Malware Analysis Report

2024-07-28 14:34

Sample ID 240613-rzyslsxcnm
Target a6109103331ff7d97667b409e9c38669_JaffaCakes118
SHA256 74f0e5e3933e1dba3d77f14ce9088d4e76ec61023a31e484c4d7b18078dd88bb
Tags discovery
Score 6/10

Analysis Overview

Score

6/10

SHA256

74f0e5e3933e1dba3d77f14ce9088d4e76ec61023a31e484c4d7b18078dd88bb

Threat Level: Shows suspicious behavior

The file a6109103331ff7d97667b409e9c38669_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 14:38

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:38

Platform

android-x86-arm-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain                   Proto
GB       142.250.180.14:443   N/A                      tcp
N/A      224.0.0.251:5353     N/A                      udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:38

Platform

android-x64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     N/A                      udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:38

Platform

android-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     N/A                      udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:41

Platform

android-x86-arm-20240611.1-en

Max time kernel

63s

Max time network

130s

Command Line

com.zengame.cscdd.qihoo

Signatures

Acquires the wake lock

Description             Indicator                                 Process  Target
Framework service call  android.os.IPowerManager.acquireWakeLock  N/A      N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description  Indicator       Process  Target
N/A          alog.umeng.com  N/A      N/A

Queries information about active data network

discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

discovery
Description             Indicator                                        Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Processes

com.zengame.cscdd.qihoo

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     N/A                      udp
US       1.1.1.1:53           www.365you.com           udp
CN       81.69.155.251:80     www.365you.com           tcp
US       1.1.1.1:53           alog.umeng.com           udp
CN       223.109.148.177:80   alog.umeng.com           tcp
US       1.1.1.1:53           static.365you.com        udp
CN       212.129.231.252:80   static.365you.com        tcp
CN       223.109.148.176:80   alog.umeng.com           tcp
GB       142.250.187.238:443  N/A                      tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       216.58.212.238:443   android.apis.google.com  tcp
CN       175.24.154.162:80    static.365you.com        tcp
CN       223.109.148.178:80   alog.umeng.com           tcp
CN       42.192.254.218:80    static.365you.com        tcp
CN       223.109.148.141:80   alog.umeng.com           tcp
CN       223.109.148.130:80   alog.umeng.com           tcp
CN       223.109.148.179:80   alog.umeng.com           tcp
US       1.1.1.1:53           alog.umeng.co            udp

Files

/data/data/com.zengame.cscdd.qihoo/files/umeng_it.cache

MD5 8499d97719b173f8812df9e898ef31de
SHA1 acbf75d56d78120087d94606c6d72341877e5f86
SHA256 2f4d71735a177972b89c2e3dda013ab265b7122044731828c190385f6b43362c
SHA512 76b2d3b3866bd13e77cc43b67540fc3f2f042d056c48b04a9a11c5394c360fd51d64aa77c54f0a49bfb3acae6c4ae0322b442a6f473afd8b588a14fc18d59939

/data/data/com.zengame.cscdd.qihoo/files/qhopensdk/pro/220/pro.jar

MD5 73484f7acca7e242b408c8b99f524c6e
SHA1 2cbb24a56697082cf2926103954592705d282cc9
SHA256 da6826229c640040135b7113139157cea5af0993b81f4575c3369343c7836158
SHA512 5d8d82b3c0356d48bf76f5d3d882c4dc3edc3d3d5c095ff0f2ec7652a1b2b8d27fe2595060aee277460b9d671310c2f9fdd143e7391edc89d7d8f061d255444a

/data/data/com.zengame.cscdd.qihoo/files/mobclick_agent_sealed_com.zengame.cscdd.qihoo

MD5 b4ab848c5acaa16f207d7dd1b0bfb301
SHA1 5845612687f85f0f3a2bc18aea4a6af4814ceeaf
SHA256 52cd21edb6b5aff2665ee82b86c7a589bb1a5b5f327a2ff8bf02362c1faf744e
SHA512 a1c3dc0a9d443f8c5c35a147c9e8cb3b290f78700e1b4f67c25d959655fb28c150719c032749c84033330b32acd867e681c511e6ccc3ee2345dfdb1956d67b52

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:41

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

172s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     N/A                      udp
GB       216.58.204.78:443    N/A                      tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       216.58.201.110:443   android.apis.google.com  tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:41

Platform

android-x64-arm64-20240611.1-en

Max time kernel

7s

Max time network

133s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country  Destination          Domain                    Proto
GB       172.217.16.238:443   N/A                       tcp
GB       172.217.16.238:443   N/A                       tcp
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.179.232:443  ssl.google-analytics.com  tcp
GB       172.217.169.68:443   N/A                       tcp
GB       172.217.169.68:443   N/A                       tcp

Files

N/A