Malware Analysis Report

2024-09-09 17:41

Sample ID 240614-b3c3bazgjh
Target a7934dee69bb5118280fc64d90141071_JaffaCakes118
SHA256 9923d55c77e0b4a877fc4c7a173c5ab0d18123a359eea1045d9336e493d575d4
Tags: discovery evasion impact persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256

9923d55c77e0b4a877fc4c7a173c5ab0d18123a359eea1045d9336e493d575d4

Threat Level: Likely malicious

The file a7934dee69bb5118280fc64d90141071_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:39

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
--- | --- | --- | ---
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:39

Reported

2024-06-14 01:43

Platform

android-x64-20240611.1-en

Max time kernel

109s

Max time network

183s

Command Line

com.xiandong.buyer

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /system/app/Superuser.apk | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/data/com.xiandong.buyer/mix.dex | N/A | N/A
N/A | /data/data/com.xiandong.buyer/mix.dex | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xiandong.buyer

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | | tcp
GB | 172.217.169.66:443 | | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.204.78:443 | | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp

Files

/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal

MD5 05730240bd220344fa1d5feeee52303c
SHA1 2acf68f715aa516131cca2740bf6b56ac28806ad
SHA256 ac017b5266c577cb106bd3112c44205fb40e02ffc0abe6cf1b725e934e713338
SHA512 df2a7d4a1b1a5fc5468928dbff24c92daefcbca9111020c3163048dfbba5991eb8799685ef65f39257d6e98e3784bbed47c98caa1c66bb561320917e603f86df

/data/data/com.xiandong.buyer/databases/bugly_db_legu

MD5 a99bcfb3ff0ddd7012e6e769208d5be1
SHA1 c5a225e06d249cff7e66e13de84f55457cf0ec37
SHA256 33dccf6d26811e254949cf47fc33ca7c3d8b86daa509eff4a8b66259dd075f1f
SHA512 025a46eb1521a0e271a91d1f97c0fcf747aee20554efcacc36a31cfb24a12a242ea9c54f194c8610ff64d2d5db085a81ba93214ecb1bb84e95622ca8fc3fc7f8

/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal

MD5 46284e0d893526e739f40bcd32214356
SHA1 dff5abaa53d5cff8ba86e9a7684a454d5c08ea4b
SHA256 9b19b20e18c048365a98ada37b37f849b5f25eb21a08371df13c94c575005441
SHA512 1f92f6b12be6b9e36d6680d0802114097dd5711f0de8bdeda164a6355933bd02d50f5ba93ad40ddf8dd9bea936999e63c179075efbcdbe5429d44ff9f5b955e2

/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal

MD5 246294128df4827acff108d3e559a965
SHA1 b6422df1ce34b6b65b1c110d1a7056d7ce5a8946
SHA256 4dc40eff8cd5105ea738de40485e8ae2bc5b2beea94e12de29c592e3dabe007e
SHA512 e7fc939bf2fb2c9d5cc2179285fb09cf2d77c6f175eb479dce39a75fef0e1bad1ea0283733ac1a9d311262a74ac56d36c8a62d30810c31885cd981b4fad61284

/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal

MD5 5896626b92aa5ff761e1923ab757eff5
SHA1 9ea23792c975c13cddfde2c93d030171189945b8
SHA256 b358dbeb10fcd29148e9ffcac704d4eb74cdd38164f99541098dce6ce09d0e87
SHA512 1b0042182308f22738805edc3095509db5d98d69f54b095760e806bb80e8d28a5ee5fc5b606a6dc3c6f3375732e63e0f19f707077f7e160d5e3d16c11d898618

/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal

MD5 e0b3f4d81df0ca44f477b22934590e3a
SHA1 71dc70dadb2a0ebcabdaa904a2c5582c2bdab371
SHA256 a7c5ec61db3087e922c8678b18b368bf252c04e738f663dfd8dd026397a3d6f3
SHA512 fb287e9868ae35563c742e3a648b20594c884c97a318be1f42ff5c65cce7f1af0feb3eeb8fe6e42c74325360d97c9c49de1ec0c137369d0129fed7ddfeae6f7b

/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal

MD5 a9061d685a1db55ef06bf51adedddbcd
SHA1 3b7edba576fe04149e5d581bfe386336adf7c6e6
SHA256 fafd00e24ee5a20126fa3873e7a180d90600e6a6654d6c13dcb39d3243c13697
SHA512 8397cad8cf62d8956e40480b763b0222ddccf6473195ab3f699b2f96293b348ceea9fbafc8afd10fbf31a3f9710086840ae5e5348307fcad1d3dee2e379f6fbb

/data/data/com.xiandong.buyer/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/data/data/com.xiandong.buyer/app_bugly/tomb_1718329203937.txt

MD5 bd0f8f8f3ad93fa07623422ec6e72003
SHA1 c3589295e7a4ddcf35bcd7a2c13bfd381783821a
SHA256 7fe875398dea7537a57a77c5275cbc8647aaf63ab6fd9148443b65df2e1d0647
SHA512 2ec3e073321262b667afbf98fe4e9f51e4c0c58baaad506b120239031f10699d699b94470bef13007bd6199df3d3b03f1eaf147c0cba5178aee7e267072b1c0b

/data/data/com.xiandong.buyer/app_bugly/rqd_record.eup

MD5 1abd0c3e899595a4fae03864ea8bd6b6
SHA1 69bdb9a005f2384b0a0d96df2d9b6602360aeaad
SHA256 026d43869b7983a1c74043195290f2542e3588b246b2b3b77d7700067a2159fb
SHA512 d766ebd419f2bb46322dfe4d3df818c02e7d9e80161eaeabeb6471fa02d9ef702cda031297d1083eefcead80a11e4c6d0216b0749865f39406a416395c9f6623

/data/data/com.xiandong.buyer/app_bugly/rqd_record.eup

MD5 d3df066757b2878b6ee5f9c6fbdc4a34
SHA1 4b9db881e74d10024e56ce58c4bc0fae31dfe48b
SHA256 bfc0b767cf98e93fd0140b38b8ea26af9f80806e48e5f09c7459a089cb784fca
SHA512 f6466e77a979162a81ce894c4dc21acb19736bf73f7d1aa4629fcfd7054f92c1bb23751b030012c92a6ecdef23780b967752d776f8a7b370114bbeb4e255d3a0

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:39

Reported

2024-06-14 01:43

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

138s

Command Line

com.xiandong.buyer

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.xiandong.buyer

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal

MD5 d35bb9a0caebad08f0977c637bef7625
SHA1 6267f17ce1ab5504f8396a8799c8b9583e3655b1
SHA256 1d16a74f1da6c88a5a383e30fe2b114c8c871f7a9d7430a04cf1c5367a85ef9d
SHA512 e8722691fc5e28df48b4f464eb5261ec5ac50c52f7f89ea09ba88dce89bb099e4cda5d89937a11249069b17751416a4c215c1e09dc74e1befc39e99620f93312

/data/data/com.xiandong.buyer/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xiandong.buyer/databases/bugly_db_legu-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.xiandong.buyer/databases/bugly_db_legu-wal

MD5 4475360a6638d821606cdb4f7b920d86
SHA1 e08ccc589a013fd156647b3e1eb2342eaee819b0
SHA256 28ee0c933b3f6da2029f3fdb970b78d3845efac58c2468f9a1fcb55a806c529b
SHA512 06a601adbcd06bd461de97cbbb31ce23a74e689622d9891ecf2b574f5056de0b5c4cbb0f4370b036ea818405f5315b755f7b66e1e6100a230cfcc42e1c7e2784