Malware Analysis Report

2024-09-09 13:22

Sample ID 240613-ggy1jszflr
Target a40e179d159c6e6a166a2edb73070fb9_JaffaCakes118
SHA256 586e921c229acc774595068302904195de5b8d52774d5c4f550acd42e251d625
Tags
collection discovery evasion impact persistence
score
8/10

Analysis Overview

score
8/10

SHA256

586e921c229acc774595068302904195de5b8d52774d5c4f550acd42e251d625

Threat Level: Likely malicious

The file a40e179d159c6e6a166a2edb73070fb9_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests cell location

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:47

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:47

Reported

2024-06-13 05:50

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

131s

Command Line

com.ys.news

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.ys.news/mix.dex N/A N/A
N/A /data/data/com.ys.news/mix.dex N/A N/A
N/A /data/data/com.ys.news/mix.dex N/A N/A
N/A /data/data/com.ys.news/mix.dex N/A N/A
N/A /data/data/com.ys.news/mix.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.ys.news

sh -c getprop ro.yunos.version

getprop ro.yunos.version

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ys.news/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/com.ys.news/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 172.217.169.74:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
CN 203.107.1.97:443 N/A tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
GB 142.250.187.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
GB 172.217.169.74:443 N/A tcp
GB 172.217.169.74:443 N/A tcp

Files

/data/data/com.ys.news/databases/bugly_db_legu-journal

/data/data/com.ys.news/databases/bugly_db_legu

/data/data/com.ys.news/databases/bugly_db_legu-shm

/data/data/com.ys.news/databases/bugly_db_legu-wal

/data/data/com.ys.news/mix.dex

/data/data/com.ys.news/databases/MessageStore.db-journal

/data/data/com.ys.news/databases/MessageStore.db-shm

/data/data/com.ys.news/databases/MessageStore.db-wal

/data/data/com.ys.news/databases/MsgLogStore.db-journal

/data/data/com.ys.news/databases/MsgLogStore.db-wal

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/data/data/com.ys.news/app_crashrecord/1004

/data/data/com.ys.news/databases/bugly_db_-journal

/data/data/com.ys.news/databases/bugly_db_-wal

/data/data/com.ys.news/databases/accs.db-journal

/data/data/com.ys.news/databases/accs.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:47

Reported

2024-06-13 05:50

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

46s

Max time network

178s

Command Line

com.ys.news

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.ys.news

Network

Country Destination Domain Proto
GB 172.217.169.36:443 N/A udp
GB 172.217.169.36:443 N/A tcp
BE 173.194.76.188:5228 N/A tcp
GB 172.217.16.228:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
GB 172.217.169.36:443 N/A udp
US 162.159.61.3:443 N/A tcp
US 162.159.61.3:443 N/A tcp
GB 172.217.16.227:443 N/A tcp
US 162.159.61.3:443 N/A udp
GB 172.217.16.227:443 N/A udp
GB 216.58.212.195:443 N/A tcp
GB 142.250.179.228:443 N/A tcp

Files

/data/user/0/com.ys.news/databases/bugly_db_legu-journal

/data/user/0/com.ys.news/databases/bugly_db_legu

/data/user/0/com.ys.news/databases/bugly_db_legu-journal

/data/user/0/com.ys.news/databases/bugly_db_legu-journal

/data/user/0/com.ys.news/databases/bugly_db_legu-journal

/data/user/0/com.ys.news/databases/bugly_db_legu-journal

/data/user/0/com.ys.news/databases/bugly_db_legu-journal