Malware Analysis Report

2024-09-09 16:02

Sample ID: 240614-ntynwashjk
Target: a97dcfe02c28b44dace50693e4b14016_JaffaCakes118
SHA256: 503b2b5b161845f4a00466796da15c204b5cafe456d1bac0dba1e8ae0d09c729
Tags: collection credential_access discovery evasion impact persistence
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 503b2b5b161845f4a00466796da15c204b5cafe456d1bac0dba1e8ae0d09c729

Threat Level: Likely malicious

The file a97dcfe02c28b44dace50693e4b14016_JaffaCakes118 was found to be: Likely malicious.

The verdict rests on the two x64 detonations (behavioral2 and behavioral3). The android-x86-arm run (behavioral1) logged only 3s of kernel time, dropped no files and reached nothing beyond the Google check-in, so its shorter signature list reflects reduced coverage on that platform, not benign behaviour. The "impact" tag comes from the clipboard listener and the javax.crypto.Cipher.doFinal call; no encrypted or destroyed user data is recorded among the dropped files.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about the current nearby Wi-Fi networks

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries information about active data network

Queries the mobile country code (MCC)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 11:41

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 11:41
Reported: 2024-06-14 11:45
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 66s
Max time network: 132s

Command Line

com.yxxinglin.xzid76468

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yxxinglin.xzid76468

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.10:443 | - | tcp
GB | 142.250.178.10:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
GB | 172.217.16.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | wendsldj.com | udp
NL | 78.41.204.27:80 | wendsldj.com | tcp
NL | 78.41.204.27:80 | wendsldj.com | tcp
US | 1.1.1.1:53 | ww1.wendsldj.com | udp
US | 199.59.243.226:80 | ww1.wendsldj.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp
GB | 172.217.16.226:443 | partner.googleadservices.com | tcp
GB | 216.58.212.206:443 | www.adsensecustomsearchads.com | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 216.58.204.65:443 | afs.googleusercontent.com | tcp
GB | 216.58.204.65:443 | afs.googleusercontent.com | tcp
GB | 216.58.201.100:443 | www.google.com | tcp
GB | 216.58.201.100:443 | www.google.com | tcp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp

(- = no domain recorded for the connection; 1.1.1.1:53 rows are DNS lookups of the named domain)

Files

/data/user/0/com.yxxinglin.xzid76468/files/umeng_it.cache

MD5 144e5af91ca695fe6a3738ba4c8ecc4c
SHA1 e039cba11183a921f9e9458afff619a9e89f05d8
SHA256 bfbaab28516a61bbbd184ac9711310f545edf274aedd7b8473d3d150b39ed100
SHA512 367a4a1a5ed4f638fa46fd343f9c417e47dd76e038edf7db67ed9e342d3a54746b812a0e3fdcfa376c70a89d3a2b5b37a239c8b9324b71c365bb4bd46ca739da

/data/user/0/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzY1MzMzOTg1

MD5 a383e67bee14bcd0f7c38be58a7ef51e
SHA1 38e102f7eb594ddc420b01879bdad2bad97cb46c
SHA256 6eadd369a2ac02a78f9630329931239096ea677629bacda6e9e23f6c81160ce6
SHA512 9331a115924579e2f58fcb6b77f53936360dceb994c6657a3e65170207cddf9ccf9c70c9ebc720ff77947d24105061902cdba02c087859711bf0d35325e5f8a9

/data/user/0/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzY1MzY0MjQ3

MD5 5b73d0145cd591500d07793ee3510699
SHA1 9634fbf82dfba58af5660a02c659ff5b0e3b798f
SHA256 28a571037339b8053ae7608917143cef3a71bcf89de572b6e55bbdc06ad82741
SHA512 d7746e22c1a5248650d5159235c310b74f409ec8c57cea8edcbdb012456dfa677b9081a77124743ceb3124fd231a3cf6c3ba7a1123c818ea2fda18f0b73351e9

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 11:41
Reported: 2024-06-14 11:45
Platform: android-x86-arm-20240611.1-en
Max time kernel: 3s
Max time network: 131s

Command Line

com.yxxinglin.xzid76468

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.yxxinglin.xzid76468

ls /sys/class/thermal

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

(- = no domain recorded for the connection; 1.1.1.1:53 rows are DNS lookups of the named domain)

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 11:41
Reported: 2024-06-14 11:45
Platform: android-x64-20240611.1-en
Max time kernel: 67s
Max time network: 182s

Command Line

com.yxxinglin.xzid76468

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yxxinglin.xzid76468

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.234:443 | - | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
US | 1.1.1.1:53 | ulogs.umeng.com | udp
CN | 223.109.148.176:443 | ulogs.umeng.com | tcp
CN | 36.156.202.68:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | wendsldj.com | udp
NL | 78.41.204.27:80 | wendsldj.com | tcp
NL | 78.41.204.27:80 | wendsldj.com | tcp
US | 1.1.1.1:53 | ww1.wendsldj.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 199.59.243.226:80 | ww1.wendsldj.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp
GB | 142.250.179.226:443 | partner.googleadservices.com | tcp
GB | 216.58.213.14:443 | www.adsensecustomsearchads.com | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 142.250.179.225:443 | afs.googleusercontent.com | tcp
GB | 142.250.179.225:443 | afs.googleusercontent.com | tcp
GB | 142.250.200.46:443 | - | tcp
GB | 142.250.179.226:443 | partner.googleadservices.com | tcp
CN | 223.109.148.177:443 | ulogs.umeng.com | tcp
CN | 36.156.202.68:443 | plbslog.umeng.com | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.200.46:443 | - | tcp
CN | 223.109.148.178:443 | ulogs.umeng.com | tcp
CN | 223.109.148.141:443 | ulogs.umeng.com | tcp
CN | 223.109.148.130:443 | ulogs.umeng.com | tcp
CN | 223.109.148.179:443 | ulogs.umeng.com | tcp

(- = no domain recorded for the connection; 1.1.1.1:53 rows are DNS lookups of the named domain)

Files

/data/data/com.yxxinglin.xzid76468/files/umeng_it.cache

MD5 8e5c2342f629ad1dccec80ba45765347
SHA1 33d25dbef38f764c34b4dc8ad77f33d783c9b63a
SHA256 a4c7fd6d94cb6e27e6f438120c9ac816ab2c45e6c67cd92177d3d7097b99306c
SHA512 11addf16a42f8398f2e5bbb87a8c25b5ded14d004a92bcf38ffe0a84e3e814ce69eaaeb043bc7e26f47bf804de8edbc887f2457e46fb2798ba88202357a976f4

/data/data/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzY1MzM1NzA1

MD5 aa9415f32c530c227eee452220df4d68
SHA1 2fa36239ca0cb5a755dec47f236e915afa7cdf52
SHA256 de5b2a45d9c90fd551ecba8a8f00b045f5dd4ef16f47a7cd7fa151e9ba1ff5a2
SHA512 61f918c97d080bc12363311064d369adf7654f8eafc3262daea1b8a08e43d68469f8596fa65a9cd7f242d646a030dbb03f548e2872a8754a92d858b8de44e357

/data/data/com.yxxinglin.xzid76468/files/.umeng/exchangeIdentity.json

MD5 877c86ff8262f401389a8183feed5084
SHA1 5ad4ae769c751cbd40c7e12ddff3a36f415993b3
SHA256 4bc9b9d31791e207c3083bf81e0fd5c29991c9a4e979e00d269cac6fa52c7488
SHA512 c54d1f7633dde189b349c7a73e32be8dac5574f12358e1a2c3ccba433e534dba3f0f46580c808c3c708f1359ced60dfb2f61b478528896f544900d2babfaa2b3

/data/data/com.yxxinglin.xzid76468/files/exid.dat

MD5 162b798c0623d619ae7da02295de5e50
SHA1 fd977c594928139ebb6c6f3b3014ff0fb6bceec6
SHA256 2c0ff049983ca195d6aba19951803f2ebd8d830f0d4a9f2732c5bcc5caaa688a
SHA512 64fc8724dbb93161e2feeb1a1a15faec716c7869d4499ed5b2ddeeea2c52b4ee77c1b270e239c3f066e8ca5ba25d47770fba77acecf5329b9dd858f508eb7146

/data/data/com.yxxinglin.xzid76468/files/.envelope/i==1.2.0&&1.0.0_1718365335760_envelope.log

MD5 64981a96ce756eb79d7e5938b39c14c1
SHA1 2e670c1201b84cc3efa09808667a0b1fac04df4b
SHA256 4bbe8b25880616e3475fcec686368f78a536952fa540aae42967b7c87d7828c2
SHA512 101ad0b4c9f46389ebedade9cc43ac514a4e55a247040c6c38bff1fe48d3c77d16a555060799e329855098caf3061c68f9d2ad8d191a1cddfd55a550eda09e66

/data/data/com.yxxinglin.xzid76468/databases/ua.db-journal

MD5 f6767a082dd37d4ac8ff6c6debea0194
SHA1 ab8e81ab1f43f30db38474bdf6b4539305f1ff6a
SHA256 45a42a041b27e686a2bec7914eb12741be37dc311c90cdd3fe254df5f4aac9b0
SHA512 ed680fdbb7cdd166467009d1e838b04015834c4688b3456ebe4c9ebbb823dc2b37ddf243c7558978356a38fa8bc1443fe92dcedc80f991740ebec28c83b8b8cd

/data/data/com.yxxinglin.xzid76468/databases/ua.db

MD5 b7036131b84bdf2b66c67fde18d62308
SHA1 18b1e5a358d68c846495cab5cfef7c6679659093
SHA256 c2c0bc8842203ccf1665dbb5b3333b22ae5a6ae3ef8eafe83e7f43adf32d0295
SHA512 256bc83e1a516a58f5d1d024d27dad3c26723df0f96e0deca6baac86d84518000212570b06996a14bcbeadff05fed05125862aba2d4aa08c15a6999563dac067

/data/data/com.yxxinglin.xzid76468/databases/ua.db-journal

MD5 2fb0d911c0d699b159f0a479b670c4d3
SHA1 29f53b15293f715063ef69d83b5aea45560ebb41
SHA256 36d17fa609982824271f90bc9e87acf13b0df8c2ab8a001600a8cc7494ea5808
SHA512 6ab524de6927ef103fbc26385aa18558912023c0265a0be8b315d0243c9311045ebb2ea0f0f826a834186b9cb4be87967814f61eb64b3d0681349daa3d913e24

/data/data/com.yxxinglin.xzid76468/databases/ua.db-journal

MD5 efa5ee33ce1c9d21c3a4617e48307ae1
SHA1 38d51bdc2534eec74ca2a641bf2fef51b146e1e0
SHA256 f635c348234b44c7d0fba32242cc310a54d12d41c546c566e5c69236322a8095
SHA512 fe1825d40a9848891115eb0e57c1bbec66dbcba2f4c40404c35bc5aeb6de6a5d39ca9e531f7027ed7cc52b72f7d7089f4c5c303cfba15c71b0a1fb91b0197964

/data/data/com.yxxinglin.xzid76468/databases/ua.db-journal

MD5 e3abc97adbbf3815262f561aacfe6f4c
SHA1 d3e22655c7e4b4985a381200d1eaa6de83209217
SHA256 1ad23d47e7c239a7cb581dfb560419ef48f56b0247dfc733d3c0ccf3378a8d8c
SHA512 17b689878baf0581d7c30fd6122a4dcf4317a993c363d8a48545f2775524377a0ebecdbb9343d3aa8cd82e397694805d435bf64305da3d66eef905374a4f4c2c

/data/data/com.yxxinglin.xzid76468/databases/ua.db

MD5 4e3b78c0df05ef4a74b1979fcccdb080
SHA1 f814a0b66084a26b62ec2fd901f7766780e15772
SHA256 cc65d9658b1f88069a418465ffc74f39ef41833eba04db69b0042cc74639e128
SHA512 5533aef9a095ce0b7800b99eadf1c54b8eb82e573b47e9997345b29aebaccd1b4e5a89978542738426c72a0976c4124741002711b9379eee2874973e05884faf

/data/data/com.yxxinglin.xzid76468/files/.envelope/a==7.5.0&&1.0.0_1718365342105_envelope.log

MD5 171093dd5b0137164cc5c79d206496be
SHA1 ee657dc80d7b874da07c42c53549956db04a53a4
SHA256 f8a29fe0bed8cd78e2b72210b6724647873a5537b0e822c0c78bf72aa0517e40
SHA512 656cb2ea814d6fc2e04df82d5dca5058b22fd66793a8e8ff61651d17bf3c408856db35f8a344151a758e54070acd83625d56a3e02fff311d08f9c720b8522eb0

/data/data/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzY1MzY2MTE2

MD5 e48490a4bbec5f0d59854b1b551d22a2
SHA1 796cb5ca3c9660466c1dd96d039035e052e9d07a
SHA256 bb7fd25e839593beab24695b0653dc296fe06339298588b43963b541fd2cb99b
SHA512 21837d4a4992e121c5d1931f4f8852bf2e322454a86baae04ccded06def047c8e3e209254f1991d5ea09f03f227107dca6d0cb4436d5e288d5132c6d737b833f
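Several of the dropped-file names above carry their own timestamps: the directory under files/stateless is a base64 string, its children are base64 strings ending in a 13-digit number, and the .envelope log names contain a 13-digit number in the clear. The script below is an added example, not part of the report: it decodes the base64 path segments, reads every such 13-digit value as epoch milliseconds and checks that the result falls inside the detonation window (Submitted 11:41, Reported 11:45 on 2024-06-14). Reading those numbers as epoch milliseconds, treating the report times as UTC, and joining the "== /" split in the stateless paths into a single path are this example's assumptions.

```python
"""Recover timestamps embedded in dropped-file names and check them against
the detonation window. Added example; interpretation of the base64 segments
and 13-digit numbers as epoch milliseconds is an assumption, not report data."""
import base64
import binascii
import re
from datetime import datetime, timezone

# Detonation window from the behavioral2 overview (times assumed to be UTC).
SUBMITTED = datetime(2024, 6, 14, 11, 41, tzinfo=timezone.utc)
REPORTED = datetime(2024, 6, 14, 11, 45, tzinfo=timezone.utc)

# Paths from the behavioral2 Files section; the "== /" split is joined (assumption).
DROPPED_FILES = [
    "/data/data/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzY1MzM1NzA1",
    "/data/data/com.yxxinglin.xzid76468/files/.envelope/i==1.2.0&&1.0.0_1718365335760_envelope.log",
    "/data/data/com.yxxinglin.xzid76468/files/.envelope/a==7.5.0&&1.0.0_1718365342105_envelope.log",
    "/data/data/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzY1MzY2MTE2",
    "/data/data/com.yxxinglin.xzid76468/files/umeng_it.cache",
]

def decode_b64_segments(path):
    """Return {segment: text} for path components that are valid base64 of printable ASCII."""
    found = {}
    for seg in path.split("/"):
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", seg) or len(seg) % 4:
            continue
        try:
            text = base64.b64decode(seg, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary words like "data" survive the regex but not decoding
        if text.isprintable():
            found[seg] = text
    return found

# 13-digit values starting 16..19 cover roughly 2020 to 2033 in epoch milliseconds.
EPOCH_MS = re.compile(r"(?<!\d)(1[6-9]\d{11})(?!\d)")

def embedded_timestamps(path):
    """Epoch-millisecond values found in the path text or in its decoded base64 segments."""
    haystack = path + " " + " ".join(decode_b64_segments(path).values())
    return [datetime.fromtimestamp(int(m) / 1000, tz=timezone.utc)
            for m in EPOCH_MS.findall(haystack)]

def timeline(paths):
    """(time, inside-window flag, path) for every timestamp found, oldest first."""
    events = []
    for p in paths:
        for ts in embedded_timestamps(p):
            events.append((ts, SUBMITTED <= ts <= REPORTED, p))
    return sorted(events)

if __name__ == "__main__":
    for ts, ok, p in timeline(DROPPED_FILES):
        print(ts.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3], "in-window" if ok else "OUTSIDE", p)
```

All four recovered times land between 11:42:15 and 11:42:46 UTC, inside the 11:41 to 11:45 window, which is the expected result for files the sample itself wrote during the run; a timestamp outside the window would point at a clock-dependent or pre-generated artifact rather than live behaviour.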