Malware Analysis Report

2024-09-09 17:38

Sample ID: 240614-j1c9asvgqk
Target: a8a9b1f07f04219e9063d8c352076558_JaffaCakes118
SHA256: 3a153d4f7a3995209cfc44cda6f0a59bd6f32ed908393d6004e4d16a9df88854
Tags: discovery evasion impact persistence
Score: 8/10


Analysis Overview

Score: 8/10
SHA256: 3a153d4f7a3995209cfc44cda6f0a59bd6f32ed908393d6004e4d16a9df88854
Threat Level: Likely malicious

The file a8a9b1f07f04219e9063d8c352076558_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 08:07

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 08:07
Reported: 2024-06-14 08:11
Platform: android-x86-arm-20240611.1-en
Max time kernel: 130s
Max time network: 185s

Command Line: com.txtbook.reader

Signatures

Checks if the Android device is rooted.

Tag: evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

Tag: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

Tag: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tag: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tag: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.txtbook.reader

/system/bin/sh -c type su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
CN | 203.107.1.97:443 | | tcp
CN | 203.107.1.1:80 | | tcp
CN | 203.107.1.1:80 | | tcp
CN | 203.107.1.1:80 | | tcp
US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
CN | 203.107.1.100:443 | | tcp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp
CN | 203.107.1.100:443 | | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | httpdns-sc.aliyuncs.com | udp
CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp
CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp
CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp
CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp
CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp
US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp
CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp

Files

/data/data/com.txtbook.reader/databases/ishugui.db-journal

MD5 a19ec50e3f8a3dbc7ac2f9b02642789d
SHA1 47824440de99a5a01c98cffabd9e104328ed6539
SHA256 59418453934368ea70743e41afee042d0df74666eea8636db15a4dbc37e13796
SHA512 2b3a04dcb092d36352e5514a70be8c7040e87461717d0ef56bcee804e791e4aa6780a7946220dd42097b84a557d7fe1b24704ec10c0895c4210ee6cc627fb66a

/data/data/com.txtbook.reader/databases/ishugui.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.txtbook.reader/databases/ishugui.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.txtbook.reader/databases/ishugui.db-wal

MD5 0d08c9dc47f5697f1f048b8f3068f5d6
SHA1 ed4e04fa6385dbdb9bdad6e8b4304ff4f43a5faa
SHA256 536688dc4ce6f40d47f506b1c19fb8464c789911233b40b2ad6f4f999d26ed6c
SHA512 1cd5e26b22d7792fb2d729cf90ef1b53f8d846dcef3a32f54e4f5158f20e2efc0a4ff8e373a961b0edfb2e6cb0060f8a9fc4dc52f6e9c3ea3f93bc4d2338aa35

/data/data/com.txtbook.reader/databases/aliclound_httpdns.db-journal

MD5 fbfb482ce5da38e28bfaec1e378e1e99
SHA1 fe01106bd36037ea73167118ebfe25e3d6fe7560
SHA256 8586999eb78a7d6980e8e8a6bc8449e4e8e9c59090ae6cd721b60fd19d57f2bc
SHA512 f3b0b52a511e99f570e83d0a408417d1eb4253fc7d1f85e17d375f273b1d8560d9b440662bce18f0067a3905b7cbfe7f014baa620c9fe9bd3957ba94d88cab1f

/data/data/com.txtbook.reader/databases/aliclound_httpdns.db

MD5 eae6de26f251dfcb85fc3cbca903609b
SHA1 f5008c61280f4fc4e7a6501e2d4361ee6edc2bc4
SHA256 f01f5d5120c24e8aafb4517b0b90f8c1b975b89b958c94f49e5db33ad023dbc9
SHA512 f8227b51cc64b66e0ca02b7ea47520c55e1a2187798b8cde412bef95fc6234f9254d61085baa333a28a067e8ec2a38bf465c75d99d110cac72ca95d628260792

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/data/data/com.txtbook.reader/databases/aliclound_httpdns.db-wal

MD5 d9948f03a112cffaee0602bf35b7a081
SHA1 0cb396ef7c4fc5b2663aa4f1e85a5b240c8fe856
SHA256 2d6b35bb944799463dbf21003d49b6b1394aaf967f3540153f3ab061b3e0cc18
SHA512 4bdda826a8ca8f8b5e405990fd74554c0c94a13b384a43a65098887c1faca6c09efcea5f724369480ebbe2b27d321bd4576a8d26a028397e3898ed49efba23cc

/data/data/com.txtbook.reader/databases/bugly_db_-journal

MD5 04928a0fbe900876e102f6af2148c0ba
SHA1 a5ab6c46ce1f9673f541d90b0167f60ff58ac6f8
SHA256 63b9433d16e08209c5397c7e313b18767365365fefbef2dec135aa15a4103008
SHA512 3b89cfcd7c40107b7542caa0ce8fe25161933e710471d4694a5b3c557685f1810dc236be4d073741d66ab7d33b265a4ae96d6161965827df992211c5f422b55a

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9a985df9e41675ecc4d767bb273347e8
SHA1 fc14681a3069a3b4d64a22dc690ba936e0dad8d5
SHA256 e8a9e46112ceab9ec936dc794301d2e62967002fdab0be39635f018b9805d60d
SHA512 d293bd47fb1d8a391b05c952a71692363441e97cbb52e8537ff57bf2246b1b1dcfee6e314c5537ee10d5a4af62423be6acc7262eb5729d3fba003130177d5f8b

/data/data/com.txtbook.reader/databases/bugly_db_-wal

MD5 842308e1f4f638bb938ae7d79c7d3500
SHA1 0132e56ae2a01e6d8b77b83f6f0909b6c12bfd11
SHA256 6da737a8fae1d6dc13caad859d0d7aefd236ea2d2441f68757c38b4f6b024bc0
SHA512 9a58218b78995dd3461a04a5960f3dd7cf21af56347a78f002b3c51c9d74722eb730677a273c2036cf99fb9459d6bf0d96f80b5d170da6a0e6c308caa44e117d

/data/data/com.txtbook.reader/app_crashrecord/1004

MD5 4336755bf87986cf476241a0688b8c0f
SHA1 ff64303e65a9ba038879adaa82ecd430e7ec9ca5
SHA256 e58defeaa0ff497abfabd45bed66f4a73438a7cb805812b81114e7f55abf1c3c
SHA512 313d6a55a8c3798e0b8795233021660fa6e677f54ac18f333f349a5ffe0e0e098f4951a81fb3442bba0e7ffd5eff42bf94209fd3a0c5edd7b509a8c6a5e03b55

/data/data/com.txtbook.reader/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 0c143618fdc2b002f6f65385c13de6e1
SHA1 dae2873caae395fbed504dd3771457a934b92956
SHA256 9f80733bb2acb24131a23eefd03803ee0cbac42d6a49997e737dd0b661f79722
SHA512 a919b0aef32a4b8f662cf7f7c6a47d22dd6acf2240870d333b245a8638972aee0cfffd37310b3b6ef0478dfbf2e2698fdbe1d7ca03f470df1da13c6b9369d210

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 6c2d15ed4d7752e02239c873abfc6c0a
SHA1 d747529e22c600a56ff54a0cf4e04b9499c41571
SHA256 22bd8c050be8a3f4a22b54d209d5751dcaedc0316dca2bbe51b8bfb8619c62f5
SHA512 9f3e20237fd131a75371c9801f9ca9167232e37ee20df2159f7aa94b923d766cdef042bbecb34ec465e18b5d50ac94e3987d0ffbc5e88fcc414c9f7f8b357b1b

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 4a60b97043385c429c86358e7e76943b
SHA1 ebb01e140979162dc653d97fbb7cecc0076b584b
SHA256 d3fea38951453fd28a04f416e6a164257bf33c1104e20a072b95facb61968c87
SHA512 c3b664d51f8966fe93bc073cd19d03c8152e9e2b8b05368b5ce984c0b3c59679051e7de7b8c58cb4fa2d4fc41d6966be360736bf14f0653d264048944d02a05a

/data/data/com.txtbook.reader/databases/cc/cc.db-journal

MD5 8f77673f07b884cda4a851413740c370
SHA1 7e2c91a92c1b7a734a5977ef95a970282f58f983
SHA256 72821d345c7f62c93954621a9b2ba1c16303f0c57d55f52a8feec097f41fa73f
SHA512 3d2429547f026ccec3b8a47f21fea3793a2719507e207c3740687ea39067890f18f4cc7a0bfe283ca8c973377557c0a8192fffdfad457634f229c3d44476fb03

/data/data/com.txtbook.reader/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.txtbook.reader/databases/cc/cc.db-wal

MD5 47991f6d7a07bac1c606de6f4b5af600
SHA1 d0907e593d8b9eb160b14a16eca11d21e1793136
SHA256 0fa355d449d26e68020f93e0079819fd0c3505082fd97832c5300be60580ef9c
SHA512 cec035101951daa1d524777051f9cf1ce551d890e7863dcbdf9ad2035d3b83c2fd46363ef856da24a636c13dca8e07e4d47cd06222e8007105701a7371ab2f2a

/data/data/com.txtbook.reader/databases/ua.db-journal

MD5 06a2ed52310d6e5d0cd3e79a0b252b80
SHA1 db903814713beee33b19611e03a03c30a8fbd53c
SHA256 b3da189630116edda7d5390676261debc8f97a7aaddbb840a805753d51b15494
SHA512 a1d3efbd51d12d0101f00e3af40826984358a66fe855271413be1338a120936f2cb69a9d49346aa655955d078c294af4144a732e2dda8df401a5719713ff4e75

/data/data/com.txtbook.reader/databases/ua.db

MD5 af4360b4bf02cda50595f79b910c2416
SHA1 a2fae50095026171a11143ba2af5a1fe570b6986
SHA256 5f58639066e81261891677509b7ace0d91819a8d2908efb2896c4b72480ef90b
SHA512 b582c235f8d9eb5af9881c1cb544e3d1a590318e37972dc3818a3ae49ce397841d394f5d5d403d5b8f91150d8223a3e6e457dbce1d69a826a0aaed8fd97cb3ec

/data/data/com.txtbook.reader/databases/ua.db-wal

MD5 87b2c1d7796302d7911ed2f72e852dce
SHA1 3e9ff79f0a84dddeb32eb8651ab63b8b47e351bd
SHA256 c54af5198b2937876ddd0e114ebd69829858d1aab163c4457d4ded0f26913b85
SHA512 2e8ac953472f0f041f62469f0bf7c8ada82f21d8478f1f3e4e72aef78a31222a422d5168bf8b5f8e81858c8baa98923f0443f314af6c7cf2c9e769ffe5ba31fc