Analysis Overview
SHA256
f7271d10cdebd6d732aa9a457d9c40776fa2a00e202e2754fb1c7b8104808a1d
Threat Level: Likely malicious
The file a47b5895669345bde99cf7870c890fbd_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries information about running processes on the device
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:44
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:44
Reported
2024-06-13 07:47
Platform
android-x86-arm-20240611.1-en
Max time kernel
149s
Max time network
179s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.qianbao.qianbaobusiness/mix.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.qianbao.qianbaobusiness
sh -c getprop ro.yunos.version
/system/bin/sh -c getprop ro.board.platform
getprop ro.yunos.version
getprop ro.board.platform
/system/bin/sh -c type su
getprop ro.product.cpu.abi
com.qianbao.qianbaobusiness:pushcore
com.qianbao.qianbaobusiness:watch
sh -c getprop ro.yunos.version
getprop ro.yunos.version
com.qianbao.qianbaobusiness:watch
sh -c getprop ro.yunos.version
getprop ro.yunos.version
/system/bin/sh -c getprop
getprop
/system/bin/sh -c type su
Network
Files
/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_legu-journal
/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_legu
/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_legu-shm
/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_legu-wal
/data/data/com.qianbao.qianbaobusiness/mix.dex
/storage/emulated/0/Android/data/com.qianbao.qianbaobusiness/files/tbslog/tbslog.txt
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.DataStorage/ContextData.xml
/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_-journal
/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_
/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_-wal
/data/data/com.qianbao.qianbaobusiness/app_crashrecord/1004
/storage/emulated/0/Android/data/com.qianbao.qianbaobusiness/cache/storage/emulated/0/Android/data/com.qianbao.qianbaobusiness/cache/okhttp-cache/journal.tmp
/data/data/com.qianbao.qianbaobusiness/databases/tencent_analysis.db_com.qianbao.qianbaobusiness-journal
/data/data/com.qianbao.qianbaobusiness/databases/tencent_analysis.db_com.qianbao.qianbaobusiness-wal
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:44
Reported
2024-06-13 07:44
Platform
android-33-x64-arm64-20240611.1-en
Max time network
8s
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.212.196:443 | | tcp |
| GB | 172.217.16.228:443 | | udp |
| GB | 172.217.16.228:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.202:443 | | udp |