Analysis Overview
SHA256
9cfdd1339e9665e5bb0497e04af7332d32ce227dcdc27ccb108f5a7a06e97b45
Threat Level: Likely malicious
The file b3eecd5cdad3b99265f29b3f5337c9e8_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries the unique device ID (IMEI, MEID, IMSI)
Queries information about active data network
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 14:14
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 14:14
Reported
2024-06-16 14:17
Platform
android-x86-arm-20240611.1-en
Max time kernel
105s
Max time network
182s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.zfw.jijia
/system/bin/sh -c getprop ro.board.platform
getprop ro.board.platform
/system/bin/sh -c type su
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
Files
/data/data/com.zfw.jijia/databases/bugly_db_legu-journal
| MD5 | be97ee6f5f09e392ed294b2e55aa6f56 |
| SHA1 | f1342a19078d4446e44914fa332781bb4cf0d8c7 |
| SHA256 | 114595752bfad6cdb4d2055f866c55326cf5ef00de25aa4a5dd75ee8c3b74e17 |
| SHA512 | 0fb0c499ce55c88f77939dc12ca34a5eb49224dae6164541a6a99508a0f68c07de9ff10c893ada0b2efc24f6f064b1bd4e1f09d87d732184513701af90342ab7 |
/data/data/com.zfw.jijia/databases/bugly_db_legu
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.zfw.jijia/databases/bugly_db_legu-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.zfw.jijia/databases/bugly_db_legu-wal
| MD5 | 3de93bf09d722c6ecd7cdeb997b3daa3 |
| SHA1 | 353113dc7be10f6c24879bc9e371b2fe8fbd5161 |
| SHA256 | 13225ca8aadc11ff71763553433107e099cfa86f00073c945e311ecde00df397 |
| SHA512 | d91314186e8df2d943cedd5bf77c6d2722ce0e1903bae401967536f0ea23273cd9aa9565d02d7c5c933f5c70d276265004819b8845cdf8946e92790402054490 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 14:14
Reported
2024-06-16 14:18
Platform
android-x64-20240611.1-en
Max time kernel
12s
Max time network
131s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.zfw.jijia/mix.dex | N/A | N/A |
| N/A | /data/data/com.zfw.jijia/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.zfw.jijia
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| GB | 172.217.16.234:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 172.217.169.46:443 | | tcp |
| GB | 172.217.16.226:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
Files
/data/data/com.zfw.jijia/databases/bugly_db_legu-journal
| MD5 | 7b49ab01b97c96c4ed25de7e31404b0b |
| SHA1 | 81e364fbecd3bb2dd056288ddc79c6ccf22a45d2 |
| SHA256 | 21dda2f3c35b01df19f5a09f766fb8c23f2388753d1eb7dc7b8686e06a0f5a8d |
| SHA512 | 2859845c466973900435e7d583c567d723c1d19afda4c0db3adbd95f14400221f3054c7693b3f03122de52299d4bb477f49b4166516fe52f861072744926ef33 |
/data/data/com.zfw.jijia/databases/bugly_db_legu
| MD5 | fe966639d0054255f28efbd10cc5a295 |
| SHA1 | aabe56d40814f8c31d0fbd1349f1e0d989713860 |
| SHA256 | c6e14e7fcc4a3c100b5fe698250a388ba30d967c7fc4ef0a4dff89f6f566ac2d |
| SHA512 | 091a360110f6a8382accad08593d8f372de8dd8cbd7e4007483746c049f045480641e3a2afa65bcca0afdb04b70ad132a8621f97a9284be921f5f02d3bd6c6de |
/data/data/com.zfw.jijia/databases/bugly_db_legu-journal
| MD5 | 75994a14b9a77a12c3be9e3ef615fd75 |
| SHA1 | 0daebcd271973d662d97f5a9f9ed52fccce12196 |
| SHA256 | d25df362e4206ebdc133521d7b3b55c2ea2fa67c1315833b2ea73399ae69201e |
| SHA512 | 7cd4dd56410804829ccb21bf23f00c991cee1b8b023e42865bf999a5f0db40baaf7bcd0c527713091162d46444fe062d37335ce83e756a16f2362d12bb349fd9 |
/data/data/com.zfw.jijia/databases/bugly_db_legu-journal
| MD5 | 1865f9d6be0367e440427234a6e26af1 |
| SHA1 | a90ed189e90c2cb6547d35c0044693293e9b7b6a |
| SHA256 | 282dde2921896df0d7da416e5a6c8e090edefbf9171cad900d6965a6228d57b9 |
| SHA512 | 57b80dbb05d3929ed02a82a308327689e2dce91d57119ab3a2b9a2d258a874b131b03f1106f77d89b1021443215d5b079a0a6ee7a40b2e0914727f95ee406e58 |
/data/data/com.zfw.jijia/databases/bugly_db_legu-journal
| MD5 | bd69c0ed02e3fe2c2eb66b590fe6bab1 |
| SHA1 | cfae1f490db1f749569f9ea9efaa412d1eb94939 |
| SHA256 | 922b5c567c1bb62a547dd96ce1a4336e182fd5005ed0d5b239ff17485be43917 |
| SHA512 | 5e34e2f9be003aaa39aad5abe39114d42275021502a57fb6fc071983365070b943a56946c81b6f6c3ed62762946f56534094c1d5876d654b8fd29f8464788e4a |
/data/data/com.zfw.jijia/databases/bugly_db_legu-journal
| MD5 | f3efccb30e5dc79e57a7bca1e5660298 |
| SHA1 | 2ffc46010af28a32fc284b7094d8eb1f67949f6c |
| SHA256 | fce086a1bc17d748d42c84bc148201c1df6a3e45af00c14292f28414d29c26df |
| SHA512 | a9a044ce2fd0be336ebeb7d2cc308933ae3d31634c6d3fd57adac568f1e6e81e1bec31d503e7a3b52472af4a8ffd9ea0019e2b34e8998d88986eed1d4fe2cec1 |
/data/data/com.zfw.jijia/databases/bugly_db_legu-journal
| MD5 | f6d6c6bd8321e35aeda7973326521bc2 |
| SHA1 | 2313c4305d7decbbc204d42cb24c18fd7bf1909f |
| SHA256 | 22e4b038f7f5e3128c153c669a6964a7cb62240ae0a160d785751b043da7685b |
| SHA512 | d04dff5360ee920c56a6e7677b227c0ca9098defa00825608554e4e69004cf48caf736a28b352c505cdfb42fda4fe66fb40f94f8ecf84cc59be2ef1043f2af98 |
/data/data/com.zfw.jijia/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
/data/data/com.zfw.jijia/app_bugly/tomb_1718547304572.txt
| MD5 | bd0f8f8f3ad93fa07623422ec6e72003 |
| SHA1 | c3589295e7a4ddcf35bcd7a2c13bfd381783821a |
| SHA256 | 7fe875398dea7537a57a77c5275cbc8647aaf63ab6fd9148443b65df2e1d0647 |
| SHA512 | 2ec3e073321262b667afbf98fe4e9f51e4c0c58baaad506b120239031f10699d699b94470bef13007bd6199df3d3b03f1eaf147c0cba5178aee7e267072b1c0b |
/data/data/com.zfw.jijia/app_bugly/rqd_record.eup
| MD5 | 68683cb1b95082b9b47cf17cd8b35dac |
| SHA1 | 848d54b5d95d4522a8b4e914b6b5698a97c4329a |
| SHA256 | 15829dc52d80a8b505da1963699d6f2c9d76090aaca591a6224db3714882ac5b |
| SHA512 | 63a544f47499959fca65e503ab1d0a50280298980725339bccbff7b087b6b56e1ae4345877568facb8b7b98f5115664f3da34cc285db1755f2d9348f37e06b0f |
/data/data/com.zfw.jijia/app_bugly/rqd_record.eup
| MD5 | ad67b6ff9aab3fb58a9688174d3e0159 |
| SHA1 | 96375c0a20b09e578abed2a5fc5f69d7e13f5701 |
| SHA256 | cd046de48f1b7a7688c49f0c3ed9406f5e73531b42b16c0555b65391aa1fcc28 |
| SHA512 | a50a36bb09aab8132c1522bada1295a018d39243e7ce729b1f0e819b709839d5f1cf6cb6e28a1be8cbb7d7042905288b03e326e92de3b64519da61d564030e7c |