Malware Analysis Report

2024-09-09 17:38

Sample ID: 240614-hzbhmstbqm
Target: a8762fcd2bca8e03d8cccc9a0e4ca9ff_JaffaCakes118
SHA256: bc324a8d229b383bb3f68012b2be966b65fd2ea7b716c1c4f01ea49a30400734
Tags: banker discovery evasion impact persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: bc324a8d229b383bb3f68012b2be966b65fd2ea7b716c1c4f01ea49a30400734

Threat Level: Likely malicious

The file a8762fcd2bca8e03d8cccc9a0e4ca9ff_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 07:10

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 07:09
Reported: 2024-06-14 07:13
Platform: android-x86-arm-20240611.1-en
Max time kernel: 11s
Max time network: 138s

Command Line

com.xueqiu.android

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xueqiu.android

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

/system/bin/sh -c type su

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | xdrig.com | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
US | 1.1.1.1:53 | rqd.uu.qq.com | udp
HK | 43.135.106.42:80 | rqd.uu.qq.com | tcp
HK | 43.135.106.42:80 | rqd.uu.qq.com | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.xueqiu.android/databases/bugly_db_-journal

/data/data/com.xueqiu.android/databases/bugly_db_

/data/data/com.xueqiu.android/databases/bugly_db_-shm

/data/data/com.xueqiu.android/databases/bugly_db_-wal

/storage/emulated/0/snowball/image_cache/journal.tmp

/data/data/com.xueqiu.android/files/0/db_home/je.config.csv

/data/data/com.xueqiu.android/files/0/db_home/00000000.jdb

/data/data/com.xueqiu.android/files/0/db_home/je.stat.csv

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 07:09
Reported: 2024-06-14 07:13
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 7s
Max time network: 134s

Command Line

com.xueqiu.android

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xueqiu.android

Network

Country | Destination | Domain | Proto
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.201.106:443 | | tcp
GB | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | xdrig.com | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | rqd.uu.qq.com | udp
HK | 43.135.106.212:80 | rqd.uu.qq.com | tcp
HK | 43.135.106.212:80 | rqd.uu.qq.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp

Files

/data/user/0/com.xueqiu.android/databases/bugly_db_-journal

/data/user/0/com.xueqiu.android/databases/bugly_db_

/storage/emulated/0/snowball/image_cache/journal.tmp

/data/user/0/com.xueqiu.android/files/0/db_home/je.config.csv

/data/user/0/com.xueqiu.android/files/0/db_home/00000000.jdb

/data/user/0/com.xueqiu.android/files/0/db_home/je.stat.csv