Analysis Overview
SHA256
12d20d05a95e61c4cda9313e55bbed3b4b0cdf1462208abddb7c35f17013ece6
Threat Level: Likely malicious
The file a482b9b704ada039f2ea9bb76e554fe9_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:53
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:53
Reported
2024-06-13 07:57
Platform
android-x86-arm-20240611.1-en
Max time kernel
3s
Max time network
158s
Command Line
Signatures
Checks the presence of a debugger
Processes
com.yunpos.haojingapp
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.201.106:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.212.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
/data/data/com.yunpos.haojingapp/.x86lib/libbaiduprotect_x86.so
| MD5 | a2c108086e8b213f1a02fe89a9f2b900 |
| SHA1 | 64151eb01f864a618a3e8dc862c6c8ad15f3fcb0 |
| SHA256 | 0d0615c1d818a668c3850f73762c3524f86c8481650276d61dad734747395122 |
| SHA512 | 7e8799b1a8dbf7e50de2eb91041842b69a9787a26ad6576aea592e4a5acbafc221f78f72f486b4123e565771880919e95fe7097cc42e2f7875d353820fb01d81 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:53
Reported
2024-06-13 07:57
Platform
android-x86-arm-20240611.1-en
Max time kernel
7s
Max time network
148s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.allinpay.appayassistex
/system/bin/sh -c getprop
getprop
/system/bin/sh -c type su
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| GB | 216.58.212.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.allinpay.appayassistex/databases/bugly_db_-journal
| MD5 | 8547892c14f7a7465d3dd7195c0b2983 |
| SHA1 | d800db83071e5dd3a9574e7197a21e8d01e29c27 |
| SHA256 | 36062e84112fb15ac3d53d4f6d6b203e70db4f4639031302cf13a90625d242a1 |
| SHA512 | f3ae0cd33b84fa63504c62a51818e729c5be2256fb8aad8dd6c7ba464e6bc4d896cbb33f7b5ae42ea125903816d582e380b16c603f0be58295da7c7db7985aca |
/data/data/com.allinpay.appayassistex/app_crashrecord/1004
| MD5 | 583688d7733be30a8301fd6f023d120e |
| SHA1 | 70febda905d881f8c9cb4394cf429c8c9ee050eb |
| SHA256 | f3af43d6b5449cfe997e182b733749249e801bc3fdfa462fc7016ff5eb9d8c34 |
| SHA512 | 9a027eb2bd029a8ec7a03bbb0659379f60888ce72ce7a4ba93273010f444bee5203035b1dde9135faf46f10778e9a64df9ec84ea136e6fce9c84c25233449108 |
/data/data/com.allinpay.appayassistex/databases/bugly_db_
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.allinpay.appayassistex/databases/bugly_db_-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.allinpay.appayassistex/databases/bugly_db_-wal
| MD5 | 1bc860c4bfe67e8717eba32e76e69409 |
| SHA1 | 4099f135b3d3c312ff9b7be2190709a1f20fb1ca |
| SHA256 | 30d1f59577d014fae5ece1ec891095b7e4ca2d69ed2bc2873224387eb8c680a2 |
| SHA512 | 1fd3ae4093279ad4da38f8096a0a10669ae9188a15dd48f438a91b8c473b6281398cf275e4ab9d25b777a0508a8813271faa97786585c2f6fe8cd8e5c4aada5c |
/data/data/com.allinpay.appayassistex/app_crashrecord/1004
| MD5 | 0d210bfb2a0e1f1b4c082a6a0f79de07 |
| SHA1 | bb8ed9e364db79d1d9f2fcde3f15091893222faa |
| SHA256 | 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d |
| SHA512 | 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1 |