Malware Analysis Report

2024-09-09 17:38

Sample ID: 240614-hjlcxasfmq
Target: a862e0180186c5251be015b1975c30ce_JaffaCakes118
SHA256: cf4b8aaa000033711b14c1090b86906c94eab86f7baccb1036489900754bae15
Tags: discovery evasion impact persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: cf4b8aaa000033711b14c1090b86906c94eab86f7baccb1036489900754bae15

Threat Level: Likely malicious

The file a862e0180186c5251be015b1975c30ce_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 06:46

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 06:46
Reported: 2024-06-14 06:49
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 174s

Command Line

com.ezfun.xyen

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezfun.xyen
    /system/bin/sh -c getprop ro.board.platform
        getprop ro.board.platform
    /system/bin/sh -c type su
    /system/bin/sh -c getprop ro.miui.ui.version.name
        getprop ro.miui.ui.version.name
    /system/bin/sh -c getprop ro.build.version.emui
        getprop ro.build.version.emui
    /system/bin/sh -c getprop ro.lenovo.series
        getprop ro.lenovo.series
    /system/bin/sh -c getprop ro.build.nubia.rom.name
        getprop ro.build.nubia.rom.name
    /system/bin/sh -c getprop ro.meizu.product.model
        getprop ro.meizu.product.model
    /system/bin/sh -c getprop ro.build.version.opporom
        getprop ro.build.version.opporom
    /system/bin/sh -c getprop ro.vivo.os.build.display.id
        getprop ro.vivo.os.build.display.id
    /system/bin/sh -c getprop ro.aa.romver
        getprop ro.aa.romver
    /system/bin/sh -c getprop ro.lewa.version
        getprop ro.lewa.version
    /system/bin/sh -c getprop ro.gn.gnromvernumber
        getprop ro.gn.gnromvernumber
    /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
        getprop ro.build.tyd.kbstyle_version
    /system/bin/sh -c getprop ro.build.fingerprint
        getprop ro.build.fingerprint
    /system/bin/sh -c getprop ro.build.rom.id
        getprop ro.build.rom.id

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | graph.facebook.com | udp
GB | 163.70.151.23:443 | graph.facebook.com | tcp
GB | 163.70.151.23:443 | graph.facebook.com | tcp
GB | 163.70.151.23:443 | graph.facebook.com | tcp
US | 1.1.1.1:53 | stats.unity3d.com | udp
US | 1.1.1.1:53 | xyopenapi.sh.1251001106.clb.myqcloud.com | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | t.appsflyer.com | udp
GB | 216.137.44.95:443 | t.appsflyer.com | tcp
US | 1.1.1.1:53 | api.appsflyer.com | udp
GB | 18.165.227.126:443 | api.appsflyer.com | tcp
US | 1.1.1.1:53 | xgamenetus.oss-us-east-1.aliyuncs.com | udp
US | 47.253.30.93:80 | xgamenetus.oss-us-east-1.aliyuncs.com | tcp
US | 47.253.30.93:80 | xgamenetus.oss-us-east-1.aliyuncs.com | tcp
US | 47.253.30.93:80 | xgamenetus.oss-us-east-1.aliyuncs.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp

Files

/data/data/com.ezfun.xyen/databases/google_app_measurement.db-journal

MD5 7964e5f5cfe2f05cefd7d8a2bdda3e2b
SHA1 59f2134366472c2db850877b48978917f331e9b0
SHA256 c0e6af8f7477f0ac99454d6bfa8e4a779f145e13cc283743aa4a14294b58d506
SHA512 48fec409b38b5d989bffb31f85763b06e6acdc53fbb7ce04779ac509ee06c2a425ad33708db1f3e7e688dee3a64347388a7cf69e8a0247c99dc6a4384fdcf7c0

/data/data/com.ezfun.xyen/databases/google_app_measurement.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ezfun.xyen/databases/google_app_measurement.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ezfun.xyen/databases/google_app_measurement.db-wal

MD5 296181ad02f909dc1cc13444a77cdf93
SHA1 3ca0ec13e71c103eb854ade85c36e2057049c97c
SHA256 486231d31312f175ca87a3b895279b6712ef1590f1786c8a692c02cc3e0e7b9d
SHA512 dbacd7da7023c0d2ed2cfa86aaeb0dab57840d30a4d58a852ff89d44ba47ec73967717ab41f427aa19b6e66a6091c1a58a8166e580deb4ca3337f0eee4fbf3c1

/storage/emulated/0/Android/data/com.ezfun.xyen/files/ver

MD5 a74458488179ecb21be59b4f215bd69b
SHA1 89cf82e60ebf1c835aaf911284f06dc8c10f7a44
SHA256 acf0fcf21ec7d8de40a463ce5e64e704690470de2ac13e4aba69060635bf1fd7
SHA512 2c909383910b196e27f1577b267bb0869559dffc602709104c87db1a35658491e9fdec494b1bcbd6a20de7211ff31687cb21a76149063c355a0f78da815c9590

/storage/emulated/0/Android/data/com.ezfun.xyen/files/localAppVer.cfg

MD5 6a154fe077b0d71fab747079562e97ff
SHA1 9b80ca131fbc6cb5a944359bf46b2f5f301b25fc
SHA256 2c1940937d13777dc0f2c5a890921ff13e98b91a9e9d443a42651d8d0d8b448d
SHA512 249e676e0deb22642d1ef367787c42cb6723ff276759b6dc50f664cf765e4697a4623fa9d03da59afacee8d6d999752051620922ab8c033ab387da6d664e729c

/storage/emulated/0/Android/data/com.ezfun.xyen/files/cd

MD5 40c15095fba74d423df9b33c0143cf0c
SHA1 6c9abcdb8a2f2808bb2c13c5b5173684716a2d43
SHA256 8a46a510b30b69481e6a69e527fb158fdef526f61f2cabded7082c8c8dfcc603
SHA512 5bebe9cc774c9c4c5481eceb82aabd917264c5c99a8b24936085402498c496bd03958aeb3b0c51f898875cf5034c8f87f80a7b17d28eef2a57b0f1c8783bb63e

/storage/emulated/0/Android/data/com.ezfun.xyen/files/ver

MD5 fd576c121b9abf9c28e75498fc52de53
SHA1 ce8f31dbd0ace8d32561ceb45cdf5bb0f9d3d5ce
SHA256 679f95167b6b961f56f1bade99a82a953c64ffe6ab889c9d5f94454cadcb80ba
SHA512 a775e49f2e8289608a74db39fcd411e14661acb4a6c3143ec346c895290f3a081a264206ef5b995d26e543b0971e9eca1578b8581096eb03e0f6ac30b6eb092d

/storage/emulated/0/Android/data/com.ezfun.xyen/files/AssetsBundle/abDataStruct.abMap

MD5 a87d62ef47d476e1511a07daa4d08934
SHA1 8a2336e3711874a59d028addf3c651c9952f8e91
SHA256 3126d0920ff4cef316d8eac2c0738e33102b46ee735083a8b57bd5d4c7d0d44a
SHA512 7bb5b20ab0d1809804bd696179cc14290f7b0321f07f4929a940677715f314af14428340433affae0ed4f54a64ee61f59f7423f70ac03344bf0936d62713138e

/storage/emulated/0/Android/data/com.ezfun.xyen/files/AssetsBundle/asset_length.txt

MD5 abe7cba9a0b5b038e1087dee8321e9bf
SHA1 266f50712dc9b3258e0b6b25c506dcbde0afaaa2
SHA256 20cf7fa19bbaada66fbbaee5506a7e6013a4647554c9d141348ea6d2ad9675ee
SHA512 cc48ffc72f61209a8c38fba9206f073b012415d21f171d1c2a75851c222c1697f60031e6d01fab23a1220a322c777b69281d2282afb48e76b1839cad81fc5e76

/storage/emulated/0/Android/data/com.ezfun.xyen/files/AssetsBundle/localAB.assetbundle.zip

MD5 94fd8bd65529e37d51d8394a071e79ec
SHA1 6fd784e9f4eb445ad608f3e360f2bfb8b0d72941
SHA256 9040003a634293d6d4162d15eb6454a90020ce437727d3114afccbada9dcb769
SHA512 0c778a7b739b54c12d64855c3728fdbc969f373ae6b01b7749ec62f867474afc174ad25855e910a3571a70cfa83cbd2f844b40fb0afe7966498ca7581d7bacfc

/storage/emulated/0/Android/data/com.ezfun.xyen/files/AssetsBundle/localAB.assetbundle

MD5 efe0641f06c1408d2a33d1dfca956555
SHA1 be384bbc06c7e20c94af621bccd6bbf909183f1c
SHA256 c81051f6edf079152ac1cec4fb1d0d9e818fd404bcbbce9a3bfb2ed4aaa53961
SHA512 10e3f51237420b148d196b8b8171451f423fd5bc72e1f467d93737154b9a3c9de2fac550ec4cf9c31d660c1102f41c2e39ef71a159e15b35f997e80360821f69

/storage/emulated/0/Android/data/com.ezfun.xyen/files/cd

MD5 88f27a4cc881802e69d07dbef3a3a572
SHA1 49139c6013f7f23a5510527ab29c6d7c3a141561
SHA256 ad9ba0afef7d77482c21f92da06909fd911cd7595a816cd5698918634aea8c50
SHA512 65e10430fb5b6ccea13ecbb931d9921aea5bbd4162f31897550899381501763616f791d228776cdbf5187f0ceeb275c01617f63c5bbaef6e7173918f95275401

/storage/emulated/0/Android/data/com.ezfun.xyen/files/ver

MD5 93557ef28b4884ba998dcac7eb874bdc
SHA1 0e31a00c00ddb946ece03c9cfa82e1824db8f708
SHA256 dccab60e97343b6a986646eaaa22b03fe7287dc16c3d136b76efddfa1dcbce9c
SHA512 fd672bac9673317e9b951af3ea423774d861ebdc5e34381c60ffda97f53a8c4375d5f21e99b50eb03b037ddaa5f8dd4789899d529e6792b925ccbfb03842c302

/data/data/com.ezfun.xyen/databases/bugly_db_-journal

MD5 f389e21b95b92fdff6b7599db62eb0f3
SHA1 120bd0ac12b2e829ee73f393d97378c7d1313b45
SHA256 6683c70c308bd65d436466d80302e130c25b228faf54635e3e9ec1c997bf0c86
SHA512 7e268ed9de4ad2807c8b571baf9ef066be4e7db2ae74d46233bda929ee1e204dc516a2d96b1de4070643c157e5108a683ed2549d490815bccc5f6f337827be19

/data/data/com.ezfun.xyen/databases/bugly_db_

MD5 ad5d109521c0a336537ffc6b37239424
SHA1 45ea80dc56c067e323974ed23f5fa693d35cab35
SHA256 8a3ad171cedcd403c5858c5bd83b9405fd129bd33aba899be878b9e1fc367d9b
SHA512 abc3a2e9ff208187867c819e83b8603ef274d2a77a2994303d93bd3ec4551e8b40bd8d50f2f6c317b59a098e9e4c963ae625b4418ebe5e3ecd7fcc4d488d8094

/data/data/com.ezfun.xyen/databases/bugly_db_-wal

MD5 2d24a790d56f2d875d83daba6e0eb73d
SHA1 085a68f1029d40a514658756ee32fac4d8bd6be5
SHA256 f73dea1cce9d3ce1710ed3260cf34810da8fb65e66b3197597ca1e2625eb5bcf
SHA512 194ea8d43edd08f98b205f79b9d02561e9448772c9f92fde78ac470993e3b88d62733bff496e90589909b8fd6f40e28349e56e423c05903021fa065aefdb1d85

/data/data/com.ezfun.xyen/files/buglylog_com.ezfun.xyen_.txt

MD5 d1665bc9fb881f83fea829636bc71f16
SHA1 5a1beb8e69a0e065998f631237390dd97a988e64
SHA256 400e297efbd39b148f6b14e98187ae4d74cf9191555e525c8e4192f83fc0a432
SHA512 a37a27443066d39d3642f46ed1cea8bf280fcd965c780da1dae707a06681e28afb10b1decabc3d4d88c9f3dcb8aa0601355b9970a70ae7070daa518a19dc7bda

/data/data/com.ezfun.xyen/files/AppEventsLogger.persistedsessioninfo

MD5 7d722a81be03123dc3bcd63c3fa6e4d1
SHA1 e3f76444b650ae6f30ca80cb77e68a996c2d96cb
SHA256 b2ddf2d14f3d9ad1cc4ad4d62fe48275d8637197fda160df827187953a8b7c8e
SHA512 c05ee055d7abba16fc08ea43b33fbea3b39272d7ff0fc3b58bef3f8570155d909ace3cae11ebdb6f25dbfa72462ebee15bbcc554054fa602e6742d38f3e70f62