Malware Analysis Report

2024-07-28 11:29

Sample ID 240613-k677aswepm
Target a4cc53b58e0343643e277f2e15e9577f_JaffaCakes118
SHA256 a0d01e4b3d205f5f10fa7e7370779d33e06febcbdc823d3f66f10b20bd0a56b8
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Threat Level: Likely malicious

The file a4cc53b58e0343643e277f2e15e9577f_JaffaCakes118 (package com.zuoyebang.airclass) was found to be: Likely malicious. The verdict is heuristic: it rests on the behaviour signatures listed below (root and emulator probing, process and network discovery, cell-location requests, runtime-registered receivers, crypto calls), and the Network and Files sections show the traffic going to the app vendor's own hosts (nlogtj.zuoyebang.cc, www.zybang.com) and to bundled third-party SDK endpoints (qapm/ufosdk/crab.baidu.com, adash and httpdns-sc.aliyuncs.com, nim.qiyukf.com) that produce the same signatures in benign apps. Treat the score as a prompt for review rather than a confirmed malware call.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Requests cell location

Checks Android system properties for emulator presence.

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 09:14

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
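The static signature above is a flat list; the first thing a reviewer does with it is sort the requests by what the platform actually gates them on. The Python below is an added example (not Triage's code and not part of the original report): it parses `aapt dump permissions` style output into the Android runtime-permission groups, separates the two "special" permissions in this manifest (WRITE_SETTINGS and REQUEST_INSTALL_PACKAGES are granted through a Settings screen, not a runtime prompt), and applies a few constructed analyst heuristics for risky combinations. The sample dump is built from the table above plus INTERNET as a control line; the group mapping and the flag names are this example's own.

```python
import re
from collections import defaultdict

# Runtime ("dangerous") permissions grouped the way the Android platform documents them.
# The mapping is constructed for this example; extend it as the platform changes.
DANGEROUS_GROUPS = {
    "CALENDAR": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "CALL_LOG": {"READ_CALL_LOG", "WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS"},
    "CAMERA": {"CAMERA"},
    "CONTACTS": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "LOCATION": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                 "ACCESS_BACKGROUND_LOCATION"},
    "MICROPHONE": {"RECORD_AUDIO"},
    "PHONE": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS", "CALL_PHONE",
              "ANSWER_PHONE_CALLS", "ADD_VOICEMAIL", "USE_SIP"},
    "SENSORS": {"BODY_SENSORS"},
    "SMS": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"},
    "STORAGE": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}
# "Special" permissions never show a runtime prompt; the user toggles them in Settings.
SPECIAL = {"WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES", "SYSTEM_ALERT_WINDOW",
           "PACKAGE_USAGE_STATS"}

# Accepts both aapt styles: "uses-permission: name='X'" and the older "uses-permission: X".
USES_PERM = re.compile(r"^uses-permission[^:]*:\s*(?:name=')?([A-Za-z0-9_.]+)")


def parse_aapt_permissions(dump_text):
    """Return the set of permission names found in `aapt dump permissions` output."""
    perms = set()
    for line in dump_text.splitlines():
        m = USES_PERM.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def triage(perms):
    """Bucket permissions into dangerous groups, special permissions and everything else."""
    dangerous, special, other = defaultdict(list), [], []
    for perm in sorted(perms):
        prefix, _, short = perm.rpartition(".")
        group = next((g for g, members in DANGEROUS_GROUPS.items() if short in members), None)
        if prefix == "android.permission" and group:
            dangerous[group].append(perm)
        elif prefix == "android.permission" and short in SPECIAL:
            special.append(perm)
        else:
            other.append(perm)
    return {"dangerous": dict(dangerous), "special": special, "other": other}


def capability_flags(perms):
    """Analyst heuristics (constructed here, not platform semantics) for risky combinations."""
    short = {p.rpartition(".")[2] for p in perms}
    flags = []
    if {"READ_SMS", "RECEIVE_SMS"} <= short:
        flags.append("sms-interception")    # can read and intercept OTP / 2FA messages
    if "CALL_PHONE" in short:
        flags.append("dialer-bypass")       # calls placed without the user confirming
    if "REQUEST_INSTALL_PACKAGES" in short:
        flags.append("sideload-installer")  # can stage and install further APKs
    if {"RECORD_AUDIO", "CAMERA"} <= short:
        flags.append("av-capture")
    if short & {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}:
        flags.append("location-tracking")
    return flags


# Constructed sample: the permissions from the static1 signature above in aapt's
# name='...' style, plus INTERNET as a normal-protection control line.
SAMPLE_DUMP = """package: com.zuoyebang.airclass
uses-permission: name='android.permission.READ_CALENDAR'
uses-permission: name='android.permission.WRITE_CALENDAR'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.WRITE_SETTINGS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.WRITE_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.INTERNET'
"""
SAMPLE_PERMS = parse_aapt_permissions(SAMPLE_DUMP)

if __name__ == "__main__":
    result = triage(SAMPLE_PERMS)
    for group, members in sorted(result["dangerous"].items()):
        print(f"{group:11s} {', '.join(p.rpartition('.')[2] for p in members)}")
    print("special:", result["special"])
    print("flags:  ", capability_flags(SAMPLE_PERMS))
```

Eight of the ten dangerous groups are requested by this manifest, which is what the sandbox's "Requests dangerous framework permissions" signature is summarising; the flags only say which combinations deserve a look at the code paths behind them, not that those paths are abused.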

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 09:13

Reported

2024-06-13 09:17

Platform

android-x86-arm-20240611.1-en

Max time kernel

141s

Max time network

190s

Command Line

com.zuoyebang.airclass

Signatures

Checks if the Android device is rooted.

evasion
| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| N/A | /system/bin/su | N/A | N/A | 3 |
| N/A | /system/xbin/su | N/A | N/A | 6 |

Checks Android system properties for emulator presence.

evasion
| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| Accessed system property key | ro.product.name | N/A | N/A | 1 |
| Accessed system property key | ro.serialno | N/A | N/A | 1 |

Queries information about running processes on the device

discovery
| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A | 5 |

Requests cell location

collection discovery evasion
| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A | 5 |

Queries information about active data network

discovery
| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A | 5 |

Queries information about the current Wi-Fi connection

discovery
| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A | 1 |

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A | 5 |

Uses Crypto APIs (Might try to encrypt user data)

impact
| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A | 5 |

Checks CPU information

| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A | 1 |

Checks memory information

| Description | Indicator | Process | Target | Hits |
|---|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A | 3 |
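The behavioural signatures above are the product of rules run over the sandbox's event stream. As an added example (not the sandbox's own code and not part of the original report), the Python below reconstructs that step: a small rule set written in the report's own indicator syntax, plus an assumed `exec: <command>` line for spawned processes (the report only shows those in the process tree), is run over a constructed event log and produces per-signature hit counts, the distinct indicators behind each, and the tag union that becomes the Malicious Activity Summary. The rule names and tag assignments are this example's, chosen to match the report's labels.

```python
import re
from collections import Counter

# Signature rules constructed for this example: (name, tags, pattern). Group 1 of each
# pattern is the indicator to record. Indicator formats mirror the behavioral1 section;
# the "exec: <cmd>" form for spawned commands is an assumption of this example.
RULES = [
    ("root-check", {"evasion"}, re.compile(
        r"^(?:File opened for read|exec: ls -l) "
        r"(/system/(?:bin|xbin)/su|/sbin/su|/system/app/Superuser\.apk)$")),
    ("emulator-check", {"evasion"}, re.compile(
        r"^Accessed system property key: "
        r"(ro\.(?:product\.name|serialno|hardware|kernel\.qemu|build\.fingerprint))$")),
    ("hardware-fingerprint", {"discovery"}, re.compile(
        r"^File opened for read (/proc/(?:cpuinfo|meminfo))$")),
    ("process-discovery", {"discovery"}, re.compile(
        r"^Framework service call (android\.app\.IActivityManager\.getRunningAppProcesses)$")),
    ("cell-location", {"collection", "discovery", "evasion"}, re.compile(
        r"^Framework service call (com\.android\.internal\.telephony\.ITelephony\.getCellLocation)$")),
    ("network-discovery", {"discovery"}, re.compile(
        r"^Framework service call (android\.net\.(?:IConnectivityManager\.getActiveNetworkInfo"
        r"|wifi\.IWifiManager\.getConnectionInfo))$")),
    ("dynamic-receiver", {"persistence"}, re.compile(
        r"^Framework service call (android\.app\.IActivityManager\.registerReceiver)$")),
    ("crypto-api", {"impact"}, re.compile(
        r"^Framework API call (javax\.crypto\.Cipher\.doFinal)$")),
]


def classify(events):
    """Match each event line against the rules; return per-signature hit counts,
    the distinct indicators behind each, the union of tags, and the lines nothing matched."""
    hits, indicators, tags, unmatched = Counter(), {}, set(), []
    for raw in events:
        line = raw.strip()
        for name, rule_tags, pattern in RULES:
            m = pattern.match(line)
            if m:
                hits[name] += 1
                indicators.setdefault(name, set()).add(m.group(1))
                tags |= rule_tags
                break  # first matching rule wins; keep the list ordered most specific first
        else:
            unmatched.append(line)
    return {
        "hits": dict(hits),
        "indicators": {k: sorted(v) for k, v in indicators.items()},
        "tags": sorted(tags),
        "unmatched": unmatched,
    }


# Constructed sample event log in the report's indicator formats (not sandbox output).
SAMPLE_EVENTS = [
    "File opened for read /system/bin/su",
    "File opened for read /system/xbin/su",
    "exec: ls -l /system/xbin/su",
    "Accessed system property key: ro.product.name",
    "Accessed system property key: ro.serialno",
    "Accessed system property key: ro.build.version.sdk",  # ordinary lookup, no rule fires
    "File opened for read /proc/cpuinfo",
    "File opened for read /proc/meminfo",
    "Framework service call android.app.IActivityManager.getRunningAppProcesses",
    "Framework service call com.android.internal.telephony.ITelephony.getCellLocation",
    "Framework service call android.net.IConnectivityManager.getActiveNetworkInfo",
    "Framework service call android.net.wifi.IWifiManager.getConnectionInfo",
    "Framework service call android.app.IActivityManager.registerReceiver",
    "Framework service call android.app.IActivityManager.registerReceiver",
    "Framework API call javax.crypto.Cipher.doFinal",
    "File opened for read /data/data/com.zuoyebang.airclass/databases/events.db",  # app's own DB
]

if __name__ == "__main__":
    summary = classify(SAMPLE_EVENTS)
    for name, count in sorted(summary["hits"].items()):
        print(f"{name:22s} x{count}  {summary['indicators'][name]}")
    print("tags:", " ".join(summary["tags"]))
    print("unmatched:", len(summary["unmatched"]))
```

Keep the `unmatched` list: it is how you notice harmless lookups such as `ro.build.version.sdk` and find new indicators worth a rule. Every rule here also fires on common commercial SDKs (root and emulator probing for anti-fraud, `getCellLocation` for coarse geolocation, `Cipher.doFinal` for any SDK that encrypts its own config or telemetry), so the hit counts inform a verdict rather than settle one.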

Processes

com.zuoyebang.airclass
    logcat -v time
com.zuoyebang.airclass:core
    logcat -v time
com.zuoyebang.airclass:channel
    logcat -v time
    logcat -t 300 -v time
    ls -l /system/xbin/su
com.zuoyebang.airclass:core
    logcat -v time
    logcat -t 300 -v time
    ls -l /system/xbin/su
com.zuoyebang.airclass:channel
    logcat -v time
    logcat -t 300 -v time
    ls -l /system/xbin/su

Child commands are indented under the app process (main, :core or :channel) that spawned them. The `ls -l /system/xbin/su` invocations are the shell side of the root check flagged under Signatures; the logcat invocations read the device log from inside the app's own processes.

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | qapm.baidu.com | udp |
| HK | 103.235.46.42:443 | qapm.baidu.com | tcp |
| US | 1.1.1.1:53 | ufosdk.baidu.com | udp |
| US | 1.1.1.1:53 | nlogtj.zuoyebang.cc | udp |
| CN | 81.70.127.148:443 | nlogtj.zuoyebang.cc | tcp |
| CN | 124.237.176.102:443 | ufosdk.baidu.com | tcp |
| US | 1.1.1.1:53 | nim.qiyukf.com | udp |
| CN | 203.107.1.97:443 | | tcp |
| US | 1.1.1.1:53 | www.zybang.com | udp |
| CN | 183.136.182.36:443 | nim.qiyukf.com | tcp |
| CN | 183.136.182.36:443 | nim.qiyukf.com | tcp |
| CN | 81.70.126.109:443 | www.zybang.com | tcp |
| US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| HK | 103.235.46.42:443 | qapm.baidu.com | tcp |
| CN | 203.107.1.97:443 | | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| HK | 103.235.46.42:443 | qapm.baidu.com | tcp |
| CN | 203.107.1.97:443 | | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 203.107.1.100:443 | | tcp |
| US | 1.1.1.1:53 | crab.baidu.com | udp |
| CN | 112.34.111.91:443 | crab.baidu.com | tcp |
| CN | 203.107.1.100:443 | | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| US | 1.1.1.1:53 | httpdns-sc.aliyuncs.com | udp |
| CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp |
| HK | 103.235.46.42:443 | qapm.baidu.com | tcp |
| CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 112.34.111.91:443 | crab.baidu.com | tcp |
| HK | 103.235.46.42:443 | qapm.baidu.com | tcp |
| CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 112.34.111.91:443 | crab.baidu.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp |
| US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
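The connection list above is the raw flow log, so repeated endpoints, DNS lookups and mDNS noise are interleaved. As an added example (not from the report or the sandbox), the Python below parses rows in that same layout, collapses them into endpoints, and pulls out what matters for IOC extraction: the resolver used and the names queried, cleartext HTTP (adash.man.aliyuncs.com on port 80 here), destinations contacted by literal IP before any name was attached (203.107.1.97 and 203.107.1.100 above are hit without a preceding lookup and only later tied to httpdns-sc.aliyuncs.com), and destinations that never had a name at all (142.250.180.14:443). The sample rows are a constructed subset of the table above.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the report's own "Country Destination Domain Proto" layout.
# The Domain column is empty when the sandbox could not tie the flow to a DNS answer,
# which is why rows carry either three or four fields.
SAMPLE_ROWS = """\
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 qapm.baidu.com udp
HK 103.235.46.42:443 qapm.baidu.com tcp
CN 203.107.1.97:443 tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 203.107.1.97:443 tcp
US 1.1.1.1:53 httpdns-sc.aliyuncs.com udp
CN 203.107.1.97:443 httpdns-sc.aliyuncs.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
HK 103.235.46.42:443 qapm.baidu.com tcp
"""


def parse_rows(text):
    """Parse flattened network rows into dicts; rows with an unexpected field count are skipped."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, _, port = dest.rpartition(":")
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return flows


def summarize(flows):
    """Collapse repeated flows into endpoints and pull out what an analyst checks first:
    resolver and queried names, multicast noise, cleartext HTTP, hosts contacted by raw IP
    before any name was attached, and hosts never resolved at all."""
    resolvers, queried, multicast = set(), set(), set()
    endpoints = Counter()          # (ip, port, proto, domain) -> number of flows
    first_domain = {}              # ip -> domain on the first flow to that ip ("" if none)
    attributed = defaultdict(set)  # ip -> every domain ever attached to it
    for f in flows:
        if ipaddress.ip_address(f["ip"]).is_multicast:
            multicast.add(f"{f['ip']}:{f['port']}/{f['proto']}")
            continue
        if f["port"] == 53 and f["proto"] == "udp":
            resolvers.add(f["ip"])
            if f["domain"]:
                queried.add(f["domain"])
            continue
        endpoints[(f["ip"], f["port"], f["proto"], f["domain"])] += 1
        first_domain.setdefault(f["ip"], f["domain"])
        if f["domain"]:
            attributed[f["ip"]].add(f["domain"])
    return {
        "resolvers": sorted(resolvers),
        "queried": sorted(queried),
        "multicast": sorted(multicast),
        "endpoints": dict(endpoints),
        "plaintext_http": sorted({(ip, dom) for ip, port, proto, dom in endpoints
                                  if proto == "tcp" and port == 80}),
        # Contacted by literal IP first, with a name only on a later flow: typical of
        # bootstrap addresses baked into an SDK (the HTTPDNS case above) and worth pinning as IOCs.
        "ip_before_name": {ip: sorted(doms) for ip, doms in attributed.items()
                           if first_domain[ip] == ""},
        "never_resolved": sorted({ip for ip, _, _, _ in endpoints if ip not in attributed}),
        "domains": sorted(queried | {d for doms in attributed.values() for d in doms}),
    }


if __name__ == "__main__":
    report = summarize(parse_rows(SAMPLE_ROWS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over the full table and the 52 rows reduce to a dozen endpoints; the `ip_before_name` and `plaintext_http` buckets are the two worth carrying into a detection rule, since a hard-coded IP and an unencrypted telemetry channel are both things you can match on the wire without relying on DNS.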

Files

/data/data/com.zuoyebang.airclass/databases/MessageStore.db-journal

MD5 924b7e92228185ab7d9182b3f5f0950d
SHA1 885b45fc0bacc42c4ce56105c5fd85a884c0eaa9
SHA256 f8faed05c51282cde000626e288269e8d2177114440a954f17319105da3b9182
SHA512 2c0bfb85eccb82332fa70a8197cc7d2bf81d825dce63f75be042d239cdcc9943cf4ee1ce730d4ce70b0f41053e1a68cb423b0abd5b67c3e34b6cf21879439393

/data/data/com.zuoyebang.airclass/databases/MessageStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.zuoyebang.airclass/databases/MessageStore.db-shm

MD5 a1cbde7f504e3bfc58c50ddfc89dcfa8
SHA1 88b8a59cbe4bdaebecb42c0ab54d90969959ecbe
SHA256 9e49ad8e37d5471962b3f81295a707fcc3f7cf02b2fec25c17be270704fae615
SHA512 7801421d66827efbfd2fd356fb8d5f505c1d54d8fb62aa616458cc98c61fee5660d0b2da8076400aa33ba1439b08c476b1c0cc2ed188747a26c77b5774d768df

/data/data/com.zuoyebang.airclass/databases/MessageStore.db-wal

MD5 2ff2453383b0067b2cd6a7f11428887a
SHA1 a5513d2c7bac2718852dc349648f54975baa49ee
SHA256 b8523636fdaac0b1b68ba18c3c732c4a9a3c86ee09786f804634ddd6d9607fb1
SHA512 2c924499716965426455f51660dba4994de409eaa6ae735e1317cd3561c974e12af939cdff38837aa76c4a210c048b0551d8bf9033cac415aa78d290d2f36010

/data/data/com.zuoyebang.airclass/databases/MsgLogStore.db-journal

MD5 d3f06aef0012269390892495f7950cc8
SHA1 334cb2a10d4b3364bb7807cfe0b173a1aee6084b
SHA256 02c22782c8b0be5dfdfdaf18db748aa57b610266ba90a6760eb69b24d33fa2d1
SHA512 9a29da30fc3c885f4b891616f923b233c5b5bdd6df1194c1e5143fc854fcdec3db248752c2d3f0071620fed803a3c95cf7734bca247c3c35d30624b8360aa02c

/data/data/com.zuoyebang.airclass/databases/MsgLogStore.db

MD5 25c21eb407f26db4008773ddbe292240
SHA1 a8ea7d8bc03fe5793e804ad41cd3f198a83c168a
SHA256 f8bb5c40db3073606b336e1d1bf6272c3778992d6aae81cf71c87305a9a5e441
SHA512 cf8b93d512f22b141c9bb0372064d3e9d6feedd433fada3287ec6e5e8ce487b02ea548ac74359754604a8cfe0c27cb1e40b2a2a02d5f0f0493af8d0968285597

/data/data/com.zuoyebang.airclass/databases/MsgLogStore.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.zuoyebang.airclass/databases/MsgLogStore.db-wal

MD5 1806ce69b9f0e1723aaf784a0bea2f30
SHA1 305e494bde44f6491fe6cd3fd2cf5a00c072889b
SHA256 1f56de58217bbfdc4f2c4605b64506c049f16c96669cf8d00defa9e84c1b61b1
SHA512 da615766027bfe4d25082f1fb590df4bae91968b657f3b3c634243530e8c8504e46bb1a818d321aaddc309a7abe011b151d27f708150a8bd9cd190e8b8785ecb

/storage/emulated/0/backups/.SystemConfig/.cuid2

MD5 3fda7afb500b4180f60c3154bc5bd81d
SHA1 a89aa4e7244ffc60f5ec74fba3bc807dceb6420c
SHA256 6cefbf72f8f3bd0f52e3439163561eb711b0890ca61c1f989366d3295c822ded
SHA512 6f46b601462f9ff19acd22173512206b5a2a86483d6bb33a60dcca06c5f6cddddb34653bd4e09b2bfee5f6da8c32fc2c6d2200d15db5c7334dfd8557c2bffaf0

/data/data/com.zuoyebang.airclass/databases/events.db-journal

MD5 1e38d4e625347fb41d42f1b24ffaa049
SHA1 7e0f16bc2eed4113aafc910452522da84e54e581
SHA256 5b5c8f9cc1af103504c95abe009a597448cdae654ff36aab67ffbf7d49414213
SHA512 b9861a871d9c66c67da9a143ae60785f88404ece924c2c6c6cd2914d70ccb9303358d6efdacfc49ef8196ee8f39c2a28a3bd54b2e538ea6220fac0e056afa2de

/data/data/com.zuoyebang.airclass/databases/events.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.zuoyebang.airclass/databases/events.db-wal

MD5 94f1b5000f9a9d69ace9390246a349a4
SHA1 e9814162a75209fce37359618c13a5af881885f8
SHA256 615eaad8ca8a258bfb74327d8af8891f2716057dab401acd5bff5f7aae4be2a4
SHA512 75659f2bf49b3b0a8647f53523838b276d0d2c0ea5fc7d10d996c8858a6bf30680c23d7059ff72d79392703e4a014b5fb2473a9ba7db5c746dca2716bb2f8694

/data/data/com.zuoyebang.airclass/databases/airclass.db-journal

MD5 d66d0189eff58720bb87f588a9361923
SHA1 e72f5d51d35a697c9e55d5aab884a21d951d063c
SHA256 42f4d25152e54d25ba52dca4ad2b85f851a90688c050f21d826f1256b9a57b82
SHA512 cd8fab0082c216f1c9e21114eb4dbaef4e4011e02d647f5e0ba6ec66f8d4e9b8c4991fea6dad0db1d21c0bdb1877c6aca9cbab229f76d8a2413911bd23b38e16

/data/data/com.zuoyebang.airclass/databases/airclass.db-wal

MD5 191167d1a6a1eeff2982da17705fdb61
SHA1 4f585c18a7d26727e7936c0d9b5807fc8d89caf2
SHA256 c7338564025d418f10d7d276cf02153e56eb7975bab9fa72b95919174e058d61
SHA512 8f40949ffc4bb2dfd740941097d3ed13fa873552b652892c91d2d68d1030e4eb1fe8b6df4720aed7fa632922cfbe7e16163e55cc77a71845e88d7fbdeac03a19

/storage/emulated/0/Android/data/com.zuoyebang.airclass/loggers/202406130914_-1_main_0.txt

MD5 60eef6fccdbc5d8d1e716b7cc3e6ed48
SHA1 f10ee84a2f0e964161324b4abd25e56c23ce0c9d
SHA256 c7be239d5156297942be254894f6a0d0f9ffdf7318e900f04c25ddefdc245367
SHA512 e70c242360754640a861407e64211b89ecb9035954c953902940bdc7e50c79c969f3d42bed8b3538244f0399c221c6688e666bb0ad0083c72b76eee149be0c51

/data/data/com.zuoyebang.airclass/unicorn#cheese#

MD5 fe8737e987ccb94b66443f918291936e
SHA1 548b7de73c83452d04cc33598d2913bc78c5f44b
SHA256 efbc00c065ac71305ce616f744f1226852a640754c20da019095d3138cd93aa9
SHA512 71e8b76c62c75938dd1c572f2c134e428e18f67facffca2b4f8b738b74cc8408586ca2389feeae366f5ec09920653bc2c99cfa3a1d718a2e2c7a6eeba05824c7

/storage/emulated/0/Android/data/com.zuoyebang.airclass/files/com.qiyukf.unicorn/log/tmp_u_20240613

MD5 fcd6bcb56c1689fcef28b57c22475bad
SHA1 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256 de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 befb1904f66a4b54936151833e19835c
SHA1 8a1a6a99ffce4fbbc2f4d277ee4b754c23f8d83e
SHA256 88207cf60555b8b9a1bb600db1d44d05400963c68a1953ec757a0c8d391afdf0
SHA512 6f262dd09ac2677a992ae78648f25dd0032dda3b962d6ef8d31a12885fd405210d0af0f0fcd58645d03272e074fa6c63f940eb1c7a6fbfc8f086e7bfe944ef06

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 fd8ebc1b080fe9cde042b60ef54847c5
SHA1 a875f28a42213faa96def99cdca5652cedc4e59b
SHA256 6c04ae9527745edc5b9096775f01a2dda2be4f1301fbfcb898e850cc7d4fc4e4
SHA512 da346cc62cd279fdbd2a47f8d48c73ce61219be2f716cdc2454bcb700dce7278b5fbeeb479734d2c7dd8cc369025661fbcd357a7d31e978b0f674b56dbcb0028

/data/data/com.zuoyebang.airclass/databases/accs.db-shm

MD5 4a613f45c5bff5530f6ef9951f5d1855
SHA1 71d0a0386fe6066d507455e5c8a2dec2d52902aa
SHA256 b6af8af8599f6fb6465d9fb4ee5fa21eb4622c7488645e8dd8dbbd66e18f14b4
SHA512 8704d4676e06f16563ab4991f535c8d11cfebec83474cb3dca82db7c1464a6d836a45006777251e7ac8fa0f607889b389e6cbb9c147550f6759ad10c4f4ecca0