Malware Analysis Report

2024-09-09 17:39

Sample ID 240614-czvcvssbrc
Target a7b9a32275df978cf2b97e62b4a31b31_JaffaCakes118
SHA256 0b22a9eb73a0496db31db29482ed3e428479c181ac164a12c54fe469aaf340f5
Tags
discovery evasion impact persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file a7b9a32275df978cf2b97e62b4a31b31_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks known Qemu files.

Queries information about running processes on the device

Loads dropped Dex/Jar

Checks known Qemu pipes.

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Reads information about phone network operator.

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:31

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:31

Reported

2024-06-14 02:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

188s

Command Line

com.emodou.be.bigs

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.emodou.be.bigs/mix.dex N/A N/A
N/A /data/data/com.emodou.be.bigs/mix.dex N/A N/A
N/A /data/data/com.emodou.be.bigs/mix.dex N/A N/A
N/A /data/data/com.emodou.be.bigs/mix.dex N/A N/A
N/A /data/data/com.emodou.be.bigs/mix.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.emodou.be.bigs

/system/bin/sh -c getprop ro.board.platform

sh -c getprop ro.yunos.version

getprop ro.board.platform

getprop ro.yunos.version

/system/bin/sh -c type su

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.emodou.be.bigs/mix.dex --output-vdex-fd=51 --oat-fd=53 --oat-location=/data/data/com.emodou.be.bigs/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/sh -c getprop

getprop

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

Network

Files

/data/data/com.emodou.be.bigs/databases/bugly_db_legu-journal

/data/data/com.emodou.be.bigs/databases/bugly_db_legu

/data/data/com.emodou.be.bigs/databases/bugly_db_legu-shm

/data/data/com.emodou.be.bigs/databases/bugly_db_legu-wal

/data/data/com.emodou.be.bigs/mix.dex

/data/data/com.emodou.be.bigs/databases/bugly_db_-journal

/data/data/com.emodou.be.bigs/databases/bugly_db_-wal

/data/data/com.emodou.be.bigs/app_crashrecord/1004

/storage/emulated/0/data/.push_deviceid

/data/data/com.emodou.be.bigs/files/jpush_stat_history/active_user/nowrap/47f7ecc0-7791-44cd-96d1-9fb9a020e073

/data/data/com.emodou.be.bigs/files/jpush_stat_history/normal/nowrap/b6a9e5d5-6591-4596-bece-d49096fd79ec

/data/data/com.emodou.be.bigs/files/jpush_stat_cache.json

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:31

Reported

2024-06-14 02:34

Platform

android-x64-20240611.1-en

Max time kernel

6s

Max time network

187s

Command Line

com.emodou.be.bigs

Signatures

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.emodou.be.bigs

Network

Files

/data/data/com.emodou.be.bigs/databases/bugly_db_legu-journal

/data/data/com.emodou.be.bigs/databases/bugly_db_legu