Analysis Overview
SHA256
a368578828f2438b98fa428d36dc88d5d90d606e4efdbf944af1eb1900a02db8
Threat Level: Shows suspicious behavior
The file a515c29b2edc5b9f14a8e4a498e79299_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Queries information about active data network
Requests dangerous framework permissions
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 10:29
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 10:29
Reported
2024-06-13 10:32
Platform
android-x86-arm-20240611.1-en
Max time kernel
33s
Max time network
130s
Command Line
Signatures
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | f.appjiagu.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.jky.xht
chmod 755 /data/user/0/com.jky.xht/.jiagu/libjiagu.so
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | f.appjiagu.com | udp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |
| GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp |
Files
/data/data/com.jky.xht/.jiagu/libjiagu.so
| MD5 | 6c9d83b90aa9c9f904d22eb9b16f8f95 |
| SHA1 | 4d5e0ce3c55a22475b58a982d67ab9aa84384c40 |
| SHA256 | 2432ac0b864b33cd599129578c42c43811461dbcb83e2a21301ccb8d0810c5e7 |
| SHA512 | 07d16f67cefc986c0d6974e3bbc38d95b5b184520ec8f3c9ae59a2f0e76213d359b35dc507d482322d2c045ee75183def8e3d7659ff5fa78f6afff931084e90b |