Malware Analysis Report

2024-09-09 15:58

Sample ID 240614-11cq7s1gpp
Target abad5b66f157179cfd5be9bf136f2baf_JaffaCakes118
SHA256 919f40f9df055b39cd6ba8ce648fb0a3ec81f1ad86e28052ea5141508b727f73
Tags
discovery evasion impact persistence collection credential_access
Score
8/10

Analysis Overview

Score
8/10

SHA256

919f40f9df055b39cd6ba8ce648fb0a3ec81f1ad86e28052ea5141508b727f73

Threat Level: Likely malicious

The file abad5b66f157179cfd5be9bf136f2baf_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Obtains sensitive information copied to the device clipboard

Checks known Qemu files.

Checks known Qemu pipes.

Queries information about running processes on the device

Reads information about phone network operator.

Queries information about active data network

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:06

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:06

Reported

2024-06-14 22:09

Platform

android-x86-arm-20240611.1-en

Max time kernel

125s

Max time network

178s

Command Line

com.zzlywgl.h5.gycq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/bin/qemu-props N/A N/A
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zzlywgl.h5.gycq

/system/bin/sh -c getprop

getprop

Network


Files

/data/data/com.zzlywgl.h5.gycq/databases/bugly_db_-journal

/data/data/com.zzlywgl.h5.gycq/databases/bugly_db_

/data/data/com.zzlywgl.h5.gycq/databases/bugly_db_-shm

/data/data/com.zzlywgl.h5.gycq/databases/bugly_db_-wal

/data/data/com.zzlywgl.h5.gycq/app_crashrecord/1004

/data/data/com.zzlywgl.h5.gycq/app_crashrecord/1004

/storage/emulated/0/Android/data/com.zzlywgl.h5.gycq/files/tbslog/tbslog.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 22:06

Reported

2024-06-14 22:09

Platform

android-x64-arm64-20240611.1-en

Max time kernel

125s

Max time network

179s

Command Line

com.zzlywgl.h5.gycq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zzlywgl.h5.gycq

Network


Files

/data/user/0/com.zzlywgl.h5.gycq/databases/bugly_db_-journal

/data/user/0/com.zzlywgl.h5.gycq/app_crashrecord/1004

/data/user/0/com.zzlywgl.h5.gycq/databases/bugly_db_

/data/user/0/com.zzlywgl.h5.gycq/databases/bugly_db_-journal

/data/user/0/com.zzlywgl.h5.gycq/databases/bugly_db_-journal

/data/user/0/com.zzlywgl.h5.gycq/databases/bugly_db_-journal

/data/user/0/com.zzlywgl.h5.gycq/databases/bugly_db_-journal

/data/user/0/com.zzlywgl.h5.gycq/app_crashrecord/1004

/storage/emulated/0/Android/data/com.zzlywgl.h5.gycq/files/tbslog/tbslog.txt (deleted)

/data/user/0/com.zzlywgl.h5.gycq/databases/bugly_db_-journal