Malware Analysis Report

2024-09-09 17:38

Sample ID 240614-hcy1essdnr
Target a85bd42e53a9eb891b1740c0551aa34f_JaffaCakes118
SHA256 c4649c2082f3bc51fa4be167ba2c154dcb464b4bab347ab27c3916f0981f744f
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c4649c2082f3bc51fa4be167ba2c154dcb464b4bab347ab27c3916f0981f744f

Threat Level: Likely malicious

The file a85bd42e53a9eb891b1740c0551aa34f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Contacts a domain associated with commercial stalkerware (indicator list includes entries from echap.eu.org)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (might be used to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:36

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
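The permission list above is more telling as a combination than as eleven separate "dangerous" entries. The script below is an added example by this editor, not part of the sandbox report or the sample: it parses the flattened rows, groups the permissions by the capability they unlock (the capability model and the "stalkerware-like" rule are this editor's assumptions, not the sandbox's scoring), and reports which requested permissions the model does not cover.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed input: the permission rows from the static1 table above, with the
# descriptions shortened; only the android.permission.* names are parsed.
PERMISSION_ROWS = """\
Allows reading external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows writing system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows writing external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows reading phone state. android.permission.READ_PHONE_STATE N/A N/A
Allows camera access. android.permission.CAMERA N/A N/A
Allows listing accounts. android.permission.GET_ACCOUNTS N/A N/A
Allows placing calls without the dialer. android.permission.CALL_PHONE N/A N/A
Allows recording audio. android.permission.RECORD_AUDIO N/A N/A
Allows overlay windows on top of other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
"""

PERM_RE = re.compile(r"\bandroid\.permission\.([A-Z_]+)\b")

# Hypothetical capability model (this editor's, not the sandbox's): which
# requested permissions unlock which surveillance-relevant capability.
CAPABILITIES: dict[str, set[str]] = {
    "location":  {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "audio":     {"RECORD_AUDIO"},
    "camera":    {"CAMERA"},
    "telephony": {"READ_PHONE_STATE", "CALL_PHONE"},
    "identity":  {"GET_ACCOUNTS"},
    "overlay":   {"SYSTEM_ALERT_WINDOW"},
    "storage":   {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}
# All four of these together, plus overlay or identity, is the profile that
# covert-monitoring apps request; a single-feature app rarely needs all of them.
SURVEILLANCE_CORE = {"location", "audio", "camera", "telephony"}


def extract_permissions(rows: str) -> set[str]:
    """Return the short permission names found in the flattened table rows."""
    return set(PERM_RE.findall(rows))


def capability_profile(perms: set[str]) -> dict[str, set[str]]:
    """Group the requested permissions by the capability they grant."""
    profile: dict[str, set[str]] = defaultdict(set)
    for cap, grants in CAPABILITIES.items():
        if perms & grants:
            profile[cap] = perms & grants
    return dict(profile)


def assess(rows: str) -> dict:
    """Parse the table and score the permission set as a capability profile."""
    perms = extract_permissions(rows)
    profile = capability_profile(perms)
    caps = set(profile)
    core = SURVEILLANCE_CORE & caps
    stalkerware_like = (core == SURVEILLANCE_CORE
                        and bool({"overlay", "identity"} & caps))
    mapped = set().union(*CAPABILITIES.values())
    return {
        "permissions": perms,
        "profile": profile,
        "core_surveillance": core,
        "stalkerware_like": stalkerware_like,
        "unmapped": perms - mapped,  # permissions the model says nothing about
    }


if __name__ == "__main__":
    result = assess(PERMISSION_ROWS)
    for cap, grants in sorted(result["profile"].items()):
        print(f"{cap:10s} {', '.join(sorted(grants))}")
    print("unmapped:", sorted(result["unmapped"]))
    print("stalkerware-like profile:", result["stalkerware_like"])
```

On this sample the rule fires: location, audio, camera and telephony are all requested, together with an overlay and an accounts permission. WRITE_SETTINGS is the one permission the model leaves unmapped, which is the kind of entry worth a manual look rather than an automatic verdict.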

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:36

Reported

2024-06-14 06:41

Platform

android-x86-arm-20240611.1-en

Max time kernel

6s

Max time network

149s

Command Line

com.czy.store

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Contacts a domain associated with commercial stalkerware (indicator list includes entries from echap.eu.org)

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

alog.umeng.com is the Umeng analytics endpoint, an SDK embedded by stalkerware and by ordinary apps alike, so this hit corroborates the permission profile above rather than standing on its own.

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (might be used to encrypt user data; a single javax.crypto.Cipher.doFinal call is equally consistent with an SDK encrypting its own configuration or traffic)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.czy.store

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 rs.easemob.com udp
GB 193.118.32.53:80 rs.easemob.com tcp
US 1.1.1.1:53 api.daishucgj.com udp
US 1.1.1.1:53 a4-v2.easemob.com udp
CN 101.201.233.110:443 a4-v2.easemob.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
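The table mixes resolver lookups, sandbox-environment traffic and the sample's own connections. The script below is an added example by this editor, not part of the sandbox report: it parses the rows, drops multicast/local traffic and the Android platform domains, separates domains that were only resolved from domains that were actually contacted, and emits the remaining endpoints as IOCs. Treating 1.1.1.1 as the sandbox resolver and *.google.com / *.googleapis.com as platform background traffic is this editor's assumption.

```python
from __future__ import annotations
import ipaddress
import re
from collections import defaultdict

# Constructed input: the Network table above, copied row by row
# (country, destination, optional domain, protocol).
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 rs.easemob.com udp
GB 193.118.32.53:80 rs.easemob.com tcp
US 1.1.1.1:53 api.daishucgj.com udp
US 1.1.1.1:53 a4-v2.easemob.com udp
CN 101.201.233.110:443 a4-v2.easemob.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
"""

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(udp|tcp)$")

# Assumptions (this editor's, not the sandbox's): 1.1.1.1 is the sandbox
# resolver, and Google platform domains are Android's own background traffic.
RESOLVERS = {"1.1.1.1"}
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com")


def parse_rows(text: str) -> list[dict]:
    """Parse the flattened table; raise on a row that does not fit the layout."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": None if country == "N/A" else country,
                     "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_environment_noise(row: dict) -> bool:
    """Multicast/local traffic (the mDNS row) and platform services are not the sample's infrastructure."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast or ip.is_private or ip.is_loopback:
        return True
    return bool(row["domain"] and row["domain"].endswith(PLATFORM_SUFFIXES))


def triage(text: str) -> dict:
    """Split the table into contacted endpoints, resolved-only domains and an IOC list."""
    rows = parse_rows(text)
    queried = {r["domain"] for r in rows
               if r["ip"] in RESOLVERS and r["port"] == 53 and r["domain"]
               and not r["domain"].endswith(PLATFORM_SUFFIXES)}
    connections: dict[str | None, set] = defaultdict(set)
    for r in rows:
        if r["ip"] in RESOLVERS or is_environment_noise(r):
            continue
        # Key None collects connections the sandbox could not attribute to a domain.
        connections[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    iocs = sorted({d for d in connections if d}
                  | {f"{ip}:{port}" for endpoints in connections.values()
                     for ip, port, _ in endpoints})
    return {
        "connections": dict(connections),
        "queried_only": queried - set(connections),  # resolved, never contacted
        "iocs": iocs,
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for domain, endpoints in result["connections"].items():
        print(domain or "(unattributed)", sorted(endpoints))
    print("queried only:", sorted(result["queried_only"]))
    print("IOCs:", result["iocs"])
```

Two things fall out of this that the raw table hides. api.daishucgj.com was resolved but no connection to it was captured within the 149 s network window, so it belongs on a watch list rather than in a blocklist until the pcap shows a connection. The 216.58.201.110:443 connection carries no domain attribution in the report; the pcap's TLS SNI or a reverse lookup is needed before it can be classified as platform noise or as sample infrastructure.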

Files

/data/data/com.czy.store/app_crashrecord/1004

MD5 9d7e65130b1b5d60cdbb8cdb9f4b3d04
SHA1 61f7ac2734729062a70cc3784d99ae545efa722c
SHA256 c2356bf66c889f860dad889538be9f15ba6496eb7ae195b18b07dd558e94e292
SHA512 180d4cf4bd0606f496d69de20f074ccd49b84a91b5698d4e5843a586127bd5d208934b010c4ab8b7abbd1b8019de2c13d37e6934a8a251b2700d332b779a5e85

/data/data/com.czy.store/databases/bugly_db_-journal

MD5 e3c02ea0942bfa274c44dac12543fb7c
SHA1 1be1c9b5d3ba7b598aeefbd3a783863c14fd8432
SHA256 0eddf4d22fc570d8b8528b3f82afbe94ef49ddcadbba9dd7b54fc2abe45d6dbc
SHA512 250ad2050d4e394ab0f4d43c126fb501e420e8f751b440ae1d554246c04eef1a4d47a22dd45fb95560814d11b78341212f935794dd290879f1dc0d6f9c20c0d2

/data/data/com.czy.store/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.czy.store/databases/bugly_db_-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.czy.store/databases/bugly_db_-wal

MD5 a58aee38d822ced3839dca75f5066180
SHA1 7dc3a6d8c245588d56eb8a42fffabcf521511a96
SHA256 f2f347388d6e79ebbd5407abc30c39e66e55e40c5f7d7e16321e2387ba572279
SHA512 0a49e516bed3b6715c67ff7e3e6be15041a81f727aa297f36689db9245de27f2fd9879de22dc13ae86689bca836b3a95de9e25cb9466b5af0fe405f29f2d7dd1

/data/data/com.czy.store/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.czy.store/app_crashrecord/1002

MD5 0fa7dcaf4d94642e900ee3be9a9144a7
SHA1 4404ba253e03b1bb29439e3ee12c49e532482554
SHA256 faba53f299a14a846e6e638f0dc0fc60c64b5208c59c1be87dac1d5f09e917a1
SHA512 0e9d809bdabe96092c215d3fe2094864bf152256bd99967a09228cb2c5abb054bda58614a4e95fa6084d5a3eb740e3f49b22dc81fca67f733f4e28830fdc3794

/storage/emulated/0/Android/data/com.czy.store/czyttyc#dsgj/core_log/easemob.log

MD5 859275912e43715eabfe16ea4c5511a5
SHA1 cf8d8adbcce5f22358316be05a179714cdf260da
SHA256 be63e52027c816c3d5bde06e409c857b15bb8a60a52da1a3729e90f3cb1e7c92
SHA512 fe7337d2f373e55a385fafe307ee2a73ecfe5ea44355633a0dd13f8846a9800482b3b61bce428f4788d2df8c8d9a970913f760cbad171ecd99c1ac20692f5fbd

/storage/emulated/0/Android/data/com.czy.store/cache/diskCache/journal.tmp

MD5 d8cbadc488082d94b53ba2e1ee65c299
SHA1 48f72821143551146958f76576ba3856515189c7
SHA256 9bdea3d7488b8b31906c426b71efc57e2cfdb1086638d5dc885adc513da5d945
SHA512 97a936d747b7ab54774012ec81fd95699df873e178496f97ab71ceb10da27ee533760a3d094051e4340bb4b0696e22fa2eec3c4cf91145f2fd440a62e19c9365

/data/data/com.czy.store/databases/xUtils_http_cookie.db-journal

MD5 c177a0005630cd71326175f4fb3692b8
SHA1 512f4b6e53a66b19502bb2f74aa6062729ba3b96
SHA256 dc75978520c2e7cee25cac4647a93316d6c5247c458374fd82a0059a4d9fe3b5
SHA512 2cf5d5fc4469eca6e2111f4dfde781d44722c18c43f5335567f1d2b31b682570987d1663551370712818f72a5b032267cca768d55610ef50edec172fc81a3f64

/data/data/com.czy.store/databases/xUtils_http_cookie.db

MD5 3fe30614d7e0d11db870b4624f6c50e0
SHA1 053ff0fc621ab40f2afeddb3e7b4a73ee41ec533
SHA256 67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d
SHA512 c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

/data/data/com.czy.store/databases/xUtils_http_cookie.db-wal

MD5 63c3ae5cd59e54e0275348cb59a8a4ac
SHA1 0cac595083aca4b6f6b0654ffff29212b2a7b99b
SHA256 482f8c73e6c02744c88a9e4d7f23a5222c05f4eaa2fc66b5e1e0c37d57b9df4e
SHA512 744545536ad17fbdf54d6f8e7d05390818da7ee3c12bd657b27b26254b7c1529ac191a9bbdfc6b8e03a47acaa8771d0b6b7d836a8751983e2e6ca73581921593

/data/data/com.czy.store/databases/xUtils_http_cookie.db-wal

MD5 6d6c6b22f8c939041a4c23448dc47e09
SHA1 ae28b2d59642a882de82800c7be5c4b2f0127049
SHA256 b37b4d6c62680629b33b3b6807d87e28ea73f8c186836c5f0de8da7863a396d0
SHA512 9be429e446bb0805c29901420b1fb01914bdb8850f6e8a90774a422eefd3c01ce0da3cf119152bfff0561ec3c35ae12914a104b5917d0715e128bf73d7858108

/data/data/com.czy.store/databases/cc/cc.db-journal

MD5 a444a31246d7957bb35076b412912972
SHA1 638099b926670b49d4ad48d6c489c3ce8485c8b9
SHA256 dc5a23bea5ff4243680d9dfd1b61311361a11a907580bc78dbf528f21749c6fa
SHA512 8e44fe11e3c92c218ee06ccdf7df4780db40e86513421a8761349cecbb42bf83aeaff1e58ee88f0917f95079afb9d8392c1e3ab448f2cc0e8a666f1f4992a9b5

/data/data/com.czy.store/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.czy.store/databases/cc/cc.db-wal

MD5 b436bc0bdece6c1b282175953878ffb5
SHA1 72743e44a62bd200392161e16302c881e1db0d90
SHA256 a232b63198d4a9472c5731ff74a3eb530dbd84566df3699d18a4068a5ebfb4fd
SHA512 2bc0820afb7517499c0aa51f1ca05744d39d447d7313bfbb94dc47650abc41934b5e8de6a6ea1e2ffd668aba97c6269afa3aafdf52705153fe4668d67de40821

/data/data/com.czy.store/files/config.json

MD5 f5f1b3b2881eeaed40bd709723a2b547
SHA1 0f3b761f0af5b8f9cef72bcf40a7d93a3a5c0c68
SHA256 8d28058c34d5bf80ce0ad0e6bd6378fec59e2e5df0cf660780da220eaef861c7
SHA512 9ae3c84b8233aafa3045d4097dccf54fa3ce2275059a85de581067aa047cab31076d1353341c32b4e8dee15103a4cba327cd651c3369354c9bc784d4698270c2

/data/data/com.czy.store/databases/ua.db-journal

MD5 1bfffc036d9db6861988a9ff334dd094
SHA1 6c179d24dfc320ac7334d41bae5768c386aa1aa4
SHA256 41aa09eedf82fe47254c7839ef0aa400d6070f4920203526337a0fcebf714fef
SHA512 c1797dab0cf1144e88c2860a87de831782b4a9f3fc5396246a0b61a68b4dcd81e07d6569881205900c311ed37d1d4f352771c4cabc954ae343890afe813f0ab5

/data/data/com.czy.store/databases/ua.db-wal

MD5 a11b6576a1ad9648bfd46142561fcf4b
SHA1 a412ca49f815674b25a20fbf3659bd65aaab8de8
SHA256 36a217bf084d467d57e99362859e0db83459d998a16e770c79eceab55e75d816
SHA512 17f42711b1a79f38734023cdcbda6ecee5dc144d07c6cecf4b3ee514af1bdb1e7ca9efac73930073d49a5cfbbe43de85fc667eb5aa0552a7cfad10d7355daf85