Malware Analysis Report

2025-01-19 07:59

Sample ID 240616-re2c1awcqe
Target b3e7851eed828b98936fd69c5c01a567_JaffaCakes118
SHA256 1a8b160fa35904168676ab0b4c5d20574d468e1d0b40608d1b09cca7cadecddd
Tags
banker discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1a8b160fa35904168676ab0b4c5d20574d468e1d0b40608d1b09cca7cadecddd

Threat Level: Shows suspicious behavior

The file b3e7851eed828b98936fd69c5c01a567_JaffaCakes118 shows suspicious behavior (score 7/10).

Malicious Activity Summary

banker discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries information about active data network

Queries information about the current Wi-Fi connection

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:07

Signatures

Requests dangerous framework permissions

Permission  Description
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION  Allows an app to access precise location.
android.permission.CAMERA  Required to be able to access the camera device.
android.permission.GET_ACCOUNTS  Allows access to the list of accounts in the Accounts Service.
android.permission.READ_CONTACTS  Allows an application to read the user's contacts data.
android.permission.READ_PHONE_STATE  Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_SMS  Allows an application to read SMS messages.
android.permission.RECORD_AUDIO  Allows an application to record audio.
android.permission.SEND_SMS  Allows an application to send SMS messages.
android.permission.WRITE_CONTACTS  Allows an application to write the user's contacts data.
android.permission.WRITE_SETTINGS  Allows an application to read or write the system settings.
android.permission.READ_EXTERNAL_STORAGE  Allows an application to read from external storage.
android.permission.REQUEST_INSTALL_PACKAGES  Allows an application to request installing packages.
android.permission.READ_CALL_LOG  Allows an application to read the user's call log.
android.permission.WRITE_CALL_LOG  Allows an application to write and read the user's call log data.
android.permission.RECEIVE_SMS  Allows an application to receive SMS messages.

(Process and Target are N/A for every row: permissions are read from the manifest, not observed at runtime.)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:07

Reported

2024-06-16 14:10

Platform

android-x86-arm-20240611.1-en

Max time kernel

159s

Max time network

165s

Command Line

io.dcloud.UNI4F780A2

Signatures

Loads dropped Dex/Jar

evasion
Indicator (file loaded)  Process  Target
/data/data/io.dcloud.UNI4F780A2/.jiagu/classes.dex  N/A  N/A
/data/data/io.dcloud.UNI4F780A2/.jiagu/tmp.dex  N/A  N/A  (loaded three times)

Both DEX files sit in a hidden .jiagu directory created at runtime inside the app's private data, next to libjiagu.so (see Files). That is the layout of the Jiagu commercial packer: a native stub decrypts the real application code on first run and hands it to the class loader, so the APK's own code is only the stub. The dex2oat invocation under Processes compiles exactly that dropped tmp.dex. Static analysis of the APK therefore covers the stub; the code that actually ran is the dropped DEX, whose hashes are listed under Files.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Indicator  Process  Target
s.appjiagu.com  N/A  N/A

The domain belongs to the Jiagu packer infrastructure (compare the .jiagu/ directory and libjiagu.so under Files) and is contacted by any Jiagu-packed app, so this hit identifies the packer rather than a particular stalkerware family or operator.

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

io.dcloud.UNI4F780A2

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/io.dcloud.UNI4F780A2/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/io.dcloud.UNI4F780A2/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

sh -c ps -ef

ps -ef

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 stream.dcloud.net.cn udp
CN 115.159.41.92:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 service.dcloud.net.cn udp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
CN 124.220.154.50:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 log.aldwx.com udp
US 1.1.1.1:53 dataapi.testin.cn udp
US 1.1.1.1:53 testup.iszhiqi.com udp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
CN 47.99.180.218:8001 tcp
CN 47.99.180.218:8001 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 log.aldwx.com udp
US 1.1.1.1:53 log.aldwx.com udp
CN 150.158.157.83:80 stream.dcloud.net.cn tcp
CN 115.159.204.155:443 service.dcloud.net.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 43.142.22.58:80 stream.dcloud.net.cn tcp
CN 124.220.57.196:443 service.dcloud.net.cn tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
CN 43.142.67.81:80 stream.dcloud.net.cn tcp
CN 110.40.169.99:443 service.dcloud.net.cn tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
US 1.1.1.1:53 ez4q2.cn udp
CN 112.65.70.244:80 ez4q2.cn tcp
CN 43.142.150.110:80 stream.dcloud.net.cn tcp
CN 110.40.181.119:443 service.dcloud.net.cn tcp
CN 43.142.166.20:80 stream.dcloud.net.cn tcp
CN 111.229.199.57:443 service.dcloud.net.cn tcp
CN 49.234.42.40:80 stream.dcloud.net.cn tcp
CN 49.234.44.193:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 stream.mobihtml5.com udp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
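Reading this table by hand is error-prone: DNS lookups sit next to the connections they resolved, several flows carry no name, and the one non-standard port (8001) is easy to miss. The script below is an added example, not part of the report or of the sandbox's tooling. It parses rows in the table's own format (SAMPLE_ROWS is a constructed subset of the rows above) and separates names that were only queried from names actually connected to, direct-to-IP flows with no name attached, plaintext HTTP destinations, and ports other than 80/443. The classification rules are the example's own.

```python
"""Summarise a sandbox network table into triage findings.

Added example, not part of the report. SAMPLE_ROWS is a constructed subset
of the behavioral1 Network table (same format: country, ip:port, optional
domain, protocol); the finding rules below are this example's own.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    proto: str
    domain: Optional[str]  # None when the sandbox attached no name to the flow


# Rows look like "CN 115.159.41.92:80 stream.dcloud.net.cn tcp" or
# "GB 216.58.204.74:443 tcp" (no domain column).
ROW = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+(?:(\S+)\s+)?(tcp|udp)$"
)

SAMPLE_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 stream.dcloud.net.cn udp
CN 115.159.41.92:80 stream.dcloud.net.cn tcp
US 1.1.1.1:53 log.aldwx.com udp
CN 47.99.180.218:8001 tcp
CN 47.99.180.218:8001 tcp
US 1.1.1.1:53 ez4q2.cn udp
CN 112.65.70.244:80 ez4q2.cn tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
"""


def parse_rows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue  # blank or header row
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unparsable row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        flows.append(Flow(country, ip, int(port), proto, domain))
    return flows


def summarize(flows: List[Flow]) -> Dict[str, List[str]]:
    queried: Set[str] = set()                          # names seen in DNS queries
    resolved: Dict[str, Set[str]] = defaultdict(set)   # name -> IPs actually connected to
    direct_ip: Set[str] = set()                        # connections with no name attached
    plaintext_http: Set[str] = set()
    odd_ports: Set[str] = set()
    for f in flows:
        if f.port == 53 and f.proto == "udp":
            if f.domain:
                queried.add(f.domain)  # a lookup, not a connection to the name
            continue
        if ipaddress.ip_address(f.ip).is_multicast:
            continue  # mDNS/SSDP noise from the emulator
        if f.domain:
            resolved[f.domain].add(f.ip)
        else:
            direct_ip.add(f"{f.ip}:{f.port}/{f.proto}")
        if f.port == 80 and f.proto == "tcp":
            plaintext_http.add(f.domain or f.ip)
        if f.port not in (80, 443):
            odd_ports.add(f"{f.ip}:{f.port}/{f.proto}")
    return {
        "resolved": sorted(f"{d} -> {','.join(sorted(ips))}" for d, ips in resolved.items()),
        "queried_only": sorted(queried - set(resolved)),  # looked up, never connected
        "direct_ip": sorted(direct_ip),
        "plaintext_http": sorted(plaintext_http),
        "odd_ports": sorted(odd_ports),
    }


if __name__ == "__main__":
    for key, values in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(key)
        for v in values:
            print("   ", v)
```

On the rows above, queried_only surfaces log.aldwx.com (resolved but never connected to within the capture), direct_ip lists the two flows the sandbox could not name, and odd_ports isolates 47.99.180.218:8001, which is the one destination that deserves a pivot before the rest of the CN hosting addresses.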

Files

/data/data/io.dcloud.UNI4F780A2/.jiagu/libjiagu.so

MD5 f0f9ef36b67807a253b5932f865eae7b
SHA1 6a8d66c6efa2750b54cb763f4ad044bba4154e0d
SHA256 646dcd8290a30e992553186392239da39ce7c8e7c2fd87b3d6a880551782db75
SHA512 e7ea65467e557e4992e746d808cae3e2d16b42187b1a94326c47c689cef9fe21a2a9d2b312c60c8ff40e128dacbde84cd6b93a191ae38496584a45fe60c04548

/data/data/io.dcloud.UNI4F780A2/.jiagu/classes.dex

MD5 98d6156172e8f4025509ec01e52fcb94
SHA1 b994dbc3296198795aef755962f0bfa1cf944074
SHA256 ca3babe0ae89faf7e679fd1e7c515c2245d349b3399753f48e186e025f80f009
SHA512 0131587bfc091cdebef1756da15ddf44e11e93d06692ef3946a64dba88aa27617b0018590f2d273173a9ff833e2ccbca52984987d118b1602ba4c721682656c2

/data/data/io.dcloud.UNI4F780A2/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/io.dcloud.UNI4F780A2/files/.jglogs/.jg.ri

MD5 f68e894e57046aafbb8b7c970671f717
SHA1 4b26a503bbc2898e082985f14689360449678289
SHA256 fce28b8f34d1872881ece94f7c2a95f52822f68520d4a60a2086f6c4a30ef881
SHA512 7e4a2d67b64e7e87ea1466edb364fc6fbb04962d18256678d613a46a68f1c16b96980692cb6ddf93faa6ed256c9f4e23bb3a0cdb0c831496e293a5d001c59858

/data/data/io.dcloud.UNI4F780A2/files/.jglogs/.jg.ri

MD5 74b1c68246ec0a0f9a89c26c3eba3ae7
SHA1 38b4d000a86434da7bb6a45ffdf43895f80b1ba3
SHA256 ae9ece6284983074250f4fb330f1c16bf2a6ee22602f39f6083c565e7f484819
SHA512 07ebc38ca914d9f98d9620991365dffc827c3adc9967a1371f048e57d1b266bbb6378fad80d725874ffce46c2196016158a2c7e9c33edde38e43c4278ad3f254

/data/data/io.dcloud.UNI4F780A2/files/.jiagu.lock

MD5 13ce7f219f6ffb22dce08d411ca34ddb
SHA1 c5431eee2ae055a5312c0e891e157cc7ec0a8bf5
SHA256 433462e99f9cdc9655a2e75ec9fe4253404fdefc9fbe752b76eb757a4c3a5e4c
SHA512 b8e748e73906a73e50e8b88c082f45d1e47a813c2e94f579425f946c0ffa7253267ca8ee8d928d262ba755d67fa885c2fd4c4ea333edcbb18d325ea53aa6f764

/data/data/io.dcloud.UNI4F780A2/files/.jglogs/.jg.rd

MD5 595b11bb70f05243ca076e821353a32a
SHA1 c8f7970a56b35b3901a740099add4b7c649847e4
SHA256 f73035a5ba8871ea85aa64a167ed959c6dbcadf71872273376f46d7b9f845eff
SHA512 8085022e88f04d9594cdfebfee8db86e9fb6487be6a7801c06b7dcd3ed07af4dcf7b93adf99b931df8de05f19a6b0a27b12870684e94fbcd2758224c05c6300a

/data/data/io.dcloud.UNI4F780A2/files/.jglogs/.jg.store.report_pid

MD5 3df890f7f7f09caa4466f17ff8934757
SHA1 63c3f85c7d90cca012b9edba9e44a379ff9bc6d1
SHA256 2601a79b2d7eb524451a0a987bc8dde3000813081f8df6e381fb88775a06da35
SHA512 52a7551f3d63e54e9868df302e4371dc54e015c26fb34e972e22156bc824630abe8c1b49b9a9f368e5c245602fcc914b26a5361c88460c7dfdf498f43b651b33

/data/data/io.dcloud.UNI4F780A2/files/.jglogs/.jg.ac

MD5 85d5925d2b788ad7001efcf1bac82549
SHA1 763403cb533ff09ed3fd03ad0496cec703026131
SHA256 bdf2b7bffeefc457e18549985515173f0b5e7128ea04c70e82427c28ee52c133
SHA512 a1a23cba856726a57fe461b85f1060ff936f8b2d185b181e65c90199019f3bbdadc424deec330026afd3023064d0bdeedf5d4bd990316e35874a066754519c86

/data/data/io.dcloud.UNI4F780A2/files/.jglogs/.jg.ic

MD5 deb670fe210b41d1f279f764c3e2e2df
SHA1 c564079f854a23f5ed42f3b68c2e28b38aae1a27
SHA256 5a646267bb538acd6897742e7cce959efef7b3da59fd4e9dbfe4c2d9e3c6dbdf
SHA512 95b14919946ccc2740b5536235bdfef7239a6e3ac19d6091cca62d62a1dca45e1b5c159164ca8de3664c6b35cfe3c3b488348e3beded6d1489aa2f825c3de83d

/storage/emulated/0/.imei.txt

MD5 6f565a2a27191a896af5844f94e369bf
SHA1 ae532dae9768ad786401aebdb6f1fe9c625911d5
SHA256 67ecdd1e3f4970b770a5ab56235a88fcc33b579b40404a947aaa5c9a09f6c1c2
SHA512 ea80d052805f6cfcfd795676a9206382bc454d3effb011af4771614cb2a26eff2b4fb405416face33e5366669f4087aa9cf79128dc742172691e846ed8f5113f

/data/data/io.dcloud.UNI4F780A2/shared_prefs_ext/test_app

MD5 d24d5c7e4aa73946d7a7162ff4eb6fed
SHA1 ab3d1e52407b0124b16db6e845fe95724ba8fe68
SHA256 1e6d77aa47ecdfa9f3ab333e60bf2169ce26e64e905b8aeb7da36ce4b95833ec
SHA512 55479278dbd54c709f5ed55c976f6b0aa9ea1d3b401f35f249570541c58a2492b5ef26010a689b369693dd1e29632fd0b07175ed5584c8acc890184930cecc43

/data/data/io.dcloud.UNI4F780A2/files/cnc3ejE6/eje3cnc

MD5 585839d66722cfd02e40cb740cccb633
SHA1 374c19200fee201b26d0153487a281a934615884
SHA256 86a9bb4985cca6c9636c4fd071bef4b70ba7b3a5eb51af869a1299dc2b1574a8
SHA512 09bbe1bf1455861fd4732f2d1945c84bac34090906ac2fab75d144c22ffcf6bc585c8209e94a2b1919c8402df53966081a1af2993e12261ae4c4ac5568667d88

/data/data/io.dcloud.UNI4F780A2/files/.jglogs/.jg.ac

MD5 25eb4c0c5851dc3d9285d43a04016481
SHA1 cac0571d5313bddb733841c7ea7cc5370def4280
SHA256 615b1efac962845a0c32f2e2e8e882434469735f80429a7c4e27fd3379fe6815
SHA512 3b8d0ee7b689371addf9c199b32eb66ea8475dd2558efcce044de70420726d697aade27713a693bbcff5cae42c810b6c5c8cd022d2e07f89f7fee92ead9a7d53
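The "Loads dropped Dex/Jar" signature, the dex2oat process compiling .jiagu/tmp.dex and the classes.dex/tmp.dex hashes above are three views of one event: code that was not in the APK was written to the app's private directory and executed. When triaging such a tree pulled off a device, the check a practitioner wants is to identify DEX files by their header regardless of filename (hidden directories and non-.dex names included) and to verify the header's own integrity fields before trusting the file. The script below is an added example, not part of the report; it assumes the /data/data/<package> tree has been copied to a local directory, and the DEX it processes is constructed in memory (a header-only file) so it runs offline.

```python
"""Find and integrity-check DEX files dropped into an app's private data.

Added example, not part of the sandbox report. Assumes the app-data tree
(e.g. /data/data/io.dcloud.UNI4F780A2) has been pulled to a local path;
the DEX used in the demo is constructed in memory.
"""
import hashlib
import os
import struct
import tempfile
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional

DEX_MAGIC = b"dex\n"       # full magic is "dex\n" + 3-digit version + NUL
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


@dataclass
class DexInfo:
    version: str        # "035", "037", "038", "039", ...
    file_size: int      # as claimed by the header
    checksum_ok: bool   # adler32 over bytes 12..end matches the header field
    signature_ok: bool  # SHA-1 over bytes 32..end matches the header field
    sha256: str         # for cross-referencing the report's Files section


def parse_dex(data: bytes) -> Optional[DexInfo]:
    """Return header facts for a DEX blob, or None if the bytes are not a DEX.

    Header layout (little-endian): magic[8] @0, checksum u32 @8,
    signature[20] @12, file_size u32 @32, header_size u32 @36, endian_tag u32 @40.
    """
    if len(data) < HEADER_SIZE or not data.startswith(DEX_MAGIC) or data[7] != 0:
        return None
    version = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if header_size != HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
        return None
    return DexInfo(
        version=version,
        file_size=file_size,
        checksum_ok=(zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        signature_ok=hashlib.sha1(data[32:]).digest() == signature,
        sha256=hashlib.sha256(data).hexdigest(),
    )


def scan_for_dex(root: str) -> Dict[str, DexInfo]:
    """Walk root and report every file that parses as DEX, whatever its name.
    Dot-directories such as .jiagu/ are deliberately not skipped."""
    found: Dict[str, DexInfo] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = parse_dex(fh.read())
            except OSError:
                continue
            if info is not None:
                found[path] = info
    return found


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed test input: a header-only DEX whose checksum and signature
    are consistent with its bytes. Real payloads are larger; the header is the same."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC + version + b"\0"
    struct.pack_into("<III", hdr, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()                     # signature first,
    struct.pack_into("<I", hdr, 8, zlib.adler32(hdr[12:]) & 0xFFFFFFFF)  # then checksum over it
    return bytes(hdr)


def demo_scan() -> List[str]:
    """Lay out a constructed app-data tree (hidden .jiagu/ dir, a DEX under a
    misleading name, a lock file) and return the relative paths flagged as DEX."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".jiagu"))
        with open(os.path.join(root, ".jiagu", "tmp.dex"), "wb") as fh:
            fh.write(build_minimal_dex())
        with open(os.path.join(root, "cache.bin"), "wb") as fh:  # DEX without a .dex suffix
            fh.write(build_minimal_dex(b"039"))
        with open(os.path.join(root, ".jiagu.lock"), "wb") as fh:
            fh.write(b"lock")
        hits = scan_for_dex(root)
        return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in hits)


if __name__ == "__main__":
    print(parse_dex(build_minimal_dex()))
    tampered = bytearray(build_minimal_dex())
    tampered[0x50] ^= 1  # one flipped byte invalidates both header digests
    print(parse_dex(bytes(tampered)))
    print(demo_scan())
```

The sha256 field is what you compare against the classes.dex and tmp.dex hashes above. A file whose adler32 or SHA-1 field does not match its content was altered after it was produced by a dex compiler (rewritten in place by a stub, truncated, or only partially decrypted), so it should be re-extracted from a running process rather than treated as the payload.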

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 14:07

Reported

2024-06-16 14:07

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Nothing ran on this platform: no process launch, signature hit or file write was recorded in the 8 s network window, against 159 s of activity in behavioral1. With no process recorded, the traffic below cannot be attributed to the sample.

Network

Country Destination Domain Proto
GB 172.217.16.228:443 udp
GB 172.217.16.228:443 udp
GB 216.58.212.196:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 udp
GB 142.250.187.202:443 tcp
GB 142.250.187.202:443 tcp

Files

N/A