Analysis Overview
SHA256
66f36c54f06d5b58949ea1e01b0eabab52394fa2740d46b2fd8f4180d2eeabd6
Threat Level: Shows suspicious behavior
The file a5f47af010bf749a674aed9e9e730a7a_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Queries the phone number (MSISDN for GSM devices)
Loads dropped Dex/Jar
Queries information about running processes on the device
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Queries information about active data network
Declares services with permission to bind to the system
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 14:10
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:14
Platform
android-x86-arm-20240611.1-en
Max time kernel
179s
Max time network
134s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.dbgj.stacore
getprop ro.board.platform
getprop ro.mediatek.platform
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | stat.anquanxia.com | udp |
| US | 107.149.163.133:80 | stat.anquanxia.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/storage/emulated/0/data/.systemid
| MD5 | b68ae2e5920e3460fa8afa495c887fc2 |
| SHA1 | bcf53ec0b2824c1a12eb97cfa807e910029330ab |
| SHA256 | d28c9d0949c70649e445799e3fe49ae96ffc4b48ce4396b0a9886a95eafdc0e4 |
| SHA512 | 7c57c36c33c11a2e3cc5578f12f0d522afd17dae561090a7a51172e00cea6e796f141f854fb3c6b77c15dea1b40600cbeab802db77adacb1c8ddcfb424626152 |
/storage/emulated/0/data/.systemmac
| MD5 | 0f607264fc6318a92b9e13c65db7cd3c |
| SHA1 | c1976429369bfe063ed8b3409db7c7e7d87196d9 |
| SHA256 | c248c629af1fe0a8c46b95668064c1d2952a9e91d207bc0cc3c5d584c2f7553a |
| SHA512 | 9dbd40b135b46c7be31b8c7d11c75b0b179af3a6550fca52ec447583aeb50aaaedb4b1e9373cf8826615149549a2efaee04efdc9a282e3a6b387c73099c13fb1 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:14
Platform
android-x64-arm64-20240611.1-en
Max time kernel
179s
Max time network
140s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Processes
com.dbgj.stacore
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | stat.anquanxia.com | udp |
| US | 107.149.163.133:80 | stat.anquanxia.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
Files
/storage/emulated/0/data/.systemid
| MD5 | 09a97e6d4e86765ffcca2e5f986f4d17 |
| SHA1 | bff0532dceef0ef8142960c0949993ac1a3fd53f |
| SHA256 | a0e0dbee68da9279c579e20159c751f2c50b4a6a1161b434a8ecb066913ef8f5 |
| SHA512 | 5075b8dd260e54c6067035632b30c6d09aa2b1fba99f008c91ea3b514e943bf1601d3d830e4de57cbea24f269c83e3d7a394be971ec6fa21d61cc339982337d1 |
/storage/emulated/0/data/.systemmac
| MD5 | 0f607264fc6318a92b9e13c65db7cd3c |
| SHA1 | c1976429369bfe063ed8b3409db7c7e7d87196d9 |
| SHA256 | c248c629af1fe0a8c46b95668064c1d2952a9e91d207bc0cc3c5d584c2f7553a |
| SHA512 | 9dbd40b135b46c7be31b8c7d11c75b0b179af3a6550fca52ec447583aeb50aaaedb4b1e9373cf8826615149549a2efaee04efdc9a282e3a6b387c73099c13fb1 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x64-arm64-20240611.1-en
Max time network
10s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:14
Platform
android-x86-arm-20240611.1-en
Max time kernel
9s
Max time network
140s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/com.percent.rainbowbreaker/files/stares/updates/sta.jar | N/A | N/A |
| N/A | /data/user/0/com.percent.rainbowbreaker/files/stares/updates/sta.jar | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Processes
com.percent.rainbowbreaker
getprop ro.board.platform
getprop ro.mediatek.platform
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.percent.rainbowbreaker/files/stares/updates/sta.jar --output-vdex-fd=61 --oat-fd=66 --oat-location=/data/user/0/com.percent.rainbowbreaker/files/stares/updates/oat/x86/sta.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.178.10:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | stat.anquanxia.com | udp |
| US | 107.149.163.133:80 | stat.anquanxia.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp |
Files
/storage/emulated/0/data/.systemid
| MD5 | 40ecb1a105c5cd212007e81204337df8 |
| SHA1 | daf55bca16255e685a566e3f58d1ea088699c5b1 |
| SHA256 | ba139d2fd6cb32573e67fd693476a682dbb869bdf46632db2462780174ba4020 |
| SHA512 | 068abbf06896268ec1d671e3c91e672da5e68c409c7ebbcf538bfc844e95962f94c1ed89d563603f6e6124ba820de52c80f9a86c38fee56b9d695962f4bbf187 |
/data/data/com.percent.rainbowbreaker/files/stares/updates/sta.jar
| MD5 | 8ec43e10005ec4bc91c4e45b8e68e304 |
| SHA1 | 66fb42cb11e77900e55cbd4a8e247841dad1c5ea |
| SHA256 | 18d90827352cf0ed3084c4f1f94d98026908f674914889e1e58c2ac5e68be63f |
| SHA512 | 6077f32c03361faa552bde6c7cb9676c6393a9b7a30a9622095e6eb93da484b29fd75edd955523c8b51d4e86fe4a19fbce5cc456f7612162dbdec76e43b563d6 |
/data/user/0/com.percent.rainbowbreaker/files/stares/updates/sta.jar
| MD5 | f4e9864345c65cfda19a2f32209cc1ac |
| SHA1 | a28bd5640006c97399085831a71f444cc9142123 |
| SHA256 | a908ee5efebad005c51ab86e6a47b56ea8f11b44129e149db376fa8d5eeb383c |
| SHA512 | 9b0f40b2f8eebed0817b5a1ab31ab61af2da9d2e3ae1f5b880b40552986e5bd192ed9d1c31c5fe74cf458a51e809f05300f1fade9e4c28a3517a3a1c6ffc5f7c |
/data/user/0/com.percent.rainbowbreaker/files/stares/updates/sta.jar
| MD5 | a76a0eec70efc99ea0ac64c07f6bec32 |
| SHA1 | 8102d17f7690ba9697f1be3de7cedfb765e70d51 |
| SHA256 | aa563dff1eff005677766ff94f60884b3ca72e1b4e0e478dd8ba781269dca37e |
| SHA512 | dff801c2e27bf4e62a1fb04f0a120a8be7f7cabc3640195dd3caacca4c6c3741eaeeb4d9e5afe151d6b8cf38684779acff4f99d37fe784329ca6b9ecfd2cd0c0 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:14
Platform
android-x86-arm-20240611.1-en
Max time kernel
6s
Max time network
131s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.muzhiwan.market
chmod 755 /data/user/0/com.muzhiwan.market/.jiagu/libjiagu.so
/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.muzhiwan.market/.jiagu/classes.dex --dex-file=/data/data/com.muzhiwan.market/.jiagu/classes2.dex --oat-file=/data/data/com.muzhiwan.market/.jiagu/classes.oat --inline-depth-limit=0 --compiler-filter=speed
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.muzhiwan.market/.jiagu/libjiagu.so
| MD5 | 9885f6c9682fef5e0ab72e530eb52ebe |
| SHA1 | 8b480c3ec2bdd236c26e3b3a6e7d95fa14df43d0 |
| SHA256 | 0e17f244f4927f3fbe422cbbfcf19c829500ff0dec09c4442b0801b4db7e8fdb |
| SHA512 | f7e39025f354e75e826eb023a5687640796e8a343926a1f6338f353a6930655b0dd5108cea246f5592b56fe32395f95814f469203dd70ee22f20d420f79692a9 |
/data/data/com.muzhiwan.market/.jiagu/classes.dex
| MD5 | 3c79da0d95d99b9d5a31436cdda76828 |
| SHA1 | 969c7d830f245df06f40238c35f36bc6955057f5 |
| SHA256 | 86634370a791151dbc829b6475fd64389a06582bbee718c8fb5ea18b85d50779 |
| SHA512 | beee337d38a2ce5c60411f64b794dce54839f32d58e2945bac5a8216a75998bf9db3cb441f5f5470cb4bab84f60a3efd1c2491aad0f605ba8b67af317bf5f4d1 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x86-arm-20240611.1-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x64-arm64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x86-arm-20240611.1-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x86-arm-20240611.1-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:14
Platform
android-x64-20240611.1-en
Max time kernel
179s
Max time network
187s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.dbgj.stacore
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | stat.anquanxia.com | udp |
| US | 107.149.163.133:80 | stat.anquanxia.com | tcp |
| GB | 142.250.178.10:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.213.14:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 216.58.201.98:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
Files
/storage/emulated/0/data/.systemid
| MD5 | 21d193497aeb88b04d3f0fa14a4a2309 |
| SHA1 | eef5f2d6a7c0f001868fc79e0b80b3ecee4cdf54 |
| SHA256 | 2b3b1da5f2f8a546eae92cbb839f092547a5b4b000c38eb914fca9d39adee07f |
| SHA512 | 028f0716167bd7b29bf0a75643cec75b47bab96f668d8b59f649e4cf574196b1bb048caee4692f621069a64b968ff288667ff8e4db407d644f3083549906c600 |
/storage/emulated/0/data/.systemmac
| MD5 | 0f607264fc6318a92b9e13c65db7cd3c |
| SHA1 | c1976429369bfe063ed8b3409db7c7e7d87196d9 |
| SHA256 | c248c629af1fe0a8c46b95668064c1d2952a9e91d207bc0cc3c5d584c2f7553a |
| SHA512 | 9dbd40b135b46c7be31b8c7d11c75b0b179af3a6550fca52ec447583aeb50aaaedb4b1e9373cf8826615149549a2efaee04efdc9a282e3a6b387c73099c13fb1 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x64-arm64-20240611.1-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:14
Platform
android-33-x64-arm64-20240611.1-en
Max time kernel
8s
Max time network
173s
Command Line
Signatures
Processes
com.muzhiwan.market
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 172.217.169.36:443 | | udp |
| GB | 172.217.169.36:443 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.36:443 | | udp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| GB | 172.217.16.227:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 172.217.16.227:443 | | udp |
| GB | 216.58.212.195:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
Files
/data/user/0/com.muzhiwan.market/.jiagu/libjiagu.so
| MD5 | 065a199e794468856177afecd068a072 |
| SHA1 | b08f91f32074a746af204e8e9da92e5523a45e30 |
| SHA256 | a5d74be71c1dadab4410f3833877407bc560248a6d06f16a30f875fb7a4bb91c |
| SHA512 | ff2a165cef603225be7f608b6a3f872f378ce14dfc009b0d0804bfad9c1751d30d8b02ee70e3fcf301047bd0b8bbe1815343bd25c2bcee4b792217baf050cfed |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x86-arm-20240611.1-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x64-arm64-20240611.1-en
Max time network
11s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x86-arm-20240611.1-en
Max time network
9s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 14:10
Reported
2024-06-13 14:11
Platform
android-x64-20240611.1-en
Max time network
9s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |