Malware Analysis Report

2024-09-09 17:54

Sample ID 240613-jq6svszelc
Target a4827e3572a24be2d42215ba1c7aca28_JaffaCakes118
SHA256 37523835b8275921cc8da9a2f3654ba0635fe2c40854fe349b65acf2c61733df
Tags
discovery evasion execution impact persistence
score
8/10


Analysis Overview

score
8/10

SHA256

37523835b8275921cc8da9a2f3654ba0635fe2c40854fe349b65acf2c61733df

Threat Level: Likely malicious

The file a4827e3572a24be2d42215ba1c7aca28_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution impact persistence

Checks if the Android device is rooted

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:53

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:53

Reported

2024-06-13 07:56

Platform

android-x86-arm-20240611.1-en

Max time kernel

172s

Max time network

186s

Command Line

com.yxxinglin.xzid403062

Signatures

Checks if the Android device is rooted

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yxxinglin.xzid403062

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

/system/bin/sh -c getprop

getprop

/system/bin/sh -c type su

com.yxxinglin.xzid403062:channel

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 cgi.connect.qq.com udp
US 1.1.1.1:53 api.weibo.com udp
HK 36.51.224.49:443 api.weibo.com tcp
HK 43.154.252.110:80 cgi.connect.qq.com tcp
HK 43.154.252.110:443 cgi.connect.qq.com tcp
US 1.1.1.1:53 umengacs.m.taobao.com udp
US 1.1.1.1:53 pingma.qq.com udp
US 1.1.1.1:53 amdcopen.m.taobao.com udp
CN 110.253.188.241:443 umengacs.m.taobao.com tcp
CN 119.45.78.184:80 pingma.qq.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
HK 36.51.224.49:443 api.weibo.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
US 1.1.1.1:53 pv.sohu.com udp
GB 43.132.64.25:80 pv.sohu.com tcp
US 1.1.1.1:53 kefu2.qkagame.com udp
GB 163.171.146.42:80 kefu2.qkagame.com tcp
US 1.1.1.1:53 update.qkagame.com udp
GB 163.171.129.134:443 update.qkagame.com tcp
US 1.1.1.1:53 down.qkagame.net udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 69.28.62.188:443 down.qkagame.net tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
CN 110.253.188.241:443 umengacs.m.taobao.com tcp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
CN 36.143.252.67:80 umengjmacs.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 106.11.61.135:80 tcp
CN 106.11.61.137:80 tcp
CN 106.11.61.135:80 tcp
CN 106.11.61.135:80 tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 36.143.252.67:80 umengjmacs.m.taobao.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
CN 36.143.252.67:80 umengjmacs.m.taobao.com tcp

Files

/data/data/com.yxxinglin.xzid403062/databases/MessageStore.db-journal

MD5 ce962cd679dc8ed6ec5603460b024b2e
SHA1 1f9204593e1ad812177d5525499fbf592a7e8865
SHA256 c71244b16a33b06a0c7aa50e563a40cfbf14168d81b360c95473ee3f1c0c0342
SHA512 5643453457048b95858d3a2d318234ccd72051ce8952b0c757ca6e39c8380621dab09deece7868f32da61c17bb3db791e906dab3343e731ab1c8cb141f54f2b8

/data/data/com.yxxinglin.xzid403062/databases/MessageStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.yxxinglin.xzid403062/databases/MessageStore.db-shm

MD5 8305101a58a9bd103fe2bfa6f38200ae
SHA1 9f3b536935f37bce9214896dd659b00e2b869c3f
SHA256 102bfb76aac9a4e68c26bcbcf97f8498bc06987e5b68f5d7e8855579eae58a62
SHA512 642f6d42e4477aed9ad0c0e8aac6b38900abc84a5f05f8f5b36041b32c96331055c66961c2d34514acdb611bde54931b3432e8390f010d57d034193ac8e912ee

/data/data/com.yxxinglin.xzid403062/databases/MessageStore.db-wal

MD5 907fcc9e9f57495ec5b6b118e1111c94
SHA1 dcdb8f845b93eb6f1a86d9e9541427b5eb92a4e6
SHA256 49efac3d3d3505b82e394a9a1043f05807a3736f4773f1f53b9c9f6dd2688671
SHA512 903e67617688ef6e8c550d9683228a5571ac3d1513b75d0ee082d409dbcf121b24b600a052c75ab08855b9069a2bc1942d3ebbc8042a346c915f775367c228f1

/data/data/com.yxxinglin.xzid403062/databases/MsgLogStore.db-journal

MD5 1bdd502beafd2b81a6b658fda0582492
SHA1 f54712e566d7d9bc6053e1a77aeb91447127fc4b
SHA256 9bbe15711ce4e3beb1efc9ec7241291e13b13b05dba93085a6b360e5530c058a
SHA512 ee8b0bde15cd9ca66075cad5c31f705be8ed2586c6c59f60c3a83f87df799068b3f58187451ed593c73d13e63bb5e0a28228878ebd3ef41a213ffd9bbd80995c

/data/data/com.yxxinglin.xzid403062/databases/MsgLogStore.db

MD5 f56ee37cadc0560430d6e64a1a2c20ff
SHA1 daef90940e345324df49a44818b6c9f1dc71b674
SHA256 a2139d75407054af2423e81d7ffa63edf8fae44e41902535d454207bd026b9c9
SHA512 aad81bbb8294f59ebf0b63901c3eb362a604ec5286d47c706eac83b0f2fb16c4077062545b3b493ee47c09f2dbe0d73df2edc2b199e9189ba40c66b656b18f6d

/data/data/com.yxxinglin.xzid403062/databases/MsgLogStore.db-shm

MD5 c563a9d422e1ae39774d06c5a563446a
SHA1 cbef4249e8728590900f5837923fc8408fd4b3a5
SHA256 8fc82cf9055eb325bd57cf3a95217202e3154554bbe4fb905e1c631801388e21
SHA512 8e6a5f3d31d7c554c85e657f226811529a078a50bc8cecd77a55d649eaa7c461cf86468bee1cbec7ac4ed797f6294494ae49934f9b9a3660ab7e620490c571d0

/data/data/com.yxxinglin.xzid403062/databases/MsgLogStore.db-wal

MD5 26073325a678f799c145eff99ce984e8
SHA1 1a77c40abebeb73ee7b951f4ec18885233e3e35b
SHA256 a5bd18fea2d93e02ca2dad85bac85785dfdf1a7559c907eb5b08e7adfd790110
SHA512 9f242f5d24cca3ba13786e78ff2aa536608c445824659fc12c9bf5bf62ca171855dae6bb7867f6b1ca891a0a63c8e82b17c2d883b860f5358d130843e8a2c180

/data/data/com.yxxinglin.xzid403062/databases/accs.db-journal

MD5 771e1a02a1be8afd7fcc8bebe405fcb6
SHA1 f3bfdf99e427cb7dcd41103390a94a98eae1a2a8
SHA256 2225032b25b570c32454e2693c4c154ac6ecf5a5d8a5c13ed4f5f8ab19cc5853
SHA512 75513bb5af34b559d582cb093135792b86b508e675d7704175e85aa324f24384e2dc4021a92e1087dc15fe17426b22da37391193625147d205faa467582ac387

/data/data/com.yxxinglin.xzid403062/databases/accs.db

MD5 486e2bac2b3e9e1cb411d2838a4854bd
SHA1 81dd0a7537f4af319b830ae834908986be85da8b
SHA256 5644a250fa6cef16c2c802b98275656a5fc39dcf89bcc22193742d85c7313f57
SHA512 c146789563dae163e373489b3df53f22efebd32b69643992969241eb5ad5eec668de67e7cd2aaf5c3a8af57b0842115d00183825734f57643d3fdb09835fe681

/data/data/com.yxxinglin.xzid403062/databases/accs.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yxxinglin.xzid403062/databases/accs.db-wal

MD5 7a77509d2a8aa38c4b5f297e179ceb06
SHA1 7b78a7489546e3827089c0a8e05deeed51707c33
SHA256 cb99aa76a44fc0724cf914e592598eaf49d1f9a0d3842f067bb34587d0825575
SHA512 0a1098e237053ab1417b9c2b1c7151918ae8c7eab177228830a7ae91961baaef6b4fd3d1a75d6c91eb0495ad7aff015e76b9da09cee59acc7e9ce150f7af5226

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 b8aaa91b6b352b16457e094c6696c063
SHA1 1464a4a385ac7bb246a208a4ba35c776bc912348
SHA256 8f639acd896bb0024ad1a4a425c83da5eedd9f3ef19980121d2d7569b70e2b1c
SHA512 d7cef82d26264b0e1ae3a0fbe593e8336a851c9b79ce415b23bbd22511935364ae88ec0647c850604180ff6f72b1dcf569be4b888e18f70af72549165e1ae25e

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 0f019e74cd3b724f62a654ef23113659
SHA1 ea096cf8b7bf1d41d27e64ab03c4f405cf0cb647
SHA256 c8ae90bd0483a57012f18e5ba16a899ff529aeac59e330367e2b93cffd0b32ca
SHA512 d116f6a8a81c138b6f32633f5ba114fdbbd05528514002fcfd9d9764880efec982ab849918ba6cde4585932ef57368e8064c28a182813d42b998118a9dde1eb6

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 b13ee8be10af5f7fa172a81ba2859b3e
SHA1 7a19c46376a2cd89b30a5318214b19890e8b71c4
SHA256 1f69a53c11a5cabeb6af48a18ad4da96edc1ee75b6dff732285cc6759ddd531e
SHA512 1d8e1cedb9ea3bf3e2de553f75fd81376087c2d134941c212aed7cecae659a81be1e8e5a0a543a70002c1e5ad186fbe510acce985e733981314774791fbd62bf

/data/data/com.yxxinglin.xzid403062/databases/tencent_analysis.db-journal

MD5 38cb8ead5cf2054b51be1bdc725ceef2
SHA1 f81cb9b3469d7b4c8081049a4af5de07e98dd8c2
SHA256 8a2436dc4b7e4e5791bf77748ede6a586a4401dd38e42858e07090317f57ea3b
SHA512 57a38f78b68f15c88bfcf778c90ee7090fde6c2d3d3983b608fe2f0930d10f09f68286dadc5477fdc3708c4930365ac60e57cec8e3b904c04a90b8a6b0d449fa

/data/data/com.yxxinglin.xzid403062/databases/tencent_analysis.db-wal

MD5 fe0d5d8dcbb90559ab9ad0416d7cc99b
SHA1 b57f4ed473f95318e087698ff2cd6e8a52faa1b9
SHA256 8f830bea3d01e717f4dc9eece821d6f9f6fcd3ccd927103298af94aab85e3381
SHA512 63fc422b54246bef75ffe6b48e9ee386e9ad88f01139f8791dc06f0f8c45c53999d49da18ab5e7ef60d267e1b2321dc249b67092482136e7baf2407313a6ebb1

/data/data/com.yxxinglin.xzid403062/files/com.tencent.open.config.json.101400326

MD5 f526172de1566b34fdcea744710d9559
SHA1 000cb54d9a008a807a1c5a3fd2b2e7cb41e7939d
SHA256 8572be02b59f4d514000939ec04a9b4e2380c55265256b724a617d8d0f4c6940
SHA512 dc81f0fe345b18c96b1638c67b9ef4c5e60059dfc4a02f3c30a23645d4847abeef46cf467d044c42597115c48052ce0e8ea24328382114a544c5dfd039a95e7d

/data/data/com.yxxinglin.xzid403062/files/cclogs/2024-06-13 075359.log

MD5 ed8a16148107f3d03adb90bf6bab5c5c
SHA1 ee4ce0231af93367da4f827ab103b731a8f1a9ec
SHA256 239905f807b941d64f83f4142296a3e1d4a3c45a30cf5dfb63a1d545c96c66d8
SHA512 8e48f62d9d3ae51a75860a690593dea361597d9fe2004770f5a7a8de2e95ab71e666447ed67f634fc57c59e0dde08e2f9aad8993ad5d0b32f5128bf662aea030

/data/data/com.yxxinglin.xzid403062/databases/bugly_db_-journal

MD5 584846a4b78dfe9891c49dd590d7f107
SHA1 7122aac4a5a856974bc78b6cd4b90c0ac8d0c11f
SHA256 a9d5a76cbcfffb428bd0124eb8445971abf32bb4b4068cda166e8bcf242a4aec
SHA512 69775440d88e9a21462737c5dfb78b19cce3d8b7b5c2a57d5aeeb0b5a5d67fae8f34d2598d51adb7ec887d97ec7aea30bbdb2335438ce871128d54400a668df2

/data/data/com.yxxinglin.xzid403062/app_crashrecord/1004

MD5 66331718dddb57a6d0473c1892873b81
SHA1 62c149bb9901c43df8f693f0c6354d4c0475503f
SHA256 f1a86c6b74172839f5d12391dfb0dfb90fd79c100cd61b3d7c5b28b9ea9c7b08
SHA512 10a4b78c9f7e7274e13dc7704b0ed879ba5cecc451380039b0ce4213ea8080d9d142b3037427bb9f20eff1ef0e27c42fd9200785ec7e9473566c098a04bca96a

/data/data/com.yxxinglin.xzid403062/databases/bugly_db_-wal

MD5 6f54387b09055541482553944a1d0eef
SHA1 76d64c94b6a052540176d7e1d71eebef80cf5253
SHA256 06ff8c0d25bf9dae762a898d76db5037a2d0fd104d5b055f413a78006a599c86
SHA512 6983670fbcec26f6a1695c0d134e7ee203ce4707c2120114ca83adaf264101021967ad048ceb2ac909ff8d46a82176c9d15b1dc647bca4f8dc3f62eaacacb5c6

/data/data/com.yxxinglin.xzid403062/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1