Malware Analysis Report

2024-09-09 17:41

Sample ID 240614-bmgqkatakr
Target a77cbac8eccd4a3a24da9bfb975fb608_JaffaCakes118
SHA256 09d0ea53bd7a2640e3493523d4f821cbcd736effbd047c9619891dd75d4749b0
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

09d0ea53bd7a2640e3493523d4f821cbcd736effbd047c9619891dd75d4749b0

Threat Level: Likely malicious

The file a77cbac8eccd4a3a24da9bfb975fb608_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Declares services with permission to bind to the system

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:15

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:15

Reported

2024-06-14 01:18

Platform

android-x86-arm-20240611.1-en

Max time kernel

65s

Max time network

178s

Command Line

com.wefriend.tool

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.wefriend.tool

ls /

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:80 log.umsns.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.68:443 plbslog.umeng.com tcp
US 1.1.1.1:53 share.weiyun.com udp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 223.109.148.176:443 ulogs.umeng.com tcp
US 1.1.1.1:53 hzvip.cs33de9.com udp
CN 116.62.218.218:80 hzvip.cs33de9.com tcp
HK 43.159.233.95:443 share.weiyun.com tcp
CN 116.62.218.218:80 hzvip.cs33de9.com tcp
CN 116.62.218.218:80 hzvip.cs33de9.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 59.82.29.163:80 log.umsns.com tcp
CN 36.156.202.68:443 plbslog.umeng.com tcp
CN 223.109.148.177:443 ulogs.umeng.com tcp
CN 59.82.29.248:80 log.umsns.com tcp
CN 223.109.148.141:443 ulogs.umeng.com tcp
CN 59.82.29.249:80 log.umsns.com tcp
CN 223.109.148.130:443 ulogs.umeng.com tcp
CN 59.82.31.154:80 log.umsns.com tcp
CN 223.109.148.178:443 ulogs.umeng.com tcp
CN 59.82.31.160:80 log.umsns.com tcp
CN 223.109.148.179:443 ulogs.umeng.com tcp

Files

/data/data/com.wefriend.tool/databases/fans.db-journal

MD5 7001fc61bd65766f5b30ac09ff11d515
SHA1 986d3bd72088c8445cfb94702983ae4899ba2614
SHA256 d597b2cf184ea04fa0c63d43414be9f22af69b8c92192403ed2770b2b4d38d05
SHA512 056ce21433fab6a60d52af3c5a2538997a811f70ef46200f8c90d766d52cf4478d69d7c490b27b023f196749c07a14fbc464fccea55d185d0d60cfd08a41b130

/data/data/com.wefriend.tool/databases/fans.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.wefriend.tool/databases/fans.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.wefriend.tool/databases/fans.db-wal

MD5 163d6a7e1df26ed55b0824be2b302cfd
SHA1 8cf95f601b62ec3f73dd376b757ebcbc7f1a4391
SHA256 d426f809f259d7c57216c1a211c6b983f42a393371b7116737fa82f73b5cb3e2
SHA512 cf1e07d49f6cb7a2bb58eb8268cb1c26d4013df40467d926eeb7815adabc39f71069d54691d303c21b02103b639d44b032fc70910953a438dc6d268aec8269bc

/data/data/com.wefriend.tool/databases/phone_list-journal

MD5 07d85d3b90df78c9ff44a0cbcc40826b
SHA1 acd2629dad49aa1bde05a9519973b45eae2b9638
SHA256 758682140feab7d4055d27fabb0d3269b22201737d945e340f84212b8e605101
SHA512 c06923e0535cfde9f955e72199c1d0d67211e9c7fe0d79342e239a3bbc0f28cc270b1fdbd1c18bdef6972972ff7f80b559cd455cafc6230f9a5067c10e461732

/data/data/com.wefriend.tool/databases/phone_list-wal

MD5 f2f791411174f253db7b1a9b180f29c9
SHA1 0df9f69dd1b302201954a368157450330e23a6bd
SHA256 9ab358c6c2a5e01fc459a2ed14030ba14ca29d0eff20144176c4d4daa2bd7709
SHA512 e66effd2891e09042e56fd6cfd452785629f330c06734fb9e3479a3d7d52d53166b72fef50c487ded97d9b0668ad021e38d8e135777d26d6d9304b26b62c333f

/data/data/com.wefriend.tool/files/umeng_it.cache

MD5 15bbb60728d1aa4a061723a4f65c8d8f
SHA1 52f1c23bf65923a54fe82db543657e14d47dbcc7
SHA256 7c69fbf30d7fbe8e9188fb4e6effaac5a7b00e7558b64bf54ee31485b96af122
SHA512 6f310f233f6ae7ea35db51ab330bde0456ffe528add186b6e18a7ab2c44027ad4e28c151051a8e1825d0f1976300f068efc06c758e7709294e276b0475e4cee1

/data/data/com.wefriend.tool/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzI3NzQ4NTI3

MD5 1b145b8066e66a50545dc288341587eb
SHA1 c288d91710d1c3a99a2c2746baefa3b484ee16f7
SHA256 33ee88993993b772581a928986506fae95b20ecfc1bf5effe9ea1a3c3322f320
SHA512 3256eaf0d254801f7ff70d1ac941764fcf9938e10eba105eb6e65da7c2917dbe4075e17926393cfbf9c10b36e15a561e2c17ad95c4b23be48ae9e7492c30183b

/data/data/com.wefriend.tool/files/.umeng/exchangeIdentity.json

MD5 7ea085fdf14675b7530a62be1fff5777
SHA1 cc9e9968e150ef79a3e195d4ea5cca925ea64424
SHA256 27aba86e53d4e20da4f09fc2fb4ee50a7dea70e0471bed3a51fb014a412c5485
SHA512 a57dd172129b0b5dd4e32b91e53ef5d79643b82bd552df134184c78126fc63dee05407e02a4ce45e909d1920bc30434abe0deaac77f2d64f095260fc9fce334e

/data/data/com.wefriend.tool/files/exid.dat

MD5 2b610c26c7e384e98ab9d23629782ecf
SHA1 39024f10b3e0af4b86d5889373929873d1bd689e
SHA256 69c4f1c06befa6b083145f79267d8281c3b6a6d017cd3f9abc69ac4bda5a8bcd
SHA512 dafd9b6e06d8e6888a527efdcb8abba978e50129a05979f9dcb38288141eba41f517788219e83755317e94f389fa243ce8c042b8ac1951d4ed4f7f96a719637f

/data/data/com.wefriend.tool/files/.envelope/i==1.2.0&&2.2.6_1718327749208_envelope.log

MD5 73fac6dfad8f141ec791b2befd6a5cbd
SHA1 8e85361c9b97d9908add3c3e80cfb6bb644e8ee4
SHA256 48b54a63b70e897a0f4866bcbcf6c848dcadfeb8a201b3f7509c122cef1b17a7
SHA512 73b349baf10f7d8a266d4cd3137a3887a6419d6faa772a89df9d50311f50b5deb8816b057f8811e7ebf6bddd2e2be2f6f4e7b01ca78f854217245060db4ec4f3

/data/data/com.wefriend.tool/databases/ua.db-journal

MD5 5cd49b8bb670b27d2344076d4d793a16
SHA1 285f441a38637098e7d4b5c050928fe65808fff1
SHA256 f8556237a72a36afdbe6c64d1c3daa2a2ad2d2f58f7b7abe58e6c759da4c1a43
SHA512 0ca386c1753e087c9e3d414935f2eb7d36b2b0201bb3787dff1a32e45c17f44840a04e4135146b0e8ab9b1091efe4603ce9a17e9f4b6068fc831a8255579f11e

/data/data/com.wefriend.tool/databases/ua.db

MD5 0adda9c85a5e4808f5b1b74c0a8591a5
SHA1 5048107883ab1e345af9cf2e6849ce46e0e612bf
SHA256 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1
SHA512 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

/data/data/com.wefriend.tool/databases/ua.db-wal

MD5 dd176407ace356a8d3fb52f81b124278
SHA1 a8e4ba3b0ae7b2a335bf11cab830de3f8af25ceb
SHA256 b42ff9b06aa30cdbabc96e02dbfba4941184f148e97326a5c4d691afe6a36e35
SHA512 91a449019f38dbe75a833917dea7e470af5991d0598681dbecc6d1f2a7273462fb77d27f3953af5257620974ea54198e2af21da6fe167de025b1306b7370ede6

/data/data/com.wefriend.tool/databases/ua.db-wal

MD5 56b493bcd9c2f9cd2268aefc4eb254fe
SHA1 a5405ab510b91ee5c31cf081d7be223ea34b9be1
SHA256 0b18fa0c8877004c2059b6eb651154794e838a15949e6937b0e56de4d48df589
SHA512 fe466547ef5be6fc679f620fedf05183d517b4804d7bffc0a3a28ca2c6e3de026b1418e2105692775cff5a033953d34b66a678e6bf836c637ebe9579ee46180b

/data/data/com.wefriend.tool/databases/ua.db

MD5 88e343294d3ed9aea84cad6cdb847932
SHA1 e206f8af86764580297f7bde91dddb2132a9555d
SHA256 aad407bd4e0e99d900de5c00ee5d562329a149f607ed429a236df940e28e5d26
SHA512 6aecc063e67c2873dfa61de5fe5926711859256af258d3d70c3609000a4575f636fd6e9c09fce3925c18b0cf863653cc15248c9d0c7c29c525f9303909ecafc8

/data/data/com.wefriend.tool/files/.envelope/a==7.4.1&&2.2.6_1718327751438_envelope.log

MD5 99bee4c94e54bebeff6573aae7e9e3d8
SHA1 d12e33f904cb1980f5f39e097142efd742f543ff
SHA256 bcc0a2f540e6bba40a1caffbc92ca15801d584663d57207dedbe4e2e9e5b5d6b
SHA512 6094ecdde62aa19aece0392752f3162fba9edd74554446d9649965b48e1d32a9beaaccb5fff13e03b595ececcd16eebab4ee4727bbe636dff67352fbbf0edad6

/data/data/com.wefriend.tool/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzI3Nzc4ODE3

MD5 e0dba5defc8c9999285d3932dc69770c
SHA1 c9a3286e53e7c0801015e2f947b639e17c58eb08
SHA256 d49231a6b8a3255f8b36d433700d00e99b2ae2c389aa6a5dd7679779a7cd0368
SHA512 9a8aa2e43f7898fd93e915c57294e4bf1790f40135e5a16051185be1eb383c45d4528cfbfd8546ae84c1a43a0dd3713497596f7ef27d61369991457e501ecedf