Malware Analysis Report

2024-09-09 17:54

Sample ID 240613-nvebmaxbpf
Target a55a0de96eff9689c510337f76c2b2bf_JaffaCakes118
SHA256 2be36ac2c04ff406fb2e81a978ef15799877d01fc590e86fc0968fa143c66760
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2be36ac2c04ff406fb2e81a978ef15799877d01fc590e86fc0968fa143c66760

Threat Level: Likely malicious

The file a55a0de96eff9689c510337f76c2b2bf_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted

Queries information about running processes on the device

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 11:42

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE (declared 4 times) | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE (declared 2 times) | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
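
The permission list above is what a manifest check produces once the binary AndroidManifest.xml has been decoded. The following is an added example written for this page, not code from the sandbox or from the sample: it parses a decoded manifest, counts how many times each permission is declared (repeated entries, as in the table above, usually come from merged library manifests), and flags the high-risk permissions and the combinations that matter together. The SAMPLE_MANIFEST is a constructed excerpt modelled on the report's permission list, not the real manifest of this APK, and the HIGH_RISK set is the set this report flags rather than Android's formal protection levels.

```python
"""Added example (editor's code, not part of the sandbox report): triage the
<uses-permission> entries of a decoded AndroidManifest.xml."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The permissions the static1 signature above calls dangerous. This is the
# report's list, not Android's protectionLevel taxonomy (SYSTEM_ALERT_WINDOW and
# WRITE_SETTINGS are app-op permissions, REQUEST_INSTALL_PACKAGES is "normal").
HIGH_RISK = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_SETTINGS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

# Combinations that only become interesting when requested together.
COMBOS = {
    "overlay + sideload": {"android.permission.SYSTEM_ALERT_WINDOW",
                           "android.permission.REQUEST_INSTALL_PACKAGES"},
    "call interception": {"android.permission.PROCESS_OUTGOING_CALLS",
                          "android.permission.READ_PHONE_STATE"},
    "surveillance": {"android.permission.RECORD_AUDIO",
                     "android.permission.CAMERA",
                     "android.permission.ACCESS_FINE_LOCATION"},
}

# Constructed manifest excerpt (hypothetical package name); the duplicated
# WRITE_EXTERNAL_STORAGE entry mimics what merged library manifests produce.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> dict:
    """Return {permission: declaration count}. Expects a decoded (text) manifest;
    the binary AXML inside an APK must be decoded first (apktool, androguard)."""
    root = ET.fromstring(manifest_xml)
    counts = {}
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


def triage(manifest_xml: str) -> dict:
    """Summarise high-risk permissions, duplicate declarations and combinations."""
    perms = requested_permissions(manifest_xml)
    declared = set(perms)
    return {
        "high_risk": sorted(declared & HIGH_RISK),
        "duplicates": {p: n for p, n in perms.items() if n > 1},
        "abuse_patterns": [label for label, need in COMBOS.items() if need <= declared],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Run it against `apktool d sample.apk` output by reading the decoded AndroidManifest.xml into `triage()`. A permission declared several times is not itself suspicious, but it tells you the manifest was assembled from several libraries, which is worth remembering when attributing the network traffic later in this report to SDKs.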

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 11:42

Reported

2024-06-13 11:46

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

184s

Command Line

com.wjwl.lipsticka

Signatures

Checks if the Android device is rooted

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A (3 identical hits)

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A (3 identical hits)

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A (3 identical hits)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A (2 identical hits)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A (3 identical hits)

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A (3 identical hits)

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A (3 identical hits)
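
Each signature above is a rule over the detonation's event stream: a file path opened for read, or a Binder service / framework API called. The following is an added example written for this page, not the sandbox's own signature engine: it encodes the report's signatures as (event kind, regex) rules, runs them over a constructed trace in the same shape as the tables above, and reproduces the signature names, hit counts and the tag line (discovery evasion impact persistence). The TRACE is constructed; the three PIDs stand in for the three processes the report lists and the extra root-check paths (/system/xbin/su) are the editor's addition, not something the report observed.

```python
"""Added example (editor's code, not the sandbox's signature engine): match
behavioural signatures over a constructed event trace."""
import re
from collections import defaultdict

# (signature name, tag, event kind, regex on the indicator)
RULES = [
    ("Checks if the Android device is rooted", "evasion", "file",
     r"^/system/(app|xbin|bin)/(Superuser\.apk|su)$"),
    ("Queries information about running processes on the device", "discovery", "svc",
     r"^android\.app\.IActivityManager\.getRunningAppProcesses$"),
    ("Queries information about active data network", "discovery", "svc",
     r"^android\.net\.IConnectivityManager\.getActiveNetworkInfo$"),
    ("Queries information about the current Wi-Fi connection", "discovery", "svc",
     r"^android\.net\.wifi\.IWifiManager\.getConnectionInfo$"),
    ("Queries the mobile country code (MCC)", "discovery", "svc",
     r"^com\.android\.internal\.telephony\.ITelephony\.getNetworkCountryIsoForPhone$"),
    ("Registers a broadcast receiver at runtime", "persistence", "svc",
     r"^android\.app\.IActivityManager\.registerReceiver$"),
    ("Uses Crypto APIs", "impact", "api", r"^javax\.crypto\.Cipher\.doFinal$"),
    ("Checks memory information", None, "file", r"^/proc/meminfo$"),
]

# Constructed trace, one event per line: "<pid> <kind> <indicator>".
# kind: file = opened for read, svc = framework service call, api = framework API call.
TRACE = """\
1001 file /system/app/Superuser.apk
1001 file /system/xbin/su
1001 svc android.app.IActivityManager.getRunningAppProcesses
1001 svc android.app.IActivityManager.registerReceiver
1001 api javax.crypto.Cipher.doFinal
1001 file /proc/meminfo
1001 file /data/data/com.example/cache/journal.tmp
1002 file /system/app/Superuser.apk
1002 svc android.net.IConnectivityManager.getActiveNetworkInfo
1002 svc android.app.IActivityManager.registerReceiver
1002 file /proc/meminfo
1003 svc android.net.wifi.IWifiManager.getConnectionInfo
1003 svc com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
1003 api javax.crypto.Cipher.doFinal
"""


def parse_trace(text: str) -> list:
    """Turn the trace into (pid, kind, indicator) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, kind, indicator = line.split(" ", 2)
        events.append((int(pid), kind, indicator))
    return events


def match_signatures(events: list) -> dict:
    """Return {signature: {"tag": tag, "hits": [(pid, indicator), ...]}} in RULES order,
    keeping only signatures that fired at least once."""
    compiled = [(name, tag, kind, re.compile(pat)) for name, tag, kind, pat in RULES]
    hits = defaultdict(list)
    for pid, kind, indicator in events:
        for name, tag, rule_kind, rx in compiled:
            if kind == rule_kind and rx.match(indicator):
                hits[name].append((pid, indicator))
    return {name: {"tag": tag, "hits": hits[name]}
            for name, tag, _, _ in RULES if hits[name]}


def tags(result: dict) -> list:
    """The sorted, de-duplicated tag line the report prints at the top."""
    return sorted({v["tag"] for v in result.values() if v["tag"]})


if __name__ == "__main__":
    res = match_signatures(parse_trace(TRACE))
    print("Tags:", " ".join(tags(res)))
    for name, info in res.items():
        print(f"[{info['tag'] or '-'}] {name}: {len(info['hits'])} hit(s)")
```

Keeping the PID on each hit is the one thing the report's tables lack (Process is N/A throughout): with it you can tell whether the root check and the Cipher.doFinal calls come from the main app, the :ipc process or the io.rong.push process, which is exactly the attribution question a reviewer of this sample needs to settle before blaming the app rather than a bundled SDK.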

Processes

com.wjwl.lipsticka

com.wjwl.lipsticka:ipc

io.rong.push

/system/bin/sh -c getprop

/system/bin/sh -c getprop

getprop

getprop

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.204.74:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | stats.cn.ronghub.com | udp
GB | 8.208.8.123:443 | stats.cn.ronghub.com | tcp
US | 1.1.1.1:53 | cfg.imtt.qq.com | udp
HK | 43.135.106.117:443 | cfg.imtt.qq.com | tcp
HK | 43.135.106.117:443 | cfg.imtt.qq.com | tcp
HK | 43.135.106.117:443 | cfg.imtt.qq.com | tcp
US | 1.1.1.1:53 | update.sdk.jiguang.cn | udp
US | 1.1.1.1:53 | s.jpush.cn | udp
CN | 119.3.253.130:19000 | s.jpush.cn | udp
US | 1.1.1.1:53 | api.weixin.qq.com | udp
HK | 43.129.2.204:443 | api.weixin.qq.com | tcp
US | 1.1.1.1:53 | log.tbs.qq.com | udp
HK | 129.226.107.80:443 | log.tbs.qq.com | tcp
HK | 129.226.107.80:443 | log.tbs.qq.com | tcp
HK | 129.226.107.80:443 | log.tbs.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | nav.cn.ronghub.com | udp
HK | 43.135.106.117:443 | cfg.imtt.qq.com | tcp
GB | 8.208.102.120:80 | nav.cn.ronghub.com | tcp
US | 1.1.1.1:53 | open.weixin.qq.com | udp
HK | 203.205.239.154:80 | open.weixin.qq.com | tcp
CN | 60.205.180.247:8000 | - | tcp
US | 1.1.1.1:53 | sis.jpush.io | udp
CN | 1.92.70.140:19000 | sis.jpush.io | udp
US | 1.1.1.1:53 | long.open.weixin.qq.com | udp
CN | 109.244.216.15:443 | long.open.weixin.qq.com | tcp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | easytomessage.com | udp
CN | 123.60.89.60:19000 | easytomessage.com | udp
CN | 60.205.180.247:8000 | - | tcp
US | 1.1.1.1:53 | _psis._udp.jpush.cn | tcp
CN | 120.46.141.4:19000 | - | udp
CN | 121.36.15.222:19000 | - | udp
CN | 123.60.79.150:19000 | - | udp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 124.70.159.59:19000 | - | udp
US | 1.1.1.1:53 | - | tcp
US | 1.1.1.1:53 | im64.jpush.cn | udp
CN | 139.9.135.156:7003 | im64.jpush.cn | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 109.244.217.35:443 | long.open.weixin.qq.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 1.94.137.47:7003 | im64.jpush.cn | tcp
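
Most of the rows above are DNS lookups to the sandbox resolver and contacts with hosts of bundled SDKs (JPush/Jiguang push, RongCloud IM, Tencent Bugly/TBS/WeChat, Google). What a reviewer wants pulled out are the rows that are neither: domains that belong to none of those families, and connections to bare IPs with no name lookup in front of them. The following is an added example written for this page, not code from the sandbox: it parses rows in the table's format, attributes named hosts to a family by domain suffix, and collects the rest. The ROWS constant is an excerpt of the table above; the suffix-to-family mapping is the editor's attribution based on the well-known owners of those domains, not something the report states.

```python
"""Added example (editor's code, not part of the sandbox report): separate
third-party SDK traffic from endpoints that need a closer look."""
from collections import Counter, defaultdict

# Domain suffix -> SDK / service family (editor's attribution, not the report's).
FAMILIES = {
    "jpush.cn": "JPush", "jpush.io": "JPush", "jiguang.cn": "JPush",
    "ronghub.com": "RongCloud",
    "qq.com": "Tencent",           # bugly, tbs, weixin hosts
    "googleapis.com": "Google", "google.com": "Google",
}
RESOLVER = "1.1.1.1:53"    # the sandbox's DNS resolver in this detonation
MDNS = "224.0.0.251:5353"  # link-local multicast DNS, not an external contact

# Excerpt of the Network table above, one row per line: country dest [domain] proto.
ROWS = """\
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 stats.cn.ronghub.com udp
GB 8.208.8.123:443 stats.cn.ronghub.com tcp
US 1.1.1.1:53 cfg.imtt.qq.com udp
HK 43.135.106.117:443 cfg.imtt.qq.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 119.3.253.130:19000 s.jpush.cn udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 60.205.180.247:8000 tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 60.205.180.247:8000 tcp
CN 120.46.141.4:19000 udp
GB 142.250.200.46:443 android.apis.google.com tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
"""


def parse_rows(text: str) -> list:
    """Rows have 3 fields (no domain) or 4 fields; anything else is ignored."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        out.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return out


def family_of(domain: str):
    """Match the domain against FAMILIES by exact name or parent suffix."""
    for suffix, family in FAMILIES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return family
    return None


def triage(rows: list) -> dict:
    by_family = defaultdict(set)
    unknown = defaultdict(set)
    direct_ip = Counter()
    dns_queries = set()
    for r in rows:
        if r["dest"] == MDNS:
            continue                      # local service discovery, skip
        if r["dest"] == RESOLVER:
            if r["domain"]:
                dns_queries.add(r["domain"])
            continue                      # a lookup, not a contact
        endpoint = f'{r["dest"]}/{r["proto"]}'
        if r["domain"] is None:
            direct_ip[endpoint] += 1      # contact with no name in front of it
            continue
        family = family_of(r["domain"])
        if family:
            by_family[family].add(f'{r["domain"]} -> {endpoint}')
        else:
            unknown[r["domain"]].add(endpoint)
    return {
        "by_family": {k: sorted(v) for k, v in by_family.items()},
        "unknown_domains": {k: sorted(v) for k, v in unknown.items()},
        "direct_ip": dict(direct_ip),
        "dns_queries": sorted(dns_queries),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_rows(ROWS)), indent=2))
```

On the excerpt this leaves two things outside the SDK families: easytomessage.com, contacted on 19000/udp (the same port the JPush hosts s.jpush.cn and sis.jpush.io use in the full table, which suggests another push relay, but that is an inference to verify, not a fact the report establishes), and 60.205.180.247:8000/tcp, contacted twice with no preceding DNS lookup. Neither is shown to be malicious by this report; they are simply the rows that cannot be explained by the bundled SDKs and therefore deserve a packet-level look. The bare-IP rows on 19000/udp in the full table are most likely further JPush relays resolved via the _psis._udp.jpush.cn SRV lookup, which is again an inference from the data rather than something the report states.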

Files

/data/data/com.wjwl.lipsticka/cache/image/journal.tmp

MD5 cb46ae335198e10191311eec4345db00
SHA1 3df8cef54f3251c2179546c1109d177e7a5e17d9
SHA256 eb1c44b3ff7c5c756e792ec964d3afeb64ac5b81af842864e658eb6c066f7392
SHA512 542e93dde1f64daf1fde3cdaa77b1fc8bcb00b613ed8acec35d201daf8447acf4a8a6161132eb65b74201e7f0f9ce964704c646fa397f91716a61334226e8f87

/storage/emulated/0/Android/data/com.wjwl.lipsticka/cache/ronglog/RongLog_2_8_27.log

MD5 90e68b2cec9bad90bba270dcbb4d118a
SHA1 66e5511bd60c4f127ce50255486a4cd14b61bd3b
SHA256 6ab3e6f09b16d2b2efbac963c6b77e5f91fba8a2bc3e70b98c3e38c5abeb1b4b
SHA512 b550e6c225054659da27dc76c9acdc9bf082e2faef642f4976603b1a9c345c1a19c5902bf8f0c2a5375e7cb624ec64aa53e3dedc4fb9bb8a6752016dfb755ea6

/storage/emulated/0/Android/data/com.wjwl.lipsticka/files/tbslog/tbslog.txt

MD5 eb64ee5ffac58519ae9915a658598669
SHA1 1d92cac8832415dc5bac1d09ff5c474ac4887a3c
SHA256 a837b01fb418878f3b0f6fcacd58a642b2e27c2a403bd9afd6fd58627436b041
SHA512 f036e9b1c4a931a7af2e3a357239406f47eb55ca9c2158c44008288115ae740f699b87be0406b7256c1bb7a28f793b8512e9a23a0054fdb7cfca869b782adb8b

/data/data/com.wjwl.lipsticka/app_crashrecord/1004

MD5 f1814a8ed875f90c97601ccc670dfeda
SHA1 a8c6191a87440922c8d5749e6d0a00e3e7582529
SHA256 19f82d63e1b74c7484756c5981b247a7ed8e4ff60b732f3e60a9bb24f9a09517
SHA512 0882dd37fb2541941daa0815056ad2b8cd296ccaf8d6a5baf720c5ebc765e22eab1cfc33ba6114e57809e6986721371b8c54066338161169c5276a98dbedbb00

/data/data/com.wjwl.lipsticka/databases/bugly_db_-journal

MD5 34a4cd83b1952d55607137e8465df4e7
SHA1 f3fe9f1dd9ce159ea9a92053d0900b0658f9a393
SHA256 120ec4bc21e2c2e98ad9850846697938e1f3805d55bbad532a7adc6f7053eefc
SHA512 a80797402ba08435acf508b1f4044f2372f2e03f78ac14bfd19219aa7494a5ea575d8db1ff68f481a0fc021fde3a3f8de863ee6ed5deb6a824c2f4a3a2b77af4

/data/data/com.wjwl.lipsticka/databases/bugly_db_

MD5 3bd7114ea95ae5d1ce480f0fe91750da
SHA1 3e4ed7d60346d6800564492b220c9e187cc99d42
SHA256 ff4e26f00087b5d1e48abc275e27b3324fde43eea41d55c7513c6d3ada29ac4f
SHA512 8d44c53454aadae20c3d7b70a2de4c1a88f4fc210b2b4958742a6f799550edf1224f86b4a6761ffebe7caf99a5160b3d97edeffe7ec320d3a0c27525afa978bd

/data/data/com.wjwl.lipsticka/databases/bugly_db_-shm

MD5 474c676f49060917b5d2501f661c1a2e
SHA1 61369827eb711573007affc9b208f30771817cbd
SHA256 2f8f4312f190c27338aa3ffa3e907a75b59cb14f935271a660522a5ce2828033
SHA512 4815e9bed3bbc32b1f9c02334af39487fc8f06ba9605ceb44b1adbe00cb13dd528313de9a440d8b31999caf902d0214edc779456e438e98d6e304c93818d2ba1

/data/data/com.wjwl.lipsticka/databases/bugly_db_-wal

MD5 d07ca99b9f1c5389daddb58cca4d2869
SHA1 4a4393a820143a79fb13c5361ed889b22e85c65c
SHA256 ea33397135b08e19a269bc5ad56bcb4281f4bd9984e6e83043ff29972bf0e714
SHA512 3575039a66341410451a9962c188501230346fa033540f6831b3bf219eb19d3d634612f922039cbed4abab557d355bd133b1a3fa12aa25b3632c87b02e361bc7

/data/data/com.wjwl.lipsticka/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.wjwl.lipsticka/app_crashrecord/1002

MD5 01b77206036192d6ee4d6945b70db637
SHA1 fbbaa940c822f450be086d54b8918ee6bd998cac
SHA256 c8c06af77c2a3b251901c9dbe8d02c52c70259d01037de6b25d4ad42cb57b5ba
SHA512 8db4b124e836bc2d7183b374d20ca0224e3745a388e56e08fa630ecb46f225d5c093c41faa3f4fc41d66f7532ead411c61d17414d149a7a9e1d373870fbcd272

/data/data/com.wjwl.lipsticka/app_crashrecord/1002

MD5 17f69e9a4db2a55e4eb4643f4702c186
SHA1 bad9f1d828a5189e14f1f65a49fb19619e800cbf
SHA256 965bdd330c0aeda651a43a2ff8ba98282983250001dfcc50e94bce4591b7d7b7
SHA512 237086a210b6ab93b755918a71f61c139927e15ac34f44a5b9c3d946c6d0172af5f5a4f64c0eafc48d1fd514d284f8aed5e4899776e7192a7492eb48abdcf1f1

/data/data/com.wjwl.lipsticka/app_crashrecord/1002

MD5 78e9bc4ac786c145f1f06bd4cb018494
SHA1 275f0329fc6f8bc38a0bc6dfc433f18510788e78
SHA256 9113d172cae99a40df973ee85a8ee86d41c42369c9c8376efcb37596fd6f5a19
SHA512 52398955102332f0ba64ff6de26350a39d958735d0067740339d88647ba17f1941ff7006240e61f75bf21a33dcfc4f646cf9cb9946bd9fa46a7317a7216fc2d5

/storage/emulated/0/data/.push_deviceid

MD5 f8c7061b7348078e17f576b19ac09ee5
SHA1 c5169e4a8bccb312bd15d082cbf2091623a89ef5
SHA256 c715eb90f4c867efe5b374579ab2a5701cac15a27836a619de6428793ec644ba
SHA512 0c26827e2b40590206de36bd2b56265fdd039f8b38630b9c1efe75b904c7bc34f91cbb6ecae871c3b07be0b84b718951c49eba37a508737935e9bbfc829f8a7f

/data/data/com.wjwl.lipsticka/app_lib/x86/push_daemon

MD5 ed4f17dc95b32c106489dcca43053619
SHA1 94f6bfb3172c7d038c79590d9f70b80fd57b6ef3
SHA256 a87325322479545fb44e9247bb04543d7787e8d388bb3610c81fd1cfe2d8f365
SHA512 acd20ae13bbb97cec412a7b9f3288756689e7692c9275c366c3cd4298b955a727fb9e234a1f4e889b7de06548a743f43c0b5f6aa644a80ab994b0b9a2cf63345

/data/data/com.wjwl.lipsticka/files/jpush_stat_cache.json

MD5 3bec4396d6eba1eeed6d1eee94c034f6
SHA1 8d7f2d03c2e01d12be0e7c95c819573453f578a1
SHA256 c74303cf649b98230de233d311bb0cfe3728c41bf6cf6cb1423f537880921fe1
SHA512 79355fb688ec9ac54a6b10e7b71b6d11cbaaa478fdaccf2f1430234ef5f767bf4c4d3d7f2b1ac10697038088ee758b9ac8dd61eb415ea2bdd6f5ecafe2bd7388

/storage/emulated/0/Android/data/com.wjwl.lipsticka/cache/ronglog/RongLog_2_8_27.log

MD5 4f8a55cb04c7d0250338e277ee40c2e1
SHA1 31d657b514d58b2d3fa8449888414a521056873c
SHA256 74f21ff770ecb4d5910dcf4ccd06b9c2644f42fa942afb57a8be9cca10657488
SHA512 1e9c3a37cc6c38084408cd7955d1db29f11d81330cce5e3e9add703a4e81ca68ff46fcf9684fd8ff39e7f44475b9929f4a5708c9f6bd610f3fb2465dec14f8ad

/storage/emulated/0/Android/data/com.wjwl.lipsticka/cache/ronglog/RongLog_2_8_27.log

MD5 c010ea9bae49f7482ac73bd97da2effd
SHA1 96d11179c8f90cc42c04d9cb5b5b4c9c4b2a596a
SHA256 717b40801c27e089c436c80068cb4c2ac5a36892b7ea68bcf90fb38764ac32cf
SHA512 d6f67d41eb5195b4c90c321c8aea47799832780eb1c42d5494526795b1d8f00d23d352ea12a7716339f64e574f095d22adc29f9ce841426ddcf97d3e3ba2b817

/storage/emulated/0/tencent/MicroMsg/oauth_qrcode.png

MD5 fb7ba074c39ca6faae8a48730a6892aa
SHA1 29681e799ff6a1d39a8881d2fc353bb1be3a5291
SHA256 a6dfdbbcc86b7d4cbf8737e6d310fcb3dda1ce53269559ded1aca9f22ab96b6e
SHA512 68cc6883995489a3156152745ee3a68d75c2bcc166a70b197e4f34e31448fee9811aecc18bea9253118345c205e79a724406f553bca423c7acb6f2089c3feceb