Analysis Overview
SHA256
ac495363199b70ef6639d73ab64856d378df66b41ca1ac3069ba8c977919265a
Threat Level: Shows suspicious behavior
The file a46c186e760bf7960be0b99d3da341d4_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Queries information about active data network
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:28
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:28
Reported
2024-06-13 07:31
Platform
android-x64-arm64-20240611.1-en
Max time kernel
2s
Max time network
132s
Signatures
Processes
com.hawsoft.mobile.speechtranspro
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/user/0/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu.so
| MD5 | f7f5e960db0c8a6f3b5b8d1a0427a042 |
| SHA1 | a8b623f9f87a6e785508befe07314da2fa903bfa |
| SHA256 | 17ac5b03f2a51ebdf2cce66314bc8e3e1547bfa0dde61357fcc07768aaaecb3c |
| SHA512 | ec889d1d9428cdbac082d0b5ab81cf33ac417874a416daf27b02af3d207b1b02ed794fc0b3f0ea266c8edaf3bfeb8f3cef7c631af689405fa629fee948ae8cba |
/data/user/0/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu_64.so
| MD5 | 0733255e286b6e6dbaba9cd897e6d6a9 |
| SHA1 | f7050b691709a83633b7d3cde1b91bd6fff1c2b0 |
| SHA256 | 8ebf467743eb1ac1c31eee127d4d37e3109c23b856e7de94de04a11f8b9f6432 |
| SHA512 | c3349d02dbdb02e3c0bcf52a752df5f142866aedfedca01cfd52a37166b50acd5159488260ee8f43a7b59da1288dc50bbabb6845a67135c919de1083ef9d678f |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:28
Reported
2024-06-13 07:31
Platform
android-x86-arm-20240611.1-en
Max time kernel
18s
Max time network
138s
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex!classes2.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.hawsoft.mobile.speechtranspro
chmod 755 /data/user/0/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu.so
/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex --dex-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed
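The dex2oat command line above is the concrete evidence behind the "Loads dropped Dex/Jar" signature: the DEX being compiled lives under the app's own private data directory (.jiagu), not in the installed APK, so the code the sandbox saw executing was written out at runtime. The .jiagu directory and libjiagu.so file names are those used by the 360 Jiagu protector (the report itself does not name a packer), and the javax.crypto.Cipher.doFinal hit is consistent with an unpacker decrypting its payload rather than with encryption of user data. The following triage helper is an added example, not the sandbox's own code: it extracts the runtime DEX inputs from the dex2oat command line, checks whether they sit in the package's private data directory, flags the packer staging directory, and deduplicates the dropped-file hash table into an IOC list. PACKER_DIRS is an illustrative map (an assumption, not a complete list); the sample command line and hash rows are copied from this report.

```python
"""Triage helper for an Android sandbox report (added example, not the
sandbox's own code). Sample inputs below are copied from the report."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Staging directories used by commercial Android packers. Illustrative only
# (assumption): the report does not name a packer, but ".jiagu"/libjiagu.so
# are the file names used by the 360 Jiagu protector.
PACKER_DIRS = {".jiagu": "360 Jiagu"}

# dex2oat invocation recorded under Processes in behavioral1.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex "
    "--dex-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex!classes2.dex "
    "--oat-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/oat/x86/classes.odex "
    "--inline-max-code-units=0 --compiler-filter=speed"
)

# (path, sha256) rows from the behavioral1 Files table. classes.dex appears
# twice with different content: it was rewritten during the run.
DROPPED_FILES: List[Tuple[str, str]] = [
    ("/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu.so",
     "17ac5b03f2a51ebdf2cce66314bc8e3e1547bfa0dde61357fcc07768aaaecb3c"),
    ("/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex",
     "5e18323b2b2077801ef8362f3282dae9c1b3a88475f87a4e0c5e5298e017b4de"),
    ("/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex",
     "3076109fcedee1b883cb792b9002f22f08c0d6e94442a52807dd0a64a56c52ef"),
    ("/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex!classes2.dex",
     "942c05452e32dadef583eaf6ff6cf08a0fd4487ade2a932e4e2512b135aa0b50"),
    ("/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS",
     "f7b35fd979583865fca867252d3cd050a6cf86be1f3b00c5566af4ad6f10a07a"),
]

# Private app data lives under /data/data/<pkg>/ or /data/user/<n>/<pkg>/.
APP_DATA_RE = re.compile(r"^/data/(?:data|user/\d+)/([^/]+)/")


def dex2oat_inputs(cmdline: str) -> List[str]:
    """Return every --dex-file= argument in order. A "!" separates a DEX
    container from a multidex entry inside it, so the whole token is kept."""
    return [tok.split("=", 1)[1] for tok in cmdline.split()
            if tok.startswith("--dex-file=")]


def packer_hint(path: str) -> Optional[str]:
    """Name the packer whose staging directory the path lives in, if any."""
    for part in path.split("/"):
        if part in PACKER_DIRS:
            return PACKER_DIRS[part]
    return None


def loads_dex_from_own_data(cmdline: str, package: str) -> bool:
    """True when dex2oat compiles a DEX that sits in the package's private
    data directory, i.e. code that was not in the APK as installed."""
    for dex in dex2oat_inputs(cmdline):
        m = APP_DATA_RE.match(dex)
        if m and m.group(1) == package:
            return True
    return False


def dropped_file_iocs(rows: List[Tuple[str, str]]) -> Tuple[List[Dict[str, Optional[str]]], Set[str]]:
    """Deduplicate (path, sha256) rows by hash and report paths that were
    written more than once with different content, which is what a staged
    unpacker looks like in a file-write log."""
    by_hash: Dict[str, str] = {}
    versions: Dict[str, Set[str]] = defaultdict(set)
    for path, sha in rows:
        by_hash.setdefault(sha, path)
        versions[path].add(sha)
    iocs = [{"sha256": sha, "path": path, "packer": packer_hint(path)}
            for sha, path in by_hash.items()]
    rewritten = {p for p, hashes in versions.items() if len(hashes) > 1}
    return iocs, rewritten


if __name__ == "__main__":
    pkg = "com.hawsoft.mobile.speechtranspro"
    print("runtime DEX inputs:", dex2oat_inputs(DEX2OAT_CMDLINE))
    print("loads dropped DEX:", loads_dex_from_own_data(DEX2OAT_CMDLINE, pkg))
    iocs, rewritten = dropped_file_iocs(DROPPED_FILES)
    for ioc in iocs:
        print(ioc["sha256"], ioc["path"], ioc["packer"] or "-")
    print("rewritten during run:", sorted(rewritten))
```

The SHA-256 values in the IOC list are the ones to pivot on, not the APK hash: the packer stub is the same across many protected apps, while the dropped classes.dex is the application's real code. Treat the packer hint as context only; commercial packers are used by legitimate apps as well.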
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | www.hawsoft.com | udp |
| US | 163.181.154.239:80 | www.hawsoft.com | tcp |
| US | 1.1.1.1:53 | translate.google.cn | udp |
| GB | 142.250.180.3:443 | translate.google.cn | tcp |
| GB | 142.250.187.238:80 | android.clients.google.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
The android.clients.google.com row was recorded 24 times (24 separate TCP connections to 142.250.187.238:80); the repeats are collapsed above.
Files
/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu.so
| MD5 | f7f5e960db0c8a6f3b5b8d1a0427a042 |
| SHA1 | a8b623f9f87a6e785508befe07314da2fa903bfa |
| SHA256 | 17ac5b03f2a51ebdf2cce66314bc8e3e1547bfa0dde61357fcc07768aaaecb3c |
| SHA512 | ec889d1d9428cdbac082d0b5ab81cf33ac417874a416daf27b02af3d207b1b02ed794fc0b3f0ea266c8edaf3bfeb8f3cef7c631af689405fa629fee948ae8cba |
/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex
| MD5 | d0b7202efeb6bee8a5afb6297df81d72 |
| SHA1 | 697cde476cb1dfe9a47735905fd5d099a1b706b5 |
| SHA256 | 5e18323b2b2077801ef8362f3282dae9c1b3a88475f87a4e0c5e5298e017b4de |
| SHA512 | 4d81e3a9c7f2dc58a54e70bc70ade8980260b0a63cfb2b4a210835ec28c5f39d54872083d506bf7063279ab9cd9e56062f5986f4790519788de5a0662a45b59e |
/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex
| MD5 | 307ba6e9a7b07b6e5638d8307f70e5c2 |
| SHA1 | b842c091aa372676f400eb6cf8712a9390b17985 |
| SHA256 | 3076109fcedee1b883cb792b9002f22f08c0d6e94442a52807dd0a64a56c52ef |
| SHA512 | 6a98ae3c702283671ef027d4da5f432ff17a233eb5c6bf93b19d55b9a32025603b67b8271317f61f659edfabac48910956ce9e706627336c45c2da0a2d382e1b |
/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex!classes2.dex
| MD5 | a417924065c5b782a0b6edeaaf434508 |
| SHA1 | 54b1392e679a00bec9e2dfc67731084dc20f6df8 |
| SHA256 | 942c05452e32dadef583eaf6ff6cf08a0fd4487ade2a932e4e2512b135aa0b50 |
| SHA512 | 4441a2b6d87fbb1ec7863b169cc784d187622a722ea0595255742cc6d6f516d5e6f917e95d5ea853faa7f10ffc401eca038a32d2bfa3844f1687d41ca5f99aab |
/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS
| MD5 | 99e15a6be2fc42640cebe5f57fdaf820 |
| SHA1 | 16aa400bfac3cfeb670630589e691bc3fa62c4ee |
| SHA256 | f7b35fd979583865fca867252d3cd050a6cf86be1f3b00c5566af4ad6f10a07a |
| SHA512 | 3052ab79c10f5b78ac2ebb74bdcbca530912662a7f962c411b55a0be7458a06d5d48ce71af5e80f36dc95904e49df6418c924b8902c9b338a4c1d254addfc1b8 |
/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS-journal
| MD5 | f9e20cac0d011cd5f8c6f77fbb6167f5 |
| SHA1 | 494eee74b59ff84862923d8ca84ff1675c614c00 |
| SHA256 | 19891626b85358a8f20033af20aa2dfe686d5948005586f21e5bd68914e7c379 |
| SHA512 | 365ac937b67318564ba85dc10f9a3458c054e2d9483ac0cfa8a68a4f9a0e3b77a08583bb73f8d63788349b17bfbf33521555cd16013f591e997c4f5e940348bb |
/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS
| MD5 | c76cabc8947effc4de51f39b167145a2 |
| SHA1 | 730b68b0d27dbd59d0ebb94220b58bdd559ccd53 |
| SHA256 | fea6632554e00e79ba6056c50e58fce2296e7cb2d568581c94f20129f7cd1ae6 |
| SHA512 | f8fc039f7339405cdd3e7065e8f6861b7b3cf4e564af2c3c9891ef7b792e716758ea0951fa2b52db8f2613370c01d51d3c214974beb5876f4c31ac024fafebf2 |
/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS-wal
| MD5 | 537d1df9c98b6a44ce31aa448a863492 |
| SHA1 | ce7a7316bb92c9759d7a9c68035c96225e197266 |
| SHA256 | 729f8064c7b18cb33952be3c2ba98449190e8cbfb359cc2129852f516151ee46 |
| SHA512 | 59cf76c4a29e1098c9c28df7d6049d03e14353ec2347e5bae8e0fd3b380dc9a0d27056f38dab9136f9fe8470c0529ee618efeb43bf6aef6f9218d723afcbb9a1 |