Malware Analysis Report

2025-01-19 07:45

Sample ID 240615-a8l2qstapg
Target ac50670f7deeed7aa80c32a15d6c83fb_JaffaCakes118
SHA256 fa33e6dd87f8f4c6b1f3929537af56826f1d7b6e1454a373021e7b7e3430a6bc
Tags discovery evasion persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

fa33e6dd87f8f4c6b1f3929537af56826f1d7b6e1454a373021e7b7e3430a6bc

Threat Level: Shows suspicious behavior

The file ac50670f7deeed7aa80c32a15d6c83fb_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 00:53

Signatures

Requests dangerous framework permissions

Indicator                                    Process  Target  Description
android.permission.CAMERA                    N/A      N/A     Required to be able to access the camera device.
android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A     Allows an application to write to external storage.
android.permission.ACCESS_FINE_LOCATION      N/A      N/A     Allows an app to access precise location.
android.permission.READ_PHONE_STATE          N/A      N/A     Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.GET_ACCOUNTS              N/A      N/A     Allows access to the list of accounts in the Accounts Service.
android.permission.READ_EXTERNAL_STORAGE     N/A      N/A     Allows an application to read from external storage.
android.permission.CALL_PHONE                N/A      N/A     Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.CAMERA                    N/A      N/A     Required to be able to access the camera device.
android.permission.READ_PHONE_STATE          N/A      N/A     Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A     Allows an application to write to external storage.
android.permission.CALL_PHONE                N/A      N/A     Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_COARSE_LOCATION    N/A      N/A     Allows an app to access approximate location.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 00:53

Reported

2024-06-15 00:56

Platform

android-x86-arm-20240611.1-en

Max time kernel

157s

Max time network

148s

Command Line

com.vikecn

Signatures

Loads dropped Dex/Jar

evasion
Description  Indicator                       Process  Target
N/A          /data/data/com.vikecn/mix.dex   N/A      N/A
N/A          /data/data/com.vikecn/mix.dex   N/A      N/A
N/A          /data/data/com.vikecn/mix.dex   N/A      N/A

Queries information about active data network

discovery
Description             Indicator                                                Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo    N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                        Process  Target
Framework service call  android.app.IActivityManager.registerReceiver    N/A      N/A

Checks memory information

Description           Indicator        Process  Target
File opened for read  /proc/meminfo    N/A      N/A

Processes

com.vikecn

sh -c getprop ro.yunos.version

getprop ro.yunos.version

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.vikecn/mix.dex --output-vdex-fd=57 --oat-fd=59 --oat-location=/data/data/com.vikecn/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

logcat -d -v threadtime

Network

Country  Destination            Domain                               Proto
N/A      224.0.0.251:5353                                            udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com   udp
US       1.1.1.1:53             rs.easemob.com                       udp
GB       193.118.32.52:80       rs.easemob.com                       tcp
CN       39.97.9.52:80                                               tcp
US       1.1.1.1:53             app.680.com                          udp
HK       8.212.115.227:80       app.680.com                          tcp
HK       8.212.115.227:443      app.680.com                          tcp
GB       142.250.187.206:443                                         tcp
US       1.1.1.1:53             android.apis.google.com              udp
GB       142.250.200.46:443     android.apis.google.com              tcp
US       1.1.1.1:53             a4.easemob.com                       udp
CN       47.95.246.247:443      a4.easemob.com                       tcp
CN       101.201.233.110:443    a4.easemob.com                       tcp
US       1.1.1.1:53             a4-v2.easemob.com                    udp
CN       101.201.233.110:443    a4-v2.easemob.com                    tcp
CN       47.95.246.247:443      a4-v2.easemob.com                    tcp

Files

/data/data/com.vikecn/databases/bugly_db_legu-journal

MD5 529e25d6df9e808c13f37cfc8fe4348e
SHA1 e914e7d1260b0f6cd166f448eab3c07fb07941c5
SHA256 3e5040f611ff6e7996c6c4f1ce6c370dd3ddc98f79d651d30da3346d504a0d31
SHA512 eba5ace30a52c9db8822067447e1da04fce4834fa542e74221c2284a5ac902e7f6cc39f9f793d192203d1fc88ea11e0bce5448398f6221ff8113a8299c5af787

/data/data/com.vikecn/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.vikecn/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.vikecn/databases/bugly_db_legu-wal

MD5 ab028a2f7ffe50acce6a76d13ca25c4f
SHA1 1ab5607e5274406015c69117bb699009f31ebb77
SHA256 41e12c6bf0215d84148b2e7562ee72623d2c360ac137d2268f8fec0df1b6b6bb
SHA512 d82aef335c1f95c233c593484eeb47d7171d769d4a10c1d53b54dc4fced7cd17b869adbdc7d1482a25343ec172fd3b3aa0e574336a67b0bb802534b226c5bb32

/data/data/com.vikecn/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/storage/emulated/0/Android/data/com.vikecn/1196170302178697#sjcfwk/core_log/easemob.log

MD5 08ba20a76bb7066dd6823b7cf07193de
SHA1 d1a1e34595cbb6da0dca0e7944effa8e4f46a12b
SHA256 d1ca4d2520b069a3885b0565449a07c408df1917543dff2f535187afd77425a9
SHA512 7819561694bd041e74c5d8b505d954bdad09b0d49e328809170edfa3dbabd81f999e697e64680c5fe88d2c135f2f59d44be2133963c95e2cd59eba1db337917c

/data/data/com.vikecn/app_crashrecord/1004

MD5 a7fd38db7276ab07a6618a66f00d9b3f
SHA1 a0e0e8a714e0675077b532267550fdcba53643c2
SHA256 cc396b377b62fb543fc140313abf2c12a32bd33d4f5f4bb98eb513969e66d0d1
SHA512 3d0fae17ebae7fa38f9cce238afeef44c39fc5dcc067868bf4caa34b1a77044286585a8158796b328bd61181448bc08fd53566e68f84bced014170331c47a704

/data/data/com.vikecn/databases/bugly_db_-journal

MD5 88577306b493037ddafeda37103fc5b4
SHA1 e34f815a3eed46482ea12b8794bedb9f1967d519
SHA256 287416dcb27c8c7d73cb4126736d812bdc36acc80faa7b6a9f9d065326b68597
SHA512 0fd6c8aef7a27ffc1ec4f8d7289bc979d20af24afc0748c406653e23fc38d053e3551e1d7decdd4d4e01368166d6c0ff1b4cda048ee726c723b9148d3435583c

/data/data/com.vikecn/databases/bugly_db_-wal

MD5 ec42b3f498b44b91d38ed3889f8ade9d
SHA1 b033a5a6d5b038c4b028a02056ccb3998e15b8a9
SHA256 ba9af9fccd2537a13b1730182ca0cbc39a6cf6c1a32ead891b9724c556557fcd
SHA512 a903917267f4fb920c5b170a5881f9feb38461e61e46ecf599c0d2028e954d9f8e9d1dbd286ad6d07f240a844caa80e3bd25086250ca49e139b790b9eff58072

/data/data/com.vikecn/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.vikecn/files/config.json

MD5 cec903432fc37f2813975fb987d9ccdd
SHA1 0d8c950670e851112cf6ba25def4660f0c8cf169
SHA256 bafed52f6afb611dd683cb73626494610834573c57c45f654d37d2209deff9b4
SHA512 adbe90c855cf3c4a49e14916226256e32d8eaa470bcdf5a6dc125ac3b33efb150a1f2564845630ffb735797b5f0a144454a183acd90316a4ac87c1b441119585

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 00:53

Reported

2024-06-15 00:56

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

3s

Max time network

132s

Command Line

com.vikecn

Signatures

N/A

Processes

com.vikecn

Network

Country  Destination            Domain   Proto
GB       172.217.169.68:443              udp
GB       172.217.169.68:443              tcp
BE       142.250.110.188:5228            tcp
GB       172.217.16.228:443              tcp
N/A      224.0.0.251:5353                udp
GB       216.58.212.234:443              udp
GB       216.58.212.234:443              tcp
US       172.64.41.3:443                 tcp
US       172.64.41.3:443                 tcp
GB       142.250.180.3:443               tcp
US       172.64.41.3:443                 udp
GB       142.250.180.3:443               udp
GB       172.217.169.68:443              udp
GB       142.250.179.228:443             udp
GB       142.250.179.228:443             tcp
GB       142.250.179.228:443             tcp
GB       142.250.179.228:443             tcp
GB       216.58.212.227:443              tcp

Files

/data/user/0/com.vikecn/databases/bugly_db_legu-journal

MD5 b34fffde3f3679b68a9815d3bcade08e
SHA1 513ec213db086c112057f0dad15ceb5c92b47cc6
SHA256 c60bb88761894fbbcf88f89bbd9c0b5f817abd2aea72b5a6942383f60497e3c7
SHA512 e3515da4faa9ad2df9323976711652b62c5d0b072d37eea1c4af5dba99aa2f4787c48de0fd93fd02823041f0cb405c91b4b27544b4e5a26ecccdcfd957c7098d

/data/user/0/com.vikecn/databases/bugly_db_legu

MD5 7b1945295118b933801638bd96546bfe
SHA1 77a47a15d3ded4a8e10487da596405f8d1af6ab9
SHA256 03adf1b0c9e36ab2f7d270f1d16815911cf62652d52cb6d02ed9d96a7a2723c6
SHA512 1ccc2fbafe031f25a457a313875ecf23542c9fc2d5e75b296835dad7ca12013665833bca29431bda2fc389b337b6b573f4a9260c82b78bc70111493c4cce5dbc

/data/user/0/com.vikecn/databases/bugly_db_legu-journal

MD5 1e60d49ef159b3127005cc281270c545
SHA1 e1e91cdf9060f841ad3c25afd0bb0cb8329d6ffe
SHA256 e61a142304e6861363a9e85f3013c3e4e4b18d32f4e576cd998745ed9a65f1b6
SHA512 c03186f46be8408a7efb84ea59bdb2c822e4868b36595148a876dbf8d284004bf07b3eac1d420edbe26a5b180b13be57208c3b1926b24533948623b43e1615d3

/data/user/0/com.vikecn/databases/bugly_db_legu-journal

MD5 bd14502b703e2cfa3ddea4524c7502c6
SHA1 a778e65c821b855461d83887b3ba021fb176a485
SHA256 3b3ab79e891ec658d9454c840b0aa23d4eb0e68a0f2f9ddce0a9ba665ce41def
SHA512 fc6ac2d50c41bb4a11590d00950fde0b326be6a7a6980e8ab4a77649b3c54b0dbdabed50fee478eb7e17b0e9d30a49437a180340b206d375df0309b997e6869d

/data/user/0/com.vikecn/databases/bugly_db_legu-journal

MD5 c1b7fb56076c8da3a18c71c2bdf1ce9a
SHA1 4af9cea355f005607c55c2d33e1d9c62bda6d8df
SHA256 69e0b3b19a772110e06f7058092156a61597a481e72a5cadaa18c7f3e0516ff9
SHA512 696f0ed1bc22f71a698beb4f2b1ba59ff4b09c808500c0d070cddfc67baddcae69edc6d0b2a6043c890e1408dd61ab123bf974477c6f88ec539854b9343822de

/data/user/0/com.vikecn/databases/bugly_db_legu-journal

MD5 c2d818fc8433d80110348f6eee1386d6
SHA1 49eac9cbe3e48bc0e87e8b045beed301743b1943
SHA256 f8232dfa6ce1f5019352758aafe727798394f235a6b0910ecbac61b407e99cda
SHA512 2dfe4f38c4ddd73388444702272c7c7247b1889806939ce520343d4822d3224a74879d931a2407f924dac5faf0aeec5e2453a23d34754291b35079b001b7ffa8

/data/user/0/com.vikecn/databases/bugly_db_legu-journal

MD5 276b5be722da3af997d4935f55f31b73
SHA1 17164aa05e2ecc13a322142e66d29ba306be7dc9
SHA256 4504b7978a60bd89898b34831d1914ced8ed670840b94eb408dcc877cef135bd
SHA512 03023617f543d2ec4d7367d736ef4aafc5ab68e2b96479d2880868ec30197ea9d213e0e2dc0d8f514cf38b218d4764e3a8541eaf27a08553c7964bae8e219177