Malware Analysis Report

2024-09-09 17:38

Sample ID: 240614-j6aelawapn
Target: a8b15d1b29165f61b73433bb32d93e5f_JaffaCakes118
SHA256: 5aace895c04ea73887458ffe2e718b7278c667f748c8291b08c74ea3f3a58af6
Tags: discovery evasion impact persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file a8b15d1b29165f61b73433bb32d93e5f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 08:16

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 08:16

Reported

2024-06-14 08:19

Platform

android-x86-arm-20240611.1-en

Max time kernel

65s

Max time network

177s

Command Line

com.yxxinglin.xzid449155

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.yxxinglin.xzid449155

getprop ro.product.cpu.abi

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
US | 1.1.1.1:53 | log.tbs.qq.com | udp
CN | 36.156.202.68:443 | plbslog.umeng.com | tcp
HK | 129.226.107.80:80 | log.tbs.qq.com | tcp
US | 1.1.1.1:53 | ulogs.umeng.com | udp
CN | 223.109.148.177:443 | ulogs.umeng.com | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
CN | 223.109.148.179:443 | ulogs.umeng.com | tcp
CN | 223.109.148.130:443 | ulogs.umeng.com | tcp
CN | 223.109.148.141:443 | ulogs.umeng.com | tcp
CN | 223.109.148.178:443 | ulogs.umeng.com | tcp
CN | 223.109.148.176:443 | ulogs.umeng.com | tcp

Files

/storage/emulated/0/Android/data/com.yxxinglin.xzid449155/files/tbslog/tbslog.txt

/data/data/com.yxxinglin.xzid449155/files/umeng_it.cache

/data/data/com.yxxinglin.xzid449155/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzUyOTkzOTk0

/data/data/com.yxxinglin.xzid449155/files/.umeng/exchangeIdentity.json

/data/data/com.yxxinglin.xzid449155/files/exid.dat

/data/data/com.yxxinglin.xzid449155/files/.envelope/i==1.2.0&&1.0_1718352995108_envelope.log

/data/data/com.yxxinglin.xzid449155/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzUzMDI0Njgx
