Malware Analysis Report

2024-09-09 17:54

Sample ID: 240613-kp8fqsvhnj
Target: a4b26e958af95a3fd7bd1a196e70359d_JaffaCakes118
SHA256: 86b8c3507d2115b523da90444288d95cf268588a28ea20ffc32851f04af757d3
Tags: discovery, evasion, impact, persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 86b8c3507d2115b523da90444288d95cf268588a28ea20ffc32851f04af757d3

Threat Level: Shows suspicious behavior

The file a4b26e958af95a3fd7bd1a196e70359d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, evasion, impact, persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 08:47

Signatures

Requests dangerous framework permissions

Permissions requested (Process and Target: N/A for all entries):

android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.READ_PHONE_STATE
    Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CAMERA
    Required to be able to access the camera device.
android.permission.ACCESS_COARSE_LOCATION
    Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION
    Allows an app to access precise location.
android.permission.REQUEST_INSTALL_PACKAGES
    Allows an application to request installing packages.
android.permission.SYSTEM_ALERT_WINDOW
    Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 08:47
Reported: 2024-06-13 08:50
Platform: android-x86-arm-20240611.1-en
Max time kernel: 11s
Max time network: 130s

Command Line

com.sgn.popcornmovie

Signatures

Loads dropped Dex/Jar
Tag: evasion

Indicators (Process and Target: N/A):
/data/data/com.sgn.popcornmovie/.jiagu/classes.dex
/data/data/com.sgn.popcornmovie/.jiagu/classes.dex!classes2.dex
/data/data/com.sgn.popcornmovie/.jiagu/classes.dex!classes3.dex
/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex
/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex
/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex

Queries information about running processes on the device
Tag: discovery

Framework service call: android.app.IActivityManager.getRunningAppProcesses (Process and Target: N/A)

Queries information about active data network
Tag: discovery

Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process and Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)
Tag: persistence

Framework service call: android.app.IActivityManager.registerReceiver (Process and Target: N/A)

Uses Crypto APIs (Might try to encrypt user data)
Tag: impact

Framework API call: javax.crypto.Cipher.doFinal (Process and Target: N/A)

Checks CPU information

File opened for read: /proc/cpuinfo (Process and Target: N/A)

Processes

com.sgn.popcornmovie

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.sgn.popcornmovie/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

cat /sys/class/net/wlan0/address

Network

Country  Destination            Domain                     Proto
GB       172.217.169.74:443     -                          tcp
N/A      224.0.0.251:5353       -                          udp
CN       203.107.1.97:443       -                          tcp
US       1.1.1.1:53             log.umsns.com              udp
CN       59.82.29.162:443       log.umsns.com              tcp
US       1.1.1.1:53             adash.man.aliyuncs.com     udp
CN       59.82.40.77:80         adash.man.aliyuncs.com     tcp
US       1.1.1.1:53             f.gm.mob.com               udp
CN       180.188.25.47:80       f.gm.mob.com               tcp
US       1.1.1.1:53             umengacs.m.taobao.com      udp
GB       142.250.187.238:443    -                          tcp
US       1.1.1.1:53             android.apis.google.com    udp
GB       142.250.187.238:443    android.apis.google.com    tcp

Files

/data/data/com.sgn.popcornmovie/.jiagu/libjiagu.so

/data/data/com.sgn.popcornmovie/.jiagu/classes.dex

/data/data/com.sgn.popcornmovie/.jiagu/classes.dex!classes2.dex

/data/data/com.sgn.popcornmovie/.jiagu/classes.dex!classes3.dex

/data/data/com.sgn.popcornmovie/.jiagu/tmp.dex

/data/data/com.sgn.popcornmovie/files/.jglogs/.jg.ri

/data/data/com.sgn.popcornmovie/files/.jglogs/.jg.store.report_cf

/data/data/com.sgn.popcornmovie/files/.jglogs/.jg.store.report_pid

/data/data/com.sgn.popcornmovie/databases/MessageStore.db-journal

/data/data/com.sgn.popcornmovie/databases/MessageStore.db

/data/data/com.sgn.popcornmovie/databases/MessageStore.db-shm

/data/data/com.sgn.popcornmovie/databases/MessageStore.db-wal

/data/data/com.sgn.popcornmovie/databases/MsgLogStore.db-journal

/data/data/com.sgn.popcornmovie/databases/MsgLogStore.db-wal

/storage/emulated/0/Mob/comm/.di

/storage/emulated/0/Android/data/.mn_410185822

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 08:47
Reported: 2024-06-13 08:48
Platform: android-33-x64-arm64-20240611.1-en
Max time network: 8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination            Domain    Proto
GB       216.58.212.196:443     -         tcp
N/A      224.0.0.251:5353       -         udp
GB       172.217.16.228:443     -         udp
GB       172.217.16.228:443     -         tcp
GB       142.250.187.202:443    -         udp
GB       142.250.187.202:443    -         tcp
GB       142.250.187.202:443    -         tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-13 08:47
Reported: 2024-06-13 08:47
Platform: android-x86-arm-20240611.1-en
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain    Proto
N/A      224.0.0.251:5353    -         udp

Files

N/A