Malware Analysis Report

2024-09-09 12:54

Sample ID 240614-e4av5aygkl
Target a8031149562d141b180746ee0c0ac835_JaffaCakes118
SHA256 f5ccb567b2804f016c6b16e71e0c470b289f76114a6a83a39b5ab33f1879b79e
Tags: collection, discovery, evasion, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: f5ccb567b2804f016c6b16e71e0c470b289f76114a6a83a39b5ab33f1879b79e

Threat level: shows suspicious behavior. The file a8031149562d141b180746ee0c0ac835_JaffaCakes118 was rated suspicious (7/10) rather than outright malicious. Every signature listed below comes from a single detonation (behavioral1); the other three runs recorded no process, signature or file from the sample.

Malicious Activity Summary

Tags: collection, discovery, evasion, persistence

Reads the content of SMS inbox messages.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 04:29

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every row of this static analysis, so only the permission and its description are kept.

Permission                                   Description
android.permission.WRITE_EXTERNAL_STORAGE    Write to external storage (listed twice in the source report, collapsed here)
android.permission.READ_EXTERNAL_STORAGE     Read from external storage
android.permission.SYSTEM_ALERT_WINDOW       Create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps
android.permission.READ_PHONE_STATE          Read-only access to phone state: current cellular network, status of ongoing calls, registered PhoneAccounts
android.permission.ACCESS_COARSE_LOCATION    Approximate location
android.permission.WRITE_SETTINGS            Read or write system settings
android.permission.SEND_SMS                  Send SMS messages

READ_SMS is absent from this list even though behavioral1 records a read of content://sms/inbox; the report does not say whether that query returned any rows. A declared permission shows capability, not use; the behavioral runs below record what was actually exercised.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 04:29
Reported: 2024-06-14 04:32
Platform: android-x86-arm-20240611.1-en
Max time kernel: 68s
Max time network: 139s

Command Line

com.cngameqw.jundao (the launched package name, not a shell command)

Signatures

Loads dropped Dex/Jar

evasion
Indicator (file handed to a class loader), Process/Target N/A:
/data/user/0/com.cngameqw.jundao/files/data.jar
/storage/emulated/0/Sonnenblume/res.apk (two load events recorded)
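The loader signature above records only that a path was handed to a class loader; it says nothing about what the file contains. The following is an added analyst-side triage helper, not code from the sandbox or from the sample: it classifies a dropped file by content as a raw DEX (magic 'dex', newline, three-digit version, NUL), a ZIP container (APK or JAR) carrying classes*.dex entries that DexClassLoader or PathClassLoader can consume directly, or an opaque blob whose high entropy suggests a stage that is decrypted in memory before loading. The sample files are constructed in memory and named after paths in this report purely as stand-ins; the report also lists res.apk.u beside res.apk, and whether that is a pre-decryption form is exactly the question this check answers on the real export, not something the report states.

```python
"""Classify files a sandbox reports as 'dropped Dex/Jar' by content, not name.

Added example for this report (not the sandbox's or the sample's own code).
Inputs below are constructed in memory; real inputs would be the sandbox's
file export for the paths named in the loader signature.
"""
import io
import math
import zipfile
from collections import Counter
from typing import Dict

DEX_MAGIC = b"dex\n"      # raw DEX header starts 'dex\n035\0' (version varies)
ZIP_MAGIC = b"PK\x03\x04"  # APK and JAR are ZIP containers


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a value near 8.0 suggests compression or encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes) -> Dict[str, object]:
    """Verdict for one dropped file: kind, whether a class loader could
    consume it as-is, and the dex entries found inside a container."""
    verdict: Dict[str, object] = {
        "kind": "opaque", "loadable": False, "dex_entries": [],
        "entropy": round(shannon_entropy(data), 2),
    }
    if data.startswith(DEX_MAGIC) and len(data) >= 8:
        verdict["kind"] = "dex"
        verdict["dex_version"] = data[4:7].decode("ascii", "replace")
        verdict["loadable"] = True
        return verdict
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            verdict["kind"] = "zip-corrupt"
            return verdict
        # Class loaders pick up classes.dex, classes2.dex, ... from the root.
        dex_entries = sorted(n for n in names if "/" not in n
                             and n.startswith("classes") and n.endswith(".dex"))
        verdict["kind"] = "apk" if "AndroidManifest.xml" in names else "jar"
        verdict["dex_entries"] = dex_entries
        verdict["loadable"] = bool(dex_entries)
    return verdict


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Construct a small ZIP container in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


FAKE_DEX = b"dex\n035\x00" + bytes(64)  # constructed header, not a real DEX

# Constructed stand-ins keyed by the report's paths; not the real files.
SAMPLES: Dict[str, bytes] = {
    "/data/user/0/com.cngameqw.jundao/files/data.jar": build_zip(
        {"classes.dex": FAKE_DEX}),
    "/storage/emulated/0/Sonnenblume/res.apk": build_zip(
        {"AndroidManifest.xml": b"<manifest/>", "classes.dex": FAKE_DEX,
         "classes2.dex": FAKE_DEX}),
    "opaque-blob": bytes(range(256)) * 4,           # uniform bytes, entropy 8.0
    "raw-dex-stage": b"dex\n037\x00" + bytes(64),   # raw DEX, version 037
}


def classify_all(samples: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Run the classifier over every dropped file."""
    return {path: classify_payload(data) for path, data in samples.items()}


if __name__ == "__main__":
    for path, verdict in classify_all(SAMPLES).items():
        print(path, verdict)
```

Run it over the sandbox's file export for each path in the loader signature; a file that classifies as opaque but was still passed to a class loader is worth a closer look, since the app must have decrypted or transformed it first.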

Reads the content of SMS inbox messages.

collection
Indicator: content://sms/inbox (URI accessed for read). Process/Target: N/A.

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Indicator: alog.umeng.com. Process/Target: N/A.
alog.umeng.com is the logging endpoint of the Umeng analytics SDK (Alibaba), which is embedded in a large share of Chinese-market apps. The echap.eu.org list includes third-party infrastructure that stalkerware apps talk to as well as vendors' own domains, and a match on a shared analytics endpoint is far weaker evidence than a match on a vendor domain. On its own this hit establishes that the sample bundles an analytics SDK, not that it is stalkerware, and it should not be used as a sole detection or blocking indicator.

Queries information about active data network

discovery
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo (framework service call, recorded twice). Process/Target: N/A.

Queries information about the current Wi-Fi connection

discovery
Indicator: android.net.wifi.IWifiManager.getConnectionInfo (framework service call, recorded twice). Process/Target: N/A.

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Indicator: android.hardware.SensorManager.registerListener (framework API call). Process/Target: N/A.
Emulators typically expose no sensors or deliver static readings, so registering a listener and waiting for values that change is one way of telling a physical device from an emulator. The report records only the registration, not what the app did with the readings.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: android.app.IActivityManager.registerReceiver (framework service call). Process/Target: N/A.

Checks CPU information

Indicator: /proc/cpuinfo (file opened for read, recorded twice). Process/Target: N/A.
/proc/cpuinfo is commonly read to fingerprint the device (CPU architecture and model, which also betrays an emulator) or to choose a native library; as with the sensor check, the read alone does not say which.

Processes

com.cngameqw.jundao

com.snowfish.a.a.bg

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353                              udp
US       1.1.1.1:53           alog.umeng.com           udp
CN       223.109.148.177:80   alog.umeng.com           tcp
GB       216.58.212.238:443                            tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       216.58.204.78:443    android.apis.google.com  tcp
US       1.1.1.1:53           s3a.abusi.net            udp

224.0.0.251:5353 is mDNS multicast from the emulator environment (it is also the only traffic in the three runs where nothing executed), and the 1.1.1.1:53 rows are the DNS lookups for the domains named. Of the remaining rows: the Umeng analytics traffic goes out as plaintext HTTP on port 80; android.apis.google.com is a Google endpoint that stock Google services on the image also contact, so it is not by itself attributable to the sample; 216.58.212.238:443 (a Google-allocated range) has no domain attached in the report; and s3a.abusi.net was resolved but has no connection row in this capture, so it is the one name here with no analytics or Google explanation and the first to pivot on.
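The signature and network tables above are flattened text, and pulling indicators out of them by hand is error-prone once a report has more than a handful of rows. The following is an added analyst-side example, not part of the sandbox or of the sample: it parses the 'Description Indicator Process Target' and 'Country Destination Domain Proto' rows in this report's format, separates dropped paths, content URIs, domains and contacted IPs, and drops environment noise. REPORT_EXCERPT is a constructed copy of a few rows from this report; treating 1.1.1.1 as the sandbox's DNS forwarder rather than a choice made by the sample is an assumption.

```python
"""Extract pivotable IOCs from a sandbox report in the flattened text form above.

Added example (analyst-side tooling, not part of the sandbox or the sample).
REPORT_EXCERPT is a constructed copy of a few rows of this report. Environment
noise is dropped: mDNS multicast and 1.1.1.1, the latter assumed here to be the
sandbox's DNS forwarder rather than something the sample chose.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

REPORT_EXCERPT = """\
Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cngameqw.jundao/files/data.jar N/A N/A
N/A /storage/emulated/0/Sonnenblume/res.apk N/A N/A

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 s3a.abusi.net udp
"""

CATEGORY_TAGS = {"collection", "discovery", "evasion", "persistence"}
SIG_HEADER = "Description Indicator Process Target"
NET_HEADER = "Country Destination Domain Proto"
RESOLVER_IPS = {"1.1.1.1"}  # assumption: the sandbox's DNS forwarder


def parse_signatures(text: str) -> Dict[str, List[str]]:
    """Map each signature title to the Indicator values listed under it."""
    sigs: Dict[str, List[str]] = defaultdict(list)
    title, in_table = "", False
    for line in text.split("\nNetwork\n", 1)[0].splitlines():
        line = line.strip()
        if line == SIG_HEADER:
            in_table = True
        elif not line:
            in_table = False
        elif in_table and title:
            # Description may contain spaces; Indicator, Process and Target
            # are the last three columns, so split from the right.
            cols = line.rsplit(maxsplit=3)
            sigs[title].append(cols[1] if len(cols) == 4 else cols[0])
        elif line not in CATEGORY_TAGS and line != "Signatures":
            title = line
    return dict(sigs)


def parse_network(text: str) -> List[Dict[str, str]]:
    """Rows after the Network header; the Domain column may be empty."""
    rows: List[Dict[str, str]] = []
    body = text.split(NET_HEADER, 1)[1] if NET_HEADER in text else ""
    for line in body.splitlines():
        tok = line.split()
        if not tok:
            if rows:
                break  # blank line closes the table
            continue
        if len(tok) in (3, 4):
            rows.append({"country": tok[0], "destination": tok[1],
                         "domain": tok[2] if len(tok) == 4 else "",
                         "proto": tok[-1]})
    return rows


def is_noise(destination: str) -> bool:
    """Multicast (mDNS) and the resolver are environment, not the sample."""
    host = destination.rsplit(":", 1)[0]  # IPv4 host:port only in this report
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_multicast or host in RESOLVER_IPS


def extract_iocs(text: str) -> Dict[str, Set[str]]:
    """Domains, contacted IPs, dropped file paths and content URIs."""
    iocs: Dict[str, Set[str]] = {"domains": set(), "ips": set(),
                                 "dropped_paths": set(), "content_uris": set()}
    for title, indicators in parse_signatures(text).items():
        for ind in indicators:
            if ind.startswith("content://"):
                iocs["content_uris"].add(ind)
            elif ind.startswith("/"):
                iocs["dropped_paths"].add(ind)
            elif title.startswith("Domain"):
                iocs["domains"].add(ind)
    for row in parse_network(text):
        if row["domain"]:  # DNS rows name the host even when the resolver is noise
            iocs["domains"].add(row["domain"])
        if not is_noise(row["destination"]):
            iocs["ips"].add(row["destination"].rsplit(":", 1)[0])
    return iocs
```

Feed it the behavioral1 text from this page and the output is the short list worth pivoting on (the two dropped loader inputs, the SMS inbox URI, the three resolved names and the two non-resolver IPs); API-call indicators such as getActiveNetworkInfo are kept in the parsed signatures but deliberately not promoted to IOCs.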

Files

On Android, /data/data/<package> is a symlink to /data/user/0/<package>, so the two data.jar entries below name the same file; their hashes differ, which means it was written at least twice during the run. Paths that appear more than once (the InAppBillingLibrary log, Sonnenblume/EE53AF5B170264468E95E783E26D76C2) are likewise successive versions rather than duplicate entries.

/data/data/com.cngameqw.jundao/files/pay.data

MD5 b3318d0f9efefa37d789745f55ec3b6a
SHA1 62794c6e107c5d6bd248fd1c883a5ab02da2d7df
SHA256 62e0bdbf50e5684c6ebf48c10491b662f1662d26c9594e852c34849bcaec856a
SHA512 bbbb19ed4c7f427e1399c2d18a4e104812514feea1bbdcda927c593e9d9d987a72051e133c94fe4c3d15d24716299dae53f172eb32b02c79f0d3c885fe748f1d

/data/data/com.cngameqw.jundao/files/data.jar

MD5 43aa6e671437df7e21ada10b9ca9c76e
SHA1 21603addc58ee1aacd36fc5a065a6c28d8348957
SHA256 bfb16339a70adf336c93d4eff1854ce69ec2f23e8473743721bb83e6c2816bc4
SHA512 42e9caa35a717e4522bc4f2c69db219762338d66ae68d3b413e1c369952e9d05e5651d9b7c52e13f4beccb597c909c4d71884ec8cdb36323094cbeada9cf05e6

/data/user/0/com.cngameqw.jundao/files/data.jar

MD5 1cc8518346734dd6224a76390abdcc47
SHA1 6b008b0bfaeb1f96b7e146cf90e6d5cdea251405
SHA256 f57bd8ca4cd7c881b8c304dad6e2530613bb287296888f5ffe1bdd39ad1d4f1d
SHA512 7c824d52c4ef673f437811315d2e2aab4fa9c84050a5814cba780eeca21ed2a82759e88d9bd36f9a402a53f64188ada8c78718d26919f14a8954624e9e939248

/storage/emulated/0/InAppBillingLibrary/log

MD5 14be0afb5b2d83dec5de5cd60edd4b97
SHA1 316b1811dbb9790412eff6e858b21cb30b56ef52
SHA256 871c8d9552efa8ef1cd855f8fbe0a273de31e4c136dca5e9d48af6f7bb5c9bcc
SHA512 a1f1baa623ff4c6c2b07d7aa4231f6281d6f611ed94c3bebc934fe59ef429c2c6a1f9f6e67c0e99477edc1b01117cfe34406f0016c420039f2ae7a0aead96d09

/storage/emulated/0/InAppBillingLibrary/log

MD5 2ab33cf7f948337b865aa1d33801835f
SHA1 a40ba65415bd370fd5cab7fb5b4c0f665204fa99
SHA256 4e1bfcd09e9d1e10da9253a433748df74b0db5ad6ec87e3c736c3ab1e09bad28
SHA512 7e009d7cbcb7c588e51f23b8d778a68dcd70992932f68de1820f8a1cbe01dcb0dc7445db3f59d54389579f5ff770484b5230e77d21ffc19ab5e2a06c0ae33e0a

/storage/emulated/0/Sonnenblume/res.apk.u

MD5 da1ccb023118926c8c0ce346b463306d
SHA1 0cba2ef06cc9775fd15e4a3d70e87ff752b8ca0a
SHA256 d7560ba5851e1fcb1ab9fef766acdd34f08511fa9c927f7ab71fdbe4419f87cb
SHA512 703d1e2c4035a0b501403edff2754e0e3cbfd8cef7f002c2f12a88b525cd8469c453676d61886ea9c43f6ede57ce74203487a80fa9940bbfa4739a5d057d19f2

/data/data/com.cngameqw.jundao/files/iapSplash.dat

MD5 c6f057b86584942e415435ffb1fa93d4
SHA1 8aefb06c426e07a0a671a1e2488b4858d694a730
SHA256 2ac9a6746aca543af8dff39894cfe8173afba21eb01c6fae33d52947222855ef
SHA512 bdc247a1a0e28a586ed40744d281993d519abe981aaef33277d4877d167e1150816e9723d068a59509991ed0cdd8c5cea0f9ecd0ef23664db7cb85db5a0dbe12

/data/data/com.cngameqw.jundao/databases/license_data.db-journal

MD5 31142e71e216391e789c90360c769da6
SHA1 fdf11721f551a34a5d0a7b9351b996acc0353652
SHA256 d92fbe18513fe360f596c93ba20c152dea90c2f52d05dd87ddf5b64398ece945
SHA512 75d9e5dfddb3b2317de2164d58032d89aac2178a81bb1b9907088a052c2cea2f03986f1b373643ff8a905890af157aadb1e6f4a5e7281e204cf220416c99e470

/data/data/com.cngameqw.jundao/databases/license_data.db

MD5 ca2bcc7a502ebe854deae37d6952b481
SHA1 29d9cacf79b5eaea6db50402bdb19fd17454ad1f
SHA256 b8c2639c6e290d8880b1ecc74cd61838439860efa104c9d68c578d8fa3da85d2
SHA512 0a6b1cb290da5bfc7641cf4df4df4a6b332f0cfc9db45a8bfe36379c8dbfb06ed6267792ef397be193d601e472b8607f441035e9a05b85546b626b90346443f5

/storage/emulated/0/Sonnenblume/res.apk

MD5 0bda2a3c278343bb5417e5556baea517
SHA1 894b1794bafb9723a6839d49c8a76ce579e2857a
SHA256 9423b0d4e9f1b3d8ddcfa46744730e25ef5993f996bd6f1737cc0676db7b347c
SHA512 f770a35375efef90f8ee7c1f182f733e57c6af43ed8ba6b9a9e791ed77763a0b95b478ea89bb65947fd09bca715d24e5b2416e2b16fdbcef806454162530d885

/data/data/com.cngameqw.jundao/databases/license_data.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.cngameqw.jundao/databases/license_data.db-wal

MD5 b8638dd66e894db0ccdc599a5d40c1fb
SHA1 7d0047781e1ecd384e5535910bed584d9a48305a
SHA256 d4efd40ca8f8b0d15e5d285ddd299a97395d56120b6f4f9b7e50d9911208e82a
SHA512 67bb9360ddec27abd76d46eca4b2929d7a815f621588910e637c1da9d49b3f59a9fa3168d8a607b2a4c7e63d7be3f74aedc99e8769be2a00bc45b787adb7fe56

/storage/emulated/0/InAppBillingLibrary/log

MD5 fa55c7959d9ca10ff35866d56b7678f9
SHA1 3cf1fa624d166a97b5e0cb14a84a1d0fee48ad45
SHA256 8e801e579e14b4ba2832392263ae0a91463f58aec0a9832bf9c7750633cb3e3c
SHA512 c7b67cc6d1011485e6d5094db3ef6c04e5825d9c5719fb2d187ea209f7bd2134393ab23f77867858397d54736179fa663bc0f40e0eff2f1b4422944ff0031a2e

/storage/emulated/0/Sonnenblume/apayment.db-journal

MD5 1c34458248ca75c2e692c8124d4596d8
SHA1 943a9812a3879d9e1c8e4802881c32d04573da8c
SHA256 55533af52c27970a86f74359c10c0ad282073eb31bfa0c5394e1443ff190db88
SHA512 b4cea942d3c7454dc58a2eb69e0d4a4fae0c1acb55a08bd66aa918bec0a1e95b02a314ba9e448a44a16b9a4b1869e9b18b0cc1409671be63ab691d4c5a4e519f

/storage/emulated/0/Sonnenblume/apayment.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/storage/emulated/0/Sonnenblume/apayment.db-wal

MD5 da182a17c305e90e611ab10767fd710a
SHA1 9b1cfb8fdb328f0900f765d7f7df908c929ecb49
SHA256 64f6a370a44180e41723c3fc0a3b01f39311c564159a1e886c6da9e2392ecb6b
SHA512 b8be150c52af06faaca05ae0ac737775998edb9ce28e41a453457fbf645d7eea0bd423cbab41558b7e439cca4bfe03dd42b8603442550c6a82df83fcc5251f48

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 9f79b49f4414cb73ec44cf348e5dbf56
SHA1 7623ffb91ce139cd851ed4c6f633d5009ed050ff
SHA256 2a9295ddbc5ec0510e70a1208f14f952af53f43c90caa16c83e6539ac97d496a
SHA512 c3a1072dc2d44ebce2dbb6e4f77e44469871844e4d6a58c37ea0c0b6cae4f7f00a90667fe37f2faeea2ef8b81c959e454f91ba60f3ca707334c25eddaf331a49

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 2a17ad543406089042b00a77a62ff12f
SHA1 4d0f0658c2b9ada3fee9daa13e86d8c1511bd608
SHA256 d40a84bf1a08fa21cd22773ab187526627bbf162c63deb56f45f573f7fb207bb
SHA512 05662f0f643d9dd51a60dcca522cb543037f188ea6f29e2347abfec098945f6c17dbb7ae9651c9e73e1de4c5a8222a0fa2fb4ff237b10836160db87853627610

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 7dcafa8891b93bc29e39b7a39831ce2d
SHA1 8da6de50016d94efc097c39c8f3f7f3dba5325b6
SHA256 a2cdc32c5ef847fbf7d88540c4b20129bf814df10820d3545765aeb9a18f8ed6
SHA512 70cb3d4e061041b77a8d7462d0d1f7674af6df7ca50e6862d5e4c5745b963c436fbb46a0dc644c960f888b596102215d02f89c0a7fef8b1038530fd65a1ed076

/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

MD5 87a928b0184988005e6ad56bf9dbb091
SHA1 ee9d95062a891f1b469e53821bf1894fcc1d10a9
SHA256 d56c9bfc2a8162c5320280681185493f48c67d666590efc5717b8ecad4558418
SHA512 f9f455174a17d62a6b292ccabd16f8a357b19c19b978025be2cab51ccb14e796fe324be19930fb3fa0189f68ab6ddcf46da32bb03823aaeb8fd78dbe9cb83d55

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 04:29
Reported: 2024-06-14 04:29
Platform: android-x86-arm-20240611.1-en
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353           udp

The only traffic is mDNS multicast from the emulator environment. With no process, signature or file recorded, this run (like behavioral3 and behavioral4) produced no observation of the sample; only behavioral1 did.

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 04:29
Reported: 2024-06-14 04:29
Platform: android-x64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-14 04:29
Reported: 2024-06-14 04:29
Platform: android-x64-arm64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A