Malware Analysis Report

2024-09-09 13:22

Sample ID 240613-jjytnstdrn
Target a479eb5cfaada9ca907f259f52a85e78_JaffaCakes118
SHA256 ba8135b2790c2855ebd098c0228937ae4016e17af153f5092d2900634c5e11af
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

ba8135b2790c2855ebd098c0228937ae4016e17af153f5092d2900634c5e11af

Threat Level: Likely malicious

The file a479eb5cfaada9ca907f259f52a85e78_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Requests cell location

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:42

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:42

Reported

2024-06-13 07:46

Platform

android-x86-arm-20240611.1-en

Max time kernel

152s

Max time network

177s

Command Line

com.pusidun.pusidun

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.pusidun.pusidun

ls /sys/class/thermal

ls /

Network

Country | Destination | Domain | Proto
GB | 142.250.178.3:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:443 | log.umsns.com | tcp
US | 1.1.1.1:53 | aip.baidubce.com | udp
HK | 103.235.46.47:443 | aip.baidubce.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | sdkss.shitu.baidu.com | udp
CN | 180.101.49.104:80 | sdkss.shitu.baidu.com | tcp
US | 1.1.1.1:53 | www.psd119.com | udp
GB | 216.58.204.78:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
CN | 59.82.29.163:443 | log.umsns.com | tcp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
CN | 59.82.29.248:443 | log.umsns.com | tcp
CN | 59.82.29.249:443 | log.umsns.com | tcp
CN | 59.82.31.154:443 | log.umsns.com | tcp
CN | 59.82.31.160:443 | log.umsns.com | tcp
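
To separate expected SDK telemetry from contacts that deserve a closer look, the rows of the Network table can be triaged with the script below. This is an added example and not output of the sandbox: the rows are copied from this report, while the list of SDK domain suffixes is an analyst assumption (Umeng and Baidu are the analytics and cloud SDKs whose domains appear here; the google.com entries are platform services). Note that www.psd119.com is singled out only because a DNS answer was seen without any recorded connection, which in a 177-second run can be a timing artifact rather than evasion.

```python
"""Triage of the Network table: split DNS lookups from connections,
group connections by domain and flag (a) domains resolved but never
contacted and (b) contacted domains outside the SDK allowlist.
Added example; the rows are copied from the report, the SDK suffix
list is an analyst assumption."""
import re
from collections import defaultdict

# Rows copied from the Network table of this report
# (country, destination ip:port, optional domain, protocol).
NETWORK_ROWS = """\
GB 142.250.178.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:443 log.umsns.com tcp
US 1.1.1.1:53 aip.baidubce.com udp
HK 103.235.46.47:443 aip.baidubce.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.73:443 plbslog.umeng.com tcp
US 1.1.1.1:53 sdkss.shitu.baidu.com udp
CN 180.101.49.104:80 sdkss.shitu.baidu.com tcp
US 1.1.1.1:53 www.psd119.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
CN 59.82.29.163:443 log.umsns.com tcp
CN 36.156.202.73:443 plbslog.umeng.com tcp
CN 59.82.29.248:443 log.umsns.com tcp
CN 59.82.29.249:443 log.umsns.com tcp
CN 59.82.31.154:443 log.umsns.com tcp
CN 59.82.31.160:443 log.umsns.com tcp
"""

# Analyst assumption: domain suffixes of well-known analytics / cloud SDKs
# and platform services. Contacts to these are expected for an app that
# bundles the Umeng and Baidu SDKs and are not by themselves C2 evidence.
SDK_SUFFIXES = ("umeng.com", "umsns.com", "baidubce.com", "baidu.com", "google.com")

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text):
    """Parse the whitespace-separated rows; the domain column may be absent."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    resolved = set()                 # names answered by the resolver
    connected = defaultdict(set)     # domain -> {(ip, port)} actually contacted
    bare = set()                     # (ip, port) contacted with no domain attribution
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:
                resolved.add(r["domain"])
            continue
        if r["domain"]:
            connected[r["domain"]].add((r["ip"], r["port"]))
        else:
            bare.add((r["ip"], r["port"]))
    sdk = {d for d in connected if d.endswith(SDK_SUFFIXES)}
    return {
        "resolved_only": resolved - set(connected),  # looked up, never contacted
        "connected": dict(connected),
        "bare": bare,
        "sdk": sdk,
        "unknown": set(connected) - sdk,             # contacted, not on the allowlist
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for key in ("resolved_only", "unknown", "sdk", "bare"):
        print(f"{key}: {sorted(result[key])}")
    for domain, endpoints in sorted(result["connected"].items()):
        print(f"{domain}: {len(endpoints)} endpoint(s)")
```

Everything the sample actually connected to falls on the SDK allowlist, and the two unattributed GB endpoints on 443 plus the mDNS multicast on 224.0.0.251:5353 are left in the bare bucket for manual review rather than silently dropped.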

Files

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/data/data/com.pusidun.pusidun/app_idl-license.face-android

MD5 11eb30b22575ebad21594c7a068b85b8
SHA1 04f9171f2be96ba4f454d21e2ee62e936f61b807
SHA256 13241439e36d8de3e36c7c2a681d7b7fecd8f9d59751c37ef00feaa79e5a11e5
SHA512 09cf82a2ea0b68493c4c700ec852a472280403dfda30c0ffa90590ac63416d749403effe276bacb86da93505aeda33ada57b01f803a3fc10c7bc9241d9f34c57

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 7c43ee500484c2c30edb8d9757c15b7e
SHA1 d098629ce0e5bd4af52710e4fd2d50c84b24586d
SHA256 0f1343989328b09945311f2e4feed9f3f9b195631cfcaa4cadfc28bcf60f7dda
SHA512 54b08b9cc27f2f450c281fa040cb06b3be0e2a49c85e887df6f61e15b35cca50b1e43879c5eb6628901c4831612b6c24a31064b9f8c76ea46ae89dacf2b16ff3

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 c593c621f42d1b73b1f807f5ade14a45
SHA1 49058c8fd4ca564c44c1240599ddfd9f9008660a
SHA256 b9d10802f1ba265c9d30147a04a435d17fef180048378c7cdbf5d3e5b4edcec3
SHA512 ab47f20d43e717e1d379a0caeedfd8ae90eb263768d5ed02ef9f636ef7c03d396d3fbfba0af595bab8f54ad8f1809fea57809b1d4ea3a718b1c5cb8dc9fd149c

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 f11a9ec24f6fcc5ddc24aeeae0e45c3e
SHA1 4af6c46794481db5318ede495851e35890f6a027
SHA256 83702f05bbfde3d0d36a61cd30530a0951c32bc299baf100fe30d0a408338201
SHA512 d07c02940e288de91e992796c1438d1a86c7cb228a103a75fad5729beebdc3fc80fcdd327165b055429a46489b8dadf7db626d1f2401260b53814b3a295911ff

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 672f345db1d1e539aca631a9b238b7fe
SHA1 c20a2a9c50e34591f58920cd46fb640a1f5913ec
SHA256 d48b4d027b5d8e4c8b1023e6279a018cd18b846a6570dffa7616c25b12cad8a9
SHA512 7c7abf63431f736fe0ebb5a238fd619b014fae070d70e77b9fffb7caa8f432a707be49ae9e6a60a0da0aed88e4ea2f1d5f01a65d7168c7027adaa148178ed069

/data/data/com.pusidun.pusidun/files/umeng_it.cache

MD5 47fa611f7b63e2d5d87c440bedac9596
SHA1 91fd63655513235f3ea127e8a49f8c1f76e3bee1
SHA256 8888b76378971ab6424a1f32b427be3b52cecbb86f7bc665e6a485300bab79f5
SHA512 9fb128a5698485822c82e9f5e1331485429e049a99d308a3943dd54f62a59453bd0eb0735460e51c17f8034cf2b174d60341098cdb3c61832cc065c92c1347ff

/data/data/com.pusidun.pusidun/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MjY0NTg3Mjgx

MD5 51e65c39b7a3b144efbef4a8e3d2026a
SHA1 e97ccdf99387cc932c72c821a5d76f44ec389940
SHA256 86e318febc19def0b05df56e63cd1e15c0c4eecce57ef2e98d41967527a253d6
SHA512 d557d2a3b9357bf40decbd71a2d71ed55d483dc7c3733e597540b05b93cd23016e446c361d7a6d41d3ff96b25a81146c077142be96aa303ff5ba54cdf2852889

/storage/emulated/0/Android/data/com.pusidun.pusidun/cache/Glide/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/storage/emulated/0/Android/data/com.pusidun.pusidun/cache/Glide/journal

MD5 0ab57df63fcddb1f8c7bc64236a69be8
SHA1 8ddb1b12e079d89b7bb4545b5e5355bdc5d16bfb
SHA256 c28301ce8465ee0603ce0586e028ebbef435fb7b9b006b744fe963248cfafb23
SHA512 9aefbdd4f7f68e74d1d664817c295f70bbde28131fba7d1f60874f6ac13d7f34996e62b42ab5fa4fb7f82ba380d5b63ca47a603653dd5d274c4975eef802b1d2

/storage/emulated/0/Android/data/com.pusidun.pusidun/cache/Glide/322441e4c58cd2e9c2e1b8adb245238fd74c0d5c78e9324097bf8d5ceab1cbcf.0.tmp

MD5 b9071aadaba8214206f433ea01cab89d
SHA1 b3d6ce30da9767426042f8260e428adfd1e732b1
SHA256 f7dbb08fd81d9a717307a4e29e8a401bb14cf94e7e94bd4efaaf99c57ce9e7e6
SHA512 9a75278d5aee839c2fa18a5eae35b8cd129c28e8b287b96ce0e1c8f02b58f6ede9c653533f4f1ca517ca9708ddaec3a8b102a33ce849252d1c3228fbe4f94cf1

/data/data/com.pusidun.pusidun/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MjY0NjE3NTEx

MD5 f43e4ffc57fbfd85dad7123a46a70f55
SHA1 7297af8e4f5c771b8dd4715680b53d968ea4b993
SHA256 cde95207df1e5e174e1fe29cd1b5b129fd2e63c3e5442f51a735b25221350f64
SHA512 fd63245e347d1cad89c5b96232b50f0c7c3da7b91eb24e60a3eca5de535cc940a7881c64426f8894fcf67977a81bc16d8bacabcbdb981af801bddf9ff901e4c0
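
The two entries under files/stateless/ have base64-encoded names. The script below, an added example and not part of the sandbox report, decodes each path component that is valid base64 and reads the trailing 13 digits of the decoded file name as a millisecond Unix timestamp (an assumption), then checks it against the behavioral1 submission and report times, which are assumed to be UTC. The paths are copied from the Files section; a stray space after "==" that appears in some extractions of the report is removed.

```python
"""Decode base64 path components of the files/stateless/ artifacts and
interpret the embedded number as an epoch-millisecond timestamp.
Added example; the timestamp interpretation and the UTC assumption for
the detonation window are analyst assumptions."""
import base64
import binascii
import re
from datetime import datetime, timezone

# Paths copied from the Files section of this report.
STATELESS_PATHS = [
    "/data/data/com.pusidun.pusidun/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MjY0NTg3Mjgx",
    "/data/data/com.pusidun.pusidun/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MjY0NjE3NTEx",
]

# Detonation window from the behavioral1 overview (Submitted / Reported), assumed UTC.
SUBMITTED = datetime(2024, 6, 13, 7, 42, tzinfo=timezone.utc)
REPORTED = datetime(2024, 6, 13, 7, 46, tzinfo=timezone.utc)

EPOCH_MS_RE = re.compile(r"_(\d{13})$")


def decode_component(name):
    """Return the decoded text of a base64 path component, or None when the
    component is not valid base64 or does not decode to printable text, so
    ordinary directory names such as 'files' pass through untouched."""
    try:
        text = base64.b64decode(name, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def analyze_path(path):
    """Decode every base64-looking component and, if the decoded file name
    ends in 13 digits, treat them as epoch milliseconds and place the
    timestamp relative to the detonation window."""
    decoded = [d for p in path.split("/") if p for d in [decode_component(p)] if d]
    result = {"decoded": decoded, "timestamp": None, "in_window": None}
    for name in decoded:
        m = EPOCH_MS_RE.search(name)
        if m:
            ts = datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
            result["timestamp"] = ts
            result["in_window"] = SUBMITTED <= ts <= REPORTED
    return result


if __name__ == "__main__":
    for p in STATELESS_PATHS:
        r = analyze_path(p)
        stamp = r["timestamp"].strftime("%Y-%m-%d %H:%M:%S UTC") if r["timestamp"] else "n/a"
        print(f"{r['decoded']} -> {stamp} in_window={r['in_window']}")
```

Both names decode to a prefix of umpx_internal followed by a timestamp that lands about a minute into the run (07:43:07 and 07:43:37), consistent with the files being generated by the app during detonation rather than shipped inside the APK; decoding the names this way is a quick check before deciding whether such artifacts are worth extracting from the sandbox.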