Malware Analysis Report

2024-09-09 12:54

Sample ID 240614-jaflqstern
Target a8861f86a1391623596957e2219dd4e5_JaffaCakes118
SHA256 9adb41e9efb686bd5fabe8958cbc5c58b94912472cb2c40e35f19b025b6b15a0
Tags
collection discovery evasion persistence
score
7/10

Analysis Overview

score
7/10

SHA256

9adb41e9efb686bd5fabe8958cbc5c58b94912472cb2c40e35f19b025b6b15a0

Threat Level: Shows suspicious behavior

The file a8861f86a1391623596957e2219dd4e5_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion persistence

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about running processes on the device

Queries information about active data network

Reads information about phone network operator

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:27

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:27

Reported

2024-06-14 07:30

Platform

android-x86-arm-20240611.1-en

Max time kernel

90s

Max time network

159s

Command Line

cn.knowbox.rc.parent

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

cn.knowbox.rc.parent

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 hxqd.openspeech.cn udp
CN 114.118.64.119:80 hxqd.openspeech.cn tcp
US 1.1.1.1:53 data.openspeech.cn udp
US 1.1.1.1:53 scs.openspeech.cn udp
CN 117.48.148.47:80 scs.openspeech.cn tcp
CN 117.48.148.47:80 scs.openspeech.cn tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/cn.knowbox.rc.parent/databases/cc/cc.db-journal

/data/data/cn.knowbox.rc.parent/databases/cc/cc.db

/data/data/cn.knowbox.rc.parent/databases/cc/cc.db-shm

/data/data/cn.knowbox.rc.parent/databases/cc/cc.db-wal

/data/data/cn.knowbox.rc.parent/files/umeng_it.cache

/data/data/cn.knowbox.rc.parent/files/.umeng/exchangeIdentity.json

/data/data/cn.knowbox.rc.parent/files/.um/um_cache_1718350141247.env