Analysis Overview
SHA256
09d0ea53bd7a2640e3493523d4f821cbcd736effbd047c9619891dd75d4749b0
Threat Level: Likely malicious
The file a77cbac8eccd4a3a24da9bfb975fb608_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries information about running processes on the device
Queries information about the current nearby Wi-Fi networks
Declares services with permission to bind to the system
Queries information about active data network
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Queries the unique device ID (IMEI, MEID, IMSI)
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 01:15
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 01:15
Reported
2024-06-14 01:18
Platform
android-x86-arm-20240611.1-en
Max time kernel
65s
Max time network
178s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.wefriend.tool
ls /
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | log.umsns.com | udp |
| CN | 59.82.29.162:80 | log.umsns.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | share.weiyun.com | udp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 223.109.148.176:443 | ulogs.umeng.com | tcp |
| US | 1.1.1.1:53 | hzvip.cs33de9.com | udp |
| CN | 116.62.218.218:80 | hzvip.cs33de9.com | tcp |
| HK | 43.159.233.95:443 | share.weiyun.com | tcp |
| CN | 116.62.218.218:80 | hzvip.cs33de9.com | tcp |
| CN | 116.62.218.218:80 | hzvip.cs33de9.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| CN | 59.82.29.163:80 | log.umsns.com | tcp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| CN | 223.109.148.177:443 | ulogs.umeng.com | tcp |
| CN | 59.82.29.248:80 | log.umsns.com | tcp |
| CN | 223.109.148.141:443 | ulogs.umeng.com | tcp |
| CN | 59.82.29.249:80 | log.umsns.com | tcp |
| CN | 223.109.148.130:443 | ulogs.umeng.com | tcp |
| CN | 59.82.31.154:80 | log.umsns.com | tcp |
| CN | 223.109.148.178:443 | ulogs.umeng.com | tcp |
| CN | 59.82.31.160:80 | log.umsns.com | tcp |
| CN | 223.109.148.179:443 | ulogs.umeng.com | tcp |
Files
/data/data/com.wefriend.tool/databases/fans.db-journal
| MD5 | 7001fc61bd65766f5b30ac09ff11d515 |
| SHA1 | 986d3bd72088c8445cfb94702983ae4899ba2614 |
| SHA256 | d597b2cf184ea04fa0c63d43414be9f22af69b8c92192403ed2770b2b4d38d05 |
| SHA512 | 056ce21433fab6a60d52af3c5a2538997a811f70ef46200f8c90d766d52cf4478d69d7c490b27b023f196749c07a14fbc464fccea55d185d0d60cfd08a41b130 |
/data/data/com.wefriend.tool/databases/fans.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.wefriend.tool/databases/fans.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.wefriend.tool/databases/fans.db-wal
| MD5 | 163d6a7e1df26ed55b0824be2b302cfd |
| SHA1 | 8cf95f601b62ec3f73dd376b757ebcbc7f1a4391 |
| SHA256 | d426f809f259d7c57216c1a211c6b983f42a393371b7116737fa82f73b5cb3e2 |
| SHA512 | cf1e07d49f6cb7a2bb58eb8268cb1c26d4013df40467d926eeb7815adabc39f71069d54691d303c21b02103b639d44b032fc70910953a438dc6d268aec8269bc |
/data/data/com.wefriend.tool/databases/phone_list-journal
| MD5 | 07d85d3b90df78c9ff44a0cbcc40826b |
| SHA1 | acd2629dad49aa1bde05a9519973b45eae2b9638 |
| SHA256 | 758682140feab7d4055d27fabb0d3269b22201737d945e340f84212b8e605101 |
| SHA512 | c06923e0535cfde9f955e72199c1d0d67211e9c7fe0d79342e239a3bbc0f28cc270b1fdbd1c18bdef6972972ff7f80b559cd455cafc6230f9a5067c10e461732 |
/data/data/com.wefriend.tool/databases/phone_list-wal
| MD5 | f2f791411174f253db7b1a9b180f29c9 |
| SHA1 | 0df9f69dd1b302201954a368157450330e23a6bd |
| SHA256 | 9ab358c6c2a5e01fc459a2ed14030ba14ca29d0eff20144176c4d4daa2bd7709 |
| SHA512 | e66effd2891e09042e56fd6cfd452785629f330c06734fb9e3479a3d7d52d53166b72fef50c487ded97d9b0668ad021e38d8e135777d26d6d9304b26b62c333f |
/data/data/com.wefriend.tool/files/umeng_it.cache
| MD5 | 15bbb60728d1aa4a061723a4f65c8d8f |
| SHA1 | 52f1c23bf65923a54fe82db543657e14d47dbcc7 |
| SHA256 | 7c69fbf30d7fbe8e9188fb4e6effaac5a7b00e7558b64bf54ee31485b96af122 |
| SHA512 | 6f310f233f6ae7ea35db51ab330bde0456ffe528add186b6e18a7ab2c44027ad4e28c151051a8e1825d0f1976300f068efc06c758e7709294e276b0475e4cee1 |
/data/data/com.wefriend.tool/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzI3NzQ4NTI3
| MD5 | 1b145b8066e66a50545dc288341587eb |
| SHA1 | c288d91710d1c3a99a2c2746baefa3b484ee16f7 |
| SHA256 | 33ee88993993b772581a928986506fae95b20ecfc1bf5effe9ea1a3c3322f320 |
| SHA512 | 3256eaf0d254801f7ff70d1ac941764fcf9938e10eba105eb6e65da7c2917dbe4075e17926393cfbf9c10b36e15a561e2c17ad95c4b23be48ae9e7492c30183b |
/data/data/com.wefriend.tool/files/.umeng/exchangeIdentity.json
| MD5 | 7ea085fdf14675b7530a62be1fff5777 |
| SHA1 | cc9e9968e150ef79a3e195d4ea5cca925ea64424 |
| SHA256 | 27aba86e53d4e20da4f09fc2fb4ee50a7dea70e0471bed3a51fb014a412c5485 |
| SHA512 | a57dd172129b0b5dd4e32b91e53ef5d79643b82bd552df134184c78126fc63dee05407e02a4ce45e909d1920bc30434abe0deaac77f2d64f095260fc9fce334e |
/data/data/com.wefriend.tool/files/exid.dat
| MD5 | 2b610c26c7e384e98ab9d23629782ecf |
| SHA1 | 39024f10b3e0af4b86d5889373929873d1bd689e |
| SHA256 | 69c4f1c06befa6b083145f79267d8281c3b6a6d017cd3f9abc69ac4bda5a8bcd |
| SHA512 | dafd9b6e06d8e6888a527efdcb8abba978e50129a05979f9dcb38288141eba41f517788219e83755317e94f389fa243ce8c042b8ac1951d4ed4f7f96a719637f |
/data/data/com.wefriend.tool/files/.envelope/i==1.2.0&&2.2.6_1718327749208_envelope.log
| MD5 | 73fac6dfad8f141ec791b2befd6a5cbd |
| SHA1 | 8e85361c9b97d9908add3c3e80cfb6bb644e8ee4 |
| SHA256 | 48b54a63b70e897a0f4866bcbcf6c848dcadfeb8a201b3f7509c122cef1b17a7 |
| SHA512 | 73b349baf10f7d8a266d4cd3137a3887a6419d6faa772a89df9d50311f50b5deb8816b057f8811e7ebf6bddd2e2be2f6f4e7b01ca78f854217245060db4ec4f3 |
/data/data/com.wefriend.tool/databases/ua.db-journal
| MD5 | 5cd49b8bb670b27d2344076d4d793a16 |
| SHA1 | 285f441a38637098e7d4b5c050928fe65808fff1 |
| SHA256 | f8556237a72a36afdbe6c64d1c3daa2a2ad2d2f58f7b7abe58e6c759da4c1a43 |
| SHA512 | 0ca386c1753e087c9e3d414935f2eb7d36b2b0201bb3787dff1a32e45c17f44840a04e4135146b0e8ab9b1091efe4603ce9a17e9f4b6068fc831a8255579f11e |
/data/data/com.wefriend.tool/databases/ua.db
| MD5 | 0adda9c85a5e4808f5b1b74c0a8591a5 |
| SHA1 | 5048107883ab1e345af9cf2e6849ce46e0e612bf |
| SHA256 | 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1 |
| SHA512 | 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1 |
/data/data/com.wefriend.tool/databases/ua.db-wal
| MD5 | dd176407ace356a8d3fb52f81b124278 |
| SHA1 | a8e4ba3b0ae7b2a335bf11cab830de3f8af25ceb |
| SHA256 | b42ff9b06aa30cdbabc96e02dbfba4941184f148e97326a5c4d691afe6a36e35 |
| SHA512 | 91a449019f38dbe75a833917dea7e470af5991d0598681dbecc6d1f2a7273462fb77d27f3953af5257620974ea54198e2af21da6fe167de025b1306b7370ede6 |
/data/data/com.wefriend.tool/databases/ua.db-wal
| MD5 | 56b493bcd9c2f9cd2268aefc4eb254fe |
| SHA1 | a5405ab510b91ee5c31cf081d7be223ea34b9be1 |
| SHA256 | 0b18fa0c8877004c2059b6eb651154794e838a15949e6937b0e56de4d48df589 |
| SHA512 | fe466547ef5be6fc679f620fedf05183d517b4804d7bffc0a3a28ca2c6e3de026b1418e2105692775cff5a033953d34b66a678e6bf836c637ebe9579ee46180b |
/data/data/com.wefriend.tool/databases/ua.db
| MD5 | 88e343294d3ed9aea84cad6cdb847932 |
| SHA1 | e206f8af86764580297f7bde91dddb2132a9555d |
| SHA256 | aad407bd4e0e99d900de5c00ee5d562329a149f607ed429a236df940e28e5d26 |
| SHA512 | 6aecc063e67c2873dfa61de5fe5926711859256af258d3d70c3609000a4575f636fd6e9c09fce3925c18b0cf863653cc15248c9d0c7c29c525f9303909ecafc8 |
/data/data/com.wefriend.tool/files/.envelope/a==7.4.1&&2.2.6_1718327751438_envelope.log
| MD5 | 99bee4c94e54bebeff6573aae7e9e3d8 |
| SHA1 | d12e33f904cb1980f5f39e097142efd742f543ff |
| SHA256 | bcc0a2f540e6bba40a1caffbc92ca15801d584663d57207dedbe4e2e9e5b5d6b |
| SHA512 | 6094ecdde62aa19aece0392752f3162fba9edd74554446d9649965b48e1d32a9beaaccb5fff13e03b595ececcd16eebab4ee4727bbe636dff67352fbbf0edad6 |
/data/data/com.wefriend.tool/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzI3Nzc4ODE3
| MD5 | e0dba5defc8c9999285d3932dc69770c |
| SHA1 | c9a3286e53e7c0801015e2f947b639e17c58eb08 |
| SHA256 | d49231a6b8a3255f8b36d433700d00e99b2ae2c389aa6a5dd7679779a7cd0368 |
| SHA512 | 9a8aa2e43f7898fd93e915c57294e4bf1790f40135e5a16051185be1eb383c45d4528cfbfd8546ae84c1a43a0dd3713497596f7ef27d61369991457e501ecedf |