Malware Analysis Report

2024-10-19 11:47

Sample ID 240615-e7ctwsyglg
Target ace42ec76b44121cb9b3cd6b1f0b1ac4_JaffaCakes118
SHA256 2a393a1c17096432cb99715fd17b5968285e64c51ddf6e3e011ed241d19c429e
Tags
collection discovery evasion impact persistence
score
7/10


Analysis Overview


Threat Level: Shows suspicious behavior

The file ace42ec76b44121cb9b3cd6b1f0b1ac4_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries information about the current nearby Wi-Fi networks

Queries information about running processes on the device

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 04:34

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 04:34

Reported

2024-06-15 04:37

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

185s

Command Line

com.sageit.judaren

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.sageit.judaren

com.sageit.judaren:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.easemob.com udp
GB 79.133.176.213:80 www.easemob.com tcp
GB 79.133.176.213:443 www.easemob.com tcp
US 1.1.1.1:53 s.jpush.cn udp
US 1.1.1.1:53 alog.umeng.com udp
US 1.1.1.1:53 loc.map.baidu.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
HK 103.235.47.89:80 loc.map.baidu.com tcp
CN 123.60.92.210:19000 s.jpush.cn udp
US 1.1.1.1:53 a1.easemob.com udp
CN 101.201.233.110:80 a1.easemob.com tcp
GB 216.58.212.234:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
HK 103.235.47.89:80 loc.map.baidu.com tcp
HK 103.235.47.89:80 loc.map.baidu.com tcp
US 1.1.1.1:53 sapi.skyhookwireless.com udp
US 1.1.1.1:53 dns.map.baidu.com udp
FR 13.37.206.148:443 sapi.skyhookwireless.com tcp
HK 103.235.47.89:80 loc.map.baidu.com tcp
CN 182.61.62.50:80 dns.map.baidu.com tcp
CN 123.60.92.210:80 s.jpush.cn udp
FR 13.37.206.148:443 sapi.skyhookwireless.com tcp
HK 103.235.47.89:80 loc.map.baidu.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:80 easytomessage.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 sis.jpush.io udp
CN 121.36.193.140:19000 sis.jpush.io udp
N/A 10.0.0.172:80 tcp
CN 121.36.193.140:80 sis.jpush.io udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
CN 182.61.62.50:80 dns.map.baidu.com tcp
CN 113.31.17.108:19000 udp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 47.95.246.247:80 a1.easemob.com tcp
CN 123.60.92.210:19000 easytomessage.com udp
CN 123.60.92.210:80 easytomessage.com udp
CN 123.60.89.60:19000 sis.jpush.io udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 123.60.89.60:80 sis.jpush.io udp
US 1.1.1.1:53 sis.jpush.io udp
CN 116.205.165.66:19000 sis.jpush.io udp
CN 116.205.165.66:80 sis.jpush.io udp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 123.60.92.210:19000 sis.jpush.io udp
CN 123.60.92.210:80 sis.jpush.io udp
CN 123.60.89.60:19000 sis.jpush.io udp
CN 123.60.89.60:80 sis.jpush.io udp
CN 116.205.165.66:19000 sis.jpush.io udp
CN 116.205.165.66:80 sis.jpush.io udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
CN 123.60.92.210:19000 sis.jpush.io udp
CN 123.60.92.210:80 sis.jpush.io udp
CN 123.60.89.60:19000 sis.jpush.io udp
CN 123.60.89.60:80 sis.jpush.io udp
CN 116.205.165.66:19000 sis.jpush.io udp
CN 116.205.165.66:80 sis.jpush.io udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
CN 123.60.92.210:19000 sis.jpush.io udp
CN 123.60.92.210:80 sis.jpush.io udp
CN 123.60.89.60:19000 sis.jpush.io udp
CN 123.60.89.60:80 sis.jpush.io udp
CN 116.205.165.66:19000 sis.jpush.io udp
CN 116.205.165.66:80 sis.jpush.io udp

Files

/storage/emulated/0/Android/data/com.sageit.judaren/sage-it#judaren/log/20240615/000.html

MD5 123f433cc708e389acb576f9185859e9
SHA1 ab254533bb542c80060653ec315f0484adec4478
SHA256 2d9b4c9d79ec33485228550d78f908ecb89ba73da069df3e90c56c538089b30f
SHA512 9b6590f3cd069006347b131798843d95fd9c024a8a8d43538efd98046a548771aba0ccc9e5128b71fe3f6a43267ced246a47fd6aec3e70b12dd729eb5071e0b7

/storage/emulated/0/Android/data/com.sageit.judaren/sage-it#judaren/log/20240615/000.html

MD5 0d3e99204c6401ea499fe9e6d9855497
SHA1 09829f00ca458eab7374d5079393a2cd69a2348a
SHA256 63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca
SHA512 8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

/storage/emulated/0/baidu/.cuid

MD5 1106f40f06b948a31bdfe7f11ae9ebc2
SHA1 fcaa329e3a45f126dfc50a2437319dfd747d5f9b
SHA256 4faaab6ab6298511011006303989c3df481b52a136a18405e8e0c055a4406bc1
SHA512 090e042e4d708c9f8ff22caedfc123eb7ae011dfe74d831888fb8a5e05515d8a411fdfd0a928b464a6373df3cec4cbfe7f865ef4f6c7c1747e24749575894152

/storage/emulated/0/Android/data/com.sageit.judaren/sage-it#judaren/log/20240615/000.html

MD5 e850dcd00f5447576584a802d3bcece4
SHA1 dde9675428c868184f175158eaf340ecbe32738c
SHA256 4bc6ec4a3d9e0c10def057f4e0f75e77856d45a8a0ce264f45df1e3b65fe21ba
SHA512 c97a16c7b61d4a9212589da76297f4ea93b97a662407584c990002d4f3c117c7cf0deb1d680a56a33ed5c614cc830661cdab702e35ab59e2552793b95e2edd37

/storage/emulated/0/Android/data/com.sageit.judaren/sage-it#judaren/log/20240615/000.html

MD5 932a1ae809dd27b08cc41f3f7dfc0f78
SHA1 388ae991515efb5ff6d6e581531cc1cc559d1f38
SHA256 3c884bc5d0de1fdaf2394bd3ed31461581f3a0444e8e3f06847019f494d5d06e
SHA512 b867e62f67b0b7b94db4331e743b22d6a21fa8a93355a7926cb269a729b6a3c53886d9117b6c187c455e47e6ec31f1be0d19e69d0eafc0b2e9b75fe1fbb316b5

/storage/emulated/0/Android/data/com.sageit.judaren/sage-it#judaren/log/20240615/000.html

MD5 93eab46eb74339b66b6a4ef613983108
SHA1 d253c225d34b04b4e9e0b2970f53ad3ece02d4db
SHA256 31e9c454d190ca8d74d201da9c6ea63786fabaa296c3eb51adb3338d3793b2b5
SHA512 850326cffe34f8493650f8028582df38025c8ae6b07b110e9c947d5a005fdef05c4106843d09ff67474085a4164a9ee2e360bf81622436d33098147d552250c2

/data/data/com.sageit.judaren/databases/rep.db-journal

MD5 74e58ede1666ca3e5ca062f7e5cd362f
SHA1 cd1bacbd774627836818a4670cb10857c9f11c4e
SHA256 f0d8fa2da5d2c06bdb34769d829e92f95bcd763de9fd4231cae9aaeccf2a567e
SHA512 906574d90d827ac0823ea19c932994f3a38006baafe2a493c9f9e682086f98ab42a782372a7ceb193dfb86f63803c18f0831561ea0be164c4375b020b1eff779

/data/data/com.sageit.judaren/databases/rep.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.sageit.judaren/databases/rep.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.sageit.judaren/databases/rep.db-wal

MD5 28edd63d184822ed927b12106409f790
SHA1 8dbe7054d645505560619fc3246d36c73c2205d8
SHA256 9fe05c39cc2a9f88301b5e019f2c098215936d76717b3289c221872d756833fc
SHA512 4da683d036397951e07b325dedd0a9f7e36ea9ab0e74c92446c4bed6b0d11513200a9bb30d12930b7c7440f0648f3f39370ef174fef60f3c9c93883eb163a6bd

/data/data/com.sageit.judaren/files/umeng_it.cache

MD5 63a3583e9aecec56b51380a68764e2e2
SHA1 1b2cd8b22d40c27aab8780252d15e735adfb15fa
SHA256 234959b26acd9e551ffae17fe21329bacb096c77088ffa155dfc55af8c81cb04
SHA512 b035d94c42bd7b3b34670d1ddc1f75ba2a78ac898cf57de660ae9b007c51d8bddee509d5a9fe063c4c9fd3b75863af36e303a7a51547636fa41ba1906c16ed81

/data/data/com.sageit.judaren/files/ofld/ofl_statistics.db-shm

MD5 a94381b5bbc4309e48dc05616faddfda
SHA1 63de39ed02603e30d794e01b48b4c3677f835c20
SHA256 1bd3574c5055a9d22ddfb77b6fc835d8b28296eef0045cc8e85d1724c22374bf
SHA512 6eea15e6e735cd306dcd42a1c9541ac6a76eeb8f0325393ab62c8f9daea59f2d72f5b51790d308621c137d01b87d6e4816d5b25b74a40a1d8aa6539095a33f96

/data/data/com.sageit.judaren/files/ofld/ofl_statistics.db-wal

MD5 b7ab9d1af6952c3554616da59332c246
SHA1 4c9f526971a4865117853a326d1b5458a637463d
SHA256 3ce64a2d3ca0eb16c9222b8fb3cc5cd31ae8aa923f31d29e6f5a4fe3ae6b3c11
SHA512 4cf77ca8ce0106a44d5e18ae13482ba61b17c6b3b9d38ddc15900d7fcf896bab87b61d0efc3d9113c3eb40c0898958585fe6acaa90d08bae7a43639108dc690c

/data/data/com.sageit.judaren/files/lldt/firll.dat

MD5 76edb062b330f4d46f326b1705a2e116
SHA1 8adbc40b844268b1ad104fc10274835768580ea8
SHA256 90f3be77b6914d1e253d3893944c0d0f98c652fe14bf69f26b511ce3ebcc91b0
SHA512 71df24733a70c01b7d480ee9d9aaa3c3d1d06470b6218befdcaf8cb32716a639d54021b75ab73c62d75305a4cda105269243cb2c604048a0dbcd34ce3f939031

/storage/emulated/0/baidu/tempdata/lcvif.dat

MD5 fcf6954a0812e94ee14296c8cf503f68
SHA1 d1d632bcc4ba1975a87568c58480904b41aef949
SHA256 380c22e21dac3f39772b87155616528d7b3fd847bc2270a6051c596e4d5a800c
SHA512 a720c05137d3828e1ee89ad1d378049c46ac6778cac48b956edcf9b7addebabe649c714eaa7cb25c6fcd4387c7c211c99333553848081401e45f60c3f0d86b51

/storage/emulated/0/Android/data/com.sageit.judaren/files/baidu/tempdata/llg.dat

MD5 161557b06b4a4d3ce095528dea370eb7
SHA1 8bfe9c4d916fe58d856b5a6ecaf8cd9ea4df2c9f
SHA256 f054ef19481234ee5b2db1d1c681839dab235a857ed3a4bc02efa8f785f478d4
SHA512 96ce8aedbdbb387438efc86aaabd13a6378628bfae203d2bc25ea1cd7daa6ddbd6dd2c81d631fbdc9b653a93011d3c80f0c085580275b683d5e0bce077e6e449

/storage/emulated/0/Android/data/com.sageit.judaren/files/baidu/tempdata/llg.dat

MD5 6c117be37ea17ebf2aa6594412fc5950
SHA1 bbf8845c8d6f5cc67b5e413b72c89decfdd2c79b
SHA256 22d4bf8cee5a23a8a760c57c308a532d7cd02aa4186fa8564e203aa7ec1ec1cf
SHA512 9156f4182d8f8d83a99569641de25970ab5a4b4c583e4dd9ddb8bf469f7c8e9b4c750f2d0f7462fa27b3dcb92626836e3bdaddc50fe54b2a650effd8a00fbebd

/data/data/com.sageit.judaren/files/ofld/ofl.config

MD5 f11f6b25d7832c90448b76f42b6c575b
SHA1 33e80ee19bedba54e058346ac86f15746ace1206
SHA256 63ef4ad5a2f25812cf55a01cd76aa6a69896f8820a91d46c6e3893ec3da91371
SHA512 22b1da4ff20885e6ebfcc26041d7e52f9b1fd39be763bd051562afd48389bd7a77d531bf6a04d1220824caf749803681519391f0d68cd6b1e97c52d7504c3510

/storage/emulated/0/Android/data/com.sageit.judaren/files/baidu/tempdata/conlts.dat

MD5 8d80bc8ea90e9cac010d3ddf97bda5f5
SHA1 f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07
SHA256 f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93
SHA512 9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

/storage/emulated/0/Android/data/com.sageit.judaren/files/baidu/tempdata/conlts.dat

MD5 2b6c767aede06e091acfb6a649fec5dd
SHA1 d12e1209237a7b90c8fe6ccad63348e1505990aa
SHA256 fb46bf11b0222954bbdec654dd69c22a5c5464a500646975a0127b0098b91d19
SHA512 28051d65d6b16c49e37d216c54d67ea841b37082b16d59ed4e2d296524f728c45deb1bd4635b8ebb8e9cfe677624ffb01ebda52e29b7f729167b94ab652ce1cb

/storage/emulated/0/Android/data/com.sageit.judaren/files/baidu/tempdata/llg.dat

MD5 66268a9aef5078256d96965a3656a3de
SHA1 e5f8c1191e7840e185142fe4f975a49c1ea12669
SHA256 b8eb167fa8a0050d6896d3598c606774522a0a7151569bc1b28e044b3416f2ad
SHA512 e6da4789b3304b9d46fcfb32bac72cd995986b45c6f088edbc621e27d66c1aa1376d125864ff431b9ec8df140c1f64a2c00083fa28511b9c797bbd2161169f05