Malware Analysis Report

2024-09-09 17:41

Sample ID 240614-bqeqdatbnm
Target a781043bdb65d9e1c6c6afdfd0821a8e_JaffaCakes118
SHA256 6181c237e6741e7cb16faef9eae233c131181694f7f4f7511c8142b9fee5f453
Tags
discovery evasion impact persistence
score
6/10

Analysis Overview

score
6/10

SHA256

6181c237e6741e7cb16faef9eae233c131181694f7f4f7511c8142b9fee5f453

Threat Level: Shows suspicious behavior

The file a781043bdb65d9e1c6c6afdfd0821a8e_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:20

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:20

Reported

2024-06-14 01:23

Platform

android-x86-arm-20240611.1-en

Max time kernel

125s

Max time network

156s

Command Line

com.yxxinglin.xzid526958

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.yxxinglin.xzid526958

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.1077app1.com udp
US 1.1.1.1:53 www.1077app2.com udp
US 1.1.1.1:53 www.1077app3.com udp
US 1.1.1.1:53 checkupdate.zeuspushwf.com udp
US 1.1.1.1:53 www.1077app6.com udp
US 1.1.1.1:53 www.1077app5.com udp
US 1.1.1.1:53 www.1077app4.com udp
HK 154.89.10.177:443 www.1077app5.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
GB 216.58.212.202:443 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umengcloud.com udp
CN 223.109.148.177:80 alog.umengcloud.com tcp
CN 223.109.148.130:80 alog.umengcloud.com tcp
CN 223.109.148.178:80 alog.umengcloud.com tcp
CN 223.109.148.141:80 alog.umengcloud.com tcp
CN 223.109.148.179:80 alog.umengcloud.com tcp
CN 223.109.148.176:80 alog.umengcloud.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp

Files

/storage/emulated/0/JXCP/aff/com.yxxinglin.xzid526958
/data/data/com.yxxinglin.xzid526958/lib-main/dso_state
/data/data/com.yxxinglin.xzid526958/lib-main/libjcore110.so
/data/data/com.yxxinglin.xzid526958/lib-main/dso_deps
/data/data/com.yxxinglin.xzid526958/lib-main/dso_manifest
/data/data/com.yxxinglin.xzid526958/lib-main/dso_state
/data/data/com.yxxinglin.xzid526958/databases/cc/cc.db-journal
/data/data/com.yxxinglin.xzid526958/databases/cc/cc.db
/data/data/com.yxxinglin.xzid526958/databases/cc/cc.db-shm
/data/data/com.yxxinglin.xzid526958/databases/cc/cc.db-wal
/data/data/com.yxxinglin.xzid526958/databases/ua.db-journal
/data/data/com.yxxinglin.xzid526958/databases/ua.db
/data/data/com.yxxinglin.xzid526958/databases/ua.db-wal
/data/data/com.yxxinglin.xzid526958/databases/RKStorage-journal
/data/data/com.yxxinglin.xzid526958/databases/RKStorage
/data/data/com.yxxinglin.xzid526958/databases/RKStorage-wal
/data/data/com.yxxinglin.xzid526958/files/umeng_it.cache
/data/data/com.yxxinglin.xzid526958/files/.umeng/exchangeIdentity.json
/data/data/com.yxxinglin.xzid526958/files/exid.dat
/data/data/com.yxxinglin.xzid526958/databases/ua.db-wal
/data/data/com.yxxinglin.xzid526958/databases/ua.db
/data/data/com.yxxinglin.xzid526958/databases/cc/cc.db-wal
/data/data/com.yxxinglin.xzid526958/databases/cc/cc.db
/data/data/com.yxxinglin.xzid526958/files/.um/um_cache_1718328181101.env

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:20

Reported

2024-06-14 01:21

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.16.228:443 udp
GB 172.217.16.228:443 udp
GB 216.58.212.196:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 udp
GB 142.250.187.202:443 tcp

Files

N/A