Malware Analysis Report

2024-09-09 17:52

Sample ID 240613-grttks1aql
Target a41b8f977592b36f9839177e7f923f66_JaffaCakes118
SHA256 3ef2a12a465615e35e64af0c90a694bb0f95f12ca9eb43169dfe3ea48da58451
Tags
banker discovery impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a41b8f977592b36f9839177e7f923f66_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:02

Signatures

Requests dangerous framework permissions

Description: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.READ_PHONE_STATE
Process: N/A
Target: N/A

Description: Allows an application to write to external storage.
Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:02

Reported

2024-06-13 06:06

Platform

android-x86-arm-20240611.1-en

Max time kernel

88s

Max time network

140s

Command Line

com.ledong.princess

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description: Framework API call
Indicator: javax.crypto.Cipher.doFinal
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Processes

com.ledong.princess

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 aos.wall.youmi.net udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 stat.gw.youmi.net udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-journal

/data/data/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf

/data/data/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-shm

/data/data/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-wal

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-wal

/data/data/com.ledong.princess/files/mobclick_agent_cached_com.ledong.princess

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:02

Reported

2024-06-13 06:06

Platform

android-x64-20240611.1-en

Max time kernel

120s

Max time network

149s

Command Line

com.ledong.princess

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description: Framework API call
Indicator: javax.crypto.Cipher.doFinal
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Processes

com.ledong.princess

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 aos.wall.youmi.net udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 142.250.200.46:443 tcp
GB 142.250.179.226:443 tcp
US 1.1.1.1:53 stat.gw.youmi.net udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-journal

/data/data/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf

/data/data/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-journal

/data/data/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-journal

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

/data/data/com.ledong.princess/files/mobclick_agent_cached_com.ledong.princess

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 06:02

Reported

2024-06-13 06:06

Platform

android-x64-arm64-20240611.1-en

Max time kernel

133s

Max time network

170s

Command Line

com.ledong.princess

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description: Framework API call
Indicator: javax.crypto.Cipher.doFinal
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Processes

com.ledong.princess

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 aos.wall.youmi.net udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 stat.gw.youmi.net udp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
GB 142.250.180.14:443 tcp
GB 216.58.204.66:443 tcp

Files

/data/user/0/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-journal

/data/user/0/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf

/data/user/0/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-journal

/data/user/0/com.ledong.princess/files/abf3531c1a6d5f50849b3b4d000098bf-journal

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

/data/user/0/com.ledong.princess/files/mobclick_agent_cached_com.ledong.princess
