Analysis Overview
SHA256
1a0f9e6e078ce14123b8b23f5540e74d82115b93efccd153bc5d521f27b1414d
Threat Level: Likely malicious
The file a51ca0ca57e85fa90c96cd4d6c81a07b_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 10:37
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
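The permission table above is the static half of the verdict, and it is only a list of declarations: on Android 6.0 and later every permission in the dangerous protection level still has to be granted by the user at runtime, so "requests" does not mean "holds". As an added example (not tooling from the sandbox and not code from the sample), the script below pulls `uses-permission` entries out of a decoded AndroidManifest.xml, collapses duplicate declarations, groups the runtime-prompted ones by the capability they unlock and flags the combinations worth a second look. The manifest snippet is constructed from the permissions in the table; `INTERNET` is assumed because the behavioral runs make outbound connections, and the capability groupings are this script's own.

```python
"""Classify <uses-permission> declarations from a decoded AndroidManifest.xml.

Added example for this report; not the sandbox's tooling and not code from the
sample. SAMPLE_MANIFEST is constructed from the permissions in the static1
table (INTERNET is assumed, the rest are taken from the table).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous" protection level) permissions, grouped by capability.
DANGEROUS = {
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# Not a runtime prompt: gated by the "Install unknown apps" special-access
# setting. Worth flagging because it lets the app push a second APK.
SPECIAL_ACCESS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install-unknown-apps",
}

# Constructed manifest: permissions from the report, declared with the same
# duplication the sandbox listed, plus an assumed INTERNET permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.fsms.consumer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return the unique permission names in declaration order."""
    root = ET.fromstring(manifest_xml)
    seen, out = set(), []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def classify(perms):
    """Split permissions into dangerous (by capability), special-access, other."""
    report = {"dangerous": {}, "special": {}, "other": []}
    for p in perms:
        if p in DANGEROUS:
            report["dangerous"].setdefault(DANGEROUS[p], []).append(p)
        elif p in SPECIAL_ACCESS:
            report["special"][p] = SPECIAL_ACCESS[p]
        else:
            report["other"].append(p)
    return report


def risk_notes(report):
    """Combinations that deserve attention in triage (this script's heuristics)."""
    caps = set(report["dangerous"])
    notes = []
    if {"location", "phone"}.issubset(caps):
        notes.append("location + phone state: can track the device and its identity")
    if {"microphone", "camera"}.issubset(caps):
        notes.append("microphone + camera: surveillance capability if granted")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in report["special"]:
        notes.append("can prompt to install further APKs (second-stage delivery)")
    return notes


if __name__ == "__main__":
    perms = declared_permissions(SAMPLE_MANIFEST)
    rep = classify(perms)
    for cap, names in sorted(rep["dangerous"].items()):
        print("%-12s %s" % (cap, ", ".join(n.split(".")[-1] for n in names)))
    for note in risk_notes(rep):
        print("!", note)
```

Run the same functions over the real manifest from `apktool d` (or `aapt dump permissions sample.apk`) and compare against what the sandbox shows actually being used; a dangerous permission that is declared but never exercised in the run is a question for the dropped dex, not an answer.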
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 10:37
Reported
2024-06-13 10:40
Platform
android-x86-arm-20240611.1-en
Max time kernel
174s
Max time network
158s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.fsms.consumer/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.fsms.consumer
/system/bin/sh -c getprop ro.board.platform
sh -c getprop ro.yunos.version
getprop ro.board.platform
getprop ro.yunos.version
/system/bin/sh -c type su
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
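Read together, the behavioral1 signatures and the process list above tell a fairly specific story: the app probes for `su` and `Superuser.apk`, dumps `logcat`, reads a long list of vendor ROM properties (MIUI, EMUI, ColorOS, Funtouch, Flyme and others), and loads a dex it wrote into its own private directory. The ROM-property sweep is the pattern of common "RomUtils" helpers bundled in push and analytics SDKs and is weak evidence on its own; the `logcat -d` dump only returns the app's own lines on any modern Android without `READ_LOGS`. The item that matters is `mix.dex`: a dex written to `/data/data/<pkg>/` and then loaded is code the static scan never saw, and the `bugly_db_legu` database names next to it (Bugly is Tencent's crash-reporting SDK, and the `legu` suffix points at the Tencent Legu packer) are consistent with a packed app unpacking itself at runtime. As an added example, not the sandbox's tooling and not code from the sample, the script below classifies the indicators and command lines from this section into those categories and emits the triage notes a reviewer would want; the category names, the vendor-property list and the notes are this script's own choices, and the sample lines are copied from the report.

```python
"""Triage file indicators and spawned command lines from an Android sandbox run.

Added example for this report; not the sandbox's tooling and not code from the
sample. SAMPLE_INDICATORS is copied from the behavioral1 section; the
categories and the vendor-ROM property list are this script's own.
"""
import re

# Paths a root-detection routine typically stats.
ROOT_ARTIFACTS = {
    "/system/app/Superuser.apk", "/sbin/su", "/system/bin/su", "/system/xbin/su",
}

# Vendor build properties read by RomUtils-style helpers to identify the OEM
# ROM (MIUI, EMUI, ColorOS, Funtouch, Flyme, ...). Assumed list for this script.
VENDOR_ROM_PROPS = {
    "ro.miui.ui.version.name", "ro.build.version.emui", "ro.build.version.opporom",
    "ro.vivo.os.build.display.id", "ro.meizu.product.model", "ro.lenovo.series",
    "ro.build.nubia.rom.name", "ro.yunos.version", "ro.aa.romver", "ro.lewa.version",
    "ro.gn.gnromvernumber", "ro.build.tyd.kbstyle_version", "ro.build.rom.id",
}

DEVICE_PROPS = {"ro.build.fingerprint", "ro.board.platform"}
APP_PRIVATE_DIRS = ("/data/data/", "/data/user/0/")
CODE_SUFFIXES = (".dex", ".jar", ".apk", ".so")

SH_WRAPPER = re.compile(r"^(?:/system/bin/)?sh\s+-c\s+(.+)$")
GETPROP = re.compile(r"^getprop\s+(\S+)$")
SU_LOOKUP = re.compile(r"^(?:which|type)\s+su$")


def classify_indicator(ind: str) -> str:
    """Map one file path or command line to a triage category."""
    ind = ind.strip()
    m = SH_WRAPPER.match(ind)
    cmd = m.group(1) if m else ind          # unwrap "sh -c <cmd>"
    if ind in ROOT_ARTIFACTS or SU_LOOKUP.match(cmd):
        return "root-check"
    m = GETPROP.match(cmd)
    if m:
        prop = m.group(1)
        if prop in VENDOR_ROM_PROPS:
            return "rom-fingerprint"
        if prop in DEVICE_PROPS:
            return "device-fingerprint"
        return "getprop-other"
    if cmd.startswith("logcat"):
        return "log-harvest"
    if ind.startswith(APP_PRIVATE_DIRS) and ind.endswith(CODE_SUFFIXES):
        return "dropped-code"
    return "other"


def triage(indicators):
    """Group indicators by category, preserving order within each group."""
    groups = {}
    for ind in indicators:
        groups.setdefault(classify_indicator(ind), []).append(ind)
    return groups


def triage_notes(groups):
    """Reviewer notes derived from the grouped indicators (this script's heuristics)."""
    notes = []
    if "root-check" in groups:
        notes.append("probes su/Superuser.apk: root detection (evasion or integrity gate)")
    if "dropped-code" in groups:
        notes.append("loads code from private storage: extract and analyse the dropped dex")
    if len(groups.get("rom-fingerprint", [])) >= 3:
        notes.append("enumerates vendor ROM properties: common SDK behaviour, weak alone")
    if "log-harvest" in groups:
        notes.append("dumps logcat: only its own lines are readable without READ_LOGS")
    return notes


# Copied from the behavioral1 signatures and process list above.
SAMPLE_INDICATORS = [
    "/system/app/Superuser.apk",
    "/sbin/su",
    "/data/data/com.fsms.consumer/mix.dex",
    "/system/bin/sh -c getprop ro.board.platform",
    "sh -c getprop ro.yunos.version",
    "/system/bin/sh -c type su",
    "logcat -d -v threadtime",
    "/system/bin/sh -c getprop ro.miui.ui.version.name",
    "/system/bin/sh -c getprop ro.build.version.emui",
    "/system/bin/sh -c getprop ro.build.fingerprint",
    "getprop ro.build.rom.id",
]

if __name__ == "__main__":
    groups = triage(SAMPLE_INDICATORS)
    for cat, items in groups.items():
        print("%-18s %d  e.g. %s" % (cat, len(items), items[0]))
    for note in triage_notes(groups):
        print("!", note)
```

The next step the notes point at is mechanical: pull `/data/data/com.fsms.consumer/mix.dex` from the emulator (`adb root; adb pull ...`), confirm its SHA256 against the Files section, and decompile that file rather than the on-disk `classes.dex`, since the behavioral signatures were produced by the dropped code.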
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.74:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.fsms.consumer/databases/bugly_db_legu-journal
| MD5 | 550f568f27956dc53c197dcfa44fc00c |
| SHA1 | e7969c2f1b609dc4da4004ae3c6b39809d9ba588 |
| SHA256 | 844b2d25740f8789916573604139306686e16d0970e51b12ef07eecc8b612713 |
| SHA512 | 45a4dc78ca4e3c981c1afeaa8e516fad35b2d28171f87d58d81c202a306aa34dbb844a63c8c4e1db13363680738cc316bc3d4a53b3416be9f1c27cc78a5fadce |
/data/data/com.fsms.consumer/databases/bugly_db_legu
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.fsms.consumer/databases/bugly_db_legu-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.fsms.consumer/databases/bugly_db_legu-wal
| MD5 | 2aedb7c7f4f0bd3a54b16cafa5e6bd95 |
| SHA1 | 59865f810386cb3eafb5aaf64f26dab1e5701cce |
| SHA256 | a580e7ade76253d73341a9d919312d563c9f0e4ca8b15b805e139db5647638f7 |
| SHA512 | 5727f8bdf9e12ef2bdd517b1cbca601905b5396a30a7f628dbdd3491132d54f99902e6206ce7253e2c9498bf96bf92dbce745c7ef6069467dfd2a7d996b5afad |
/data/data/com.fsms.consumer/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 10:37
Reported
2024-06-13 10:40
Platform
android-x64-arm64-20240611.1-en
Max time kernel
179s
Max time network
132s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.fsms.consumer/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.fsms.consumer
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.4:443 | | tcp |
Files
/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal
| MD5 | 85402d2198055f5e48e5a4e08159dac5 |
| SHA1 | c9b9527a77936a731f5e86b90ff8f0dac74f90bc |
| SHA256 | fdf03c4fa5203e8ef5e30ed5ab2a0d5eb7d7f59356c0c1ab3b60f3f1fab4e397 |
| SHA512 | 1132909b3040274dd2cd3680501f10dd66eb5c77dc1e6ff54b68ccbef348daf12b355570ad936cb9f9a50246702d0843c8184d58473b1fc8740ac294b42ff849 |
/data/user/0/com.fsms.consumer/databases/bugly_db_legu
| MD5 | a4c4232cad0c4109c4d2636c7ba5d0e7 |
| SHA1 | fc0320241bade6c6cb5e0d5dfc2421efb2ee66f3 |
| SHA256 | dae5fa52c3fe63d2cbf9ee0130e437f696f821fc4553492e56071669651b97ce |
| SHA512 | 2440b724a9fa4a024348831545423bcfd878e2121ef866ad0c69b3272fcee450f90cc8adc6bd13040b2f6d37a01c7c201573173f97b7f3248cd54d2aa6c2c4b0 |
/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal
| MD5 | 14a6d6f7f61e09e26fc11f3ec8461dc4 |
| SHA1 | 919412bcec6f715e2957407afc48f48bfcad25e3 |
| SHA256 | ee91ff00e2988554adf1a3e0d0eec1c7070accaf4f6ea62f7651edb301533ed7 |
| SHA512 | 6235c7a4376e37e8aea54898afef7aa197c0d83d317cb023706d9c33a91b9b9bc1469be8a79d1bc151806e2c31525e8eb95f358630f5916a658ea8e9e42bc4e4 |
/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal
| MD5 | dd9a281234b6dd6659f99f43df8f52b9 |
| SHA1 | 37aee27d70e9a1d7b575785e1b27330762a44c33 |
| SHA256 | b9ff069d1dbacfb9122762f1d696723a1ff829e3ce274ba14c42e82178a2e534 |
| SHA512 | c4608e834c129bf9fd578fb2e618ba362e8c0495d9b744d2d6343eca0ef30fdfefd6410aa37b9c44c3b1e09c2a535c754ce54a9b45dd68ad4f8545f2dfb16a06 |
/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal
| MD5 | d7675d09c4d74ef9dfdb35d3856f703e |
| SHA1 | 5506d3b6615f07748a0f7bb858844a5c1747ca5b |
| SHA256 | 3d99861b993ef0331df6d84d4bc5c3242fc8a10d33e90670e1759852429b69ea |
| SHA512 | 31286ef424552c62c8e34a46b96918efb65c155838421a041f2ae2bd20233305350913f213bb15c8202cfc6979614110eac944905b2290f2e43ecc4b9d308cc9 |
/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal
| MD5 | a849d3a1efc7f2a7f89e99a2b6790b75 |
| SHA1 | 6870b2e8ff2d26222ccbcab67e5bf433422cb0c3 |
| SHA256 | c30c9b18e1a13cf84def5ed0916e308352b0248bb8ac82d726596668c2bd3240 |
| SHA512 | 2ce05e243e8b76fc12a09843a54be72ab937a1b8265783310d1533316c82c382f9e4fa896b271381957c7d27c878a3fc4ccd3694d4b444b5eb48405029dc7507 |
/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal
| MD5 | 0e79ad2ab4d0012fce511f26be6d7efb |
| SHA1 | aa67768d093dc7cf6076b55404200699ffe36932 |
| SHA256 | ead3e2f4ab850330ff4103c2fb38c6af4d305ba5a69a3e458bd2a22cf4a482e4 |
| SHA512 | 901dff00ed37f9505179c57e2d7db5170c4a2ca645d4380f37927eaba8a6b33410395ec3faa61d38e976705070df4ccdd8b5b1a263ad2a36d0ef13dd36f85d89 |
/data/data/com.fsms.consumer/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
/data/user/0/com.fsms.consumer/app_bugly/rqd_record.eup
| MD5 | 5ec758aba3fc538354888e38ac5ed313 |
| SHA1 | d35b6573d25b6e282a680a4ffe9ccfceebec74a4 |
| SHA256 | 12eb72ff09eef9137e67ce8f0588607a28976e0e082b80125f7ff572405a582e |
| SHA512 | 13e094ecf0cad0cec897853bd3fad125b5ab07db68652cad4affb1b03da9d50a19815b268361a45543205cd54774148691a3433abb075a48ef0c846dae73ccec |
/data/user/0/com.fsms.consumer/app_bugly/tomb_1718275049520.txt
| MD5 | d61f3cc3a790ef2da2940be6c50062bb |
| SHA1 | dca65a349bc24e5634ad16c82381dc14d6edd9b7 |
| SHA256 | fa6554bad796eb8a48180d655f5145306e20d85b637b64ab03cfcffa67563232 |
| SHA512 | 2d21f7f088331ac0f434a8feedf35e79fe9618edfb084744a05231bddbf04dfc0d39c1235388ac23572f5abaf8e28d3899d735b95e804c78b863ffc1b94de3bf |
/data/user/0/com.fsms.consumer/app_bugly/rqd_record.eup
| MD5 | 5ba5018e1d2c68df2148103f59f33c25 |
| SHA1 | 9c936cdc38dc6af8847a2bd4178b2e55a1f9e50d |
| SHA256 | e77446c0467c4a2a2c2f8bfa7b9e0769b36a8e37369c3b391b92fc024ce39759 |
| SHA512 | a9b4084eac71feae90bd563788eae953eeb3e9d9e4530b3b7bf01def692dd47df3c72eae9a018529fca5223c30a3eb8904312592f045abdf6c3c9027458308e0 |
/data/user/0/com.fsms.consumer/app_bugly/reg_record.txt
| MD5 | bc13091f8fb274febdf6a9a02d54c4d0 |
| SHA1 | c43c01283ab795cd751edbbce79c641702aea4a5 |
| SHA256 | 7b29118956add022f8a509ead69b50f9af6d675b0e35fbd50b6c704d6c7928ba |
| SHA512 | 2dcd4b651290236e275b2fa448d721e7c67bfe9e8bb10a4a85a42980715d670b30ef1492d896cc4b8b2dec29f9596a95622def860f6e30b32150dfb5ec9fa4d7 |
/data/user/0/com.fsms.consumer/app_bugly/map_record.txt
| MD5 | 3c8f8000d465bdfac47f7a3627748c92 |
| SHA1 | 00a3a993856da911328b917a4c8535351338dd7b |
| SHA256 | b3c7a8e19615f6316a79710243162c75465f31eaedb139197653ba7a341d4189 |
| SHA512 | 8dbabc56cf90f91f569cde9bcfb7f2a9c61d8151979d4e782083c5b662858747e28ae3670dfe89f71af58e81b3c0064044656742e1fac060224e3aef0ac8522a |
/data/user/0/com.fsms.consumer/app_bugly/rqd_record.eup
| MD5 | 0f41feb7396fd7e6d9e7983658ef7e5c |
| SHA1 | 4110cfd194e144ae94a0816a1940b237a5bede7c |
| SHA256 | 9e7c626fdd5b839f49b33edaa4d076eeacf2d95ae4fd3c3e40953e70249c0be9 |
| SHA512 | 493464a851d0c3aec2018cc4dae2b613e6b8f21906978c7f87a2621b58fe84e8451d30df7cf9d8e1b0d20cf0c9069deb32d7a14d9c13730883994d9dcb5a2865 |
/data/user/0/com.fsms.consumer/app_bugly/sys_log_171827504994901.txt
| MD5 | 4c6037eefb5e619746f58d2b3d9ab5d3 |
| SHA1 | 54b1f00720d0e5c0114e18300358d72fbc874803 |
| SHA256 | 9a901a1263936c919ac56b68bfe1c369ab1ef233a0077906959e0914832927dc |
| SHA512 | dace93ec6bb638e662aa04dcd581d992af1d8bf777d472e36842c61b40cb8bf079fd1942ad446038da8cf467d3eea7517774f39f6d7c97418a163c157e870798 |
/data/user/0/com.fsms.consumer/app_bugly/rqd_record.eup
| MD5 | 078507ea6e0ba49dcce42bcf714a5d2c |
| SHA1 | aac3130754b46ab237deaefed3762916b790f8f0 |
| SHA256 | 3db06ebebc7672b92231e9bcb6c85276347821771ffadd68e0d546a07e476529 |
| SHA512 | c2accb3a2784f2a715a416500ac740f5ce246239c263a62a2cd583e8f6bf88dd0ad07050184047757dee0c35c55c7f311e3d2e6d9aae52d8a41b87f778decbc9 |