Analysis Overview
SHA256
17890b436d807d31f20a7fb06ea46c3b38cd35021b578a681358f6b24af5ddb0
Threat Level: Shows suspicious behavior
The file a49bfcb54bf28b5349876bbcb51d509b_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Reads the content of SMS inbox messages.
Loads dropped Dex/Jar
Reads the content of the SMS messages.
Requests cell location
Queries information about active data network
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 08:23
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 08:23
Reported
2024-06-13 08:26
Platform
android-x86-arm-20240611.1-en
Max time kernel
11s
Max time network
172s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.hkm.zhnkxq/files/lao/QsRSYwqVOp.jar | N/A | N/A |
| N/A | /data/user/0/com.hkm.zhnkxq/files/Plugin2.apk | N/A | N/A |
| N/A | /data/user/0/com.hkm.zhnkxq/files/yl_plugin.apk | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Reads the content of SMS inbox messages.
| Description | Indicator | Process | Target |
| URI accessed for read | content://sms/inbox | N/A | N/A |
Reads the content of the SMS messages.
| Description | Indicator | Process | Target |
| URI accessed for read | content://sms/ | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.hkm.zhnkxq
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hkm.zhnkxq/files/lao/QsRSYwqVOp.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.hkm.zhnkxq/files/lao/oat/x86/QsRSYwqVOp.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hkm.zhnkxq/files/Plugin2.apk --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/user/0/com.hkm.zhnkxq/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| CN | 120.55.89.238:8977 | | tcp |
| US | 1.1.1.1:53 | sdk.qipagame.cn | udp |
| US | 1.1.1.1:53 | jx.hamofo.com | udp |
| US | 1.1.1.1:53 | xiafa.hamofo.com | udp |
| US | 1.1.1.1:53 | zyin.bjmcmj.cn | udp |
| US | 1.1.1.1:53 | vpay.api.eerichina.com | udp |
| CN | 120.55.89.238:8977 | | tcp |
| US | 1.1.1.1:53 | passport.migu.cn | udp |
| CN | 120.55.89.238:8977 | | tcp |
| CN | 112.25.126.116:80 | passport.migu.cn | tcp |
| CN | 116.62.54.183:9004 | | tcp |
| CN | 116.62.181.149:8080 | | tcp |
| US | 1.1.1.1:53 | gyd.jms.cn.com | udp |
| US | 54.153.56.183:80 | gyd.jms.cn.com | tcp |
| CN | 115.159.152.136:8090 | | tcp |
| US | 1.1.1.1:53 | app.jtmtht.com | udp |
| US | 104.155.138.21:89 | app.jtmtht.com | tcp |
| US | 104.155.138.21:89 | app.jtmtht.com | tcp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.hkm.zhnkxq/files/lao/QsRSYwqVOp.jar
/data/user/0/com.hkm.zhnkxq/files/lao/QsRSYwqVOp.jar
/data/user/0/com.hkm.zhnkxq/files/lao/QsRSYwqVOp.jar
/data/data/com.hkm.zhnkxq/files/Plugin2.apk
/data/user/0/com.hkm.zhnkxq/files/Plugin2.apk
/data/user/0/com.hkm.zhnkxq/files/Plugin2.apk
/data/data/com.hkm.zhnkxq/databases/wochi_v4.db-journal
/data/data/com.hkm.zhnkxq/databases/wochi_v4.db
/data/data/com.hkm.zhnkxq/databases/wochi_v4.db-shm
/data/data/com.hkm.zhnkxq/databases/wochi_v4.db-wal
/data/data/com.hkm.zhnkxq/files/log.dat
/data/data/com.hkm.zhnkxq/files/yl_plugin.apk
/data/user/0/com.hkm.zhnkxq/files/yl_plugin.apk
/data/data/com.hkm.zhnkxq/databases/740410100062013-journal
/data/data/com.hkm.zhnkxq/databases/740410100062013-wal
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 08:23
Reported
2024-06-13 08:23
Platform
android-x86-arm-20240611.1-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 08:23
Reported
2024-06-13 08:23
Platform
android-x64-20240611.1-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 08:23
Reported
2024-06-13 08:23
Platform
android-x64-arm64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |