Malware Analysis Report

2024-10-19 11:48

Sample ID 240615-etscesyejb
Target acd8c7b82e39a3eb699c913016d9db55_JaffaCakes118
SHA256 396d5ab7a7d6dcd8ec927573f64e9a06203bad68000c2f0560cd596faf7633ce
Tags
collection discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

396d5ab7a7d6dcd8ec927573f64e9a06203bad68000c2f0560cd596faf7633ce

Threat Level: Shows suspicious behavior

The file acd8c7b82e39a3eb699c913016d9db55_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Queries information about the current nearby Wi-Fi networks

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-06-15 04:14

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 04:14

Reported

2024-06-15 04:17

Platform

android-x64-20240611.1-en

Max time kernel

178s

Max time network

173s

Command Line

com.eliujia.app

Signatures

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.eliujia.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 172.217.169.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 apiinit.amap.com udp
CN 59.82.132.217:80 apiinit.amap.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
US 1.1.1.1:53 restapi.amap.com udp
CN 203.119.169.174:443 restapi.amap.com tcp
GB 216.58.212.238:443 tcp
GB 142.250.200.2:443 tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp

Files

/data/data/com.eliujia.app/databases/dynamicamapfile.db-journal
/data/data/com.eliujia.app/databases/dynamicamapfile.db
/data/data/com.eliujia.app/databases/dynamicamapfile.db-journal
/data/data/com.eliujia.app/databases/dynamicamapfile.db-journal
/data/data/com.eliujia.app/databases/db-journal
/data/data/com.eliujia.app/databases/db
/data/data/com.eliujia.app/databases/db-journal

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 04:14

Reported

2024-06-15 04:17

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

172s

Command Line

com.eliujia.app

Signatures

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.eliujia.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 1.1.1.1:53 apiinit.amap.com udp
CN 59.82.132.217:80 apiinit.amap.com tcp
US 1.1.1.1:53 restapi.amap.com udp
CN 59.82.132.217:443 restapi.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp

Files

/data/user/0/com.eliujia.app/databases/dynamicamapfile.db-journal
/data/user/0/com.eliujia.app/databases/dynamicamapfile.db
/data/user/0/com.eliujia.app/databases/dynamicamapfile.db-journal
/data/user/0/com.eliujia.app/databases/dynamicamapfile.db-journal
/data/user/0/com.eliujia.app/databases/db-journal
/data/user/0/com.eliujia.app/databases/db
/data/user/0/com.eliujia.app/databases/db-journal

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 04:14

Reported

2024-06-15 04:17

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

187s

Command Line

com.eliujia.app

Signatures

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.eliujia.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 apiinit.amap.com udp
CN 59.82.132.217:80 apiinit.amap.com tcp
US 1.1.1.1:53 restapi.amap.com udp
CN 203.119.169.174:443 restapi.amap.com tcp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp

Files

/data/data/com.eliujia.app/databases/dynamicamapfile.db-journal
/data/data/com.eliujia.app/databases/dynamicamapfile.db
/data/data/com.eliujia.app/databases/dynamicamapfile.db-shm
/data/data/com.eliujia.app/databases/dynamicamapfile.db-wal
/data/data/com.eliujia.app/databases/db-journal
/data/data/com.eliujia.app/databases/db
/data/data/com.eliujia.app/databases/db-wal