Malware Analysis Report

2024-09-09 17:50

Sample ID 240613-gecdrswdpe
Target a409ec7ca6d13310480ca5ef56e27e3c_JaffaCakes118
SHA256 076c6dbf7627dffcfa07e7e278437ea17313c3e967a8cc31f8d2f12b3daa49de
Tags
discovery impact
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

076c6dbf7627dffcfa07e7e278437ea17313c3e967a8cc31f8d2f12b3daa49de

Threat Level: Shows suspicious behavior

The file a409ec7ca6d13310480ca5ef56e27e3c_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:42

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:42

Reported

2024-06-13 05:45

Platform

android-x64-20240611.1-en

Max time kernel

35s

Max time network

168s

Command Line

com.pandadoctor.pedi

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A f.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.pandadoctor.pedi

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 f.appjiagu.com udp
CN 180.163.249.208:80 f.appjiagu.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 142.250.200.10:443 tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
GB 142.250.200.46:443 tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 216.58.212.238:443 tcp
GB 142.250.200.2:443 tcp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.pandadoctor.pedi/.jiagu/libjiagu_64.so

MD5 700c4805546b91b4b67c68d0f61645cc
SHA1 0d95f797434316c92a0ca6ce62f7f7bc8e346479
SHA256 b3e78d93e35c4c35d7e62acca8d7503da85a7c0eb8d8dbce1f3e0f58de1bbe63
SHA512 909a9570f3f90bb8da63b4f387729f284c9f9dde8997f70f0671b0bbb113780f96cd885e3ba01ed6b602cebef2ca406008c486e924fe989ddf5f9470fb4633f8

/data/data/com.pandadoctor.pedi/.jiagu/libjiagu.so

MD5 6c9d83b90aa9c9f904d22eb9b16f8f95
SHA1 4d5e0ce3c55a22475b58a982d67ab9aa84384c40
SHA256 2432ac0b864b33cd599129578c42c43811461dbcb83e2a21301ccb8d0810c5e7
SHA512 07d16f67cefc986c0d6974e3bbc38d95b5b184520ec8f3c9ae59a2f0e76213d359b35dc507d482322d2c045ee75183def8e3d7659ff5fa78f6afff931084e90b

/data/data/com.pandadoctor.pedi/.jiagu/classes.dex

MD5 b5f7b77d9a8ab7fc863080191365d885
SHA1 339187586715e93790154578be54ce295682183c
SHA256 cc1159b69c8ca9a18b458b501d112a4679f56f1934d3d0e67472e48eab5fccc8
SHA512 15f5f0b203cad51c6b266468c7ef9e0b8de23b304fa0969b9bf6dbf1c79f7913a130c581547cc3891522063ceb47b11a89267c338dc8866d04690ec8255e42c9

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:42

Reported

2024-06-13 05:46

Platform

android-x86-arm-20240611.1-en

Max time kernel

34s

Max time network

131s

Command Line

com.pandadoctor.pedi

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A f.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.pandadoctor.pedi

chmod 755 /data/user/0/com.pandadoctor.pedi/.jiagu/libjiagu.so

chmod 755 /data/user/0/com.pandadoctor.pedi/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.pandadoctor.pedi/.jiagu/classes.dex --dex-file=/data/data/com.pandadoctor.pedi/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.pandadoctor.pedi/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 f.appjiagu.com udp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp

Files

/data/data/com.pandadoctor.pedi/.jiagu/libjiagu.so

MD5 6c9d83b90aa9c9f904d22eb9b16f8f95
SHA1 4d5e0ce3c55a22475b58a982d67ab9aa84384c40
SHA256 2432ac0b864b33cd599129578c42c43811461dbcb83e2a21301ccb8d0810c5e7
SHA512 07d16f67cefc986c0d6974e3bbc38d95b5b184520ec8f3c9ae59a2f0e76213d359b35dc507d482322d2c045ee75183def8e3d7659ff5fa78f6afff931084e90b

/data/data/com.pandadoctor.pedi/.jiagu/classes.dex

MD5 b5f7b77d9a8ab7fc863080191365d885
SHA1 339187586715e93790154578be54ce295682183c
SHA256 cc1159b69c8ca9a18b458b501d112a4679f56f1934d3d0e67472e48eab5fccc8
SHA512 15f5f0b203cad51c6b266468c7ef9e0b8de23b304fa0969b9bf6dbf1c79f7913a130c581547cc3891522063ceb47b11a89267c338dc8866d04690ec8255e42c9