Analysis Overview
SHA256: 5aace895c04ea73887458ffe2e718b7278c667f748c8291b08c74ea3f3a58af6
Threat Level: Likely malicious
The file a8b15d1b29165f61b73433bb32d93e5f_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries information about running processes on the device
Queries information about the current nearby Wi-Fi networks
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the unique device ID (IMEI, MEID, IMSI)
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
Analysis: static1
Detonation Overview
Reported: 2024-06-14 08:16
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-14 08:16
Reported: 2024-06-14 08:19
Platform: android-x86-arm-20240611.1-en
Max time kernel: 65s
Max time network: 177s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system/app/Superuser.apk | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.yxxinglin.xzid449155
getprop ro.product.cpu.abi
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| US | 1.1.1.1:53 | log.tbs.qq.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| HK | 129.226.107.80:80 | log.tbs.qq.com | tcp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 223.109.148.177:443 | ulogs.umeng.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| CN | 223.109.148.179:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.130:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.141:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.178:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.176:443 | ulogs.umeng.com | tcp |
Files
/storage/emulated/0/Android/data/com.yxxinglin.xzid449155/files/tbslog/tbslog.txt
/data/data/com.yxxinglin.xzid449155/files/umeng_it.cache
/data/data/com.yxxinglin.xzid449155/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzUyOTkzOTk0
/data/data/com.yxxinglin.xzid449155/files/.umeng/exchangeIdentity.json
/data/data/com.yxxinglin.xzid449155/files/exid.dat
/data/data/com.yxxinglin.xzid449155/files/.envelope/i==1.2.0&&1.0_1718352995108_envelope.log
/data/data/com.yxxinglin.xzid449155/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzUzMDI0Njgx