Malware Analysis Report

2024-09-09 17:48

Sample ID 240613-keqsya1dmf
Target a4a44294f14722b5a1b855951393247f_JaffaCakes118
SHA256 c83204ef711047f13cdc971643afdd64de5d74dcb6f1eb19e2bf98655c467e15
Tags
discovery execution impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c83204ef711047f13cdc971643afdd64de5d74dcb6f1eb19e2bf98655c467e15

Threat Level: Shows suspicious behavior

The file a4a44294f14722b5a1b855951393247f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery execution impact persistence

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:31

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:31

Reported

2024-06-13 08:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

172s

Max time network

188s

Command Line

com.qijin189.huosuapp

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.qijin189.huosuapp

com.qijin189.huosuapp:pushcore

com.qijin189.huosuapp:channel

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
CN 203.107.1.97:443 - tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 umengacs.m.taobao.com udp
US 1.1.1.1:53 sdk.zaoyx.com udp
CN 203.107.1.97:443 - tcp
CN 110.253.189.208:443 umengacs.m.taobao.com tcp
US 1.1.1.1:53 amdcopen.m.taobao.com udp
US 1.1.1.1:53 s.jpush.cn udp
CN 120.46.84.108:19000 s.jpush.cn udp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 update.sdk.jiguang.cn udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.212.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 120.46.84.108:19000 s.jpush.cn udp
CN 203.107.1.97:443 - tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 203.107.1.100:443 - tcp
US 1.1.1.1:53 sis.jpush.io udp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
CN 124.239.14.248:443 umengjmacs.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 113.31.17.108:19000 - udp
CN 203.107.1.100:443 - tcp
US 1.1.1.1:53 httpdns-sc.aliyuncs.com udp
CN 203.107.1.97:443 httpdns-sc.aliyuncs.com tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 - tcp
US 1.1.1.1:53 139.9.138.15 udp
US 1.1.1.1:53 119.3.188.193 udp
US 1.1.1.1:53 im64.jpush.cn udp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
US 1.1.1.1:53 amdcopen.m.taobao.com udp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
US 1.1.1.1:53 139.9.135.156 udp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 203.107.1.97:443 httpdns-sc.aliyuncs.com tcp
CN 113.31.17.106:7000 - tcp
CN 203.107.1.100:443 httpdns-sc.aliyuncs.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 120.46.84.108:19000 easytomessage.com udp
CN 1.94.9.210:19000 easytomessage.com udp
CN 203.107.1.100:443 httpdns-sc.aliyuncs.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 106.11.61.137:80 - tcp
CN 106.11.61.137:80 - tcp
CN 123.60.89.60:19000 easytomessage.com udp
CN 124.239.14.248:443 umengjmacs.m.taobao.com tcp
CN 113.31.17.108:19000 - udp
US 1.1.1.1:53 - tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 113.31.17.106:7000 - tcp
CN 120.46.84.108:19000 easytomessage.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 1.94.9.210:19000 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
US 1.1.1.1:53 umengjmacs.m.taobao.com udp
CN 111.63.206.54:443 umengjmacs.m.taobao.com tcp
CN 113.31.17.108:19000 - udp
US 1.1.1.1:53 _im64._tcp.jpush.cn tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 113.31.17.106:7000 - tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 110.41.162.127:19000 s.jpush.cn udp
CN 1.94.9.210:19000 s.jpush.cn udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 123.60.89.60:19000 s.jpush.cn udp
CN 111.63.206.54:80 umengjmacs.m.taobao.com tcp
US 1.1.1.1:53 amdcopen.m.taobao.com udp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
CN 113.31.17.108:19000 - udp
CN 203.119.217.116:80 amdcopen.m.taobao.com tcp
US 1.1.1.1:53 _im64._tcp.jpush.cn tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp

Files

/data/data/com.qijin189.huosuapp/databases/MessageStore.db-journal

MD5 4e723cdcf77d06b7e98a2a52a5fd811a
SHA1 bc26b61150b541a167ec26e5bf2d0b7a0eb24970
SHA256 4184f1a6f6199e032d08fe7e126eaaa2da2d7460139828d16620f4d457709a62
SHA512 d756f8269a8d2f42e8037a71846b59133255be1d74acc3977073f473cb4ec09bb33a69343e5efdedcbb49de4dd312d959c258608e2c24a377a0ee873e579881a

/data/data/com.qijin189.huosuapp/databases/MessageStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.qijin189.huosuapp/databases/MessageStore.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.qijin189.huosuapp/databases/MessageStore.db-wal

MD5 ea65fda460318ad4ceaa52f0f4b831e7
SHA1 fa5e5e75f6125322d28ccc79a981a29821febc63
SHA256 37cdcf2bebb78eef0df1bf56c5b293b1d8d3291b1035e5973f65a78aa8b4a474
SHA512 2624eaa57faeee8906f118834147fa83fc501b6bf14b757709a09e6761ad540aac63ea891771062b50234995755659e1881458c63e5b47064326e51bf13da612

/data/data/com.qijin189.huosuapp/databases/MsgLogStore.db-journal

MD5 6311e8ec39c4a030093d53f98d0e8f56
SHA1 ec2f95f04d20b94f9317be23f202db86326e7d40
SHA256 4c8486ff9a40ffaba836db42613ad4a52edbe8c310d70ad946fc347c41ad3fec
SHA512 f275329023426a1bb8c750849aadee5a18af19ae2deba16480352272e03350065d7e9d7e5b6a5364a983a6f899fc88a7f8b88c58eecd87b1e86cc2b065dfda8c

/data/data/com.qijin189.huosuapp/databases/MsgLogStore.db-shm

MD5 259bcfed324b4d3fea6e94e15406a399
SHA1 6f79fbd9e4ca5b5add43051ac6001166ca0b9675
SHA256 f3770084e8014288bcf86ea2663e3dcba9d4731ccf12d3d7e6b7ce62ec3e03ef
SHA512 ac797d67b0cbb04104f5605e430b86c8143ab527a39b40867441f84516a3d55052cc66ec38da0bdcb44015366e212bd2c4737370c9b7c91bada8162c1f263b3e

/data/data/com.qijin189.huosuapp/databases/MsgLogStore.db-wal

MD5 0ac1021aef9819696bfe91f6dce4c963
SHA1 651ac0156993295a3e12ddffbaedc12bbfe4fffe
SHA256 0fb95b764c0994444b022ca1d6a72ad6fd5393b23fcd9ed755173c2368e9a90e
SHA512 afd233b665f2d147ced962ccdd56f7667ffc335b3afab875d22e26121ccbad8ad15900713fa594e66da875fa0498a381a2bd6daab0285c2c6abbca634906d328

/data/data/com.qijin189.huosuapp/databases/tencent_analysis.db_com.qijin189.huosuapp-journal

MD5 81d9fb47dfa5f67e1e81e5e32f76d1a2
SHA1 8771aaaaa33f74efe8ae11e3a656f203d787d6f8
SHA256 91cc067a6b42835d2877bded86eb4e7c38343ab96489eb603620571d33a27a60
SHA512 f04df501ef2eda5022bdb9eac8503801f53786e34c09b448e69a226558e8947805e9353910dc35d968cd2c0c660246ba0422e10f97f92ce553010bf92c940d0e

/data/data/com.qijin189.huosuapp/databases/tencent_analysis.db_com.qijin189.huosuapp-shm

MD5 c34b66d4384f39176b17f1b82b446790
SHA1 9eff61e9c94d23d0e2962b55c8b15adb8d315224
SHA256 329e0d3cd6667f9adde4f721972b7c8b191fec411e1d8f48a96690e21416289b
SHA512 38c099b2ba5fd3d75627f0eb5e73f9a3f6c633abd0792c2b4c8fe1a8f6060fee5532fc0096ad2a98afa633e727f0ba68bab44485d352db2b5b8093e32ca2b6ff

/data/data/com.qijin189.huosuapp/databases/tencent_analysis.db_com.qijin189.huosuapp-wal

MD5 6e006447c677701c996a01f58df162ec
SHA1 2c65847027cd78dadca3332b5bdbaa6f6a963930
SHA256 3c55d049e7f719dc7b48d005bd1df8a8f65e423c00cf35c9dc92910aa97f56e9
SHA512 a6274fc66752aab0af15dadc9891ca7f9000722cfc566616dfd576708096852d0e054d7165041c13e3c0cd25704f85b2501195515678b6b245ed8edad39119ff

/data/data/com.qijin189.huosuapp/databases/pri_tencent_analysis.db_com.qijin189.huosuapp

MD5 eb0f6c28bc3ad3471902e07c82d2c0db
SHA1 b6ebc7bc314ac6aa920bf71c0ee717398e101837
SHA256 9a806d0f45cddd023f8a05fc69b907a6a5aac0e35e627f12caa053ca6458d581
SHA512 6f9720e4e88da91f03fdda7f1862df69177a32b5784e4673a6e64f1704b0683435daf36932e9cbfff4b4580596374787065a4a7b69567707e4939af8dbcfa09c

/data/data/com.qijin189.huosuapp/databases/pri_tencent_analysis.db_com.qijin189.huosuapp-shm

MD5 9987d060852eeb929edd635567dcf56f
SHA1 6053ade00090e8ea9200444177227d9294a8a326
SHA256 af51fbf580dd6e29192e0fe6a0a5464c3d6e32ce7f0b481643bb494f771f09ce
SHA512 c82814a72ff8b0a045a437f0f4ecdf674a83f9ce5961b0e26d10721a8cb6d7224dbaaad84012c80c899eb28ab7fcec1e793297666f14971cea159c08db4dd859

/data/data/com.qijin189.huosuapp/databases/pri_tencent_analysis.db_com.qijin189.huosuapp-wal

MD5 37d45211c96c0b69b55d8db22b96b502
SHA1 a14c2c4e554cdb7726f842d6a481ecc802c0723a
SHA256 ed9814061f3fc7675f0d04e809f5e0c173ca9e4aab2e372e10490ef51913d3fa
SHA512 a64f8221966b2ca0e628cef9762300677613082cf7a147856e84b254775d0b6ddfe971178ff64b330a0677cea470e7cb9f5477c3040fa12be1c78fc640c14dc4

/data/data/com.qijin189.huosuapp/databases/outdbName.db

MD5 1c4274aa7a9a5cac8c6d1df71e4588c6
SHA1 abaecd685e01cc68801292e3dc7085654a22feba
SHA256 3f6cd5f480ae69859b7841450f3d032c528ba385ebf9f371b9c8fdc6eb4231be
SHA512 1adb95935798607bd36cedcd183924d3068f50097d017b278da7caee7771532b61ec3606f6189b6dec8426eb038fe40be75079ce35894b1a8e0d1d815261150c

/data/data/com.qijin189.huosuapp/databases/outdbName.db-shm

MD5 025d2a0bbddbfe91cf8e21de2030b2d8
SHA1 e2c377a7e54dc57f0fe3a6025337a723b0a644c0
SHA256 d300fd8873ad4b4698183f385af644fefadeba0114b750d61e57dea32e84570b
SHA512 92218e97fac5849fc6ce25cf89833d4b111d21705660dda858af945b6489dc2bad467bb89ce9c74a86e86dd7437823f8d30a1a9ca57411fb913cd2d19b7198d7

/data/data/com.qijin189.huosuapp/databases/outdbName.db-wal

MD5 69e45159ea754aff385071f6839436a0
SHA1 af39e5cc55ed539df219493e40e7c11bd891d7de
SHA256 394d116851f845b2a965a9808b63b173ed3efc96f2d760790ef7897bbd3fcf45
SHA512 bfce46cd45a98e861f5654a3119fd45075af868fc0af49f33512992003f4135dae8e3befada15c2f5f5cff765ebbcc500005927a57e076b9c39c01ae2d8d17f6

/storage/emulated/0/system_hs/189/outdbName.db

MD5 486e2bac2b3e9e1cb411d2838a4854bd
SHA1 81dd0a7537f4af319b830ae834908986be85da8b
SHA256 5644a250fa6cef16c2c802b98275656a5fc39dcf89bcc22193742d85c7313f57
SHA512 c146789563dae163e373489b3df53f22efebd32b69643992969241eb5ad5eec668de67e7cd2aaf5c3a8af57b0842115d00183825734f57643d3fdb09835fe681

/storage/emulated/0/system_hs/189/outdbName.db-shm

MD5 8242d22fcced66f8250722d1b6467bc9
SHA1 f6a40e49a208f4c064fa18ed542c1ac2e34e1b39
SHA256 fe7460360397c98c47e965522c5e3abc99e2f0cbaaca09c13fc4a841e5679ce7
SHA512 59114013c6e4eb4134fd98367e9fd0f1e81c79df49fc65728f53936400fa40ceb77c425e9b5f9779e2e2fe1b33fa31e8a18a006668895ccb07f14118e2dc885a

/storage/emulated/0/system_hs/189/outdbName.db-wal

MD5 a3b5e79b7adf4978b5445be69cb1e224
SHA1 6a07128ff5b44574fb654cc7d79209ffd42120ae
SHA256 dd555e3ebd725c8b6e856211e7be23def70f4b676df4e704c5c3bb158f9263fa
SHA512 19c24214e85f8bc31c20634670adff882d34f974acdab8199c5a81976f26b91c2d3c29efb9179e86213a2d1eac3fb9d32ed2a7cc7304f5a09adc408e1a7e60a3

/storage/emulated/0/system_hs/189/outdbName.db

MD5 6ccb1b41fa090bcc9c348cb0f25e826c
SHA1 89c072b876b8eb03f6e4b18e7fce3c8835eacbb4
SHA256 3b7526ac18f9a7133934bdfccac237eed07cf5ce48c50f557791af3920320131
SHA512 67fb619abe241b723608e3a1c4b85863f5c224fafffec52a9aee61c5d449a2e760b2d0787baaf2adce72daaed5472ceebebece73970a16bb4875aed8ebf2d801

/data/data/com.qijin189.huosuapp/databases/pri_tencent_analysis.db_com.qijin189.huosuapp:channel-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012