Malware Analysis Report

2024-09-09 12:56

Sample ID 240614-kgrs1swerl
Target a8c2249bcb3b74db9d777dc2567cb05c_JaffaCakes118
SHA256 b9ffce66df35d35ffa83d15473d834e279ae1c8fe2f8e96d19299a164059b3bd
Tags
collection discovery evasion persistence
score
8/10

Analysis Overview

score
8/10

SHA256

b9ffce66df35d35ffa83d15473d834e279ae1c8fe2f8e96d19299a164059b3bd

Threat Level: Likely malicious

The file a8c2249bcb3b74db9d777dc2567cb05c_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion persistence

Checks if the Android device is rooted.

Requests cell location

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Queries information about the current Wi-Fi connection

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 08:34

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 08:34

Reported

2024-06-14 08:37

Platform

android-x86-arm-20240611.1-en

Max time kernel

10s

Max time network

157s

Command Line

com.app.zero_syb

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.app.zero_syb/.jiagu/classes.dex N/A N/A
N/A /data/data/com.app.zero_syb/.jiagu/classes.dex!classes2.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.app.zero_syb

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 47.92.174.63:80 tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.75:443 plbslog.umeng.com tcp
CN 47.92.174.63:80 tcp
CN 47.92.174.63:80 tcp
CN 47.92.174.63:80 tcp
CN 47.92.174.63:80 tcp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.app.zero_syb/.jiagu/libjiagu.so

MD5 39d77dcad8e2a44dd7226f442b3a6c92
SHA1 6560fa96c6b5a038abaeee5f139a16e46088d9d7
SHA256 99cba035cae818dbdef989e70e738463798528b8ca52dbf38d2b8a72152680c0
SHA512 7ddfc6c05839160813e58e8f8c50d2dcda7e7b5e7f1d27cffb802ee91de4bb664bc5c257137d39152ed6e8cad0d3c1b067bf8aeb7e53f884893887b54480a5e5

/data/data/com.app.zero_syb/.jiagu/classes.dex

MD5 6eb92ccf823250024f17be90ee653586
SHA1 b1cf7a5a879298a1781a23d31379c0db97629c70
SHA256 f07cc3aa2b8c41692ed7ef879f5ee47b253ec92e479c98ad7477a8c6d84952e8
SHA512 4bc7d8dc7db3a20d4b4f9706975aba77922766ff62df75166e607065eb9ff01b0d8b333dc88a0ad50b6767d463ca39a21045cf834296d78cce89d358c3d2726f

/data/data/com.app.zero_syb/.jiagu/classes.dex!classes2.dex

MD5 ab96f9aaa662b304d027ceee8b40d614
SHA1 f4bdea5a0593a81581e76f15104faf1847739968
SHA256 7b981fb5ba32a98f3045d1a3928f51cca83d3d0fa2c4131270e081330c6e0696
SHA512 73948c8493dc3f1878973703ecfe31fcfd603767d49767bdca1caa90ae7afa7d5c19576c37e7f8f8c1c1ea3c1ab35cf4b77c6680ec74a64a2bfb93ec61fe353e

/data/data/com.app.zero_syb/files/.jglogs/.jg.ri

MD5 db60b4ee9f82666250b9540f5dcb3b4a
SHA1 288c72e3b5b1235f93ce2bc66bf6c6cc604c01c4
SHA256 57c3e7b1e02a88075d2a766c5396d79b81a818fbe37ce82a0ea646b23176b3ed
SHA512 a5e79a2362b1d38ca4e719085bb67135307fa41204b7e028921fa5263748aeed3b896f183f3d113394b0e57aa4a02617537c68b205752fad7ec6b7f42733f60c

/data/data/com.app.zero_syb/files/.jglogs/.jg.ri

MD5 4e740f7f951c716807d3fa2e9ec7c87f
SHA1 8f4a68e6c1182b514b035da11850816707b035c6
SHA256 155f464f78512b2833f3dda5a43250e559c3f591f46eeaedcdb974b79355b4b2
SHA512 e948424b12baaee553e58875f271b22b9141d90610bf52fbfc3e539b928ee5620534d8434909f8b2eb824521088a697a99cf44f4ccb1d685ff50fdbe5bd9ac85

/data/data/com.app.zero_syb/files/.jiagu.lock

MD5 2ed4728120f61d318503e46049a62dac
SHA1 bc2ba03cd1b65ee155e27f7fdb217ed013031a90
SHA256 a267761ad65ec797b64cc540ef6caf2151e9d3b2f2cf01ff718323aed0c227a5
SHA512 1a0d9252bbb6ff5c151b3569267cb9798e8c51b6c6da7884094da4647374693c1cd0bdd96996654301298abbd80f1517d0d6664956711d9d95f93545f891e5fa

/data/data/com.app.zero_syb/files/.jglogs/.jg.rd

MD5 6b2d97b39ae378b25a6079fc5e5bcd40
SHA1 80aefa19fdc7c1410482b82a96738fa251c9a5a9
SHA256 d5fd13a2614b8635ba962c81fbfe4552cbaf84c07650778e6c712e14651a73f5
SHA512 02fc5e7d181e27fa4e40eec2ec63775fb91b64bfda63251d8a01c09bc8b0d981fb8da440b398e28faa8528b2cedb6a6265d07ff76a7d429f79da0ee4f5c57c90

/data/data/com.app.zero_syb/files/.jglogs/.jg.store.report_pid

MD5 219b2ee2fddba0eecda6949ee0b1fa88
SHA1 ac3f3548f7c54f1c911a34278ed0015826e982a5
SHA256 3b174890db11c1edb68c4ca391c33a14e1e804bd1fdd1deeb2ab419b03407bdc
SHA512 d92476e1d07f93f5e0ba05536e25cc01b87452943955cca9d7efec1ee08533f39a644e4eb5a3bb40c8e9f4f10fb7f5976bfd98f485a1ec133d6b1cd1a45fcd56

/data/data/com.app.zero_syb/files/.jglogs/.jg.store.report_pid

MD5 d21fa4f3dc0c01798baa12f61514a752
SHA1 cbb6be424c013fa0cbba84fb94ef7b7ac645c941
SHA256 1a6a65848ead284af1665b92b9b9b44ea515f546549695fb7d7f60028bb11325
SHA512 474f3b7ddb9110b745907499edda325129e71a34d6f9b8a8b584805ee426bf2815a2a75ea50957ba3e309ce9d03183dd77d435b3046e62d2826ffb2f511e2ed3

/data/data/com.app.zero_syb/files/.jglogs/.jg.pk.h

MD5 a2c924e708404bb4fed5cd7d346bf1d1
SHA1 85884235845db8b137b252be261d51b9c72a4280
SHA256 275c18cf31d3cdc86be1c159e53d94f57b511378c1e3d3e3e47569737b706ea7
SHA512 16c392672436741464c898f365c173999fd6dd2beb990718215acbed1f0fbab9ed84896960fec34febafef35d9518791824b524012ced78b0ffb88cc9bf1baa1

/data/data/com.app.zero_syb/files/.jglogs/.jg.pk

MD5 a44f5113a8816080e1b2e3efbff8f98d
SHA1 008518053b6854959055be1f7dbd9ad4996a15d4
SHA256 5ef40840192b1d297add507b8129eb0511e6e23264bafe8d00a9bfeb3ccee9e2
SHA512 1b8a63fb6ce5eb0743ac0c34c534255f3ac0f641533a267a96e9affe72e9f22b7eb331cc1745e2c80237ded6d42576c664dc02ed2749bf151c374b8063cc515a

/data/data/com.app.zero_syb/files/.jglogs/.jg.ac

MD5 d6cded37a04422fbcf11d3ceda3998a0
SHA1 695201cab0d380c8d30488b2edd649fe6f045416
SHA256 07f8d416456527e0a65ab6e1c433c54a8dd1a66ac1d29462f537eaa1299611ad
SHA512 e290903488e19ed9d3fca55513780f046a3d74769c4993d866342e1880f0ed3bde6d05793036abe3f29d5a36c72c9345a2d4651468f9b8468dccfbbd2667ffba

/data/data/com.app.zero_syb/files/.jglogs/.jg.ic

MD5 e4b19f253aa91a0e968b53227535e2a2
SHA1 d5fe0f9fd8cdfc9cb0bbc9ca861e8629ef56dfcb
SHA256 ce7002e3b649712f1801152cfb9a433898de075e3199a1d561ff6fd6e7df02f9
SHA512 114def9d5b6ed7edd65bf0039b2f996cc6b45233f0f38f5811556bdf2ff3f52fff246d95773e4c07254caf6d4aa3ed5eaf45649dd53259282dc0f1a20b7a2303

/storage/emulated/0/okHttp_cache/journal.tmp

MD5 37e8e716e0e2f4a0b05cd9571d95b84d
SHA1 f8d068f6931707bddb8cd69f706f2224ad1fea3c
SHA256 7080cb592d5149c858b206d3fd0d5e3e7d601f120af00b2616bee928ee1291ca
SHA512 e62b850901835fdb73fa6224618422f721dd765861d42f6bc2dd013413e96bd910ac5313afd9b4f63da74beb12a15fac81b5157456c9caa3031862dab84423f6

/data/data/com.app.zero_syb/files/umeng_it.cache

MD5 dfd0d62e017e3eb92d3e08caa4300e90
SHA1 db762d8a097b11a136bbef262681fbfbdb6952cc
SHA256 04b4d29759d9fc1cb40496304175f902bf652a435734171bea6ab8b5a77cdb07
SHA512 8dc83c099c33b1900c4762847254476c8771489a70142e7c86c9ac7f124640f9959ae0114f84bc18ed816da828d0f21fb4eb7afc43de6177ec8ab3f12a56b213

/data/data/com.app.zero_syb/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzU0MDk2ODk3

MD5 2d9b42f3da9e2204b4cb0e6a6d565981
SHA1 2ddb9dea70173650c0f7b7a6f26b07c2ef713fc6
SHA256 da7b576b7aec404243c7f80a16bf7ddbf374296e818e53e3ab909a41cdf07f21
SHA512 8351fdb39babd1e0ddf9a1febe2a57846bdb5a2e7801db35581d3cbe6f4e2adebe523af973193ddbdbe113c4c4ba7c5abc277403357e76ffdf88f0e56e374855

/data/data/com.app.zero_syb/databases/bugly_db_-journal

MD5 ec2c7b3a8e55464257756600513a5bf6
SHA1 ee88f919b8a292a9c2a06ac60ed10d8b8d6dd8e2
SHA256 bcd10edc8058e8c0fc061807124a248da0eb7e394eccaf31154f49a5880f0e7e
SHA512 cb56fa120fba99c7acba80fff89a2f19d4ffb09541b03c38d99b756bcf62506a2a764bd4593deb3355f44230fe380602db75a7b00c9fadd70b14da3485ce7130

/data/data/com.app.zero_syb/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.app.zero_syb/databases/bugly_db_-wal

MD5 3e718e6ec2e2600ee0ed0f1ebc27f493
SHA1 2360ab968fa0022fafb280329b673922c89f478d
SHA256 5f23af436f0533b3325f88cde30cfb4efcba33adccaed38232392902ebb78b6b
SHA512 6c5a72d1934d0ee552fda5a7e373aedde2f1794ea1b512439b99c157ff98bdcd0bf79726f64ce89ccfc86be47a6406e9ddc1e599927bd5345431d9b517274d12

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 08:34

Reported

2024-06-14 08:37

Platform

android-x64-arm64-20240611.1-en

Max time kernel

7s

Max time network

138s

Command Line

com.app.zero_syb

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.app.zero_syb/.jiagu/classes.dex N/A N/A
N/A /data/user/0/com.app.zero_syb/.jiagu/classes.dex!classes2.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.app.zero_syb

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
CN 47.92.174.63:80 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/user/0/com.app.zero_syb/.jiagu/libjiagu.so

MD5 39d77dcad8e2a44dd7226f442b3a6c92
SHA1 6560fa96c6b5a038abaeee5f139a16e46088d9d7
SHA256 99cba035cae818dbdef989e70e738463798528b8ca52dbf38d2b8a72152680c0
SHA512 7ddfc6c05839160813e58e8f8c50d2dcda7e7b5e7f1d27cffb802ee91de4bb664bc5c257137d39152ed6e8cad0d3c1b067bf8aeb7e53f884893887b54480a5e5

/data/user/0/com.app.zero_syb/.jiagu/classes.dex

MD5 6eb92ccf823250024f17be90ee653586
SHA1 b1cf7a5a879298a1781a23d31379c0db97629c70
SHA256 f07cc3aa2b8c41692ed7ef879f5ee47b253ec92e479c98ad7477a8c6d84952e8
SHA512 4bc7d8dc7db3a20d4b4f9706975aba77922766ff62df75166e607065eb9ff01b0d8b333dc88a0ad50b6767d463ca39a21045cf834296d78cce89d358c3d2726f

/data/user/0/com.app.zero_syb/.jiagu/classes.dex!classes2.dex

MD5 ab96f9aaa662b304d027ceee8b40d614
SHA1 f4bdea5a0593a81581e76f15104faf1847739968
SHA256 7b981fb5ba32a98f3045d1a3928f51cca83d3d0fa2c4131270e081330c6e0696
SHA512 73948c8493dc3f1878973703ecfe31fcfd603767d49767bdca1caa90ae7afa7d5c19576c37e7f8f8c1c1ea3c1ab35cf4b77c6680ec74a64a2bfb93ec61fe353e

/data/data/com.app.zero_syb/files/.jglogs/.jg.ri

MD5 4f553a3f0859c25ca7734d66c63953e9
SHA1 bc6d2044a9ec03b88872908a588b6b1290df78c4
SHA256 a6e684937b3c1b1b076d6da89b59c8c71348260afff801167765acd6f8880301
SHA512 da91a137d27256e856c955bb08727fd1cfd501aa079f2380281f95f17cf437f27aa1bbcd4cee1dc062b639d2c60fd3f4510779224b8e3a9051f86a324e27f860

/data/data/com.app.zero_syb/files/.jglogs/.jg.ri

MD5 73be6df4462d3b3afa45906e4ad641c2
SHA1 06d8307ed13d73e6ea014ecaa7305c449b81e1dd
SHA256 b99dfb22a898db1330f08d9005183b543de3148fe628cc0103c44e18f784da8c
SHA512 e1b8a50fbdadf5a284ef56ef6d8971546a608f425cf44ae8ad7c99c331a015dd08501a171ce5fe416828e584f198fb09d838f29f0d549cda60c6e41a4d39c3ea

/data/data/com.app.zero_syb/files/.jiagu.lock

MD5 42fcc58ceed7090912c27a8b47620604
SHA1 3b2645aef51eb84bf227b7b3fee19798d5ca97fb
SHA256 be574510e964ee4ea269f3f197e65b42be32f7bedd1489e62918e77b8b8b2507
SHA512 0ca84232779c45ed5a6327b3f3d4f832c497beafce9b179fb20dd0a5f9ea0ddf8fba2063ff596f89d06d4833d9cc5612b7f9b865cea4c7f627544ec0a10b5167

/data/data/com.app.zero_syb/files/.jglogs/.jg.rd

MD5 db68b967b9e9cb42ef8ea966dd2037f4
SHA1 297195535eb362bd213d59a1b3d2f1ef844ad67e
SHA256 d6af70a762c6446c3486190c03ea46c17d2d0ce73639228b85104a5d4818f716
SHA512 766a2a1b123744392407c6675b507ab3065bbb8fb2cda18125afc82501d55953801b2b4c05a606c307b9bbc213b4ba1a8813a3928f3ecafec2bf11ce88979094

/data/data/com.app.zero_syb/files/.jglogs/.jg.store.report_pid

MD5 219b2ee2fddba0eecda6949ee0b1fa88
SHA1 ac3f3548f7c54f1c911a34278ed0015826e982a5
SHA256 3b174890db11c1edb68c4ca391c33a14e1e804bd1fdd1deeb2ab419b03407bdc
SHA512 d92476e1d07f93f5e0ba05536e25cc01b87452943955cca9d7efec1ee08533f39a644e4eb5a3bb40c8e9f4f10fb7f5976bfd98f485a1ec133d6b1cd1a45fcd56

/data/data/com.app.zero_syb/files/.jglogs/.jg.store.report_pid

MD5 d21fa4f3dc0c01798baa12f61514a752
SHA1 cbb6be424c013fa0cbba84fb94ef7b7ac645c941
SHA256 1a6a65848ead284af1665b92b9b9b44ea515f546549695fb7d7f60028bb11325
SHA512 474f3b7ddb9110b745907499edda325129e71a34d6f9b8a8b584805ee426bf2815a2a75ea50957ba3e309ce9d03183dd77d435b3046e62d2826ffb2f511e2ed3

/data/data/com.app.zero_syb/files/.jglogs/.jg.pk.h

MD5 a44f5113a8816080e1b2e3efbff8f98d
SHA1 008518053b6854959055be1f7dbd9ad4996a15d4
SHA256 5ef40840192b1d297add507b8129eb0511e6e23264bafe8d00a9bfeb3ccee9e2
SHA512 1b8a63fb6ce5eb0743ac0c34c534255f3ac0f641533a267a96e9affe72e9f22b7eb331cc1745e2c80237ded6d42576c664dc02ed2749bf151c374b8063cc515a

/data/data/com.app.zero_syb/files/.jglogs/.jg.ac

MD5 d6cded37a04422fbcf11d3ceda3998a0
SHA1 695201cab0d380c8d30488b2edd649fe6f045416
SHA256 07f8d416456527e0a65ab6e1c433c54a8dd1a66ac1d29462f537eaa1299611ad
SHA512 e290903488e19ed9d3fca55513780f046a3d74769c4993d866342e1880f0ed3bde6d05793036abe3f29d5a36c72c9345a2d4651468f9b8468dccfbbd2667ffba

/data/data/com.app.zero_syb/files/.jglogs/.jg.ic

MD5 e4b19f253aa91a0e968b53227535e2a2
SHA1 d5fe0f9fd8cdfc9cb0bbc9ca861e8629ef56dfcb
SHA256 ce7002e3b649712f1801152cfb9a433898de075e3199a1d561ff6fd6e7df02f9
SHA512 114def9d5b6ed7edd65bf0039b2f996cc6b45233f0f38f5811556bdf2ff3f52fff246d95773e4c07254caf6d4aa3ed5eaf45649dd53259282dc0f1a20b7a2303