Malware Analysis Report

2024-09-09 17:36

Sample ID 240613-rzyslsxcnm
Target a6109103331ff7d97667b409e9c38669_JaffaCakes118
SHA256 74f0e5e3933e1dba3d77f14ce9088d4e76ec61023a31e484c4d7b18078dd88bb
Tags
discovery
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

74f0e5e3933e1dba3d77f14ce9088d4e76ec61023a31e484c4d7b18078dd88bb

Threat Level: Shows suspicious behavior

The file a6109103331ff7d97667b409e9c38669_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 14:38

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:38

Platform

android-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:41

Platform

android-x86-arm-20240611.1-en

Max time kernel

63s

Max time network

130s

Command Line

com.zengame.cscdd.qihoo

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.zengame.cscdd.qihoo

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.365you.com udp
CN 81.69.155.251:80 www.365you.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 static.365you.com udp
CN 212.129.231.252:80 static.365you.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
CN 175.24.154.162:80 static.365you.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 42.192.254.218:80 static.365you.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.zengame.cscdd.qihoo/files/umeng_it.cache

MD5 8499d97719b173f8812df9e898ef31de
SHA1 acbf75d56d78120087d94606c6d72341877e5f86
SHA256 2f4d71735a177972b89c2e3dda013ab265b7122044731828c190385f6b43362c
SHA512 76b2d3b3866bd13e77cc43b67540fc3f2f042d056c48b04a9a11c5394c360fd51d64aa77c54f0a49bfb3acae6c4ae0322b442a6f473afd8b588a14fc18d59939

/data/data/com.zengame.cscdd.qihoo/files/qhopensdk/pro/220/pro.jar

MD5 73484f7acca7e242b408c8b99f524c6e
SHA1 2cbb24a56697082cf2926103954592705d282cc9
SHA256 da6826229c640040135b7113139157cea5af0993b81f4575c3369343c7836158
SHA512 5d8d82b3c0356d48bf76f5d3d882c4dc3edc3d3d5c095ff0f2ec7652a1b2b8d27fe2595060aee277460b9d671310c2f9fdd143e7391edc89d7d8f061d255444a

/data/data/com.zengame.cscdd.qihoo/files/mobclick_agent_sealed_com.zengame.cscdd.qihoo

MD5 b4ab848c5acaa16f207d7dd1b0bfb301
SHA1 5845612687f85f0f3a2bc18aea4a6af4814ceeaf
SHA256 52cd21edb6b5aff2665ee82b86c7a589bb1a5b5f327a2ff8bf02362c1faf744e
SHA512 a1c3dc0a9d443f8c5c35a147c9e8cb3b290f78700e1b4f67c25d959655fb28c150719c032749c84033330b32acd867e681c511e6ccc3ee2345dfdb1956d67b52

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:41

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

172s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:41

Platform

android-x64-arm64-20240611.1-en

Max time kernel

7s

Max time network

133s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country Destination Domain Proto
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:38

Platform

android-x86-arm-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 14:38

Reported

2024-06-13 14:38

Platform

android-x64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A