Malware Analysis Report

2024-09-09 17:38

Sample ID 240614-jk423s1and
Target a8940b31d9dfe1a827a633cff3e1f7e2_JaffaCakes118
SHA256 c1e42f226ddd55b8096893f911faa71578fedd5812c79d556d82736b6db4592d
Tags
banker discovery impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a8940b31d9dfe1a827a633cff3e1f7e2_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Reads information about phone network operator

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:44

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:44

Reported

2024-06-14 07:47

Platform

android-x86-arm-20240611.1-en

Max time kernel

174s

Max time network

183s

Command Line

com.wta.YdbDev.jiuwei129276

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.wta.YdbDev.jiuwei129276

com.wta.YdbDev.jiuwei129276:pushservice

cat /sys/class/net/wlan0/address

getprop ro.product.cpu.abi

Network

Files

/storage/emulated/0/Android/data/com.wta.YdbDev.jiuwei129276/files/tbslog/tbslog.txt

/data/data/com.wta.YdbDev.jiuwei129276/files/umeng_it.cache

/data/data/com.wta.YdbDev.jiuwei129276/databases/pushsdk.db-journal

/data/data/com.wta.YdbDev.jiuwei129276/databases/pushsdk.db

/data/data/com.wta.YdbDev.jiuwei129276/databases/pushsdk.db-shm

/data/data/com.wta.YdbDev.jiuwei129276/databases/ThrowalbeLog.db-journal

/data/data/com.wta.YdbDev.jiuwei129276/databases/ThrowalbeLog.db-wal

/data/data/com.wta.YdbDev.jiuwei129276/files/.um/um_cache_1718351151784.env

/data/data/com.wta.YdbDev.jiuwei129276/app_tbs/core_private/debug.conf
