Malware Analysis Report

2024-10-19 11:47

Sample ID 240615-e3lw1ayfra
Target ace22f6605190d1dd03d9e251ec9d795_JaffaCakes118
SHA256 348d26ac2267c9785208b205ec6389744f63ae9cc464f51048c447103345a412
Tags
collection discovery evasion impact persistence
score
8/10

Analysis Overview

score
8/10

SHA256

348d26ac2267c9785208b205ec6389744f63ae9cc464f51048c447103345a412

Threat Level: Likely malicious

The file ace22f6605190d1dd03d9e251ec9d795_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted

Requests cell location

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 04:28

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:31

Platform

android-x64-20240611.1-en

Max time kernel

10s

Max time network

156s

Command Line

com.youku.cloud.apk

Signatures

N/A

Processes

com.youku.cloud.apk

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 216.58.212.238:443 tcp
GB 142.250.200.2:443 tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:31

Platform

android-x64-arm64-20240611.1-en

Max time kernel

8s

Max time network

132s

Command Line

com.youku.cloud.apk

Signatures

N/A

Processes

com.youku.cloud.apk

Network

Country Destination Domain Proto
GB 172.217.16.238:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:28

Platform

android-x86-arm-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:28

Platform

android-x64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:28

Platform

android-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:31

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

140s

Command Line

com.kidplay.bbtgs

Signatures

Checks if the Android device is rooted

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kidplay.bbtgs/app_plugin/PlayerUIApk.apk N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.kidplay.bbtgs

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 203.107.1.97:443 tcp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:443 log.umsns.com tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/data/com.kidplay.bbtgs/databases/MessageStore.db-journal

/data/data/com.kidplay.bbtgs/databases/MessageStore.db

/data/data/com.kidplay.bbtgs/databases/MessageStore.db-shm

/data/data/com.kidplay.bbtgs/databases/MessageStore.db-wal

/data/data/com.kidplay.bbtgs/databases/MsgLogStore.db-journal

/data/data/com.kidplay.bbtgs/databases/MsgLogStore.db-wal

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/data/data/com.kidplay.bbtgs/databases/accs.db-journal

/data/data/com.kidplay.bbtgs/databases/accs.db-wal

/data/data/com.kidplay.bbtgs/app_plugin/PlayerUIApk.apk

/data/user/0/com.kidplay.bbtgs/app_plugin/PlayerUIApk.apk

/data/data/com.kidplay.bbtgs/databases/ua.db-journal

/data/data/com.kidplay.bbtgs/databases/ua.db

/data/data/com.kidplay.bbtgs/databases/ua.db-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:31

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

139s

Command Line

com.youku.cloud.apk

Signatures

N/A

Processes

com.youku.cloud.apk

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:28

Platform

android-x86-arm-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:28

Platform

android-x64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:28

Platform

android-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 04:27

Reported

2024-06-15 04:28

Platform

android-33-x64-arm64-20240611.1-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.68:443 udp
BE 142.250.110.188:5228 tcp
GB 172.217.16.228:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.68:443 udp

Files

N/A