Analysis Overview
SHA256
4e1c21a1cb3300c53a44a7850e664a77f35147cc1ee7b627fe050ad5afd7d089
Threat Level: Shows suspicious behavior
The file a616ab21575c71fc80aa35367ccb58ea_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Queries information about running processes on the device
Queries the phone number (MSISDN for GSM devices)
Queries information about active data network
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 14:45
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 14:45
Reported
2024-06-13 14:48
Platform
android-33-x64-arm64-20240611.1-en
Max time kernel
9s
Max time network
171s
Command Line
Signatures
Processes
com.zbzhixue.app
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 172.217.169.68:443 | | udp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 216.58.204.74:443 | | tcp |
| BE | 142.251.168.188:5228 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.180.10:443 | | udp |
| GB | 216.58.204.74:443 | | udp |
| GB | 216.58.212.227:443 | | tcp |
| GB | 172.217.169.68:443 | | udp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | tcp |
| GB | 142.250.200.3:443 | | tcp |
| US | 172.64.41.3:443 | | udp |
| GB | 142.250.200.3:443 | | udp |
| GB | 142.250.179.228:443 | | tcp |
Files
/data/user/0/com.zbzhixue.app/.jiagu/libjiagu.so
| MD5 | f47ccb3ce6fda626c6c29b66b8200f1a |
| SHA1 | 03361d06acc540baf0a2bdc37a20612dec7439c8 |
| SHA256 | 7cb4c6c1359c5a9aeb86441ab855811e3ab420802d4376627855c18babb20916 |
| SHA512 | a32253d71e6c01599858124b25042ab44be367eed06184ade8e4be4a7e726283f4acab58fe830ac428895721e6dda922e94d9c56b385f4854a25758d59e768c5 |
/data/user/0/com.zbzhixue.app/.jiagu/libjiagu_64.so
| MD5 | 69eacc7067118e63be591e6497446683 |
| SHA1 | a21b1d3be9639cceb57436f67006d43faa47f8ec |
| SHA256 | 01c6fd5317acbdb047072a2a0db1abfef56e949c0156713f554a308fea3749f1 |
| SHA512 | 54d81dbf86cf61fd96ae9e2e5c7a888208c41e92228af356beb13663c8bbd7d8fb8ee9dcd647ef51d05e76b71d0dac5dc964bd8b5652e65429b970684d1276f1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 14:45
Reported
2024-06-13 14:48
Platform
android-x86-arm-20240611.1-en
Max time kernel
14s
Max time network
139s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/data/com.zbzhixue.app/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.zbzhixue.app/.jiagu/classes.dex!classes2.dex | N/A | N/A |
| N/A | /data/data/com.zbzhixue.app/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.zbzhixue.app/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.zbzhixue.app/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.zbzhixue.app/.jiagu/classes.dex!classes2.dex | N/A | N/A |
| N/A | /data/data/com.zbzhixue.app/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.zbzhixue.app/.jiagu/tmp.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.zbzhixue.app
com.zbzhixue.app:pushcore
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.zbzhixue.app/.jiagu/libjiagu.so
| MD5 | 5aea02f4e4c77fbf2e7a27f7ca9cc06b |
| SHA1 | 522db1748608e9173547b29b7aa82ddc3542c534 |
| SHA256 | 5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2 |
| SHA512 | 5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316 |
/data/data/com.zbzhixue.app/.jiagu/classes.dex
| MD5 | ebd14835ff4d93accfe103a6e8f3dc66 |
| SHA1 | 6f3fcd63ed23e52004c63e04adcd05bb54b0673e |
| SHA256 | 98809c4eea8ba5fb6d443e52500e521af74a1847b6eeaea53e644721272bf18a |
| SHA512 | fb8a909734d558c5e844a331efa578cd08963cb90b8c99b5a6eb7cd120ce5b0037524dde7d0f36744cca7c1d9ee740c5ddfcc14befa84b961fff7543158c0140 |
/data/data/com.zbzhixue.app/.jiagu/classes.dex!classes2.dex
| MD5 | 52786a11118f744b47cac29fd8e4e784 |
| SHA1 | 3ca9b96dd90d48b35c497b655d377d274c43d9fa |
| SHA256 | 9e8dace9b61f44efee4d3b921e1575e14f9b7e1696d120d7ac3fe4806d76395b |
| SHA512 | 6fecf8a80e62cf5d47c0a8225b6d1d18dde801fd7d48f9a1c90fd3f9e157f4ac0b567829cb66c8557ff01885b04088aadd3dd421788ed678b22899e371bce564 |
/data/data/com.zbzhixue.app/.jiagu/tmp.dex
| MD5 | f1771b68f5f9b168b79ff59ae2daabe4 |
| SHA1 | 0df6a835559f5c99670214a12700e7d8c28e5a42 |
| SHA256 | 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939 |
| SHA512 | dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d |
/data/data/com.zbzhixue.app/files/.jglogs/.jg.ri
| MD5 | 16916477889111a30cc72f19cc6f83f8 |
| SHA1 | ed18a4f634b2253aefdd529be0c190d402e0fc1c |
| SHA256 | 04c40b7a45121fef31578e70aabb2220fd685bc6b04b8217a2cf2b36c23cca5d |
| SHA512 | 5284a0c269c568315a02ff016284cc2e3784be67d2e65f23309eab56cf85fb57c09bcd29a252be5d44cec5f698ad47cddf58a6fe94f77a7babc1e5a1fd388333 |
/data/data/com.zbzhixue.app/files/.jglogs/.jg.ri
| MD5 | 49a2c4fad207eb9be67b590a5f699203 |
| SHA1 | a8d781d0801d5d8bbbad4341299fab39f83a9713 |
| SHA256 | a3452ec4f8a59ff4b08a7887bc62a70645e55573cf9effc83483fd70a226c078 |
| SHA512 | c5aad594dc292050031af7ab54f07c1a2a6b9c383bc3cf9a289e8ebe9197c842a4a125182858c02b035015b8e734a37ff025038e297a25844c5b77815bade375 |
/data/data/com.zbzhixue.app/files/.jiagu.lock
| MD5 | 1ca051278785d9d15db1cc2def5b469e |
| SHA1 | b8efd73eb6f102d52362191e9d095d8d05378fdc |
| SHA256 | 2921d81d84e9c6b9ed14eb5626e2e6b9211e27f174bc74c327e231d39ddc9965 |
| SHA512 | f40545936333eba5ddfde96b1b1e8d03645d25cacedc891505574378be84997366bd52b5ec8652fa294000ceec4fcbf05865398139508c4d48421d80135743fa |
/data/data/com.zbzhixue.app/files/.jglogs/.jg.rd
| MD5 | 8ff24268bc92a9fdca0103d0d33ac6ff |
| SHA1 | a47f7dae3c5305035bc92fc17b93543c7a99ee30 |
| SHA256 | ad61469093e6279d37b15d7ab72d6129acade96a5061cb727294a682dbbdf645 |
| SHA512 | eca821c6611930bb101302ec5e3ab68f08a23f9c97316a44b8c99b8ef174971459dd7210bfda8e376e61a00f2f90c08a065fdb24f48b65d0562dcb8c30daab89 |
/data/data/com.zbzhixue.app/files/.jglogs/.jg.store.report_pid
| MD5 | 7139a24bacc4f0bb846e4e69538189d0 |
| SHA1 | 0b6d363a502ee0d29dc90beac39b303cfcaa3673 |
| SHA256 | 2bad0cb3ba2c47a088ce177eebab5914ade5e3b55d7ce79fec74842acba35e05 |
| SHA512 | 39a84fd40ab0fb8b80eb85d1b2d66ee49f0d99fd3a4b9f516b38afa604accff83c010f63caabdb891b242b262d807b9679fb04b49529758edf66c415139b20ba |
/data/data/com.zbzhixue.app/files/.jglogs/.jg.ac
| MD5 | f1f20c5e43a72df7d5f2189e09bf7e09 |
| SHA1 | 3378f7308ba0d29c2ed2885a27702962502188a0 |
| SHA256 | 2c6315d0f42929dbd64598c4b8ef289ec74bfcab923927fb2bd2626bc7838934 |
| SHA512 | 8bb82855cd04533c8b3f483f511d20b19385da6494f365b47ad95459d1d7c4367aa7f8c4cb0ad31cf9107cf5df7e99888dd1a70561501e0c55b1cff9da492e6c |
/data/data/com.zbzhixue.app/files/.jglogs/.jg.ic
| MD5 | 9bcf79003cf19fa960fe38aa96d3b5f7 |
| SHA1 | 84be077508332028da0855ef5d5415a4c5363bba |
| SHA256 | 7f0cc8e8990823eeb4b0fa26df014b77f6f67ea9a57e83d545d8114e1fe55286 |
| SHA512 | 20aaa8ede070945687f4ea165a3f7393a3d009415c128a07298ca25b05668b8420f737ad21412c4ada79a89649b056a94460c1cf4c847cfae2c86571e91ca1ba |
/storage/emulated/0/Android/data/com.zbzhixue.app/cache/uil-images/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
/data/data/com.zbzhixue.app/databases/my_database.db-journal
| MD5 | 7ffcd6cd7d7ffdfbc64bbc6a082e21fb |
| SHA1 | 609b2026ae5b60be1965d0d0f11dd30bf6bed2a5 |
| SHA256 | b623fa29d461e249696a7733fa2bf1132093eabeb8ec70efe9b7dc16b24a0e20 |
| SHA512 | 1d5ccfa71fd65edefa2eb36ccd3f44cf17f96d2810f48936fc951bbec77f7dd7f319bea7e00aa9137485e96b966ca8d60b6fad3b14005be062619aabedc58ede |
/data/data/com.zbzhixue.app/databases/my_database.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.zbzhixue.app/databases/my_database.db-shm
| MD5 | cf845a781c107ec1346e849c9dd1b7e8 |
| SHA1 | b44ccc7f7d519352422e59ee8b0bdbac881768a7 |
| SHA256 | 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7 |
| SHA512 | 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612 |
/data/data/com.zbzhixue.app/databases/my_database.db-wal
| MD5 | 7f155e5d32976e266ddad30b168a61bc |
| SHA1 | d07c817f6e289983aabf5bb7d18bdb2b75064cb1 |
| SHA256 | 34a7a0e64c82f2865f84f97ea90505f526e59ce5d36416af907cef3286f5a52c |
| SHA512 | 8c2d122f71ae5601cbb8290ef2445e901fbd6f3d23ec3bfba9fdf7a563945805b2056a7f2b8e85acc46c746c8ebb6812202f25fae126925528ad7af85ae23841 |