Malware Analysis Report

2024-09-09 17:52

Sample ID 240613-h3bmtashkl
Target a4603bd6975a86ea3e8303ff1cfa69cc_JaffaCakes118
SHA256 327c01ee8fadb9e62cafb12dccda1dc3121f8765530e442706d45f955f98314c
Tags
discovery evasion execution impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

327c01ee8fadb9e62cafb12dccda1dc3121f8765530e442706d45f955f98314c

Threat Level: Likely malicious

The file a4603bd6975a86ea3e8303ff1cfa69cc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Reads information about phone network operator.

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:15

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:15

Reported

2024-06-13 07:18

Platform

android-x86-arm-20240611.1-en

Max time kernel

156s

Max time network

185s

Command Line

com.yxxinglin.xzid81962

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yxxinglin.xzid81962

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

/system/bin/sh -c getprop

getprop

/system/bin/sh -c type su

com.yxxinglin.xzid81962:channel

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | cgi.connect.qq.com | udp
HK | 43.154.252.110:80 | cgi.connect.qq.com | tcp
US | 1.1.1.1:53 | api.weibo.com | udp
HK | 36.51.224.49:443 | api.weibo.com | tcp
HK | 43.154.252.110:443 | cgi.connect.qq.com | tcp
US | 1.1.1.1:53 | umengacs.m.taobao.com | udp
US | 1.1.1.1:53 | pingma.qq.com | udp
CN | 119.45.78.184:80 | pingma.qq.com | tcp
CN | 123.183.232.17:443 | umengacs.m.taobao.com | tcp
US | 1.1.1.1:53 | amdcopen.m.taobao.com | udp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
HK | 36.51.224.49:443 | api.weibo.com | tcp
US | 1.1.1.1:53 | pv.sohu.com | udp
GB | 43.132.64.26:80 | pv.sohu.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
US | 1.1.1.1:53 | kefu2.qkagame.com | udp
GB | 163.171.146.42:80 | kefu2.qkagame.com | tcp
US | 1.1.1.1:53 | update.qkagame.com | udp
GB | 163.171.129.134:443 | update.qkagame.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | down.qkagame.net | udp
US | 69.28.62.188:443 | down.qkagame.net | tcp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
CN | 123.183.232.17:443 | umengacs.m.taobao.com | tcp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
CN | 110.253.189.208:80 | umengjmacs.m.taobao.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
GB | 172.217.169.74:443 | N/A | tcp
GB | 172.217.169.74:443 | N/A | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
CN | 106.11.61.137:80 | N/A | tcp
CN | 106.11.61.135:80 | N/A | tcp
CN | 106.11.61.135:80 | N/A | tcp
CN | 106.11.61.137:80 | N/A | tcp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
CN | 110.253.189.208:80 | umengjmacs.m.taobao.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
CN | 110.253.189.144:443 | umengjmacs.m.taobao.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | umengjmacs.m.taobao.com | udp
CN | 110.253.189.144:443 | umengjmacs.m.taobao.com | tcp
US | 1.1.1.1:53 | amdcopen.m.taobao.com | udp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp
CN | 203.119.217.116:80 | amdcopen.m.taobao.com | tcp

Files

/data/data/com.yxxinglin.xzid81962/databases/MessageStore.db-journal

MD5 df6e7cd9a4ad4d360ca9c32d9e36a544
SHA1 3b2143e9e58c309d8a935ff744b166ebc0b9fc68
SHA256 faa1d9f786752faf7db2efde4df3ef62432022158bd08dd5e24ec7e384c96743
SHA512 6ff980d3cdffd6be3f97506ec3d7faaf9812e74ef594571a35cb70c40b7146c5db8cba06d5e1cea22dc5a26421bb450cfdb93af1a876e19b4794f0bdcf5770ab

/data/data/com.yxxinglin.xzid81962/databases/MessageStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.yxxinglin.xzid81962/databases/MessageStore.db-shm

MD5 10304e954bab4789e1a99fc85863a04b
SHA1 1e24b3e6acf511de61cfac33321e0c541c185013
SHA256 dcc8c6476d055bc24c71ff603cf18db7f1fed5495896655f623df2e5e575f192
SHA512 451cd4020c0a67c84ee9045c6e5fce7cad0ea165c3225f51cdcb15a4ddf655bd50d25d95ae4b4e166395a4402acb1104b9a6a09cb01d2c9bdc1288b2070c9938

/data/data/com.yxxinglin.xzid81962/databases/MessageStore.db-wal

MD5 74f6f749d4e6d9a5849808f597f48d0f
SHA1 677721630def80fea86609d2c9f8c71b3769e2c4
SHA256 b0958cb13151d30df6ba76861237fa6d08dce1550dbf589a266c1abe04a37e6f
SHA512 d98933e50b9928c1e5202c64f8b324f968c7db0448a655bae874ad2bea4d66abb387563882aa37d36a3b04f34ca90080d8ca8aad88169bdd71970465c79dbe5e

/data/data/com.yxxinglin.xzid81962/databases/MsgLogStore.db-journal

MD5 8083517767d9c0719aa3c7958e2a3511
SHA1 f3b561fcbc6c29c21621ea1c4a2b48997df26ea3
SHA256 2c409ce85a3b0dae71e4559a9e8c710e32a67576230e60a6ae926c00995c3831
SHA512 8ab7959e8adcf43beea8c0c83c704d3d56fbd80f9b3d167437f42cc6d756557543e4245652d0869ed56f8099f748731cdc49ff9a52a2a23a726a834f997631e1

/data/data/com.yxxinglin.xzid81962/databases/MsgLogStore.db

MD5 1705da3ae6a94c0267668dc250273eaa
SHA1 f30ab1583695ab6d5c1b293450fbd97d4ec947d1
SHA256 6f1cd6bbe5126b5035b7e4bc43d3e54c6b75f39bd387b34dc8339d1cd5f57e0d
SHA512 b4d68489130a9316a333f2963819903a14e50a73d0ed1949e2130ad19158a92e1cd40202b100ea3474fa0bcda3468608c75f828cb607b5bd8c31fe36f0814656

/data/data/com.yxxinglin.xzid81962/databases/MsgLogStore.db-shm

MD5 8e506d5c9983685fe7806c8c252e7bd5
SHA1 9ab31c623187498f945b9d45de31e92ffe9dd5af
SHA256 c1b8d78ca15821dcfa0ee7a621dcd635a23bd4a42214eef641e755687c1ee69c
SHA512 29b0ba35ccf58847771c208ac3f287186d80601cb00ef206b1ad05e9c50febfcca00974769ab36902ec3896df1d5a021f4cabdb9ca545208e694c1070eaf1f9a

/data/data/com.yxxinglin.xzid81962/databases/MsgLogStore.db-wal

MD5 d798f36568b7b146e3a7cef5de9fc21c
SHA1 996c9fced7b900dae2854416b1c8e5d9b37b0cd1
SHA256 24e164f89f91bda50c8d605382f7bb0a71b2a18fd14ea8b74533842c2d175af4
SHA512 a3518e7129038345d95306bad1e2ec3097cffdd6e79ea3609a332c73004218ccf4106eab792c7cd6e1e6e499ec7aeb31d728fb4310c1909cd4f55cffc786d782

/data/data/com.yxxinglin.xzid81962/databases/accs.db-journal

MD5 eb8bdd46bf3266253a76cb8a9433dd1b
SHA1 51fbd4eda0c9b4cd4b10f35b7868d013d5d8d5f9
SHA256 f1455bf7c0a0a6c92110a1e1777ff784dae4e40f0e9f3b237637095c9dab4c37
SHA512 f49f8bab9d90150015c9612d73fea4ccb07e1c6bc02049ca9577e43b92af9f4533a94c22e821022edf9afbf0e6a85e28fc2b6068bf341bc430eee35c97393fcc

/data/data/com.yxxinglin.xzid81962/databases/accs.db

MD5 486e2bac2b3e9e1cb411d2838a4854bd
SHA1 81dd0a7537f4af319b830ae834908986be85da8b
SHA256 5644a250fa6cef16c2c802b98275656a5fc39dcf89bcc22193742d85c7313f57
SHA512 c146789563dae163e373489b3df53f22efebd32b69643992969241eb5ad5eec668de67e7cd2aaf5c3a8af57b0842115d00183825734f57643d3fdb09835fe681

/data/data/com.yxxinglin.xzid81962/databases/accs.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yxxinglin.xzid81962/databases/accs.db-wal

MD5 a89e349134ae86a549f5e8f25d814e9b
SHA1 cd42ebd808afee65d62dea25a473da41251c7ca7
SHA256 bf6139e14cfe2cbbc420517479d78795de7ba896a2b6e104c39c831c804f559e
SHA512 be50b9431f1bedd9bbfa327a0988c35cb03e5f7b56b28f46957d5990edde1be94cfe747cbfe56df5fe9685de41e9235587d1b37705d3656857e430e771a66726

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 04bdaba105ba8cd96292241a784eb416
SHA1 f47a3252711a2a2922d7311a70a802fc4a883aeb
SHA256 fdda60b7874d6c91bd1503cf62a228246f174f9825eb12a974ec2ef5f39afa79
SHA512 343ee93722051e8ede4f1fa34966206acded45afea22ca94bab29bd14f37a482d382dca59defec9bc99171d2524983f1dbfda40d255bf34dcbda2af33ffa10a7

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 d139853ac11e47591a4dcf0d7bf1ba5c
SHA1 b7dddbffe6b0a088546b73040742424a63a87e7e
SHA256 3329b80b45acdc5ed9a4e2c79f33f30b72861718e46da6b2f12c6ad81e0bfcbc
SHA512 64ec66769211da09b627910ce3bb8ea94227bdb6ffd1e34dff08aefbf69f39fff626b082bb77db305e7387ddfd81eb4a90030ebf7a3fca37d41a484b7604107b

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 12c8ea2c9f0ebb0723b20bc2a387aa21
SHA1 70fcf98e31b7f8df3ffb6b92d57e37f1bd7a3eea
SHA256 cdd4910b809b25c0e1924fa7793981bedfd97db38fd2f7e653bd03f5236a8303
SHA512 375831285c44ad7720950d520ae2d77982f01a4d1dec3194be36014114bb0c8cd0af127873ce65264f85c205a12432e9d4a7ef60fb54d3e26f00ca25a01f987f

/data/data/com.yxxinglin.xzid81962/databases/tencent_analysis.db-journal

MD5 eb672e0521dc1a93767d7387f3e89c07
SHA1 510fa30fac17600cabcf9fd1732a2b1fbc8fab55
SHA256 9f9cc40fb4b97f52b6223a8ae7c3d3b967057b042bee8ec3a3237994eba18fbe
SHA512 9cb2d429f534337e1801b70ad826c30b8df760f461106cca831cf18628aa4f08f05c3567d81ad177dfb73b8b9a7ac20df6917d5a5964148cb55caacffe353703

/data/data/com.yxxinglin.xzid81962/databases/tencent_analysis.db-wal

MD5 7ad4c46be34704dc49d4e930edecba06
SHA1 40a0eb3e4ab83a9d820a5287d74c1ea664eb80a2
SHA256 0dc769d4b6e7f85b53b57eed16d796f3b8501ac00f49601df08c7379d32439c7
SHA512 a705bb05c390a3b12e35e2bdc14e2e2921ce42029fe185739ed29af1c430a0cc83e5ce0a43f5e0447f341e0793e7b59cf2824da6accdfe44ca1e46ce18e7bde2

/data/data/com.yxxinglin.xzid81962/files/com.tencent.open.config.json.101400326

MD5 f526172de1566b34fdcea744710d9559
SHA1 000cb54d9a008a807a1c5a3fd2b2e7cb41e7939d
SHA256 8572be02b59f4d514000939ec04a9b4e2380c55265256b724a617d8d0f4c6940
SHA512 dc81f0fe345b18c96b1638c67b9ef4c5e60059dfc4a02f3c30a23645d4847abeef46cf467d044c42597115c48052ce0e8ea24328382114a544c5dfd039a95e7d

/data/data/com.yxxinglin.xzid81962/files/cclogs/2024-06-13 071546.log

MD5 38cb43f9000f6b915e15ae88489b0949
SHA1 71011a73368f2c98969619d808d7257894e93db9
SHA256 2f5ac4a669494956e82465b47661d5bd85667a82b3e44fc7d8b73120d68c4041
SHA512 fe2ded34997c5a878cbb6dd33e1ae6d95fa6459c789a7c6ffa4d9463161825a8324c67e2b43bcdf1b5ef1356a8ad24e8ddb4511027dc7497028aec2158eefb69

/data/data/com.yxxinglin.xzid81962/databases/bugly_db_-journal

MD5 c4a943a663326b1d8a5036b68f38963a
SHA1 ab8e064a63a3f1f997db94a5a854add479954089
SHA256 386a909e720c419712d9c1209bff59d05538259c337604998c35bf896dbfc953
SHA512 e176d731dd75d14c04bd1bc059e9dee1e02579fc01cae8739648f6dccce219f27b6406bdbb3d2c0b517c21373718faac7682e5e00e09b9799eabd04cccbec73a

/data/data/com.yxxinglin.xzid81962/databases/bugly_db_-wal

MD5 3ef644186890402bc14b548f0ad4b977
SHA1 9d26f3e708a9a1f7aa9ab1b221125095285e5fba
SHA256 106907461a88af9db385ae0e7104b182449058de39eb1415b5d7f9a003410e48
SHA512 7a6338d3552eb48ad2c084c7c2d6277b06cdadefde7c02f4ff4f83a0bdab9834c6a9679df1332ce32e5895414a1785c54ffdafd404dcb48fbd2c94d3ff8bf533

/data/data/com.yxxinglin.xzid81962/app_crashrecord/1004

MD5 ea8cd23c8eead36c169d42d3f465b8c1
SHA1 0dbee422461fd860e1c5ec9721193ccebba5add2
SHA256 53006260d2c0cc07645a9c4ea27d9388b75630ec48a53ccf7b38aee9539c901a
SHA512 d6c984151e0b3daf8c8745b6b06753dcf85641612cf7465c618b985dad7b82ac1f5bec76258213b134e02a3ffd8ad9504c72687bd9866254fd1801d46eb0da1c

/data/data/com.yxxinglin.xzid81962/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1