Malware Analysis Report

2025-01-19 08:02

Sample ID 240616-rkaggawejd
Target b3eecd5cdad3b99265f29b3f5337c9e8_JaffaCakes118
SHA256 9cfdd1339e9665e5bb0497e04af7332d32ce227dcdc27ccb108f5a7a06e97b45
Tags discovery evasion impact persistence
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file b3eecd5cdad3b99265f29b3f5337c9e8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Analysis: static1

Detonation Overview

Reported 2024-06-16 14:14

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-16 14:14
Reported 2024-06-16 14:17
Platform android-x86-arm-20240611.1-en
Max time kernel 105s
Max time network 182s

Command Line

com.zfw.jijia

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.zfw.jijia

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

/system/bin/sh -c type su

logcat -d -v threadtime

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp

Files

/data/data/com.zfw.jijia/databases/bugly_db_legu-journal


/data/data/com.zfw.jijia/databases/bugly_db_legu


/data/data/com.zfw.jijia/databases/bugly_db_legu-shm


/data/data/com.zfw.jijia/databases/bugly_db_legu-wal


Analysis: behavioral2

Detonation Overview

Submitted 2024-06-16 14:14
Reported 2024-06-16 14:18
Platform android-x64-20240611.1-en
Max time kernel 12s
Max time network 131s

Command Line

com.zfw.jijia

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.zfw.jijia/mix.dex | N/A | N/A
N/A | /data/data/com.zfw.jijia/mix.dex | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.zfw.jijia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
GB | 172.217.16.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.46:443 | | tcp
GB | 172.217.16.226:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp

Files

/data/data/com.zfw.jijia/databases/bugly_db_legu-journal


/data/data/com.zfw.jijia/databases/bugly_db_legu


/data/data/com.zfw.jijia/mix.dex


/data/data/com.zfw.jijia/app_bugly/tomb_1718547304572.txt


/data/data/com.zfw.jijia/app_bugly/rqd_record.eup

