Malware Analysis Report

2024-09-09 17:40

Sample ID: 240614-dy3hhsxdll
Target: a7d7facbafebf3ea5b97318fcbee85b3_JaffaCakes118
SHA256: 2ce01ceca8d535e4bc6a20f46661a8b67bb3ebfc7a126dd663547b09271ec0da
Tags: discovery evasion impact persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: 2ce01ceca8d535e4bc6a20f46661a8b67bb3ebfc7a126dd663547b09271ec0da
Threat Level: Shows suspicious behavior

The file a7d7facbafebf3ea5b97318fcbee85b3_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery evasion impact persistence

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 03:25

Signatures

Requests dangerous framework permissions

Indicator  Description
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage. (listed twice in the report)
android.permission.READ_PHONE_STATE  Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. (listed twice in the report)
android.permission.SYSTEM_ALERT_WINDOW  Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_EXTERNAL_STORAGE  Allows an application to read from external storage.
android.permission.CALL_PHONE  Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_FINE_LOCATION  Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.CAMERA  Required to be able to access the camera device.
android.permission.RECEIVE_SMS  Allows an application to receive SMS messages.
android.permission.READ_SMS  Allows an application to read SMS messages.
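
The table above is a flat list; what an analyst actually wants from it is which runtime-permission groups the app touches and which combinations stand out (SMS read plus receive, an overlay window alongside phone-state access, calls without the Dialer UI). The following is an added example, not code from the sandbox or from the report. The permission rows are copied from the static1 table; the group table and the combination rules are the author's assumptions, modelled on the AOSP runtime-permission groups, and are not a claim about how the sandbox scores permissions. One point the example makes explicit: SYSTEM_ALERT_WINDOW is a special-access permission granted from a Settings screen, not a runtime "dangerous" permission, so a check that only looks at runtime groups misses it.

```python
"""Permission triage for the static1 permission list.

Added example; not code from the sandbox or the report. The group table and
the combination rules are the author's assumptions.
"""
from collections import Counter

# Assumption: runtime-permission groups as documented for AOSP. Google has moved
# permissions between groups across releases, so treat this as a snapshot.
PERMISSION_GROUPS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
}

# Special-access permissions are not in a runtime group: the user grants them
# from a Settings screen rather than a runtime prompt, so a plain "dangerous"
# list misses them.
SPECIAL_ACCESS = {"android.permission.SYSTEM_ALERT_WINDOW"}

# Assumption: the analyst's own combination rules. A rule fires when every
# permission in its set is declared.
COMBO_RULES = {
    "sms_interception": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "overlay_with_phone_state": {
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.READ_PHONE_STATE",
    },
    "call_without_dialer_ui": {"android.permission.CALL_PHONE"},
    "precise_location": {"android.permission.ACCESS_FINE_LOCATION"},
}


def triage_permissions(declared):
    """Summarise a list of declared permissions (repeats allowed).

    Returns the unique set, the repeated entries, the runtime groups touched,
    special-access permissions, fired rules, and anything the tables above do
    not know about (so a new permission is never silently ignored).
    """
    counts = Counter(declared)
    unique = set(counts)
    return {
        "unique": sorted(unique),
        "repeated": sorted(p for p, n in counts.items() if n > 1),
        "runtime_groups": sorted({PERMISSION_GROUPS[p] for p in unique if p in PERMISSION_GROUPS}),
        "special_access": sorted(unique & SPECIAL_ACCESS),
        "fired_rules": sorted(name for name, need in COMBO_RULES.items() if need <= unique),
        "unclassified": sorted(p for p in unique
                               if p not in PERMISSION_GROUPS and p not in SPECIAL_ACCESS),
    }


# Constructed input: the permission rows from the static1 table, in the order
# the report prints them, repeats included.
REPORT_PERMISSIONS = [
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
]

if __name__ == "__main__":
    for key, value in triage_permissions(REPORT_PERMISSIONS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for this sample: five runtime groups (CAMERA, LOCATION, PHONE, SMS, STORAGE), one special-access permission, all four rules fired, and the two permissions the report lists twice. Feed it the permission list pulled from any other APK's manifest (for example from `aapt dump permissions`) to compare samples on the same footing.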

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 03:25
Reported: 2024-06-14 03:29
Platform: android-x86-arm-20240611.1-en
Max time kernel: 165s
Max time network: 183s

Command Line

com.ltcsfkb.guandu.my

Signatures

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Queries information about active data network
Tags: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
(The indicator returns the ISO country code of the registered network; the sandbox reports it under its MCC signature.)

Reads information about phone network operator
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information
File opened for read: /proc/cpuinfo

Checks memory information
File opened for read: /proc/meminfo

Processes

com.ltcsfkb.guandu.my

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 serverip.sdk.quicksdk.net udp
CN 180.150.189.181:88 tcp
US 1.1.1.1:53 sdk2.99maiyou.com udp
US 1.1.1.1:53 login-tlglh5.hz.6d4d5.com udp
CN 180.150.189.181:88 tcp
CN 47.110.79.173:80 sdk2.99maiyou.com tcp
CN 180.150.191.127:80 serverip.sdk.quicksdk.net tcp
CN 111.230.189.186:443 login-tlglh5.hz.6d4d5.com tcp
CN 111.230.189.186:443 login-tlglh5.hz.6d4d5.com tcp
US 1.1.1.1:53 sdkapi00.sdk.quicksdk.net udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 106.75.35.13:80 sdkapi00.sdk.quicksdk.net tcp
CN 180.150.191.127:80 serverip.sdk.quicksdk.net tcp
CN 47.110.79.173:80 sdk2.99maiyou.com tcp
CN 47.110.79.173:80 sdk2.99maiyou.com tcp
CN 47.110.79.173:80 sdk2.99maiyou.com tcp
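
Most of the rows above are either sandbox background traffic (mDNS on 224.0.0.251, the 1.1.1.1 resolver, Google endpoints contacted by the emulator image) or repeated connections to the same handful of third-party hosts, so the first triage step is to collapse the table into a short list of endpoints worth keeping. The following is an added example, not code from the sandbox or the report. It parses the "Country Destination Domain Proto" rows exactly as printed (the Domain column is empty for some rows), and generalizes slightly beyond this run: it handles rows with and without a domain, any resolver and any port. The Google address prefixes used to classify rows that carry no domain, and the noise rules, are the author's assumptions.

```python
"""IOC extraction from a flattened sandbox network table.

Added example; not code from the sandbox or the report. The Google prefixes
and the noise rules are the author's assumptions.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed input: the behavioral1 rows, copied verbatim from the report.
NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 serverip.sdk.quicksdk.net udp
CN 180.150.189.181:88 tcp
US 1.1.1.1:53 sdk2.99maiyou.com udp
US 1.1.1.1:53 login-tlglh5.hz.6d4d5.com udp
CN 180.150.189.181:88 tcp
CN 47.110.79.173:80 sdk2.99maiyou.com tcp
CN 180.150.191.127:80 serverip.sdk.quicksdk.net tcp
CN 111.230.189.186:443 login-tlglh5.hz.6d4d5.com tcp
CN 111.230.189.186:443 login-tlglh5.hz.6d4d5.com tcp
US 1.1.1.1:53 sdkapi00.sdk.quicksdk.net udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 106.75.35.13:80 sdkapi00.sdk.quicksdk.net tcp
CN 180.150.191.127:80 serverip.sdk.quicksdk.net tcp
CN 47.110.79.173:80 sdk2.99maiyou.com tcp
CN 47.110.79.173:80 sdk2.99maiyou.com tcp
CN 47.110.79.173:80 sdk2.99maiyou.com tcp
"""

# Assumption: address blocks treated as Google infrastructure when a row has no
# domain. Check them against current BGP data before relying on them.
GOOGLE_PREFIXES = [
    ipaddress.ip_network(p) for p in ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")
]
NOISE_DOMAIN_SUFFIXES = ("google.com", "google-analytics.com")


def parse_network(text):
    """Turn the printed rows into dicts; rows of an unexpected shape are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, _, port = dest.rpartition(":")
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain, "proto": proto})
    return records


def classify(rec):
    """Label one row: sandbox noise, a DNS lookup, or an endpoint worth keeping."""
    addr = ipaddress.ip_address(rec["ip"])
    if addr.is_multicast:                      # 224.0.0.251:5353 is mDNS chatter
        return "noise:mdns"
    if rec["port"] == 53 and rec["proto"] == "udp":
        return "dns"                           # the resolver, not the target
    domain = rec["domain"] or ""
    if domain.endswith(NOISE_DOMAIN_SUFFIXES) or any(addr in n for n in GOOGLE_PREFIXES):
        return "noise:google"
    return "ioc:direct-ip" if rec["domain"] is None else "ioc:domain"


def summarize(records):
    """Group kept endpoints by domain (or bare IP) and flag the weak spots."""
    contacted = defaultdict(Counter)
    direct_ip = set()
    for r in records:
        label = classify(r)
        if not label.startswith("ioc:"):
            continue
        key = r["domain"] or r["ip"]
        contacted[key][f'{r["ip"]}:{r["port"]}/{r["proto"]}'] += 1
        if label == "ioc:direct-ip":
            direct_ip.add(key)
    return {
        "contacted": {k: dict(v) for k, v in contacted.items()},
        "direct_ip": sorted(direct_ip),            # no DNS lookup preceded these
        "plaintext_http": sorted(k for k, v in contacted.items()
                                 if any(e.endswith(":80/tcp") for e in v)),
        "odd_ports": sorted({r["port"] for r in records
                             if classify(r).startswith("ioc:") and r["port"] not in (80, 443)}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_network(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

For this run the output reduces nineteen rows to five endpoints: three SDK hosts reached over plaintext HTTP, one host on HTTPS, and one connection straight to 180.150.189.181 on tcp/88 with no preceding DNS lookup, which is the row an analyst would pivot on first. Paste the rows from behavioral2 to behavioral4 into `NETWORK_TABLE` and the same code returns an empty `contacted` dict, which is consistent with those runs (launched as com.maiyou.wechat) firing no signatures.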

Files

/data/data/com.ltcsfkb.guandu.my/app_crashrecord/1004

MD5 4df56e97bce76ddc5de75a21e5cb53d6
SHA1 99df56d4ab2281a0e7a57e5e5af66b76bab6d4ee
SHA256 d60eccb8d4101db0e7614fa10a986a7898c4b478d5ff37760da1cec7c04c8dea
SHA512 d9daf018c3c77b6a3a93d8ed46a20940b72a3311a058a6b13a09ecb93362294e7c6dc8d3130f91569cb866f11d93974023ce73c946d630cfd72c112fbbcc40e7

/data/data/com.ltcsfkb.guandu.my/databases/bugly_db_-journal

MD5 65f3b0b93d362223d285641812c0238f
SHA1 312fa42a92e3d1d1ab5c5e97980da0377cfb8e19
SHA256 aec69b8bf6e75d8341b666f857ee6830382e20359b28b5fbbe5c1293348bf3ea
SHA512 e93e3137900d9f97d8cc14c4ed55691070b9084ecaceb4c66ded68e571c2ae5e46c65a8670ff3e2678559362773c84f332384cd20e07ae72f5b2a06cd1b7a5c1

/data/data/com.ltcsfkb.guandu.my/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ltcsfkb.guandu.my/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ltcsfkb.guandu.my/databases/bugly_db_-wal

MD5 fbc648a474124166dc22a4185b9e046d
SHA1 e0891a3d68f4ad66dc52d50b5913e684f42ba011
SHA256 3d269f5ba1fce2b7fd392d0a45059ec49b224fbd635c7e0105a86cf626d4ded4
SHA512 1beccb0d34cf80b2bbc46cc0bac2db2b73c4d77437bb395a3bf473cefc52163b1522fecd2ab1d5f4a9e800774ec786cb54863396fc3cad88eeb1822e345f70ab

/data/data/com.ltcsfkb.guandu.my/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/storage/emulated/0/UcQkDir/qk.dvid.txt

MD5 48872b0d90589b0270ccc3512d7af779
SHA1 269f2f8c7768e9cab60609ea77578af75e430f29
SHA256 f62e327d64642fcafdc5b1b36584ec92fa81c72fc091c25448dafc411f77941e
SHA512 5b66c581848e1248a29423c60f46758cff68aacf27d59b1a1f57332510dbe8b087a8fe1fa94f9b36defa819e45328e424b318bd971b84da6f81709437c7357cd
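
Two things in the file list deserve a second look that the flat layout hides: /data/data/com.ltcsfkb.guandu.my/app_crashrecord/1004 appears twice with different digests, so it was rewritten during the run, and /storage/emulated/0/UcQkDir/qk.dvid.txt sits on shared external storage rather than in the app's private directory (the bugly_db_ files carry the name of Tencent's Bugly crash-reporting SDK database). The following is an added example, not code from the sandbox or the report. It parses the printed "path, then MD5/SHA1/SHA256/SHA512 lines" layout, checks each digest has the expected length and character set so a copy-paste error is caught rather than silently accepted, and reports rewritten paths, shared-storage files and the packages that own the private-directory files. The input is a subset of the entries above; the path prefixes and rules are the author's assumptions.

```python
"""Triage of a flattened sandbox file listing.

Added example; not code from the sandbox or the report. Path prefixes and the
rules below are the author's assumptions.
"""
from collections import defaultdict

# Constructed input: a subset of the behavioral1 Files section, copied from the
# report (both app_crashrecord/1004 entries, one Bugly database, the external file).
FILE_LISTING = """\
/data/data/com.ltcsfkb.guandu.my/app_crashrecord/1004
MD5 4df56e97bce76ddc5de75a21e5cb53d6
SHA1 99df56d4ab2281a0e7a57e5e5af66b76bab6d4ee
SHA256 d60eccb8d4101db0e7614fa10a986a7898c4b478d5ff37760da1cec7c04c8dea
SHA512 d9daf018c3c77b6a3a93d8ed46a20940b72a3311a058a6b13a09ecb93362294e7c6dc8d3130f91569cb866f11d93974023ce73c946d630cfd72c112fbbcc40e7

/data/data/com.ltcsfkb.guandu.my/databases/bugly_db_
MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ltcsfkb.guandu.my/app_crashrecord/1004
MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/storage/emulated/0/UcQkDir/qk.dvid.txt
MD5 48872b0d90589b0270ccc3512d7af779
SHA1 269f2f8c7768e9cab60609ea77578af75e430f29
SHA256 f62e327d64642fcafdc5b1b36584ec92fa81c72fc091c25448dafc411f77941e
SHA512 5b66c581848e1248a29423c60f46758cff68aacf27d59b1a1f57332510dbe8b087a8fe1fa94f9b36defa819e45328e424b318bd971b84da6f81709437c7357cd
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = set("0123456789abcdef")

# Assumption: Android path layout for app-private and shared storage.
APP_PRIVATE = "/data/data/"
SHARED_STORAGE = "/storage/emulated/0/"


def parse_files(text):
    """Return one dict per listed entry: {"path": ..., "MD5": ..., ...}.

    A line whose first token is a known digest name is attached to the current
    entry; any other non-blank line starts a new entry. Malformed digests raise.
    """
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in DIGEST_LEN and current is not None:
            if len(digest) != DIGEST_LEN[algo] or not set(digest) <= HEX:
                raise ValueError(f"bad {algo} for {current['path']}: {digest}")
            current[algo] = digest
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def triage_files(entries):
    """Rewritten paths, shared-storage files, and owning packages."""
    by_path = defaultdict(set)
    for e in entries:
        by_path[e["path"]].add(e.get("SHA256", ""))
    packages = {p.split("/")[3] for p in by_path if p.startswith(APP_PRIVATE)}
    return {
        "paths": sorted(by_path),
        "rewritten": sorted(p for p, digests in by_path.items() if len(digests) > 1),
        "shared_storage": sorted(p for p in by_path if p.startswith(SHARED_STORAGE)),
        "packages": sorted(packages),
    }


if __name__ == "__main__":
    for key, value in triage_files(parse_files(FILE_LISTING)).items():
        print(f"{key}: {value}")
```

A file on /storage/emulated/0 is readable by any other app holding READ_EXTERNAL_STORAGE (declared by this sample, see static1), so a device-identifier file written there is a cross-app tracking surface, not just a cache; that is why the example reports shared-storage paths separately from the app's private directory.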

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 03:25
Reported: 2024-06-14 03:29
Platform: android-x86-arm-20240611.1-en
Max time kernel: 2s
Max time network: 169s

Command Line

com.maiyou.wechat

Signatures

N/A

Processes

com.maiyou.wechat

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
GB 216.58.212.202:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 03:25
Reported: 2024-06-14 03:29
Platform: android-x64-20240611.1-en
Max time kernel: 2s
Max time network: 188s

Command Line

com.maiyou.wechat

Signatures

N/A

Processes

com.maiyou.wechat

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.200.14:443 tcp
GB 172.217.169.66:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.204.78:443 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-14 03:25
Reported: 2024-06-14 03:29
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 2s
Max time network: 132s

Command Line

com.maiyou.wechat

Signatures

N/A

Processes

com.maiyou.wechat

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.212.234:443 tcp
GB 216.58.212.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 216.58.212.196:443 tcp
GB 216.58.212.196:443 tcp

Files

N/A