Malware Analysis Report

2025-01-19 07:46

Sample ID: 240615-bqzesaxgqj
Target:    ac6278a2e88268826d0b20a36c161b44_JaffaCakes118
SHA256:    ebcb0f6979b1d307419d76c98dca8e3517cee8d500ec3a533252f4e559526fcb
Tags:      discovery, persistence
Score:     7/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:  7/10
SHA256: ebcb0f6979b1d307419d76c98dca8e3517cee8d500ec3a533252f4e559526fcb

Threat Level: Shows suspicious behavior

The file ac6278a2e88268826d0b20a36c161b44_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence

Queries information about running processes on the device
Queries information about the current Wi-Fi connection
Reads information about the phone network operator
Requests dangerous framework permissions
Domain associated with commercial stalkerware software (indicator list includes entries from echap.eu.org)
Queries information about the active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 01:21

Signatures

Requests dangerous framework permissions

Permissions declared in the manifest. Several permissions are declared more than once (typically the result of merged manifests from bundled SDKs); the Count column gives the number of declarations.

Indicator                                   Count  Process  Target  Description
android.permission.WRITE_EXTERNAL_STORAGE   4      N/A      N/A     Allows an application to write to external storage.
android.permission.READ_PHONE_STATE         6      N/A      N/A     Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.GET_ACCOUNTS             1      N/A      N/A     Allows access to the list of accounts in the Accounts Service.
android.permission.READ_EXTERNAL_STORAGE    1      N/A      N/A     Allows an application to read from external storage.
android.permission.WRITE_SETTINGS           1      N/A      N/A     Allows an application to read or write the system settings.
android.permission.SYSTEM_ALERT_WINDOW      1      N/A      N/A     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.ACCESS_COARSE_LOCATION   2      N/A      N/A     Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION     3      N/A      N/A     Allows an app to access precise location.
android.permission.RECORD_AUDIO             1      N/A      N/A     Allows an application to record audio.
android.permission.CAMERA                   1      N/A      N/A     Required to be able to access the camera device.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 01:21

Reported

2024-06-15 01:24

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

184s

Command Line

com.longcai.app

Signatures

Queries information about running processes on the device

Tags: discovery

Description             Indicator                                            Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Domain associated with commercial stalkerware software (indicator list includes entries from echap.eu.org)

Description  Indicator       Process  Target
N/A          alog.umeng.com  N/A      N/A

Queries information about the active data network

Tags: discovery

Description             Indicator                                             Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description             Indicator                                      Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Reads information about the phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description             Indicator                                     Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Processes

com.longcai.app

Network

Country  Destination             Domain                     Proto
N/A      224.0.0.251:5353        N/A                        udp
US       1.1.1.1:53              a1.easemob.com             udp
CN       101.201.233.110:80      a1.easemob.com             tcp
US       1.1.1.1:53              apm-collector.qtestin.com  udp
US       1.1.1.1:53              oc.umeng.com               udp
CN       59.82.23.79:80          oc.umeng.com               tcp
US       1.1.1.1:53              s.jpush.cn                 udp
US       38.48.139.156:80        apm-collector.qtestin.com  tcp
CN       123.60.92.210:19000     s.jpush.cn                 udp
US       1.1.1.1:53              alog.umeng.com             udp
CN       223.109.148.176:80      alog.umeng.com             tcp
CN       123.60.92.210:80        s.jpush.cn                 udp
US       1.1.1.1:53              im64.jpush.cn              udp
CN       124.70.211.119:3000     im64.jpush.cn              tcp
US       1.1.1.1:53              oc.umeng.co                udp
CN       223.109.148.130:80      alog.umeng.com             tcp
GB       216.58.201.110:443      N/A                        tcp
US       1.1.1.1:53              android.apis.google.com    udp
GB       142.250.187.206:443     android.apis.google.com    tcp
CN       223.109.148.179:80      alog.umeng.com             tcp
CN       47.95.246.247:80        a1.easemob.com             tcp
CN       223.109.148.178:80      alog.umeng.com             tcp
CN       223.109.148.141:80      alog.umeng.com             tcp
GB       216.58.212.202:443      N/A                        tcp
GB       216.58.212.202:443      N/A                        tcp
CN       223.109.148.177:80      alog.umeng.com             tcp
US       1.1.1.1:53              alog.umeng.co              udp
US       1.1.1.1:53              easytomessage.com          udp
CN       123.60.89.60:19000      easytomessage.com          udp
CN       123.60.89.60:80         easytomessage.com          udp
CN       124.70.211.119:3000     im64.jpush.cn              tcp

Files

/data/data/com.longcai.app/app_config/config

MD5 935de2368b85d10cc7031b0a2242c9d6
SHA1 b30cca907ab2c030e38d384b0da805e643fd829a
SHA256 4ebba4f5ee93eab25edb68a06efd099da90d7d660f1be4c20a8952aa4e2d6a9b
SHA512 4304786ff2e4e4ac725d0879457212285111353e9b1e8c9f60caa049272a9811458ee3ca6d2d69beda99c57b17f6606ac8280373c9d9407d99439110e97fee01

/data/data/com.longcai.app/databases/trinea_android_common.db-journal

MD5 810ccaf29e61933cb9ef6c2f364829ce
SHA1 b5ed3b8eeaac2f2c2336ff291ea8f0df102f06f3
SHA256 a0960d05605ed7a18c9fc155327986101cfc5827ca3279dc3f75c1b3266dec48
SHA512 2bba9a3f0ca52dd9446228ea2c940f90c95835cd3a97aa4bac6c1d366610f0cab3e8bb35dd502b6a75c3dba606b2f57fca9d0d92057bd468bc2941306a2450fe

/data/data/com.longcai.app/databases/trinea_android_common.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.longcai.app/databases/trinea_android_common.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.longcai.app/databases/trinea_android_common.db-wal

MD5 03cf0ea14f7f6a8012e3c5e5bd46e8f3
SHA1 6438fc60037d6f9f2d137a79c4d9c61982e1a4f9
SHA256 bfcc2c2911094203c37d9a21dc108fc2f533ad7034eadbb50e976f518f52c35a
SHA512 36258d432df07432b21e81a138cbfaf6c10cf704af88119279b3696ea2f45014d15a7de808c4a556a21ddb9c1bfd36b285ebb5cdca4ff6be173a66f230451ab6

/storage/emulated/0/Android/data/com.longcai.app/cache/uil-images/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/storage/emulated/0/Android/data/com.longcai.app/230104100137878#xiaocangshuchuangye/log/20240615/000.html

MD5 d9412fa5b2c0d74c8e2066a6c7c13d27
SHA1 0adf80559414ab3334ab86d945faf0cd76338129
SHA256 1693be955d6afea551937aadedcb03a4d110eff7411733db06e7e9e2a7233c80
SHA512 346e7b497a074cc4a0fa3eb11d932ceca79c756d1f74352ca52257806b3fb8edc272c2b9e14a53ae34a9d95fefcbaced14df7054647461abf511a25872a5d692

/storage/emulated/0/Android/data/com.longcai.app/230104100137878#xiaocangshuchuangye/log/20240615/000.html

MD5 a630fdb95a97521430e317895ec3d0fa
SHA1 e96c3b0d4efdf3512525e7a3773bd0013a60555e
SHA256 025b41c3135d562e509b6f6351f5a8863b0542e0a5e38bce2ae4cd48a1d06903
SHA512 728bc6fc1e695d274d0eef892369fef16a1fb9e27c7c3d07d12dce3b076bd66fa793b7325ea1e7a4166bdfd11174801718474cfd38e49fc810b50265c0b60fa7

/data/data/com.longcai.app/databases/crashannals.db-journal

MD5 e2ace740a3d26e68cf700e2e26319b38
SHA1 93006465fc5c65b0a064787ef70611595b94fefe
SHA256 697c906c01b5387a1f6be149b027ce33dc4d536f556a7b80a7b7cb4da36737c1
SHA512 2af0239067d5e46c79a9e35220326b15f250dee90d383d44da074355e3dab1eebe8696214bf6c760e55efad389a2253034dfc92188327fd8902642bf662439ee

/data/data/com.longcai.app/databases/crashannals.db

MD5 b6d6410653c0d3a9e07151a6e2fbaf41
SHA1 ec986f26ad897acace4cee77eb0d7059f4400864
SHA256 7d65f02102de4d8525eb1df726710fb08e06508dcd2c32601c58c13e53c85198
SHA512 92af642e2517cd2c50c3e69537772ca83ca36f36e6b8ce98329801edb622888fec3182bddec1cd268d0489a1df22d707daba3d0122372e85e4cb77bb54bbbbc7

/data/data/com.longcai.app/databases/crashannals.db-wal

MD5 e50ea542f7409e483c7481cfd32c741e
SHA1 f5389d5734a98bf80908ea769aaf967380f8b900
SHA256 37a866c69842d9ade0784669ec6458a8c940b0af3a7063a800bcbb0454a614c2
SHA512 7f14ba7d96f51bb36404f62facd8aabb7825c6663e03b85bca1c972d8c5d847872ebafc2a6e6b7ef9899f63fe785709877e291de7d062267637a046236375aa0

/storage/emulated/0/Android/data/com.longcai.app/230104100137878#xiaocangshuchuangye/log/20240615/000.html

MD5 0c447a77a544a46696a7d6f0808ce896
SHA1 159acd536699aa794b984b3a2a7ac003a78faef6
SHA256 0ba455f4e33abb7ef407cc0a0a654c5da8084de0bb0f9572753343510f109e72
SHA512 74969a1f0677222398c7c8189b78a5363db5a48ee9144729ea3eea49f7c8f53169b0c79af14c17278689e3294964bed7a4a54a3dee688adbdd9856c0e6ada0c3

/storage/emulated/0/Android/data/com.longcai.app/230104100137878#xiaocangshuchuangye/log/20240615/000.html

MD5 dcc88baca1ab608f47dc7579ddbe44c2
SHA1 471b5bf71fbbde3171c5e256adba6d9f5722c0ec
SHA256 8d2b80fdc2de34daaea825d384fd4f5c3f00279d250df2f91983e4fed9d3cefd
SHA512 b4247a197757da053816949ec8137af410eb33906c9dbeb78b9a96ad2b4cd641498ca736daef6d0223994fe6d844be46b9218c60763e3fa05cda979ff25ff208

/storage/emulated/0/Android/data/com.longcai.app/230104100137878#xiaocangshuchuangye/log/20240615/000.html

MD5 39cd96e19e4f42a821df083f4e42b89b
SHA1 1e79d7ea7fffebe17dde0e0d7b28a13987e26459
SHA256 4f63dd369461267a2a1c6e44d0fdd3845bdfdcbabfbc8ea84ec0e7dc755c9358
SHA512 4191ececc562d7b0a946a4584c05af9f5c40c13b96442dff0262d3f5a470d0a9129403eeb24ff761df06d8f747af2912cbc21008999426892fee71cfcbc2de6b

/storage/emulated/0/data/.push_deviceid

MD5 a994a91f555a0e660f0724a3e7cb8d48
SHA1 6162761eb187db10b8d29083b35fe4155a49828c
SHA256 e6ed88c670175c9f1aa735a1a03859ace4e21b22119470561dfa07752fe9bd69
SHA512 31ae5a3e9a531ad4db82a184ffc92e1a4f7ed9ba78691737d80b31bdfcd63cc1e3f2c4edef18fbc2d9b44f742fd356dc3cdf13e650296970be30a9f0bf65bc99

/data/data/com.longcai.app/files/jpush_stat_cache_history.json

MD5 5b5a47180ee85e0529f1cf1e18c681da
SHA1 6e5aefee8ec6283ddc212484eef585a4cff729d3
SHA256 e3dae20fffe49c59cf32833e833c83fe677967cb1172b1c24c6af03addb4315a
SHA512 6f5673f21bde8c7a08bae15b1ec575bd97659d157f03dfbf192cd7a1da2d219d87bc40e346d3a0bcbad1a4636b4779d316c048ba309588e0b9b80e07dfddf83f

/data/data/com.longcai.app/databases/rep.db-journal

MD5 ae268db9b4631212947231cf49b7c233
SHA1 109b2d4f3cb7d48e73ba0a16367d92f4186612ee
SHA256 3eede15eba1ca2fa3ff09d9709096d17a1c8afced1dbf26430ad5c4e4b9e38c6
SHA512 7711a3b64d21f0cd63ec85032ec91ee9170d257aa70351ee285dbea7529f633f222829afa3c7e9de365ed8797029778601d5f01206fd739e83a18be4d487a362

/data/data/com.longcai.app/databases/rep.db-wal

MD5 11ee7973157f797672c092481f0f3707
SHA1 948afcbc3f97de1ebb16233ea8149b7b8d770efd
SHA256 4d0abf159b95c6ab6f34e770af3410639aa1c3b3a90484671dcfb806ea09e886
SHA512 b84fb3904ff803a21f158a8e7e346e4c31cf67e3345ec123522f09ebfcf38f9825eab53f911ec47ed625c10a6d404d2f284940dfd30d3a2f42025c31885f5924

/data/data/com.longcai.app/files/umeng_it.cache

MD5 f1aaa587271ad71134643720e6db1c40
SHA1 32661167c5a5c1864b9b05461b82e8eeb5dca3e8
SHA256 bbe131d5cb0f9b6e94ad19e2f0df37a2a81956c0816c4802da6502e3936804ae
SHA512 e2eb3973295886f18b3f6e2e62c16a4a061e616cd118b433c87058fbafc06876fc8ab8d9ca2d0febd1a8821db59d37e019b0ffe8dbe6d29a73105a6bf1e4164c

/data/data/com.longcai.app/files/jpush_stat_cache.json

MD5 98bd1bc9309fad63d9dfcbdcc4c27968
SHA1 c10036890c47f09fac4c2585309c21bd70d358ff
SHA256 572d60bc94be98a010533800f949c0e410ae4c49f3c662fb87207f9d78215fe1
SHA512 feb7d39d3923805094cdc394a008c31475173927a3b378efdf6f4ca73ab3a80a92437c8dba3e3924d895e6bab14c49a293bcc18573c7e47120caa0d02c6d7245

/data/data/com.longcai.app/files/.um/um_cache_1718414575275.env

MD5 41dd26302675f941a72251c19e5b0cb1
SHA1 42b81b2e9e532d9e2aadd9120af5b89d5be7e978
SHA256 f1e4c38a8bacf524c84fc97187324411bf522ef1015ea114babd70f85d567eec
SHA512 7b879b0cb5c1d3be6a49be9f67d01d5a2eb7637760d2d61831d10e41608a1a461f108c10299a7a4f8e4c0376008b07ea0ea7a5076ef456e25897bfc0e003cbab