 a55e198c7b40c4543ab41b6d2cb2af83b245d3b8
SHA256 2a142f29d89ef9f2b24d392bcab046a44b33a76222f138590aa8bbb2fc2fb3a7
SHA512 98e24e3245002b215c108014802f16c85cd58dfd3f5163a9821718bcf9741aa14223d65b78242fdc020d11e792377ce1cd4d0404ed5ebe474823429b52bb5b98

/data/user/0/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-journal

MD5 96874af33711e62dba1df31483cf8080
SHA1 facd17d1fc7ead60aaf1fd5eea29bef4cf266b3b
SHA256 3d53acade8e6cd97c5b15cc34a4c9e211408f954b22595dfc6e3e72dbf3b4be2
SHA512 115224f91b26297a51b48f5fa80c4d7504943a88a5d224e343ec817a4367a3ca11a70e3e9cd3b34353690f61b3b5a482616fb88f115416330e9aaae165d68a14

/data/user/0/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-journal

MD5 68817ddb92a7b6e1f210bf65875d6b50
SHA1 fdf9f07d54797c32a48e51e390cdba2ff5b28716
SHA256 12309336e718f59bed9dcb702e17a0b91b5f99b56828f8c75d02431093ad9e8f
SHA512 ba0e6fae6df7284310aa3a8a6086595140cd3ab6a421205cbf2f429fd726788a2df80507308cf5e0dd5fa63d4eae2b5cf2a3c11877d850b68e4453cda135f3fc

/data/user/0/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-journal

MD5 4bd9fafce687151c9eeb5070e9be56d9
SHA1 4fb6f6c741e057a99f31b3c2fbd9bd9aed19a60d
SHA256 daf90c8616262ed76fa2cc3daef10c233d1cd6349380d1acf26054d1be4c595c
SHA512 7b0628564da5a360a9d304f49fdeec16ef383164b1a7712fce224bee60ff4233549dcd76ed1d6d96f70d9efd58db1681787cffe06227be99f163657d1697c14a

/data/user/0/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-journal

MD5 1081875d5c157882c7b9ae002b555927
SHA1 89c064e5c66a82b78b9e96f2045b3323c0974a67
SHA256 afa785212e9b1b6edc00a41b31079734aedbfcc951954760ccca4142b65149ed
SHA512 d37b14fa31169ac2feee9716260f8ee05013894826f8a22485c964a0523b74243f1fbc602e7ca12b2f0f3c3bb9d617ffe90c5fd73aae81bf4de3b78b1bb4dea4

/data/user/0/com.taotaosheng.optimize.picasso/databases/bugly_db_legu-journal

MD5 44bc3fea43c0e424b47494f79a937164
SHA1 f21d888cfc032f92efe38c05b9fc4e1da019c337
SHA256 b56b35d0e1d86d19174036017f44612e0c75ad7b81f54b75c82c1841a69865cd
SHA512 9fb180c952db51e5df0fcdadd3f8c3ee668a4f518a8b9a82b7471f4b7baed5b33bb9ed7bfb857451fe3347d90ab95e85509d64458629380adfe9409efd2b47a7

/data/user/0/com.taotaosheng.optimize.picasso/app_bugly/tomb_1718257258376.txt

MD5 bd0f8f8f3ad93fa07623422ec6e72003
SHA1 c3589295e7a4ddcf35bcd7a2c13bfd381783821a
SHA256 7fe875398dea7537a57a77c5275cbc8647aaf63ab6fd9148443b65df2e1d0647
SHA512 2ec3e073321262b667afbf98fe4e9f51e4c0c58baaad506b120239031f10699d699b94470bef13007bd6199df3d3b03f1eaf147c0cba5178aee7e267072b1c0b