Malware Analysis Report

2024-09-09 17:39

Sample ID 240614-ef52csthlb
Target a7eb06a589f09380dbf42e5dbea0698d_JaffaCakes118
SHA256 916c8c70c91f4106ea10e1034d10a0500577fd1698c6be593b64e5456b19dfc7
Tags
discovery evasion impact
score
7/10

Analysis Overview

score
7/10

SHA256

916c8c70c91f4106ea10e1034d10a0500577fd1698c6be593b64e5456b19dfc7

Threat Level: Shows suspicious behavior

The file a7eb06a589f09380dbf42e5dbea0698d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:54

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:53

Reported

2024-06-14 03:59

Platform

android-x86-arm-20240611.1-en

Max time kernel

15s

Max time network

131s

Command Line

com.zhuoyianbeauty.beautyparkour

Signatures

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.hardware N/A N/A
Accessed system property key: ro.product.device N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes10.dex N/A N/A
N/A /data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes.dex N/A N/A
N/A /data/user/0/com.zhuoyianbeauty.beautyparkour/app_gp/1.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zhuoyianbeauty.beautyparkour

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes10.dex --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/oat/x86/classes10.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes.dex --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_gp/1.dex --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_gp/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

/data/data/com.zhuoyianbeauty.beautyparkour/app_md/x

/data/data/com.zhuoyianbeauty.beautyparkour/app_md/classes.dex

/data/data/com.zhuoyianbeauty.beautyparkour/app_md/classes10.dex

/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes10.dex

/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes.dex

/data/data/com.zhuoyianbeauty.beautyparkour/app_gp/t

/data/data/com.zhuoyianbeauty.beautyparkour/app_gp/1.dex

/data/user/0/com.zhuoyianbeauty.beautyparkour/app_gp/1.dex

MD5 2defb6b4874acffec1ff896e7455550c
SHA1 8e8c5d5dd10846d96b89ad142ca591a54321fe85
SHA256 50eb89c24b4bf055b21c36d87bd099ae73c9911d757917f0c4e7f6657bea2e3c
SHA512 152a8ff7843fa591f42155d4a6f9aa17cccfc3ed34cf94f0bb3707394c05e508b8e3a6755e5e8f7b1668dd3f17e3b640d96279b62619f0f596739aab28055e5e

/data/data/com.zhuoyianbeauty.beautyparkour/files/.hljrhp/hljrhp