Malware Analysis Report

2024-09-09 17:48

Sample ID 240613-mtkxcavgqb
Target a524bd886e412435992366e9726b6418_JaffaCakes118
SHA256 5f9e147476d6207f96829ce7694536e4d0487340594d2e1a317367507e5f35f5
Tags
discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a524bd886e412435992366e9726b6418_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 10:45

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 10:45

Reported

2024-06-13 10:49

Platform

android-x86-arm-20240611.1-en

Max time kernel

176s

Max time network

183s

Command Line

com.jxzc.zhichengsd

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.jxzc.zhichengsd/mix.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.jxzc.zhichengsd

sh -c getprop ro.yunos.version

getprop ro.yunos.version

Network


Files

/data/data/com.jxzc.zhichengsd/databases/bugly_db_legu-journal


/data/data/com.jxzc.zhichengsd/databases/bugly_db_legu


/data/data/com.jxzc.zhichengsd/databases/bugly_db_legu-shm


/data/data/com.jxzc.zhichengsd/databases/bugly_db_legu-wal


/data/data/com.jxzc.zhichengsd/mix.dex


/data/data/com.jxzc.zhichengsd/lib-main/dso_state


/data/data/com.jxzc.zhichengsd/lib-main/libIDCARDDLL.so


/data/data/com.jxzc.zhichengsd/lib-main/libshella-2.8.so


/data/data/com.jxzc.zhichengsd/lib-main/dso_deps


/data/data/com.jxzc.zhichengsd/lib-main/dso_manifest


/data/data/com.jxzc.zhichengsd/lib-main/dso_state


/storage/emulated/0/data/.push_deviceid


/data/data/com.jxzc.zhichengsd/files/jpush_stat_history/normal/nowrap/99bea5cd-999b-40c9-96fb-9766ad4a1ac5


/data/data/com.jxzc.zhichengsd/files/jpush_stat_history/normal/nowrap/0e94c91e-2fa2-4e9e-a109-8bcc4e140233


/data/data/com.jxzc.zhichengsd/databases/google_tagmanager.db-journal


/data/data/com.jxzc.zhichengsd/databases/google_tagmanager.db


/data/data/com.jxzc.zhichengsd/databases/google_tagmanager.db-wal


/data/data/com.jxzc.zhichengsd/databases/google_analytics_v4.db-journal


/data/data/com.jxzc.zhichengsd/databases/google_analytics_v4.db-wal


/data/data/com.jxzc.zhichengsd/databases/RKStorage-journal


/data/data/com.jxzc.zhichengsd/databases/RKStorage-wal


/data/data/com.jxzc.zhichengsd/files/gaClientId


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 10:45

Reported

2024-06-13 10:46

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.16.228:443 udp
GB 172.217.16.228:443 tcp
GB 216.58.212.196:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A