Malware Analysis Report

2024-09-09 17:35

Sample ID 240613-sep6eaxgrj
Target a629212bd009f54a90d4b58cdfdb05f3_JaffaCakes118
SHA256 1e341b1b80503c4bb15069f76b861aaf9ee71ebb3794d09736a101cdabdbc6c9
Tags: discovery, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256 1e341b1b80503c4bb15069f76b861aaf9ee71ebb3794d09736a101cdabdbc6c9

Threat Level: Shows suspicious behavior

The file a629212bd009f54a90d4b58cdfdb05f3_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Contacts a domain associated with commercial stalkerware software (indicator list from echap.eu.org)

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 15:02

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 15:02

Reported

2024-06-13 15:05

Platform

android-x86-arm-20240611.1-en

Max time kernel

9s

Max time network

138s

Command Line

com.huluxia.mctool

Signatures

Queries information about running processes on the device

Tag: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Contacts a domain associated with commercial stalkerware software (indicator list from echap.eu.org)

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

Tag: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tag: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.huluxia.mctool

Network

Country | Destination | Domain | Proto
GB | 216.58.204.67:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | server.mc.huluxia.com | udp
GB | 163.171.146.42:80 | server.mc.huluxia.com | tcp
GB | 163.171.146.42:80 | server.mc.huluxia.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.huluxia.mctool/databases/hlx_mc.db-journal

MD5 e00022f4f78a4325e399459b5746f40b
SHA1 d001419f34a282d8f34640510bc86a9bfb0004e2
SHA256 24de19e8c268f01afceb7588a0fc3dd847a157a181336d01e825fe7c9e63893a
SHA512 fb13fed43086ab9541549f1b05d9b53299d9fd8f0d94da0f037d4d15dadb587964764ea5d1e59ee7a2b73bd5af4edd9aa0f2ba9ccdf45650c9a646c9457fcae9

/data/data/com.huluxia.mctool/databases/hlx_mc.db

MD5 2a3a9f415c4a657c6aab6310c7c3d285
SHA1 6cc7438c85ed79de0ed83540bf352c0bd1b08cca
SHA256 1a3f1128c097e9a64a0139f0a82e925686a2351b1637588f284bd19858cf0e40
SHA512 b5a1256ef53871c164f9dc0df02c3ee79918a19534b5f0577a63c1b08c8c27abaf79275d9c6532d956438ea2ef7d1ae783f184b341e9a08b0e163936124199da

/data/data/com.huluxia.mctool/databases/hlx_mc.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.huluxia.mctool/databases/hlx_mc.db-wal

MD5 1d042b9153f2d0480e087175808803f8
SHA1 218da0b2a83ff5f9718c2d20a5dac82ee38e9175
SHA256 aa31ab1eaf07a3ca38c03ce6c17c575174b8c2557eb50f8c40e812eac2149612
SHA512 73df70d0f3676cad190d3bed6f1c76638b9f3a42b3e426c5f0a91fa2d3c0e24fd9c048a7bd80adee11fdb46410c3435759a584214e7f71d45f530b830292dc0e

/data/data/com.huluxia.mctool/files/umeng_it.cache

MD5 d5e375cd41f6128e8e0867557ec2cb51
SHA1 182ac7584e8cb460f9ed382994577ceba929bd7b
SHA256 d0d510cdcf27caa75ab04fc9aea948398d2ad0c5ba16a808b8bd5f927e2eb6a2
SHA512 bebd80a08db94892615f8500a01d9d585a4b65e6a1fd5d1ae71f90475796547ac6b8c0a4d071cbdf9e9a362958c9b1a9c2792c07ea58e7357508f8cdee8d5a1c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 15:02

Reported

2024-06-13 15:02

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 172.217.169.36:443 | N/A | udp
GB | 172.217.169.36:443 | N/A | udp
BE | 173.194.76.188:5228 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.201.106:443 | N/A | tcp
GB | 216.58.212.234:443 | N/A | udp

Files

N/A