Analysis Overview

score

7^/10

SHA256

86b8c3507d2115b523da90444288d95cf268588a28ea20ffc32851f04af757d3

Threat Level: Shows suspicious behavior

The file a4b26e958af95a3fd7bd1a196e70359d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:47

Signatures

Requests dangerous framework permissions

Description	Indicator	Process	Target
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE	N/A	N/A
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE	N/A	N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE	N/A	N/A
Required to be able to access the camera device.	android.permission.CAMERA	N/A	N/A
Allows an app to access approximate location.	android.permission.ACCESS_COARSE_LOCATION	N/A	N/A
Allows an app to access precise location.	android.permission.ACCESS_FINE_LOCATION	N/A	N/A
Allows an application to request installing packages.	android.permission.REQUEST_INSTALL_PACKAGES	N/A	N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW	N/A	N/A
Allows an application to read the user's contacts data.	android.permission.READ_CONTACTS	N/A	N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:47

Reported

2024-06-13 08:48

Platform

android-33-x64-arm64-20240611.1-en

Max time network

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country	Destination	Domain	Proto
GB	216.58.212.196:443		tcp
N/A	224.0.0.251:5353		udp
GB	172.217.16.228:443		udp
GB	172.217.16.228:443		tcp
GB	142.250.187.202:443		udp
GB	142.250.187.202:443		tcp
GB	142.250.187.202:443		tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 08:47

Reported

2024-06-13 08:47

Platform

android-x86-arm-20240611.1-en

Max time network

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country	Destination	Domain	Proto
N/A	224.0.0.251:5353		udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:47

Reported

2024-06-13 08:50

Platform

android-x86-arm-20240611.1-en

Max time kernel

11s

Max time network

130s

Command Line

com.sgn.popcornmovie

Signatures

Loads dropped Dex/Jar

evasion

Description	Indicator	Process	Target
N/A	/data/data/com.sgn.popcornmovie/.jiagu/classes.dex	N/A	N/A
N/A	/data/data/com.sgn.popcornmovie/.jiagu/classes.dex!classes2.dex	N/A	N/A
N/A	/data/data/com.sgn.popcornmovie/.jiagu/classes.dex!classes3.dex	N/A	N/A
N/A	/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex	N/A	N/A
N/A	/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex	N/A	N/A
N/A	/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex	N/A	N/A

Queries information about running processes on the device

discovery

Description	Indicator	Process	Target
Framework service call	android.app.IActivityManager.getRunningAppProcesses	N/A	N/A

Queries information about active data network

discovery

Description	Indicator	Process	Target
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	N/A	N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description	Indicator	Process	Target
Framework service call	android.app.IActivityManager.registerReceiver	N/A	N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description	Indicator	Process	Target
Framework API call	javax.crypto.Cipher.doFinal	N/A	N/A

Checks CPU information

Description	Indicator	Process	Target
File opened for read	/proc/cpuinfo	N/A	N/A

Processes

com.sgn.popcornmovie

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.sgn.popcornmovie/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

cat /sys/class/net/wlan0/address

Network

Country	Destination	Domain	Proto
GB	172.217.169.74:443		tcp
N/A	224.0.0.251:5353		udp
CN	203.107.1.97:443		tcp
US	1.1.1.1:53	log.umsns.com	udp
CN	59.82.29.162:443	log.umsns.com	tcp
US	1.1.1.1:53	adash.man.aliyuncs.com	udp
CN	59.82.40.77:80	adash.man.aliyuncs.com	tcp
US	1.1.1.1:53	f.gm.mob.com	udp
CN	180.188.25.47:80	f.gm.mob.com	tcp
US	1.1.1.1:53	umengacs.m.taobao.com	udp
GB	142.250.187.238:443		tcp
US	1.1.1.1:53	android.apis.google.com	udp
GB	142.250.187.238:443	android.apis.google.com	tcp

Files

/data/data/com.sgn.popcornmovie/.jiagu/libjiagu.so

MD5	610a895c4a71bbeeaea16eddb1422bbf
SHA1	9f919de42ed1e80bfadfef48f8202b202166f869
SHA256	baa349e9b5a47be21b6ea00ef2e0c0c5dc203c0e4c391dac46df07ca9d333217
SHA512	ef4173ba32309ef1257b75bcff28fd44ab14398577b4fb3b6b95323035c964201ed39546cda3b7115ba5025781f3b9c018443e7932edd50a25b1be60359f80f2

/data/data/com.sgn.popcornmovie/.jiagu/classes.dex

MD5	fb9f8a351cec33a76f442e5f60a81b9a
SHA1	fcab2e611f62954f9394c49b7055a064f44f0cb8
SHA256	24c47bdc78e7a748ca14fccb50c3f5391e4b9ff5d35c8b0682594d2fe3844cce
SHA512	71415dae8f5e8da8b962ff3553d892d1fbc17498a70e0c51040eea838ba3877c51521395ab08efb251af0516f441d7dda02dc2e7f1af178952e02447cdb9459d

/data/data/com.sgn.popcornmovie/.jiagu/classes.dex!classes2.dex

MD5	32ef01f4721e30cc0dd1fc3307ebfdba
SHA1	9b130f9304751f9d5d1573fe6ff493a11be712b9
SHA256	1cc310556b5d42c18433a6deb9c1876c2132b126c66111f01fc82076cf2e726e
SHA512	1e1cd531b92e34582d0784d86933d811304349af717a50adb74fa7c89bc25ea9882b1b280a4e266f2bb2b86158497ec18bad5f519842271a8e548cf939cb9c22

/data/data/com.sgn.popcornmovie/.jiagu/classes.dex!classes3.dex

MD5	862fc34f7bdbe05dc8b5db9c0faebff0
SHA1	83243c85cd40e93b8f4115216c331f9d4a0bac02
SHA256	d32b0179081a1785e39fd30498b1ab99877be98427b0d58649b5b4b11ea6630c
SHA512	bf31f949710342b8aed219f91176703a8c0654c2389028791ededc7fc1df6dbf587886ae9b93f34c36474ad790706ed117ee0afc51fe30dcf1bb310d2a99ce0b

/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex

MD5	f1771b68f5f9b168b79ff59ae2daabe4
SHA1	0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256	9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512	dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.sgn.popcornmovie/files/.jglogs/.jg.ri

MD5	2dd47b0d7c2ece00bfa39b9fe13f260f
SHA1	7b89474c901c17eb845ce809384822eef070ef1b
SHA256	d7e8580ee0698d94453a37b840e386959a5577105b237006adc7cd4dc8f0de41
SHA512	8c4e9a3f4d1f695e72f6c7a6ea7ef13bc2f54d8c25975291197a7ca389b0f2f72c3691c4e33bbfa9aec203789ce6cbeac804c2d4e4570acb087d1c959a5fbd0a

/data/data/com.sgn.popcornmovie/files/.jglogs/.jg.store.report_cf

MD5	16f993ccfd05c68a16bd40b07b9096e8
SHA1	edcb9f57feb0d2ca5cd3bf7035e067b64b650cbe
SHA256	aea37df4690116c5d1fb430615b37a48fecefec48ae1dac20f71b746dfbd296a
SHA512	1fc1f5e91537df4730f8486e0a52714d7015bc12566337379aa6533c2fefcd29f787ce4541a28f314a0ebd443df08a5b17d61ecb271565bc4980d8bc502d89a6

/data/data/com.sgn.popcornmovie/files/.jglogs/.jg.store.report_pid

MD5	1f52eee633f42028a6fe95fecc925b86
SHA1	59300d24a937013ade298cddc618a7b4e197e3fc
SHA256	540f0349c9f97b9abbdf90bbb6e4bd02b5aa0d225932730b331eadd3adf58bc3
SHA512	1cf6a4f1b425157f1251c51948157f2047fd736e6c697cbd1bd11f1572ffc4630140d21f93d352b65f57b5d0a24eff47365652206df87fd96d5dad8cf63ac1bb

/data/data/com.sgn.popcornmovie/databases/MessageStore.db-journal

MD5	1556b2d8949f02f5ed79cc462ed4681b
SHA1	1b257d51b678d07d9461597e1ac409ef466babd9
SHA256	5e804ae4ca058bf4133037065dd1cc0c841881294a55c29a00811f6ea7f65668
SHA512	3ed0f7cb7ed8d58acea22a61ef875f52540f1a55aef7cd42f4e27a27c8b1c12c6aa307071939e42fb8cf017abb483db1f08d0831aac11f9ec93e2e23ece5b99d

/data/data/com.sgn.popcornmovie/databases/MessageStore.db

MD5	f2b4b0190b9f384ca885f0c8c9b14700
SHA1	934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256	0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512	ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.sgn.popcornmovie/databases/MessageStore.db-shm

MD5	cf845a781c107ec1346e849c9dd1b7e8
SHA1	b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256	18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512	4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.sgn.popcornmovie/databases/MessageStore.db-wal

MD5	ac67660e923186193bd89ff6edf3cedc
SHA1	f2e4ef5c1726e0230e8a0f889a13b73de3df5c9a
SHA256	e60805640122153a7e4809fba2551c67d018af13609b0aeb8b8d29a4420bf882
SHA512	74be927404b5e706f60a87b4a1599ed860587cb48035177b93d5edd2df40295f9caca936f0725b43dc0dd7df407c92bce5e0e5581222396124418adfe203a3e0

/data/data/com.sgn.popcornmovie/databases/MsgLogStore.db-journal

MD5	8f3bed6e25447ed88411d592d7458ecb
SHA1	a1e7b0d55d0dfc2c5002c56657f9431df2d256c4
SHA256	ccaa32b3e2fe28dec9669ac6014af0eb6c3111cadb0b826f10ff72423e13bdea
SHA512	555d8d0e976703931137a0a48ab09f837bb26dbb7b3941f1775e17ff562f306faec6203dad1e4462096f8482dade9a5478966dd2f6c7f4ff7586e60df1eea383

/data/data/com.sgn.popcornmovie/databases/MsgLogStore.db-wal

MD5	9a211edb7a2206808a03457a5a5a281a
SHA1	61efc0d332e9b64b86727ce67eaadeb9c70c0dc4
SHA256	72af9e3223806f61ed45b31ae238c5138d63ec085c4d3d74d0909ed0aafc6492
SHA512	ebcf727766e14fbdf0f2f1f119e8cf5316fc3c31bbc63f81d9e5e7ca1147c5582e781b0ee0a1a0fe2694eb779faa24ce66f09cd48a13cb6256863c55deff1fa1

/storage/emulated/0/Mob/comm/.di

MD5	70a42cba408700f9a6c01c7941a8829e
SHA1	eab01cc2c0671538795fb0b1146017dc099d0984
SHA256	499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f
SHA512	8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

/storage/emulated/0/Android/data/.mn_410185822

MD5	f321656a466363e5192773d92000e401
SHA1	3a6abe9be1a6f4deffaa98fd27f3449c888d3c4a
SHA256	53efd5207de6ed80429ec3c7865eed2b64023a0ed66e0fd29e7f45b708a1751c
SHA512	fcf6884bf5ce8d10b3a3dd461fad96cb6cf0bc4129e01788de112551230fbc4d8ea6961b04411d1c7816e248437c4560277069d9c544e5450612abc0e2c0171d

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5	9781ca003f10f8d0c9c1945b63fdca7f
SHA1	4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256	3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512	25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5	ee00160809e6bc70d4e14f97c6cbd762
SHA1	5db87d470423bc0e42b91a7b31fe1c7761aae5b0
SHA256	0b824d933354c12a3b9afdcb6a06e1cbc5534e335da97c0e96b8ffd0bbcd6228
SHA512	43738f1edc7a41aa19fc02fa4885ea30513f0b744e35993121ca639da6c208457a466bcc721ad821c151174dff20deef969f6904f03d7836086f8c10f00323ea

Sample ID	240613-kp8fqsvhnj
Target	a4b26e958af95a3fd7bd1a196e70359d_JaffaCakes118
SHA256	86b8c3507d2115b523da90444288d95cf268588a28ea20ffc32851f04af757d3
Tags	discovery evasion impact persistence

Malware Analysis Report

2024-07-28 14:40

Table of Contents

Analysis Overview

Threat Level: Shows suspicious behavior

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files