Malware Analysis Report

2024-09-09 12:54

Sample ID 240614-daq5kswepr
Target a7c112b2a395baafd369422db60b2dfd_JaffaCakes118
SHA256 5f04949e312a5d0e2dd235c38a02b6aeddfa90844b1d95ab9887c092732dbce4
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

5f04949e312a5d0e2dd235c38a02b6aeddfa90844b1d95ab9887c092732dbce4

Threat Level: Likely malicious

The file a7c112b2a395baafd369422db60b2dfd_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Requests cell location

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:48

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:48

Reported

2024-06-14 02:51

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

186s

Command Line

com.yan.video

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.yan.video

com.yan.video:pushservice

com.yan.video:pushcore

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:443 | log.umsns.com | tcp
US | 1.1.1.1:53 | api.map.baidu.com | udp
HK | 103.235.46.245:443 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | df0234.com | udp
HK | 103.235.46.245:443 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.78:443 | plbslog.umeng.com | tcp
HK | 103.235.46.245:443 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | sis.jpush.io | udp
US | 1.1.1.1:53 | easytomessage.com | udp
CN | 120.46.84.108:19000 | easytomessage.com | udp
US | 1.1.1.1:53 | s.jpush.cn | udp
US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp
US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp
US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 1.94.137.180:19000 | s.jpush.cn | udp
CN | 121.36.193.140:19000 | s.jpush.cn | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
US | 1.1.1.1:53 | im64.jpush.cn | udp
CN | 117.121.49.100:19000 | - | udp
CN | 124.70.211.119:7000 | im64.jpush.cn | tcp
CN | 123.196.118.23:19000 | - | udp
CN | 124.70.211.119:7004 | im64.jpush.cn | tcp
CN | 124.70.211.119:7002 | im64.jpush.cn | tcp
CN | 124.70.211.119:7006 | im64.jpush.cn | tcp
CN | 124.70.211.119:7005 | im64.jpush.cn | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 124.70.211.119:7007 | im64.jpush.cn | tcp
CN | 124.70.211.119:7009 | im64.jpush.cn | tcp
CN | 124.70.211.119:7008 | im64.jpush.cn | tcp
CN | 59.82.29.163:443 | log.umsns.com | tcp
CN | 124.70.211.119:7003 | im64.jpush.cn | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.75:443 | plbslog.umeng.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 1.94.137.180:19000 | s.jpush.cn | udp
CN | 121.36.193.140:19000 | s.jpush.cn | udp
CN | 123.60.92.210:19000 | easytomessage.com | udp
CN | 123.196.118.23:19000 | - | udp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 103.229.215.60:19000 | - | udp
CN | 139.9.119.173:7009 | im64.jpush.cn | tcp
CN | 117.121.49.100:19000 | - | udp
CN | 139.9.119.173:7006 | im64.jpush.cn | tcp
CN | 139.9.119.173:7004 | im64.jpush.cn | tcp
CN | 139.9.119.173:7003 | im64.jpush.cn | tcp
CN | 139.9.119.173:7005 | im64.jpush.cn | tcp
CN | 59.82.29.248:443 | log.umsns.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 139.9.119.173:7007 | im64.jpush.cn | tcp
US | 1.1.1.1:53 | sdk.open.phone.igexin.com | udp
CN | 115.227.15.235:80 | sdk.open.phone.igexin.com | tcp
CN | 139.9.119.173:7008 | im64.jpush.cn | tcp
CN | 139.9.119.173:7000 | im64.jpush.cn | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 116.205.165.66:19000 | easytomessage.com | udp
CN | 1.94.137.180:19000 | s.jpush.cn | udp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 1.94.119.240:19000 | s.jpush.cn | udp
CN | 115.227.15.237:80 | sdk.open.phone.igexin.com | tcp
CN | 103.229.215.60:19000 | - | udp
CN | 124.71.183.120:7009 | im64.jpush.cn | tcp
CN | 123.196.118.23:19000 | - | udp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 124.71.183.120:7004 | im64.jpush.cn | tcp
CN | 117.121.49.100:19000 | - | udp
CN | 124.71.183.120:7003 | im64.jpush.cn | tcp
CN | 59.82.29.249:443 | log.umsns.com | tcp
CN | 124.71.183.120:7000 | im64.jpush.cn | tcp
CN | 124.71.183.120:7008 | im64.jpush.cn | tcp
CN | 124.71.183.120:7007 | im64.jpush.cn | tcp
CN | 124.71.183.120:7002 | im64.jpush.cn | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 124.71.183.120:7006 | im64.jpush.cn | tcp
CN | 124.71.183.120:7005 | im64.jpush.cn | tcp
CN | 115.227.15.239:80 | sdk.open.phone.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 120.46.84.108:19000 | easytomessage.com | udp
CN | 123.60.89.60:19000 | s.jpush.cn | udp
CN | 59.82.31.154:443 | log.umsns.com | tcp
CN | 1.94.119.240:19000 | s.jpush.cn | udp
CN | 115.227.15.231:80 | sdk.open.phone.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 123.196.118.23:19000 | - | udp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 139.9.119.173:7003 | im64.jpush.cn | tcp
CN | 117.121.49.100:19000 | - | udp
CN | 139.9.119.173:7009 | im64.jpush.cn | tcp
CN | 103.229.215.60:19000 | - | udp
CN | 139.9.119.173:7004 | im64.jpush.cn | tcp
CN | 139.9.119.173:7008 | im64.jpush.cn | tcp
CN | 139.9.119.173:7002 | im64.jpush.cn | tcp
CN | 139.9.119.173:7000 | im64.jpush.cn | tcp
CN | 139.9.119.173:7005 | im64.jpush.cn | tcp
CN | 115.227.15.6:80 | sdk.open.phone.igexin.com | tcp
CN | 139.9.119.173:7007 | im64.jpush.cn | tcp
CN | 139.9.119.173:7006 | im64.jpush.cn | tcp
CN | 59.82.31.160:443 | log.umsns.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 115.227.15.7:80 | sdk.open.phone.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp
CN | 123.60.92.210:19000 | easytomessage.com | udp
CN | 1.94.119.240:19000 | s.jpush.cn | udp
CN | 110.41.162.127:19000 | s.jpush.cn | udp
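The Network table above mixes three kinds of rows: DNS lookups sent to the sandbox resolver (1.1.1.1:53), connections to a resolved name, and endpoints with no name at all (the mDNS multicast row and the bare 19000/udp and 443/tcp rows). Reading it raw, it is easy to mistake a lookup for contact, and to miss that several names were queried but never connected to. The helper below is an added analysis script, not part of the report or of the sandbox's tooling; it parses the report's flattened row format, separates lookups from connections, dedupes the repeated endpoints per domain, and lists names that were only ever queried. The embedded rows are a constructed subset copied from the table above, chosen so that each row shape appears at least once.

```python
"""Triage a flattened sandbox Network table (added helper, not the report's own
tooling). Rows are 'Country Destination Domain Proto', with Domain absent for
endpoints that were never tied to a name, exactly as the report renders them."""
from collections import defaultdict

# Constructed sample: a subset of rows copied from the report's Network section.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:443 log.umsns.com tcp
US 1.1.1.1:53 df0234.com udp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.102:5224 sdk.open.talk.getui.net tcp
CN 117.121.49.100:19000 udp
CN 124.70.211.119:7000 im64.jpush.cn tcp
CN 124.70.211.119:7004 im64.jpush.cn tcp
GB 142.250.187.206:443 tcp
"""

# The sandbox resolves names through this resolver; rows to it are DNS lookups,
# not contact with the service the name belongs to.
RESOLVER = "1.1.1.1:53"


def parse_rows(text):
    """Split flattened rows into (country, ip, port, domain, proto) tuples.
    A three-field row has no domain; the report simply leaves that cell out."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            raise ValueError(f"unexpected row shape: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def summarize(rows):
    """Separate DNS lookups from real connections, dedupe endpoints per domain,
    and surface names that were looked up but never connected to."""
    queried = set()
    contacted = defaultdict(set)   # domain -> {(ip, port, proto)}
    unresolved = set()             # endpoints the report ties to no name
    for country, ip, port, domain, proto in rows:
        if f"{ip}:{port}" == RESOLVER:
            queried.add(domain)
        elif domain is None:
            unresolved.add((ip, port, proto))
        else:
            contacted[domain].add((ip, port, proto))
    return {
        "queried": queried,
        "contacted": dict(contacted),
        "unresolved": unresolved,
        # Looked up but never contacted: a failed resolution, an SDK walking a
        # fallback list, or a dormant endpoint. Each one is worth a pivot.
        "queried_only": queried - set(contacted),
    }


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for domain, endpoints in sorted(s["contacted"].items()):
        print(domain, sorted(endpoints))
    print("queried only:", sorted(s["queried_only"]))
    print("no domain:", sorted(s["unresolved"]))
```

On the full table the same pass shows that sdk.open.talk.gepush.com and sdk.open.talk.igexin.com were queried alongside sdk.open.talk.getui.net but only the getui.net name was ever connected to, that df0234.com was queried once and never contacted, and that the 19000/udp endpoints with no name sit next to identically ported s.jpush.cn and easytomessage.com rows. The script states those facts from the rows; which vendor owns which name is a separate attribution step it does not attempt.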

Files

/data/data/com.yan.video/files/libcuid.so

MD5 b4941ce1038d10d2cb504df4ec61eff8
SHA1 d2dbfe28a2e87e2db4efcf37c7590b14d576c42e
SHA256 90ee355ce2056691cc39edaa16766cadfffd8206105df0000ee44991bcc7dcfa
SHA512 a420779526c36fb15508c1be97236e7b3374f517b4c910b29e07e1b224e19ca5b0de9958fa1b0a5e6330cfcb482e56f357f1499bf24b238780aa56bcd5fc9559

/storage/emulated/0/backups/.SystemConfig/.cuid2

MD5 b6688f74e90e6993aae1933feed5039b
SHA1 e8ce2651f5362449126df1d5bbebe84d356ae24a
SHA256 ae930893507538b9f8a9ab462b9d041cfced2261b3d509f6974b210a1f5f904b
SHA512 d7345d050565c371b6f915d2b9643831e9bf9aa12a601d9d634036f21131f5ca74717e66763601f04fe0b3312ac69ce9774ec313883d256607160d004de5373e

/data/data/com.yan.video/app_config/config

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.yan.video/files/umeng_it.cache

MD5 2d2a33e1583dbec57473e52cd9107212
SHA1 3565e17db45ef1aec81efe847ac091db8da49f7a
SHA256 3f560e52711c08c546d4fca43974645e5f5113a70583abd4e2659ce2ab22801f
SHA512 26c318aa8ffcc6ffe324d2201398c4a334d79f54dfd078d24ec8c62d92c28554cdc191f7b0dc31c14b5183ee3182482ed367bba5973f92906a764832b5be844b

/data/data/com.yan.video/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzMzMzMyNzMx

MD5 5aa3fcfd8d514aa19a67696341e69058
SHA1 e8f89b881143c49e52e73f65d2db30a74e95da49
SHA256 c6d194c4f154d6ebdacffa439c83c20eaa3bb377dee385e06e7b42be6e917b4e
SHA512 664d01ffc645ac00b0157a1bcafe625c5c56d16fc44b2667137f04cb89d56a2834ed01aad09118b5b8650bfc18c06ccb5b3761f3076657c4819554c6657d8c07

/data/data/com.yan.video/files/init_c1.pid

MD5 856b62afb46414054549be765cb5f66e
SHA1 ac60ec593f1d5ef85d0e679a16ec24a7e6383bf5
SHA256 90f91a5d7187995586b613b684c80e984e4f0941fd345ac0f7c05d1c54685e29
SHA512 90be938fe63f292571a34fe0aa2922d5f5f4db7beecee086a25860c45dbf62a834c364645210bce08f1200adaa49d78589d6e078101aab3be30169368392e541

/data/data/com.yan.video/files/init_c1.pid

MD5 abf3a9a2dca358e1f1e3f4490902066d
SHA1 62100bc799e6acb9da78538dfe25702515cf32b6
SHA256 1e2f835c8b2718f752e9002671ab2801c6ea68f47ee3ee0eeeff3f6e0b4ebb84
SHA512 37adb49b3803a6f914ac5aba92da7930679640ceef7b688685f6d00aa98ff34560b709ff8af64f2613c6388d52a9f1ff9e48d85d5407cff0e20e6874c60a0d9d

/data/data/com.yan.video/databases/pushsdk.db-wal

MD5 a39a1e7b0471fbc91604bd15df045a10
SHA1 76d91280c23688996fe0e1ca5e867ec1190c877a
SHA256 a45dbf5af14fa2154f07c03ec2075d4f5e5479646eb71a1948898e8f847b8b90
SHA512 d981c11058803893049a3a592add6abaf8a9441a407b1c5446bd8b31ca0a460544354a19855a3eb6e61662a69c6a7525157fa229a94e7e6507b8e38be8768497

/data/data/com.yan.video/files/init_c1.pid

MD5 51b05e20008d8d26af6d30c3a2584559
SHA1 cf56cb70e7f4551ecf77aa19f9a60e36e1729d66
SHA256 0837c5d8d04bdffc8395f43f4e6863976c64e4d3ecacc611cbdf40c42b447870
SHA512 d99ba9674c44f70341b98ba7730d88cc69b9f8f7145db3e02de44bc15fb38058c633faf3ffc85648098d463f06d3815f8fc8a76326426960c71e53e9edab9b1d

/storage/emulated/0/libs/com.yan.video.bin

MD5 1d53d85c2e9a48ebe174576e83be8ce3
SHA1 9ab515ff69750a516ca6a7a63575334216b7e418
SHA256 8a4d771f8cb327c4f853cabf323cd5f4af1187c72c3aa32f40ab61ce0999a5e0
SHA512 8416276a138aa3a2a3e8bd5e63d78713fad0a05f65a8277d66e76c0ae31ea2b2911905c557915106670f1abc1e7dd7949358f74e049bbe4f8ddc63bcc05d79cf

/storage/emulated/0/libs/com.yan.video.bin

MD5 8453aeb28a81dcea804adb239c7a49dd
SHA1 ae08b28e26207cbca8bee3db519b6d4a13dfddc1
SHA256 96aba58ef19ff026f36340391544e0fffab115b948a661f644a2acea01ebd51e
SHA512 06f36ae9b027cad63cfb020adab9f5846c386053d6f1644e8e76abd5b26a5d8cf2f3d0435e6304e56a8a18293efab18ef6741ce8b83537abf190350a4bc2acd9

/storage/emulated/0/libs/com.yan.video.bin

MD5 67b13cc74f1fec359bf2795fd11cfc9a
SHA1 53f6ff85a9fc8d5fb5fdd77c0360142c0cc17044
SHA256 827e57cdbcde80cdb820722825d70b35f2c8e127aa31e6cdcc5f9c0e04178cb2
SHA512 d2d002d93cd36de120fb15901358222095e2f8994dd8545cd0596dbe2c8e04d9250ff1b9b25a0ca75103fad2d1ea80e93572ce99d25cb34f369349c9b22608bf

/data/data/com.yan.video/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzMzMzYyOTc2

MD5 e743d770d357b67e50a5ed99f3374e13
SHA1 7d668e30cf3345286cbfb30ba94530afb71da2e5
SHA256 12e49508ea95f3de8b9a5d5ebe2588a0e6f4981b4b8cee793227d85f585cfd39
SHA512 3bba1969466a7608120a875bb58ace7c22335b61724cf684fb6d0ed9100ae7745a7d9609e2409f9f5e312fe1da569b1bd72541f50a8dbf422caeeaccb94ffde1
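Two of the paths in the Files section, under files/stateless/, are base64 path components rather than opaque names, and the leaf component carries a millisecond epoch timestamp. Decoding them is a quick way to confirm the files were created during this detonation (the report gives Submitted 2024-06-14 02:48 and Reported 02:51) and to recover the plaintext label the writer used. The decoder below is an added helper, not the app's or the sandbox's code. It takes the paths as they appear on some extractions of this page, with a stray space before the second component, and strips that whitespace before decoding. The decoded label "umpx_internal" is plausibly tied to the Umeng SDK whose cache file sits in the same files/ directory, but that attribution is an assumption of this example, not something the report states. Separately, note that /storage/emulated/0/backups/.SystemConfig/.cuid2 lives on external storage, outside the app's private directory, so unlike everything under /data/data/com.yan.video/ it is not removed when the app is uninstalled; treating it as a reinstall-persistent identifier store is this editor's reading, not the report's.

```python
"""Decode the per-run file names under files/stateless/ from the report's Files
section (added analysis helper, not the sandbox's or the app's own code).

Both path components are base64; the leaf embeds a millisecond epoch timestamp
that can be checked against the detonation's Submitted/Reported times."""
import base64
import binascii
import re
from datetime import datetime, timezone

# Paths copied from the report's Files section. The space inside each path is an
# extraction artifact and is removed before decoding.
STATELESS_PATHS = [
    "/data/data/com.yan.video/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzMzMzMyNzMx",
    "/data/data/com.yan.video/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzMzMzYyOTc2",
]


def b64_component(s):
    """Decode one path component as base64, restoring any padding the writer
    stripped; returns None when the text is not valid base64 ASCII."""
    s = s.strip()
    try:
        raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
        return raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_stateless_path(path):
    """Return (dir_label, leaf_label, utc_timestamp_or_None) for one report path.
    The timestamp is parsed from a trailing 13-digit millisecond epoch suffix."""
    clean = re.sub(r"\s+", "", path)
    parts = clean.split("/stateless/", 1)[1].split("/")
    dir_label, leaf_label = (b64_component(p) for p in parts[:2])
    ts = None
    m = re.search(r"_(\d{13})$", leaf_label or "")
    if m:
        ts = datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
    return dir_label, leaf_label, ts


if __name__ == "__main__":
    for p in STATELESS_PATHS:
        dir_label, leaf_label, ts = decode_stateless_path(p)
        print(dir_label, leaf_label, ts.isoformat() if ts else "no timestamp")
```

Both leaves decode to umpx_internal_<epoch ms>, with the first timestamp at 02:48:52 UTC and the second thirty seconds later at 02:49:22 UTC, inside the 02:48 to 02:51 detonation window. That agreement is what lets the two entries be read as successive writes of the same per-run record rather than as artifacts carried in from a previous install.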