Malware Analysis Report

2024-09-09 17:25

Sample ID 240613-r4tz8axdqk
Target a616ab21575c71fc80aa35367ccb58ea_JaffaCakes118
SHA256 4e1c21a1cb3300c53a44a7850e664a77f35147cc1ee7b627fe050ad5afd7d089
Tags
discovery evasion persistence
score
7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file a616ab21575c71fc80aa35367ccb58ea_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 14:45

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 14:45

Reported

2024-06-13 14:48

Platform

android-x86-arm-20240611.1-en

Max time kernel

14s

Max time network

139s

Command Line

com.zbzhixue.app

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.zbzhixue.app/.jiagu/classes.dex N/A N/A
N/A /data/data/com.zbzhixue.app/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.zbzhixue.app/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.zbzhixue.app/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.zbzhixue.app/.jiagu/classes.dex N/A N/A
N/A /data/data/com.zbzhixue.app/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.zbzhixue.app/.jiagu/tmp.dex N/A N/A
N/A /data/data/com.zbzhixue.app/.jiagu/tmp.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.zbzhixue.app

com.zbzhixue.app:pushcore

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/data/data/com.zbzhixue.app/.jiagu/libjiagu.so

/data/data/com.zbzhixue.app/.jiagu/classes.dex

/data/data/com.zbzhixue.app/.jiagu/classes.dex!classes2.dex

/data/data/com.zbzhixue.app/.jiagu/tmp.dex

/data/data/com.zbzhixue.app/files/.jglogs/.jg.ri

/data/data/com.zbzhixue.app/files/.jglogs/.jg.ri

/data/data/com.zbzhixue.app/files/.jiagu.lock

/data/data/com.zbzhixue.app/files/.jglogs/.jg.rd

/data/data/com.zbzhixue.app/files/.jglogs/.jg.store.report_pid

/data/data/com.zbzhixue.app/files/.jglogs/.jg.ac

/data/data/com.zbzhixue.app/files/.jglogs/.jg.ic

/storage/emulated/0/Android/data/com.zbzhixue.app/cache/uil-images/journal.tmp

/data/data/com.zbzhixue.app/databases/my_database.db-journal

/data/data/com.zbzhixue.app/databases/my_database.db

/data/data/com.zbzhixue.app/databases/my_database.db-shm

/data/data/com.zbzhixue.app/databases/my_database.db-wal


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:45

Reported

2024-06-13 14:48

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

9s

Max time network

171s

Command Line

com.zbzhixue.app

Signatures

N/A

Processes

com.zbzhixue.app

Network

Files

/data/user/0/com.zbzhixue.app/.jiagu/libjiagu.so

/data/user/0/com.zbzhixue.app/.jiagu/libjiagu_64.so
