Malware Analysis Report

2024-09-09 17:54

Sample ID 240613-m28clszdqn
Target a52f887830c1f061fd7ab32fc2ef47a4_JaffaCakes118
SHA256 f2e1b333f663cfa8cda2786a4455a1682a50fb2ccfdb24d6a41ea1a96b3c01ce
Tags: discovery evasion impact persistence

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

f2e1b333f663cfa8cda2786a4455a1682a50fb2ccfdb24d6a41ea1a96b3c01ce

Threat Level: Shows suspicious behavior

The file a52f887830c1f061fd7ab32fc2ef47a4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Queries information about running processes on the device

Checks Android system properties for emulator presence.

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 10:58

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to add voicemails into the system. | com.android.voicemail.permission.ADD_VOICEMAIL | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 10:58

Reported

2024-06-13 11:02

Platform

android-x86-arm-20240611.1-en

Max time kernel

99s

Max time network

175s

Command Line

cn.beekee.zhongtong

Signatures

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cn.beekee.zhongtong

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.umsns.com | udp
US | 1.1.1.1:53 | hdgateway.zto.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
CN | 115.238.232.58:443 | hdgateway.zto.com | tcp
CN | 115.238.232.58:443 | hdgateway.zto.com | tcp
US | 1.1.1.1:53 | cfg.imtt.qq.com | udp
HK | 43.135.106.117:80 | cfg.imtt.qq.com | tcp
HK | 203.205.137.234:443 | | tcp
HK | 129.226.106.211:80 | log.tbs.qq.com | tcp
CN | 223.109.148.177:443 | | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
CN | 223.109.148.130:443 | | tcp
GB | 142.250.200.46:443 | | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
CN | 223.109.148.179:443 | | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 223.109.148.178:443 | ulogs.umeng.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp

Files

/storage/emulated/0/Android/data/cn.beekee.zhongtong/files/tbslog/tbslog.txt

MD5 9de0ccaba09a9d405ed5a6ec52399518
SHA1 fbbde841c1179f700f9cb014db72f4e7ac552392
SHA256 c75199d8c2be67c2b48cc64caac81f8b5b05d87258c1c4297e55eec51c6b82d0
SHA512 92f79bc03d45ee48676bce561275682ebe78ee7ada37b1dc1487df79346649fd8ce85cd7ce7d62381196451afb9cea6b977a74243a8eefdc27fbcc177450708f

/data/data/cn.beekee.zhongtong/databases/ua.db-journal

MD5 aee853d905fb023281442df87bc106b9
SHA1 27b8ffab6b73f4e5054689cf716759119f594a16
SHA256 b2bbbbc6d4ce81e1618e285ff48bdf3fb6c7161146af6e0940457e104e7fb01a
SHA512 62727d48c3b5d147c70dcd757a6a1da3ed805518e9e2c75f8b97e8609d67aee2fb8de3d3172fa4bd958f7bde2ad32d70989427c7e573fe93497c1a3e48c48182

/data/data/cn.beekee.zhongtong/databases/ua.db

MD5 0adda9c85a5e4808f5b1b74c0a8591a5
SHA1 5048107883ab1e345af9cf2e6849ce46e0e612bf
SHA256 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1
SHA512 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

/data/data/cn.beekee.zhongtong/databases/ua.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/cn.beekee.zhongtong/databases/ua.db-wal

MD5 30c93b2d8acfc836744f35547f257853
SHA1 2b93f1e509f6f3dad73c9911e99f12a2d5fe6135
SHA256 86b43162b6b77dbac2257052fa3cb60374ee4132c172aa7a899893612e458681
SHA512 35acba53f53952500352abb280153c822448f1466df857573da78ee0fdb32b114688025fd463dc9077d1881ba119446c4c083f09e9605216d5007cf49e5dc4fc

/data/data/cn.beekee.zhongtong/databases/ztoExpress.db-journal

MD5 8a41eb7a1be5923cd58212ffad945973
SHA1 a15c96cf3beb2871da325005fcc115c475b1205d
SHA256 9c69bfe59d57adcd119767922d49acc45da1615049642f0a64670f6885f07e69
SHA512 c71a5cce2728f89353a5ec77452800dae0fa7ce500d604bf2ac444ddf319fa866af5aec006b9561e578f8c874e4f09095dad4e5c131b130336b42175a1048fa1

/data/data/cn.beekee.zhongtong/databases/ztoExpress.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/cn.beekee.zhongtong/databases/ztoExpress.db-wal

MD5 29fbc8953fb1ab0e1c18fc6d67b78fa0
SHA1 8ef38d5877c792e485560910829ef54e41da7089
SHA256 850bb11be720bdfeea5616bab92c41d529b196691dc9719720f5d9723ec539a5
SHA512 d0b29cef59aa9fd93b2f9db2e850e56f2737dc2dc1259402bf1ab308be305a827cb866f8a7604d9b32f9222b9bb676288ab254354d2311262cde46ea63349af3

/data/data/cn.beekee.zhongtong/cache/image_manager_disk_cache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/cn.beekee.zhongtong/databases/ua.db-wal

MD5 8b9f34e0ca794457aaf7264c48a08bfa
SHA1 9f506c5d60c37b952667eac3564c783961f3d770
SHA256 6f9278cd719d3c9ce0586850e0ed7a22c56078e22f5490a7b1802d8751e93452
SHA512 821610de0dc866d491aad100100b2c1242e6b1132167135282bc86e086a604f994c3f88b68d926b47f1c1a0da6baf421c312edb4c41570e73e10caa0c60d764d

/data/data/cn.beekee.zhongtong/databases/ua.db

MD5 27a64f38986112381e67f243df046e54
SHA1 32dbd6cd3e98f2dba8763fb04fb7c3c738c3be08
SHA256 f68fcb0afde46414620af3ee819d2f8a29abab8b99da9c4a8713c0ec9d4590ad
SHA512 7aef423d23b0aca3cc436d2197bc6d1a652cd001b0f25b3c4ddfd047e0fa4b0995cfa57ca3e3607a230adbd60de75f7ba8ae426cb6ae1f92e60f769d2c675a87

/data/data/cn.beekee.zhongtong/cache/image_manager_disk_cache/journal

MD5 eaa75076902b87b164b3308a45c35cb0
SHA1 b3c78654b982f4ab2a89359a209db416efebfefd
SHA256 9b8dd4fb22279b450a4c2cf4b03524593d6c59c6f8a92e8f529cad92c4af5051
SHA512 ea3900b50cf1837340b561ce4aa37d001537d79a37beef414f029b2c0ef25120ba5d345c6c0af64a9e92f8cf17b37685054873c91df8d26672dcaa7ae974dfb6

/data/data/cn.beekee.zhongtong/cache/image_manager_disk_cache/b1e7157caa5c44bfcf0e65c773603a1d957aceb574ed5c39cf71cb3c12428682.0.tmp

MD5 6ecbe4db08314d91916c42cdae65c47f
SHA1 54e34369ea612576be29b4ba7ae4b7df4efe8f60
SHA256 dd34e4151bafe0d25b3da269f3a623d282b5ff2491a3b24d0cf0623ec85238d0
SHA512 31e1f7afc75a9535e738be38c17d445cf9da53dff2ed76a4cbb8dae78ba19afe26486c48ad1ad893986ee3ae247b28ad649e882116da33a68956762344f9cff3

/data/data/cn.beekee.zhongtong/files/umeng_it.cache

MD5 32a8e908d080a6b12c49d89c97e14938
SHA1 2fe0f1104e1acb509cea898aafd2f5ce9e973911
SHA256 f7628898b050709aec46866fa98e56234e7ee99a907848eb38a01eceef53e157
SHA512 029a314c25bfb50ce70adb365bcbe60250ec120ecf850588bd6cf3ef22e0470e96e94d11ca0fb4b49aeb6d674d545457646b004a84f19a76f1588cf9df87396d

/data/data/cn.beekee.zhongtong/files/.umeng/exchangeIdentity.json

MD5 64c8b1ddb52e02d7870cd1f665701488
SHA1 ac7290a27eeaca59c5f158c32ad31bd5b5a4fd26
SHA256 7a84f9337cdc918ac31143c0c5c00f97ef2801944a64270db68f11445caf12cc
SHA512 9d2eabdedbde9417ec8482e7a68461f79c057900d210ef9e68cda1cc1f8049a2eb605f3c7574e5348bb9dcdd50b2cd8f3174bf80e91d37bc7a4554e988990204

/data/data/cn.beekee.zhongtong/files/exid.dat

MD5 ca45a73a01661468dd52f11cefd498a7
SHA1 525fbb3d4aab872cfba6a1feab5a0fe0f085bfe9
SHA256 eb640f5647b91fe8eefc5a9ce1b4e19df12364357d8d16c1ce041d1354aaddef
SHA512 18430729d0e30ceff34f53dc54b5ad5167a5b86afb08025515ceba7e94259abaa5a0e55151a9af70003fd048dee41b60ad1679d8af7fdb06e237f969c28a5a6b

/data/data/cn.beekee.zhongtong/files/.envelope/a==7.5.3&&5.2.8_1718276346285_envelope.log

MD5 553a149656570d75854c42fa25e8b132
SHA1 adc079b518bbbcee89f9fd522aa0069e0089b851
SHA256 0064769f250efb1d89347d387062f1fb7a6f59bbf40b6e01e22b3d73f2165a5e
SHA512 5965b3bc64e4bd242f8d0f440096e475ff594569df82712fa2a281ba4ed9d39e283eedfc3fa9b09917f37d1acb443406ff04df57fb5fae5d45389b99289311f1

/data/data/cn.beekee.zhongtong/databases/ua.db-wal

MD5 f50f716b5391995ebc21a636ded99440
SHA1 cbc9b0bd5883859cab4d763fe08f21829a2cf31a
SHA256 cba1471cd8f438b12d8732c23fbf921235297a97097b83cccffcba681652a374
SHA512 9e27fb84f0fe6703019a502ff480d9cf2937dc7064f2f7a8ad9a2536d06a13a06c4c5ec16f44b9cd6a2e65a54999f6d74588c6608fe9b222fb446c52e003d2ac

/data/data/cn.beekee.zhongtong/databases/ua.db

MD5 ff23b5ed105c63d4bc77c8ef57e2330c
SHA1 ed5e364816cb4f1dfc70e94d950bdc70f95c6647
SHA256 a30d6d2ee77542cb959101449c40c960913913af581ede7d97e46e55a03fedb3
SHA512 f2af4f583dc152c660d2297ed35a66f6c314b0898456b2720765a35d63bc8acf13c70a3cba03eaef85d0fdd59f8d783a6d7905afa1e567d9318298b43202e466

/data/data/cn.beekee.zhongtong/databases/ua.db-wal

MD5 6c5973eaf607e4076c82e487302697d9
SHA1 fdafc72974df4b779c9338ebb60c241ccebdaa55
SHA256 c436372dee0e4a35ab0d75ec4c2e771634f2e7d092eb0f799fc95c136e83af76
SHA512 304ae8937c2fb604cd0947af7a9565fef335c61fb424b5933a5f80f59e6b77592558d2d277664b4712624f019d88add3b4af5f42cbe91a39f6523a46accc6989

/data/data/cn.beekee.zhongtong/databases/ua.db

MD5 11a88cd57f714fb388976f44c1dfadad
SHA1 5ff15d8e9c2b1863d51ce0dad20f844e5e112028
SHA256 73ca3e0a85d80db019500397d1133e8878ac4a26b008e4f470f51cc3fd269483
SHA512 462d1045a0df3cfa720c11e7a90d954f1aee5fccc69b62694110cc1a54257ca6c451b1253bad2e0571e93beb05f4450de107f970ba2a295dccee72931f4c9471

/data/data/cn.beekee.zhongtong/cache/image_manager_disk_cache/ac8577a2581d28d9157f9e7a097f3f47124c668213c423f1b4f29ba733525e75.0.tmp

MD5 5e42d7fff05919750f55b5ebe3432da5
SHA1 c3ad0945384f755db9c10b9148fb5a758ebfcb19
SHA256 5288a5730198ac38e90293f5df85f84507eee9c941b3fc7c9429952302108977
SHA512 88a868354ffa83d822c80cecee6ecee9766e3129917b9f2e2065e3a1af37cda3883ca819cd776206a29b3e5be0d7cbd3a67b1f7d451f0aa3be87363badc8eac4

/data/data/cn.beekee.zhongtong/files/.imprint

MD5 7f50cc7b0ddce39b81d879204ec846f5
SHA1 115ad2dbd824f43be96da502c3f28265045851b3
SHA256 ab7ead33e65613f83f9173dedb7cb37d591fc2b7887bd3db46e91d128e30541d
SHA512 874ed5d110f4f861e28eadb125c5b72b56d035bdea652c13adf8ba1d326acb13c9fb29825b3b5d867ec7ad1ca06aa33d6aa0c03335924495212abdcf96b42433

/data/data/cn.beekee.zhongtong/files/umeng_it.cache

MD5 316215a3b8131508182d44bebaf1c07b
SHA1 37c34e39e11900b7248a2662bb12cfe6a607af74
SHA256 ac77dd6b5cd96ffb763c4867a193432a7583d3ebfdf5a75e11adc435d99fd274
SHA512 1fb3e9aa17dc54758ee4017f2c8b682c640ee2f833b0ee19485177cf4bcdb01c7704ab4306d986a10db12d8d0d94223143d3ae4912dfb5a820b80a9588913c36