Analysis Overview
SHA256
3c454a24203db0ddad404e0cfc3d869f4122500b0add1ed62b5919d2ea8a4411
Threat Level: Shows suspicious behavior
The file a512af607330f2511112cf1aae68b22e_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Queries information about running processes on the device
Queries the phone number (MSISDN for GSM devices)
Loads dropped Dex/Jar
Queries information about active data network
Requests dangerous framework permissions
Domain associated with commercial stalkerware software; includes indicators from echap.eu.org
Queries information about the current Wi-Fi connection
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 10:25
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 10:25
Reported
2024-06-13 10:29
Platform
android-x86-arm-20240611.1-en
Max time kernel
173s
Max time network
167s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.evilgorilla.redknight.gtx/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.evilgorilla.redknight.gtx/.jiagu/classes.dex!classes2.dex | N/A | N/A |
| N/A | /data/data/com.evilgorilla.redknight.gtx/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.evilgorilla.redknight.gtx/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.evilgorilla.redknight.gtx/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/user/0/com.evilgorilla.redknight.gtx/files/ebody/res/37673/vva.jar | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Domain associated with commercial stalkerware software; includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | s.appjiagu.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.evilgorilla.redknight.gtx
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.evilgorilla.redknight.gtx/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.evilgorilla.redknight.gtx/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
cat /sys/class/net/wlan0/address
cat /sys/class/net/wlan0/address
sh -c ps -ef
ps -ef
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.74:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | a.dan665.com | udp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| GB | 142.250.187.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | game.62game.com | udp |
| CN | 47.107.234.67:8001 | game.62game.com | tcp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| US | 1.1.1.1:53 | ez4q2.cn | udp |
| CN | 112.65.70.244:80 | ez4q2.cn | tcp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| CN | 39.108.120.165:9127 | a.dan665.com | tcp |
| US | 1.1.1.1:53 | s.appjiagu.com | udp |
| US | 104.192.110.60:80 | s.appjiagu.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 10:25
Reported
2024-06-13 10:26
Platform
android-33-x64-arm64-20240611.1-en
Max time network
9s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.68:443 | N/A | udp |
| GB | 172.217.169.68:443 | N/A | tcp |
| BE | 142.250.110.188:5228 | N/A | tcp |
| GB | 172.217.16.228:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 10:25
Reported
2024-06-13 10:29
Platform
android-x86-arm-20240611.1-en
Max time kernel
7s
Max time network
151s
Command Line
Signatures
Processes
com.miui.ad.mimo.plugin
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 216.58.204.78:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 10:25
Reported
2024-06-13 10:29
Platform
android-x64-20240611.1-en
Max time kernel
7s
Max time network
131s
Command Line
Signatures
Processes
com.miui.ad.mimo.plugin
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.42:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | N/A | tcp |
| GB | 142.250.187.194:443 | N/A | tcp |
| GB | 172.217.16.228:443 | N/A | tcp |
| GB | 172.217.16.228:443 | N/A | tcp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 10:25
Reported
2024-06-13 10:29
Platform
android-x64-arm64-20240611.1-en
Max time kernel
8s
Max time network
132s
Command Line
Signatures
Processes
com.miui.ad.mimo.plugin
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.179.228:443 | N/A | tcp |
| GB | 142.250.179.228:443 | N/A | tcp |