Analysis Overview
SHA256
134f4629a97a49b63a9a1383a1361b681e4aa384240dc9330fc9daa4bb78bc13
Threat Level: Likely malicious
The file a780c2eda875aa56730a31593639e935_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
Analysis: static1
Detonation Overview
Reported
2024-06-14 01:20
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 01:20
Reported
2024-06-14 01:23
Platform
android-x86-arm-20240611.1-en
Max time kernel
104s
Max time network
187s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
cn.fast.fast4ward
/system/bin/sh -c getprop ro.board.platform
getprop ro.board.platform
/system/bin/sh -c type su
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
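The process list above is the most informative part of this run: one `type su` probe (a root check that complements the file lookups for /system/app/Superuser.apk and /sbin/su), a full `logcat -d` dump, and a burst of `getprop` reads whose keys are vendor ROM markers rather than anything needed for normal operation. The following classifier, added here by the editor and not part of the report, takes the behavioral1 command lines verbatim and tallies what they are doing. The property-to-vendor mapping in ROM_PROPS is the editor's own; three keys the editor cannot confidently attribute are left in a separate "vendor_property" bucket rather than guessed.

```python
"""Classify what an Android sample's spawned shell commands are doing.

Added example, not part of the report. PROCESS_LINES is the behavioral1
process list copied from above; ROM_PROPS (which vendor ROM each system
property identifies) is the editor's own mapping.
"""
import re
from collections import Counter

PROCESS_LINES = """\
/system/bin/sh -c getprop ro.board.platform
getprop ro.board.platform
/system/bin/sh -c type su
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
""".splitlines()

# Vendor ROM identified by each property (editor's mapping, not from the report).
ROM_PROPS = {
    "ro.miui.ui.version.name": "Xiaomi MIUI",
    "ro.build.version.emui": "Huawei EMUI",
    "ro.lenovo.series": "Lenovo",
    "ro.build.nubia.rom.name": "nubia",
    "ro.meizu.product.model": "Meizu Flyme",
    "ro.build.version.opporom": "OPPO ColorOS",
    "ro.vivo.os.build.display.id": "vivo Funtouch OS",
    "ro.lewa.version": "LeWa OS",
    "ro.gn.gnromvernumber": "Gionee Amigo",
}
# Generic build properties any app might read for compatibility reasons.
GENERIC_PROPS = {"ro.board.platform", "ro.build.fingerprint"}
# Shell probes for a su binary. `type` is a shell builtin, which is why no
# child process shows up for it, unlike the getprop calls.
ROOT_CHECK_CMDS = {"type su", "which su"}

SH_WRAPPER = re.compile(r"^/system/bin/sh\s+-c\s+(.*)$")


def unwrap(cmd):
    """Strip the `/system/bin/sh -c` wrapper so parent and child compare equal."""
    m = SH_WRAPPER.match(cmd.strip())
    return m.group(1).strip() if m else cmd.strip()


def classify(cmd):
    """Return (category, detail) for one recorded command line."""
    c = unwrap(cmd)
    if c in ROOT_CHECK_CMDS:
        return ("root_check", c)
    if c.startswith("logcat"):
        return ("log_dump", c)
    parts = c.split()
    if len(parts) == 2 and parts[0] == "getprop":
        key = parts[1]
        if key in ROM_PROPS:
            return ("rom_fingerprint", ROM_PROPS[key])
        if key in GENERIC_PROPS:
            return ("device_property", key)
        return ("vendor_property", key)  # vendor-looking key we cannot name
    return ("other", c)


def summarize(lines):
    """Tally categories over unique commands and list the ROMs probed for."""
    unique = list(dict.fromkeys(unwrap(line) for line in lines))
    results = [classify(c) for c in unique]
    counts = Counter(cat for cat, _ in results)
    roms = sorted(detail for cat, detail in results if cat == "rom_fingerprint")
    return counts, roms
```

Deduplicating through `unwrap` matters because the sandbox records both the `sh -c` parent and the `getprop` child, so a naive count doubles every property read. On this input the classifier reports one root check, one log dump, nine named vendor-ROM probes, three unattributed vendor keys, and two generic build properties; that pattern (probe for root, then enumerate which Chinese OEM ROM is running) is typical of SDKs that adapt their behaviour per manufacturer and is worth correlating with the READ_PHONE_STATE and location permissions in the static analysis before treating it as malicious on its own.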
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
Files
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-journal
| MD5 | 5b50253c7cc0490e932b0401cbcd5959 |
| SHA1 | 4c812e66b324d9bf5a72f4823c6eaf8ac8ad1d3b |
| SHA256 | cba0cd9927177b3743f1c084550439b5fc753fdc5f51e8d6cd5dff98efca8547 |
| SHA512 | 882ee68b78730f853fe1601d6170d06b882c200253e5e31b1cd322095d239c1954091a0b753872bb48ce419b0adfee8fa77c7048d7143acbbe1b40fb145a7695 |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-wal
| MD5 | e2b25979f8c99d63bac07a87226a2d62 |
| SHA1 | 62743b8435ca5222da5d88d1d5405a722a786832 |
| SHA256 | f4a36d83557ba79413d4652c4babda93c443176d79200fb6cd61415d90235d22 |
| SHA512 | 041cd318ebfcd2fb4a5e7cd4f246eaa543268fdc84b03f3909b3360c6749b77ef282f214809e79479937e79c51e3e9666b8593377a6e6ca6b12e469e54161065 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 01:20
Reported
2024-06-14 01:23
Platform
android-x64-20240611.1-en
Max time kernel
9s
Max time network
157s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/cn.fast.fast4ward/mix.dex | N/A | N/A |
| N/A | /data/data/cn.fast.fast4ward/mix.dex | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
cn.fast.fast4ward
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 216.58.201.98:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 216.58.213.14:443 | | tcp |
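Read on their own, the two network tables above (behavioral1 and behavioral2) look like a dozen distinct destinations; most of them are the analysis environment rather than the sample. The script below, added by the editor and not part of the report, reproduces both tables as rows and sorts them into buckets: mDNS multicast, resolver queries, Google endpoints that the emulator image's own services produce, TLS connections with no DNS or domain tie, and what is left, which is attributable to the app. Treating 1.1.1.1:53, 224.0.0.251:5353 and the two Google domains as platform noise is the editor's assumption about this sandbox, not something the report states.

```python
"""Separate sample-attributable network endpoints from sandbox noise.

Added example, not part of the report. NETWORK_ROWS reproduces the
behavioral1 and behavioral2 network tables above as
(country, destination, domain, proto). PLATFORM_DOMAINS, RESOLVER and
the multicast rule are the editor's assumptions about the analysis
environment.
"""
import ipaddress

NETWORK_ROWS = [
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "1.1.1.1:53", "android.bugly.qq.com", "udp"),
    ("CN", "14.22.7.199:80", "android.bugly.qq.com", "tcp"),
    ("GB", "216.58.212.238:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.179.238:443", "android.apis.google.com", "tcp"),
    ("CN", "14.22.7.140:80", "android.bugly.qq.com", "tcp"),
    ("CN", "119.147.179.152:80", "android.bugly.qq.com", "tcp"),
    ("US", "1.1.1.1:53", "android.bugly.qq.com", "udp"),
    ("CN", "14.22.7.140:80", "android.bugly.qq.com", "tcp"),
    ("CN", "119.147.179.152:80", "android.bugly.qq.com", "tcp"),
    ("CN", "14.22.7.199:80", "android.bugly.qq.com", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
    ("GB", "142.250.180.8:443", "ssl.google-analytics.com", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.200.46:443", "android.apis.google.com", "tcp"),
    ("GB", "142.250.178.14:443", "", "tcp"),
    ("GB", "216.58.201.98:443", "", "tcp"),
    ("GB", "142.250.179.228:443", "", "tcp"),
    ("GB", "142.250.179.228:443", "", "tcp"),
    ("GB", "216.58.213.14:443", "", "tcp"),
]

# Traffic from the emulator image's own Google services rather than the
# sample (editor's assumption about this sandbox platform).
PLATFORM_DOMAINS = {"android.apis.google.com", "ssl.google-analytics.com"}
RESOLVER = "1.1.1.1:53"  # the sandbox's DNS forwarder (editor's assumption)


def split_dest(dest):
    """'host:port' -> (host, int port); rpartition keeps IPv6 literals intact."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def bucket(row):
    """Name the bucket one (country, dest, domain, proto) row belongs to."""
    _, dest, domain, _ = row
    host, port = split_dest(dest)
    if ipaddress.ip_address(host).is_multicast:
        return "noise"  # mDNS to 224.0.0.251 is link-local chatter
    if dest == RESOLVER:
        return "dns"  # a lookup; the answer appears as a later TCP row
    if domain in PLATFORM_DOMAINS:
        return "noise"
    if not domain and port == 443:
        return "unattributed_tls"  # no DNS tie, so cannot be pinned to the sample
    return "sample"


def triage(rows):
    """Group unique (domain, dest, proto) triples by bucket."""
    out = {"noise": set(), "dns": set(), "unattributed_tls": set(), "sample": set()}
    for row in rows:
        _, dest, domain, proto = row
        out[bucket(row)].add((domain, dest, proto))
    return out


def sample_iocs(rows):
    """Domains and host:port pairs worth carrying into an IOC list."""
    sample = triage(rows)["sample"]
    domains = sorted({d for d, _, _ in sample if d})
    dests = sorted({dest for _, dest, _ in sample})
    return domains, dests
```

Run over both tables, the only endpoint attributable to the app is android.bugly.qq.com over TCP port 80 on three Tencent-hosted addresses, which matches the bugly_db_legu databases and app_bugly directory in the Files sections (Bugly is Tencent's crash-reporting SDK; the report itself does not name it). The behavioral2 run, which is the one that loaded the dropped mix.dex, produced nothing beyond platform traffic in its 9 s of kernel time, so the network evidence here does not support a C2 assessment on its own. The five unattributed 443 destinations share address prefixes with the resolved Google endpoints in the same tables and should not go into an IOC list without a DNS or TLS SNI tie.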
Files
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-journal
| MD5 | af366c7a18373cc35603d9a371f7298f |
| SHA1 | ab27818fa119f32eb1f42dddb9650736d91aefbd |
| SHA256 | dd0489e20d3c267a11fa36d28fe261851a8ea5cec4857ddee4fa0be43e49a3b1 |
| SHA512 | b03990eaddbbd284cfb4592fad7869237e08186c1d714db01a696a564bb229b4cfb3b731174278eb5aefac101344d6224f445a52a217821c89a8c6f650649ade |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu
| MD5 | 0e5f70fd0d8fa903209c4dd236b4fbe3 |
| SHA1 | 87fdb33666f73f604f3b6c9766a05f6d7779ce73 |
| SHA256 | b65a827b5b4570c805d46627500628da0fff7a84d998763001a8f5a2e4bcbe46 |
| SHA512 | 1549929b7cc8d0af9366e29c31c6b84689a16dcf57676f235aee47738e99a9c1daa8a6e8fd2253fe41591e4988b9362d41cf806615dbffcef766ede8c5428754 |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-journal
| MD5 | 87e08d55c7d7eb5dacd184fc2a04a7de |
| SHA1 | 694c2081ce997a51f99c0e1bc249c281e1bdf9ae |
| SHA256 | 48ee0da80b5ad3bf2e21615a8ff9e888f4bbcf8d2c999b7d2e25e467d06e068b |
| SHA512 | 1bfceb9a780679017ddb4b58538c09263c35b8715945aaa3cf13c22401aaa32841a367829b69cb5f58d9f67b0fed2aa20cec37c707cbcf9fd1146d41b1a93528 |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-journal
| MD5 | 6d2816cc1858217e9cd275900e811e53 |
| SHA1 | 37416c9618c91d5996c6b738acb6320aa5b5ca4e |
| SHA256 | 4e969ce732c90c8005b76d7cc8167fb775926d246bd8b4f7c8b92bede5de77a2 |
| SHA512 | 4bc1c146b9c71da3a4d3f257d20803199033a80ce005de756038dd86fc38b6dc95de7f83a9c0460e4816c7cbb80d93fb8dac2155967d30c41b9ff8a806400001 |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-journal
| MD5 | a8c1e009fa392963938c26076aa85eb5 |
| SHA1 | 639b7517a6b1d0b4d1ee764fe65b4ec2852fa096 |
| SHA256 | 8542d11d64362c0590c377d11d0b839cbd6f69a69c369f3b55e16b0493f608aa |
| SHA512 | 3e4b733a2de511e5833ac0438459a352df5f1bbee5bb22589c54e0d3bfabd16ea6dbfa9839c21aad9f6665b31140f1cdea6313a29ab414adc631571196b0c906 |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-journal
| MD5 | 1ac51b6b76aab8a87307012197da222d |
| SHA1 | e81855e2b0802213d5de0d6310b2e13e59ba31ae |
| SHA256 | 8b245d888c92f62fc9de4dabe638e7260d55a53caa2cf916502ea60349e85352 |
| SHA512 | 8ef7b7fcadd1517d0353fcfa3383cf5b408b19ca44e7a98062cc713728bcc7525138db91e2ac1cb3dd03a7de719c69e22f5bf17395858b8b9f58cbda34f26c77 |
/data/data/cn.fast.fast4ward/databases/bugly_db_legu-journal
| MD5 | 9a61bddff910eb609e29aa6e4f938aac |
| SHA1 | 4388ff2fd76b9562eb530928b72f3c9aed53e929 |
| SHA256 | 20eea424b5a85d3f2ef48562ef679f745c8ee147dd099fba877f89d98a70c57e |
| SHA512 | 2b7a0044a827251c45d5e74025ebf94f173cc9914f08cf509c44931bcabf7bad82c4ae5289b2a9cdf042fc6baac9945a93a396c12fbdbb39bda7ceea62c14a00 |
/data/data/cn.fast.fast4ward/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
/data/data/cn.fast.fast4ward/app_bugly/tomb_1718328041133.txt
| MD5 | 6bb81935072bf7a2488e6be28277949e |
| SHA1 | 0180f22cfc0850ac4b4478306c7c9e27305429cf |
| SHA256 | 17f047fa9e6d822953e90736b9f5b7dc8832132325991852dc6e497035f48635 |
| SHA512 | b296b2e77c62d63cb0ba8d96050b2fbe939d4a2864d5b80d4cc3b07420e2688f673e4bcf6fa2c572c050cb7b8abcc38810eed619d8393f623cdd22150d07df7b |
/data/data/cn.fast.fast4ward/app_bugly/rqd_record.eup
| MD5 | dcda7f8ceb4f60ce6458c5e4defdffab |
| SHA1 | cd9a49c4fdfc0f6408c92b892ce349c102d08004 |
| SHA256 | 19da27e5e676383ffef5f1269dd8ec736f1cf22f1fdebbbe8b73e692723c55dd |
| SHA512 | 5b91d853eb82ed801306462218209fa723d9f61bc261d9fd5cda7f4b2cf7364fa3ba6967a4bcc343795d09c89eba6b149df16f3751be0b67547a3a36fd81c8a4 |
/data/data/cn.fast.fast4ward/app_bugly/rqd_record.eup
| MD5 | 2fdfe05081041895d756ff6265262de4 |
| SHA1 | d8522a0f34272e2a525d3ceaa4d83fe8c9f4a2c0 |
| SHA256 | 768e71022e9fcf218abb5547d6043f8776d1cae13e538afabc43fff29909bc2f |
| SHA512 | 8c60537d6accf7b65dbbc3eb89b3aaa14fc46a385e498cbc3cd41705cb71477407c81b30bf4d48ce38d2a291996df68778860faa0298618c99948631624689cf |