Malware Analysis Report

2024-09-09 12:54

Sample ID 240614-haeh1asdjn
Target a8577807ea0c981a146b9c2a140ac400_JaffaCakes118
SHA256 75f9f20ac006e0f088f827a70ace4500ceee4dfdc1db4a3fb14f651ccc994206
Tags
banker collection discovery evasion impact persistence
Score 7/10

Analysis Overview

Score 7/10

SHA256

75f9f20ac006e0f088f827a70ace4500ceee4dfdc1db4a3fb14f651ccc994206

Threat Level: Shows suspicious behavior

The file a8577807ea0c981a146b9c2a140ac400_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current nearby Wi-Fi networks

Requests cell location

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:31

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 06:31

Reported

2024-06-14 06:35

Platform

android-x64-arm64-20240611.1-en

Max time kernel

3s

Max time network

133s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.234:443 | | tcp
GB | 216.58.212.234:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.196:443 | | tcp
GB | 216.58.212.196:443 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:31

Reported

2024-06-14 06:35

Platform

android-x86-arm-20240611.1-en

Max time kernel

166s

Max time network

181s

Command Line

com.wgchao.mall.imge

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.wgchao.mall.imge

com.wgchao.mall.imge:pushservice

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | api.wgchao.com | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | hmma.baidu.com | udp
HK | 103.235.47.161:80 | hmma.baidu.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.getui.net | tcp
US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp
CN | 183.134.98.112:5224 | sdk.open.talk.gepush.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.gepush.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.gepush.com | tcp

Files

/storage/emulated/0/Android/data/com.wgchao.mall.imge/cache/uil-images/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/storage/emulated/0/ShareSDK/.dk

MD5 9d17d54951f81cbb5381726ed56e3502
SHA1 d6696e7eb620e6526278e7034e0682370ba56b8c
SHA256 13f40c485b53c1a4c2a569804656a83e7d44411af5a315097addc426db5e9de4
SHA512 80756cde654e1f22d098b156e33af34d3e8efece428f88706ad57ea939884b32ff8be172041851ac16a463e716464159c9440ce5e0b8acd08e573b92a2c0e3ad

/data/data/com.wgchao.mall.imge/files/umeng_it.cache

MD5 8ec3489c1931f2eed66a93e0b753320a
SHA1 7efcd7e592cebbbd75f15511220dc4a5f2064705
SHA256 a75046fb3c077f56db373ffa15b473b982d66938f4af6ae18a62fe2f6caa35c3
SHA512 8488ea5a2f56dfe0fd80ba4e6539e414001533bd3b03c995272c41bc6172ca3898be0950cca9485c1d9b55d27e6870949d253a3462fbaaaa4868c9313b48ab87

/storage/emulated/0/baidu/.cuid

MD5 8640d945499a41aa0fb7f0bdbf774bbe
SHA1 55093892103ac1800c9546c98fba244df4fa189d
SHA256 d285535c12d4cf096666b4eb80972c80fdd00433407938fb600b6e1592a12e0b
SHA512 634176686671802baf3c340117b4c65b1529e43df6f656ff37726e467a7480dc5624c0d9aece0bf4fbeb170f13ba4885182fe991695af872ac3905c5cc995718

/data/data/com.wgchao.mall.imge/files/__local_last_session.json

MD5 a9e77777872cdaab8d6ea23c15eacc52
SHA1 a631eabcbaff83a34830dcf17782ce41e6553544
SHA256 2387d711aa402da3f41e3366caba76391c86a345db3573ea75778285852cc427
SHA512 f3c28721e257007969554742103dae32bf90e870d9c9d45d156ec1e1b1a5ce23a288411cfacaf9ebe47f91df8eb5fa567fbdd087687557a20d79d0eb0f9dc5c6

/data/data/com.wgchao.mall.imge/databases/pushsdk.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.wgchao.mall.imge/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

/data/data/com.wgchao.mall.imge/files/.um/um_cache_1718346784075.env

MD5 1d6cab0cff658e1ab94b1deee07f05be
SHA1 fc5b936846d53df37a01d05cb5c942864605a781
SHA256 3ba107696ad80fd8d51f6648dc3da2baea3679aa2959b7242262c478870eee43
SHA512 d1d27058fef19d8e82e2a7c04cde4ed17e12b36087a64c9979b7d06e2d16682b0685b16aa5d68400bf13dc0d00543ef2c7689ae4ea715f4e4c05976d4c27759a

/data/data/com.wgchao.mall.imge/databases/sharesdk.db-journal

MD5 4162c4674d86652dd9cb22e144fc875d
SHA1 ea0e7d8b6bd3075941918e1aa6371dd78a42fb77
SHA256 572713a5db97cd1e03687d747ba11338b533c7610374d3bbf03e3c7814ad7103
SHA512 5ee77d0730188551b8b4582863f341b0c6280b1e2724b1a56d465241205b8c39bfe6a7dedc44bcde4a8406c06504be57f05f1c4e1bf7929922bf13be084d75d3

/data/data/com.wgchao.mall.imge/databases/sharesdk.db-shm

MD5 ab153707f0902f789d44ce3f9f58a17d
SHA1 46b466dafa662fe392aeb5c82c907f0bd262113f
SHA256 b120e543ed2de4d27a4fa2ad91626135f4b5bf89134c8bae5a1cbcf543ecb381
SHA512 728db01eeb0f112baf689527a2aa43bbd52975dbbcb94d1d5be414ec5606d235d53e7d7192c5a768485443bb9bdfe02b24c3674534aea46c308801e4615e23b3

/data/data/com.wgchao.mall.imge/databases/sharesdk.db-wal

MD5 784b869cebd209596c7ec9f3844c4d89
SHA1 0d6c3ce5ee85e29fb53c87f47daccbfb792bba46
SHA256 1bd94bd8b3b83659ba2fee6579d69c4fe6bc8a42d914439729d7741c4daf6d98
SHA512 fbcc1cef17f05a6bb838e263a9b31152ec9d011dd495da35c02ade438ffd42f2a1bcb9790d6b07aba06508611a198dfb798db7bd4fadf946ca0fd1ca024052bd

/storage/emulated/0/ShareSDK/.ba

MD5 3c6b443fbf7e09288fd057d534c336ca
SHA1 1f69d6952633d9aa187996a7a9e442cc85b20bd4
SHA256 31bc987b34517800b51248be6354bc06faa27046878d4e0178eefd144a8655ed
SHA512 1e700e587bc5da7db714e2725ab5f593b16ace7c3a1def7e31ae1d39fd77ca7dd9de74cd9004dcbfe7e489eab9a28992001d40a725328b326a697adcd09198a1

/storage/emulated/0/ShareSDK/.ba

MD5 5fd99185b1d23f2984ae04fccc895688
SHA1 820022d934195e103c0ba711913eb3b6f8cbf776
SHA256 d097d9e07cb02ea9e046dbc878407bf029933999c8af1b9f68932c13ef44cb40
SHA512 b184a980d98befc340a61b72842ed38e3436f1a91f6e33eee95b178329a54f6f7350678faaf9873f2f24681908aba048f892dc9981a33dd49091f23b39cd1a92

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:31

Reported

2024-06-14 06:31

Platform

android-33-x64-arm64-20240611.1-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 172.217.169.68:443 | | udp
GB | 172.217.169.68:443 | | tcp
BE | 142.251.168.188:5228 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 216.58.204.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 06:31

Reported

2024-06-14 06:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

161s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 06:31

Reported

2024-06-14 06:35

Platform

android-x64-20240611.1-en

Max time kernel

3s

Max time network

151s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
GB | 216.58.212.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

N/A