Analysis Overview
SHA256
15bf04f4eac4f43692090618fe281f7a1234f7c7972e1a950b55f7350f4416cd
Threat Level: Likely malicious
The file a7a4b99b40d527f9e62e6f9c4532a8d7_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Requests cell location
Queries information about running processes on the device
Queries information about the current nearby Wi-Fi networks
Reads information about phone network operator.
Queries information about active data network
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Queries the unique device ID (IMEI, MEID, IMSI)
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 01:56
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 01:56
Reported
2024-06-14 01:59
Platform
android-x86-arm-20240611.1-en
Max time kernel
167s
Max time network
179s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.oil.jycjt
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | api.map.baidu.com | udp |
| HK | 103.235.46.245:443 | api.map.baidu.com | tcp |
| US | 1.1.1.1:53 | cjy773857813.github.io | udp |
| US | 185.199.108.153:443 | cjy773857813.github.io | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 223.109.148.179:443 | ulogs.umeng.com | tcp |
| US | 1.1.1.1:53 | m.shanyouxia.com | udp |
| US | 1.1.1.1:53 | ymc-oss.oss-cn-hangzhou.aliyuncs.com | udp |
| CN | 118.31.219.212:443 | ymc-oss.oss-cn-hangzhou.aliyuncs.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | m.shanyouxia.com | udp |
| US | 1.1.1.1:53 | m.shanyouxia.com | udp |
| CN | 118.31.219.212:443 | ymc-oss.oss-cn-hangzhou.aliyuncs.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 223.109.148.176:443 | ulogs.umeng.com | tcp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| CN | 223.109.148.178:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.141:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.177:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.130:443 | ulogs.umeng.com | tcp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 223.109.148.141:443 | ulogs.umeng.com | tcp |
Files
/data/data/com.oil.jycjt/files/libcuid.so
| MD5 | 806267a0f49f093b2bf13ad189022197 |
| SHA1 | 51e118befa475272e17235573cfcba406f16367e |
| SHA256 | f02e2c2e7fe2f17879b28e090398347c628ef2799258d165dd13d1a7058ae1a1 |
| SHA512 | 4cc4d83c09953bb2693a135c8b89884b1ce35f4bd4ea083051bd3a997a4dbf5ae8f81e9f08911fbc8a4aaacbe71cf12a471a7fcf79a308f6a745a359c661b794 |
/data/data/com.oil.jycjt/files/umeng_it.cache
| MD5 | 721c131ab10633d930e328f1a00675fb |
| SHA1 | 29ceeca443a0a38e0be8098f7a3732225c5f85db |
| SHA256 | eaa88dadb59174f7da5d7bf627fc63811a3c908fe18dffef4c907e2eb0f3b1e2 |
| SHA512 | f91427aaeedc87948303fd68a7d073b3ad6044a30152b43c5a5a0ffa5c87724a76d571f15ff9af0bacd6062ee93232205cecd7d5051953b5d29853319e5d23db |
/data/data/com.oil.jycjt/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzMwMTg2NzQ0
| MD5 | 640071bffdf71efec73007ce973ab62d |
| SHA1 | e2823b1b9ba73e5ea25a3c4dc7cc6faad2fa0d81 |
| SHA256 | 7ea5ad7906c7978ac2a7d832073acc3aae10619cc5b106afcaa5f2bc8c4f5d0c |
| SHA512 | 342e48952c4441c057e73982acd69ac8e86c96007e0adef04ec9391afefe494549cc4eb21d69a2822e9aea9861f85f771cc10e3f69ade4e58058cfd7a9ab7ebc |
/data/data/com.oil.jycjt/files/.umeng/exchangeIdentity.json
| MD5 | b462e948314c80a58a17d67074ad54d1 |
| SHA1 | d6f1bd998d8fb30549c99e90e040b16863b3c1e6 |
| SHA256 | bcac3c96a2636495ffc5147ec77a8f4d2e287add876e325c92f91759a95caa10 |
| SHA512 | a11ff8ef28056ac4977a716c6b16f860226cb2f9810e06984747bb8163e4af1b098c651a16487334952c8b70b807607cff710576568d6d7f17b0ae75576648d9 |
/data/data/com.oil.jycjt/files/exid.dat
| MD5 | 20b1839392aee6c28561a52199e2f420 |
| SHA1 | 4574b365deb4a579ec97644dd095817dff203852 |
| SHA256 | 8ad309a88fcfb0b364745db3c16039092305322821a5a916993249eea313e204 |
| SHA512 | 0f9d01ea9427ef14d4ad214749015a4eb02fb1f195f315f9fd5b1870931bd28ca3e2b2bb875fa98917e68b90282e0c8bd006525131a96311d626f80b11e4c421 |
/data/data/com.oil.jycjt/files/.envelope/i==1.2.0&&1.1.0_1718330187423_envelope.log
| MD5 | d3d802a8397885e74f0f58bc84071ebc |
| SHA1 | ef48bcc1e70f3c0319955e6dba132d18ccd11cc5 |
| SHA256 | a307eba5513bdbd70f0b4f9090ec694d74c8528a4fff31efe8272247693027c9 |
| SHA512 | 601482ad3309ba3be5aabeaeb0885a93af88971dd63dc3f778e5b21059caf14f12f8923822b114a7c6338b27e837960e797d9849c06002f483565ca79bba4597 |
/data/data/com.oil.jycjt/databases/ua.db-journal
| MD5 | 2ab1d972a70282fee22ba2e6bcbc1664 |
| SHA1 | dee27cfd58752752a7475c358176161e3b52f33f |
| SHA256 | 94f15add2dd6b6e7fc7d111bb6a6fd5b569de9df1cf5f62ea8daf818b1d30930 |
| SHA512 | 67a7e06ab1e1197067837bb0390883e1d52898044783799a514c815b1aa0403412a71180ad317a95e7039f4b2940c00d766b448e77867f69b74fddcb8fa881ab |
/data/data/com.oil.jycjt/databases/ua.db
| MD5 | a2c8ea957c4597e5db4c0a0d8e0c5ed9 |
| SHA1 | 60e20b2855a3cf0725332849c7717c6d98875e1e |
| SHA256 | c821fbe5f760f9087a3e1618936eab77433afb71558cffc0624ba2999bb33866 |
| SHA512 | 780de46a7729ff1aad53afb51388c1cea55a8bb2f8a9de6e76c979c4bae0f9d58c83e772c443a2cb8b8e507a9aa399f0ad1400bcdcdb916d17f6c73061172b36 |
/data/data/com.oil.jycjt/databases/ua.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.oil.jycjt/databases/ua.db-wal
| MD5 | da4a0f5cf9df0370f0b795ba252e3cd3 |
| SHA1 | 593078328126823194e0ddec376abb89fb51ff3c |
| SHA256 | eef424195efb651ab2dd624a9fb64f88d4b9ac358ce1900fdab6104eba81b557 |
| SHA512 | b9aeda334fd566afa4dfbcb93f3906f49f37ecc9fc233fd42e457daab1099b2beb2a8a1f5d51dd0b864842287064f8499d272a94394966978906c41e17245e57 |
/data/data/com.oil.jycjt/databases/ua.db-wal
| MD5 | 55bc1cf045750669a0b1b686a359c2eb |
| SHA1 | 91daa2cad170676b2a95e315189294ea1dd2e4c6 |
| SHA256 | 9494dc3202418f3b12e1f5b48c6a2522b4a3def17879686fe087e277f14475cb |
| SHA512 | ffa4341b593c90436020624fec9cb20b4a44e5f0da4adabc086585468ca916bdde7f9c6ae7ddae7796d3d5f960365ec8f9a63cb617f192465a66b04c8bb59311 |
/data/data/com.oil.jycjt/databases/ua.db
| MD5 | f5319e073d829898604028f491d52f7a |
| SHA1 | 84de8545e7201a0cf2bbba6aff3c4879c3e8edb8 |
| SHA256 | 860f0f913ae8606d2be43dca47b9c9d97138d3c46de61c8d4946f6ab0bb8bdd7 |
| SHA512 | 14cee6f878f15e9c7f891ceb1e4feacd0878ce45ae558bafad6893f35e41d5b6f0ff60ef0db504b9139a906f06ec8f2bb0c8371e90777f95bd7bf84906362ae3 |
/data/data/com.oil.jycjt/databases/ua.db-wal
| MD5 | 8ec25d93ee7a65c00c8203c44f908138 |
| SHA1 | d48b0274c9a8e9aaca44b9d966929bf3c91e736f |
| SHA256 | 075589ef55f7aedee9a90387d15a139f6930720fc2cf660c5aa0d3ede1ae368d |
| SHA512 | a34a34b301cd3c88a0f0cc8c90ce64ea0e737a85bf02a6b482ee9148e11d32c275944c443120eaac052b64c6af32341aa47bfb4377da67fa01c60bd76680de08 |
/data/data/com.oil.jycjt/databases/ua.db
| MD5 | 64a725c07fa6290e5d974c9cbcd1b5cd |
| SHA1 | c61b1ca2a90f835c87d99f4189adf857fff8af56 |
| SHA256 | fa4f21e441919c156c918e4e79a56700452a7c9f045b97633b20207512cfce63 |
| SHA512 | 9e966c92c1f80bffa45a5619cbc48c52504e63fde668f05c4d2ab79250a0997fbf7bf909c4e4a30ab50899bf05d73851706f485d525857abbc27b1694f8e44b2 |
/data/data/com.oil.jycjt/cache/image_manager_disk_cache/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
/data/data/com.oil.jycjt/files/.envelope/t==8.0.0&&1.1.0_1718330189150_envelope.log
| MD5 | fc505ce5f93c0e7ed31277a618750e1f |
| SHA1 | 5308ecefab9911d35573ce3195f3ea7a15fab5dd |
| SHA256 | f5094a9397a30218d30285ab0c9f5b2868fc5595eaa358c942381859178295ec |
| SHA512 | b2f7be53d429e9c27aaf80349bd6ecaf021c85371736e371d78a57e5e7ae374e4b92f20bd8b3008ad51b4b274e4db64a0256704e76044824600cc27aaec9e831 |
/data/data/com.oil.jycjt/databases/ua.db-wal
| MD5 | fd908af9c522688d781d58b92d987af2 |
| SHA1 | 40ead80c38fcf907e45503abfc76e079a8fa3b7f |
| SHA256 | 509979287cdce09e79521bcad1022cae697e73aff850a11ceacfb9e5cbfc1fc6 |
| SHA512 | 7fc6d138943abf513bca697cf1778a6f69db09e27596be047499892a47d01d552f2a4bc87606ba20505d0c69afe9d1dc8fa550b56ea5d551b260708bea499aa7 |
/data/data/com.oil.jycjt/databases/ua.db
| MD5 | 78b0e343412dfb6528e68da87f124af1 |
| SHA1 | 01de4d49b9cca4bd0a2c0772d3107d0c0d72cf6e |
| SHA256 | aef1bebfa4b35659e96d79ea512977e9a88c93cd98cc0a490abd19d43022c5d3 |
| SHA512 | 69e7a85fe7ca69198baf6a286362703ee7ad6a3f8cf16c3f6ce6682d32ca262241141a80801d4054569e8d5d5948088f543e453ad9aedf896ba8d1c87c162b8c |
/data/data/com.oil.jycjt/databases/ua.db-wal
| MD5 | b392b0b27b059a6ab3683ffbb43da2b6 |
| SHA1 | 0c24245d9a87915e235d3c448c3d164984bfe068 |
| SHA256 | a0be497aeb1c2f4bc7de30d40af40dcd928ab23b362f05c16125dd4f1da9a131 |
| SHA512 | 95c12e161ff6c501483d608f08f5da21695c84f7b2f89fe3dfe9a8ce58dfef36788975dbfe7a823327925dd682fcbfb6e9fa50b39cd4c048ce00f6d45695393a |
/data/data/com.oil.jycjt/databases/ua.db
| MD5 | 651587f83d5d307a9b31fbb793cf376d |
| SHA1 | 4dba50580b358b576e2d1a1d9e55b8d3fe6987b3 |
| SHA256 | 7c122d800e720a191d0fb7e3d2066b65e54147bcabcee588e64355078961e128 |
| SHA512 | 59690bcd538ab25db455cd73ed98494686b11a51e298a436bcd2fae497ff53d16c8f5417fee68155c58047167e47dae908ec14ad0f076046110c8f8fa99e7592 |
/data/data/com.oil.jycjt/files/.imprint
| MD5 | 40a5c0b91a5a024dcc92b6e58db6061a |
| SHA1 | 5247dfeb8a77d14a16430970910d787ccc278dd8 |
| SHA256 | 7ff583579305f29862b4bdbf3d5f2263ad7f2a8ca97bcc756a048329348d0836 |
| SHA512 | 98f8bfc8f0c1da16c09eafc33821ceee98b156fe66eacc868ebd11770df90d2d14e8da1ce57f707b7ce120480770cd190c111afb0027932b203ff024aa1eae79 |
/data/data/com.oil.jycjt/files/umeng_it.cache
| MD5 | ca3529c796426f7040f1e0c99fb3e5b9 |
| SHA1 | 4835b93b5915dbf6c670f2e9d66916ee4b350b2f |
| SHA256 | d2ce4713ca4a13f6968463debda75b58695eb6ccce5b0803605b05f07f2ab2e7 |
| SHA512 | 95dc5105a1a3ce7e6923f234d4d84d9608dbb1e32a47d82db3b21fa1ec35735903524fee07894a64e5932221a2b2748190ad14543b3d57236bf6b3165568aa8a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 01:56
Reported
2024-06-14 01:56
Platform
android-33-x64-arm64-20240611.1-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| BE | 142.251.168.188:5228 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 216.58.204.74:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.68:443 | | udp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 216.58.204.74:443 | | udp |
| GB | 142.250.180.10:443 | | udp |