Malware Analysis Report

2024-09-09 17:49

Sample ID 240613-jk11eszcnh
Target a47b5895669345bde99cf7870c890fbd_JaffaCakes118
SHA256 f7271d10cdebd6d732aa9a457d9c40776fa2a00e202e2754fb1c7b8104808a1d
Tags: discovery evasion impact persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256

f7271d10cdebd6d732aa9a457d9c40776fa2a00e202e2754fb1c7b8104808a1d

Threat Level: Likely malicious

The file a47b5895669345bde99cf7870c890fbd_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:44

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION (reported twice) | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION (reported twice) | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

The manifest combines SMS, call-log and contact reading, audio and camera capture, location, overlay windows, settings writes and package installation. SYSTEM_ALERT_WINDOW, WRITE_SETTINGS and REQUEST_INSTALL_PACKAGES are special-access permissions granted through Settings rather than the runtime prompt; the overlay and install-packages pair is what an app needs to draw over other apps and to side-load further APKs.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:44

Reported

2024-06-13 07:47

Platform

android-x86-arm-20240611.1-en

Max time kernel

149s

Max time network

179s

Command Line

com.qianbao.qianbaobusiness

Signatures

Checks if the Android device is rooted.

Probing for the SuperSU package and an su binary is the usual root check; together with the "type su" shell commands in the Processes list it lets the app behave differently on rooted or instrumented devices, which is why the sandbox files it under evasion.

evasion
Description | Indicator | Occurrences | Process | Target
N/A | /system/app/Superuser.apk | 2 | N/A | N/A
N/A | /sbin/su | 2 | N/A | N/A

Loads dropped Dex/Jar

mix.dex is a secondary DEX written into the app's private data directory and loaded at runtime rather than shipped as classes.dex, so the static analysis of the APK's own DEX does not cover the code it contains. Its hashes are listed under Files.

evasion
Description | Indicator | Occurrences | Process | Target
N/A | /data/data/com.qianbao.qianbaobusiness/mix.dex | 12 | N/A | N/A
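Before handing a DEX recovered from the sandbox dump (such as the mix.dex above) to a decompiler, it is worth checking that it is a real, intact DEX and that its digests match the ones in the Files section. The following Python is an added example, not part of this report or of any sandbox product. It implements the checks from the public DEX format (8-byte magic, adler32 checksum over everything after the checksum field, SHA-1 signature over everything after the signature field, plus file_size, header_size and endian_tag) and computes MD5/SHA-1/SHA-256 for comparison. The DEX it builds for the demonstration is a constructed header-only file, not the actual mix.dex.

```python
"""Verify a candidate DEX blob pulled from a sandbox dump.

Added example, not part of the report. build_minimal_dex() produces a
constructed header-only DEX for exercising verify_dex(); it is not the
mix.dex the report describes."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70                 # fixed size of the dex header_item
ENDIAN_CONSTANT = 0x12345678       # little-endian marker in the header
KNOWN_MAGICS = {b"dex\n035\x00", b"dex\n037\x00", b"dex\n038\x00", b"dex\n039\x00"}


def dex_digests(data: bytes) -> dict:
    """Whole-file MD5/SHA-1/SHA-256, to compare with the hashes a report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_dex(data: bytes) -> dict:
    """Per-field verdicts for a candidate DEX.

    No valid magic: not a DEX at all (for a runtime-loaded file that usually
    means it is still encrypted or packed on disk). Valid magic but a bad
    checksum or signature: modified after compilation or dumped incompletely."""
    result = {"is_dex": False, "checksum_ok": False, "signature_ok": False,
              "file_size_ok": False, "header_ok": False, "problems": []}
    if len(data) < HEADER_SIZE:
        result["problems"].append("shorter than a dex header")
        return result
    magic = data[0:8]
    if magic not in KNOWN_MAGICS:
        result["problems"].append("bad magic %r" % magic)
        return result
    result["is_dex"] = True

    (checksum,) = struct.unpack_from("<I", data, 8)          # adler32 of data[12:]
    signature = data[12:32]                                   # SHA-1 of data[32:]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)

    result["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    result["signature_ok"] = signature == hashlib.sha1(data[32:]).digest()
    result["file_size_ok"] = file_size == len(data)
    result["header_ok"] = header_size == HEADER_SIZE and endian_tag == ENDIAN_CONSTANT
    for key in ("checksum_ok", "signature_ok", "file_size_ok", "header_ok"):
        if not result[key]:
            result["problems"].append(key.replace("_ok", " mismatch"))
    return result


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only DEX with every table empty and a
    correct checksum and signature. Exists only to exercise verify_dex()."""
    # file_size, header_size, endian_tag, then link_size .. data_off all zero
    body = struct.pack("<III", HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    body += b"\x00" * (HEADER_SIZE - 12 - 20 - len(body))
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    sample = build_minimal_dex()
    print(verify_dex(sample))
    print(dex_digests(sample))
    print(verify_dex(sample[:0x60] + b"\x01" + sample[0x61:])["problems"])
```

For a dropped file that fails the magic check, dump it again once the loader has decrypted it (for example by hooking the class loader) instead of taking the on-disk copy; a checksum or signature mismatch on an otherwise valid header usually means a truncated or patched dump.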

Queries information about running processes on the device

discovery
Description | Indicator | Occurrences | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | 3 | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Occurrences | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | 3 | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Occurrences | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | 2 | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Occurrences | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | 4 | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Occurrences | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | 3 | N/A | N/A

Checks memory information

Description | Indicator | Occurrences | Process | Target
File opened for read | /proc/meminfo | 3 | N/A | N/A

Processes

(The getprop calls for ro.yunos.version, ro.board.platform and ro.product.cpu.abi fingerprint the device and detect YunOS, Alibaba's Android derivative; "/system/bin/sh -c type su" is a further su lookup that belongs with the root check in Signatures; :pushcore and :watch are additional processes of the same package.)

com.qianbao.qianbaobusiness

sh -c getprop ro.yunos.version

/system/bin/sh -c getprop ro.board.platform

getprop ro.yunos.version

getprop ro.board.platform

/system/bin/sh -c type su

getprop ro.product.cpu.abi

com.qianbao.qianbaobusiness:pushcore

com.qianbao.qianbaobusiness:watch

sh -c getprop ro.yunos.version

getprop ro.yunos.version

com.qianbao.qianbaobusiness:watch

sh -c getprop ro.yunos.version

getprop ro.yunos.version

/system/bin/sh -c getprop

getprop

/system/bin/sh -c type su

Network

Country Destination Domain Proto
GB 142.250.180.14:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 log.tbs.qq.com udp
HK 129.226.107.80:443 log.tbs.qq.com tcp
US 1.1.1.1:53 apis.qianbao.com udp
US 1.1.1.1:53 v1-auth-api.visioncloudapi.com udp
CN 47.96.192.190:443 v1-auth-api.visioncloudapi.com tcp
CN 211.155.89.130:443 apis.qianbao.com tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 hotfix-api.aliyuncs.com udp
CN 47.102.52.8:443 hotfix-api.aliyuncs.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
CN 47.96.192.190:443 v1-auth-api.visioncloudapi.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 47.96.192.190:443 v1-auth-api.visioncloudapi.com tcp
CN 121.36.193.140:19000 s.jpush.cn udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 47.96.192.190:443 v1-auth-api.visioncloudapi.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
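The table above mixes resolver traffic, third-party SDK telemetry and the app's own back end. The following Python is an added example, not part of this report or of any sandbox product: it parses the rows (copied from the table above), separates DNS lookups from connections, groups connections per host, flags plaintext port-80 traffic and sorts hosts into SDK telemetry, Android platform background traffic and app-specific endpoints. The SDK_TELEMETRY and PLATFORM_BACKGROUND labels are the analyst's own allowlist, an assumption made here and not something the report states.

```python
"""Group the behavioral1 Network table by host and classify it.

Added example, not part of the report. NETWORK_ROWS is copied from the
table above; SDK_TELEMETRY and PLATFORM_BACKGROUND are analyst labels
(assumptions), not report content."""
from collections import defaultdict

NETWORK_ROWS = """\
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 log.tbs.qq.com udp
HK 129.226.107.80:443 log.tbs.qq.com tcp
US 1.1.1.1:53 apis.qianbao.com udp
US 1.1.1.1:53 v1-auth-api.visioncloudapi.com udp
CN 47.96.192.190:443 v1-auth-api.visioncloudapi.com tcp
CN 211.155.89.130:443 apis.qianbao.com tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 hotfix-api.aliyuncs.com udp
CN 47.102.52.8:443 hotfix-api.aliyuncs.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
CN 47.96.192.190:443 v1-auth-api.visioncloudapi.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 47.96.192.190:443 v1-auth-api.visioncloudapi.com tcp
CN 121.36.193.140:19000 s.jpush.cn udp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 47.96.192.190:443 v1-auth-api.visioncloudapi.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
"""

# Analyst allowlist (assumption): hosts belonging to bundled third-party SDKs.
SDK_TELEMETRY = {
    "android.bugly.qq.com": "Tencent Bugly crash reporting",
    "log.tbs.qq.com": "Tencent TBS/X5 webview logging",
    "s.jpush.cn": "JPush push notifications",
    "adash.man.aliyuncs.com": "Alibaba Mobile Analytics",
    "hotfix-api.aliyuncs.com": "Alibaba hotfix (server-delivered code patches)",
}
# Assumption: Google platform background traffic, not the app's own.
PLATFORM_BACKGROUND = {"android.apis.google.com", "semanticlocation-pa.googleapis.com"}


def parse_rows(text):
    """Parse 'country ip:port [domain] proto' rows; a missing or N/A domain becomes None."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            raise ValueError("unexpected row: %r" % line)
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "N/A" else domain, "proto": proto})
    return rows


def triage(rows):
    """Split DNS lookups from connections and bucket each host by who it belongs to."""
    resolved, unresolved = set(), defaultdict(int)
    hosts = defaultdict(lambda: {"ips": set(), "ports": set(), "hits": 0, "cleartext": False})
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            resolved.add(r["domain"])          # resolver traffic, not a connection
            continue
        if r["ip"].startswith("224.0.0."):     # link-local multicast (mDNS), emulator noise
            continue
        if r["domain"] is None:                # connection without a preceding lookup
            unresolved[r["ip"]] += 1
            continue
        h = hosts[r["domain"]]
        h["ips"].add(r["ip"]); h["ports"].add(r["port"]); h["hits"] += 1
        if r["proto"] == "tcp" and r["port"] == 80:
            h["cleartext"] = True              # plaintext HTTP: interceptable on the path
    out = {"sdk_telemetry": {}, "platform": {}, "app_specific": {},
           "unresolved_ips": dict(unresolved), "resolved_only": sorted(resolved - set(hosts))}
    for host, h in hosts.items():
        bucket = ("sdk_telemetry" if host in SDK_TELEMETRY else
                  "platform" if host in PLATFORM_BACKGROUND else "app_specific")
        out[bucket][host] = {"ips": sorted(h["ips"]), "ports": sorted(h["ports"]),
                             "hits": h["hits"], "cleartext": h["cleartext"],
                             "label": SDK_TELEMETRY.get(host)}
    return out


def cleartext_hosts(summary):
    """Hosts reached over plaintext HTTP, across all buckets."""
    return sorted(host for bucket in ("sdk_telemetry", "platform", "app_specific")
                  for host, h in summary[bucket].items() if h["cleartext"])


if __name__ == "__main__":
    summary = triage(parse_rows(NETWORK_ROWS))
    for bucket in ("app_specific", "sdk_telemetry", "platform"):
        for host, h in summary[bucket].items():
            print(f"{bucket:14} {host:36} hits={h['hits']:2} ports={h['ports']} ips={h['ips']}")
    print("cleartext:", cleartext_hosts(summary), "unresolved:", summary["unresolved_ips"])
```

On this table the app-specific bucket reduces to apis.qianbao.com and v1-auth-api.visioncloudapi.com, both over 443; the Bugly and Alibaba analytics endpoints are the only plaintext HTTP destinations, and the two unresolved Google-range IPs have no matching lookup in the capture. The allowlist is what turns a 37-row table into a handful of decisions, so keep it versioned and reviewed rather than growing it ad hoc.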

Files

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_legu-journal

MD5 6c15adfc62f66a26bb59b810ec8af2cc
SHA1 b3737b5417ae47a68c086af3948de2de6e72f47c
SHA256 ef290fb966eef26dadfeb9b6123478562512294221b85ba6cc8cec8a4bc65b90
SHA512 2a6fa19b0060ab8d944195e38dd3937c270d3204d81bf9ba15a006fe41c0e12bfa135acba1af5e99a6cdbdb411d1e99931ad8302fcf84881bf3b1e6e44798ce7

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_legu-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_legu-wal

MD5 23cc5154a4934cbf753f12d978b39798
SHA1 6790a74decaea786d8a28d9c44efd5cb5e0360de
SHA256 f5ed07108950987103aa1aeda122ea1e4b568ea646655eb91ecb4611091797ce
SHA512 1b917ec9464f3b1e38f9160b5086f696a17b75e13cab075a7ff22eae9ad93df977c783a8176bd88ba68733f80dcd1094a50b10041969f79821377cc8e024fcd3

/data/data/com.qianbao.qianbaobusiness/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/storage/emulated/0/Android/data/com.qianbao.qianbaobusiness/files/tbslog/tbslog.txt

MD5 fc735fe8ee41fe1296b6226bbcf53fa7
SHA1 2379dd0ce7e66f782d4fe298e5bdf2801b81e0b1
SHA256 9aea6a03abf46fb91732293897abb611d76e7bd9903712091cb118f8cf2a35f6
SHA512 e419e63546f7c97edd9c967875735871d1646269045a1803f5cbfc641a59cbd8490034a2982eeb8a8e2c0967c2d3a0d8eab824315f73c95e45f8ec59c156af8f

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 6e0d38737f080e0ceb2694fb44eb2ac4
SHA1 b66fb2b32ea19ec13d6902eaa52da23b93292d12
SHA256 0b46e64e2ec3080f255ac8c277f0969f8a5e8335869d11f99b263fd01eb5e569
SHA512 64f912b7baca4c7483cd5135e796149a1b2b248028bac8942e3b702a108ddad0d12e1eec5fff0ac864f10915251dea89ba86e4786ef85796df96630fe7f4491d

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 92f0bd59bd85e4e6cd876e045c82066f
SHA1 ee832d63f9386c9903c1f97054bf3768c5cae213
SHA256 7545e0bf4f55ca7bc283229c4866a55c9c403dad15930038b67850000a70c223
SHA512 988751d9bf664da8843c901cd4f480ccefbafd56267c455bcf90f3877a86d6793fa6704a5fbba4c6c16e6657650badfc3545b4f0a3cd98d70511125bf6c4d4fb

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 724144a71031e7cc8b4df4f2d7854316
SHA1 f7cb81c562e4dad3e8d346330652497ba2bd414e
SHA256 8ee8e88c186191cf8441cecfea9c87b99d2a998c6bee98cff420269cec6ade3b
SHA512 8a2da37adafe96710deb649c02fb58eca270837b822aa5d00291506fff1e010c719f8b657dfafbb1ed6e9b650763386f2d8863612f10bea78104da9e5e747c5c

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 5d54e11ee39c97466d4caf0f0ff6e876
SHA1 6564f55db2607e28dc78c3989a1e30acad5eae31
SHA256 0b53d91eca713c2f70f820fd5e381b3aa1ec5da6f56fcc692828329b2c848e9a
SHA512 ceb1343cafb847980f27164967f56f6961e4689e5dc6d1da24f8306bdcf4e7149ed537c4b1ecb923ad884931987b21a36ca0cf849f84912c88e75de52207f828

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_-journal

MD5 2d5290e6d06f11d3425cc308c36c9c96
SHA1 8e1fa706e3bf1926eeb6d324fe12d5a754989782
SHA256 e47e8031793a1587c0b49e27ac019c2e0a89ff1f63073b9bb2d036d4c1f97b4d
SHA512 76a16a316385bb9fd53b82fa0d4b709bc09c9c18d5aa78bde8799aff0e282b58fcfa03f1a551c493387e4cd5514a18fbbcc8d0be66a364dab10a8cc5f9d6b2ab

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_

MD5 aa99281ce0cd69a9302f8b64b918ad75
SHA1 ccafc0e5fb16198e466b209a888301f4100fafe8
SHA256 a3cde8388c50e78c7b3c8dab1d0c46c64c375248031adbb6a5802e3da65bb431
SHA512 a8b80f09a555652d3e4b9775b6aa58341dad7fb120509e128df417533ba361353b19530306e8691f1ce5fc0c69f1a89d29bd2eb176291a5e85b945d14c9eb085

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_-wal

MD5 86eeeaa8e45355b39a0d21ff7e05385f
SHA1 c1cab02b4b643696e0770076a7771e5e5837a4e4
SHA256 d6ea0b1d627bc666b7a0b5b110ecc1d487eba4af66b11e7514735c911df276f1
SHA512 81c83cc5684243cb373d19e0b20897a0bb1f647d7fd5c7e7e6b0c196447b9bec0da349d74b1212faa5c71ff748671f17baf682beb869ba88285c12e238d348f5

/data/data/com.qianbao.qianbaobusiness/app_crashrecord/1004

MD5 13f31b59741bdd5b1e8eaa6902a95e30
SHA1 bd6abaa9d21e3870c9e80606788bf449f223b7d6
SHA256 b507dc85345d3170f5577fdac51b627ce595431dc3efe8d4d287b7dbfdcffcd2
SHA512 3ed0e56f9e4b6c37cbf2caa9b6e5711fbe1fc1f86e50c5b9a4484f983b91bb392283e61e229064f025a5e797ded3b54f82a26a4b90ac1f19aec5833efd83e65c

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 091d1319dc73bc8de28152bc61a64c24
SHA1 bf92c90665d31f214eaa8a085c1aae1e1fdd6a38
SHA256 92a0c947dfad5cf00fa4dff59363bd39d1a300ecb808f38146d2bcc909b1bb08
SHA512 04256a3e2c3bb0797a55403336c0942bd7084ba0a5ea2ed91fbf62e0bf796c796ca8b9360009b839a9bd52bbfd1f83454dfe40b8df965ca27ee24a5e64c228b2

/storage/emulated/0/Android/data/com.qianbao.qianbaobusiness/cache/storage/emulated/0/Android/data/com.qianbao.qianbaobusiness/cache/okhttp-cache/journal.tmp

MD5 37e8e716e0e2f4a0b05cd9571d95b84d
SHA1 f8d068f6931707bddb8cd69f706f2224ad1fea3c
SHA256 7080cb592d5149c858b206d3fd0d5e3e7d601f120af00b2616bee928ee1291ca
SHA512 e62b850901835fdb73fa6224618422f721dd765861d42f6bc2dd013413e96bd910ac5313afd9b4f63da74beb12a15fac81b5157456c9caa3031862dab84423f6

/data/data/com.qianbao.qianbaobusiness/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.qianbao.qianbaobusiness/databases/tencent_analysis.db_com.qianbao.qianbaobusiness-journal

MD5 9b7448efe03dc39740170fa4c33dca1d
SHA1 02e33ff26509bba77c914cf1850dfcfe13306993
SHA256 e28c776da4216adf12f5c8e2044aa5c3e0f244d4930f47316f8b819a5921726c
SHA512 75bd4a0483cf01c50f2f111a0a426a5cf10ed6b4f4c1f5dd0f704414cc424f853ee6430066d8de1f6ff82c4e1cbc53e252c83a95c83071dc688e336577827f81

/data/data/com.qianbao.qianbaobusiness/databases/tencent_analysis.db_com.qianbao.qianbaobusiness-wal

MD5 80716f315527a7efe0219b2d08ce2394
SHA1 7f84649860a22c95251511a192770b530641fd8d
SHA256 364114c115c7e089541ae01c619b8377786682c64aa66fb3451abd502d74465c
SHA512 94df1c7b1396115ea41d6c93ee6c7e705dd80bf57c5f9ccfd8335d13a63ec7d30207d03f577e8d27ee9eddab9c8e32016243a095ef0b03d06d224cf895e09d89

/storage/emulated/0/Android/data/com.qianbao.qianbaobusiness/files/tbslog/tbslog.txt

MD5 009f6857f62944695dcd1a302255d8c2
SHA1 ef3f0a94229a0b1e39d4d42baae744d080552071
SHA256 37271c86f1d8212fa01d88c1de47f23b7863b1cb780bfbe03bb7e355a69510f3
SHA512 de1e6224b245bc45994d547261861b30899afd88ca7dd6873596c527eab88980dfdcfae55f7b238bfcf916b6c17049a6912a316071fbb1462acaf8e074612fcf

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_-wal

MD5 9f1e216b1cb31c3b0b915748730e518e
SHA1 5422d91214221d0ed6acb810c8cb0e7670c36cc9
SHA256 2b14079b09363e591263baec1c888a306a9ca87e63ea486c77edc5cf0ce0d0f4
SHA512 a044e33db0f4d51726c5ff64c7b309e45d258877c85b4eab30c048ee862dc786ec2e9bba01345d9d732024fa1b447ced26666fc8d1c7347e3d10cb08a52b8a52

/data/data/com.qianbao.qianbaobusiness/databases/bugly_db_-wal

MD5 15605fc031d3d9ee57edb29dc39883d3
SHA1 be0e997671ff96701e917f940f9895d8dc479239
SHA256 aad40f7d9edbb80478a955b8b8ead49e4f258275641d19f5fbec950d513056b0
SHA512 750985c9547e996523b76f2b4a0743c57695c09e1b269d07333f1ca505cb3f9ef282a7050f2c5bf2e89619acc460bde5f9cae831bc5169a45e0b32d11261e7ff

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:44

Reported

2024-06-13 07:44

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

(No command line, signatures, processes or files were recorded: the sample did not execute in this 8-second android-33/arm64 run, so the five network rows below, none with a resolved domain, cannot be attributed to it. The android-x86 behavioral1 run is the one that shows its behaviour.)

Network

Country Destination Domain Proto
GB 216.58.212.196:443 tcp
GB 172.217.16.228:443 udp
GB 172.217.16.228:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 udp

Files

N/A