Analysis Overview
SHA256
9923d55c77e0b4a877fc4c7a173c5ab0d18123a359eea1045d9336e493d575d4
Threat Level: Likely malicious
The file a7934dee69bb5118280fc64d90141071_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries information about active data network
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Uses Crypto APIs (Might try to encrypt user data)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 01:39
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 01:39
Reported
2024-06-14 01:43
Platform
android-x64-20240611.1-en
Max time kernel
109s
Max time network
183s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.xiandong.buyer/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.xiandong.buyer
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.179.234:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.14:443 | | tcp |
| GB | 172.217.169.66:443 | | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.204.78:443 | | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
Files
/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal
/data/data/com.xiandong.buyer/databases/bugly_db_legu
/data/data/com.xiandong.buyer/mix.dex
/data/data/com.xiandong.buyer/app_bugly/tomb_1718329203937.txt
/data/data/com.xiandong.buyer/app_bugly/rqd_record.eup
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 01:39
Reported
2024-06-14 01:43
Platform
android-x86-arm-20240611.1-en
Max time kernel
3s
Max time network
138s
Command Line
Signatures
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.xiandong.buyer
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
Files
/data/data/com.xiandong.buyer/databases/bugly_db_legu-journal
/data/data/com.xiandong.buyer/databases/bugly_db_legu
/data/data/com.xiandong.buyer/databases/bugly_db_legu-shm
/data/data/com.xiandong.buyer/databases/bugly_db_legu-wal