Malware Analysis Report

2025-01-19 08:02

Sample ID 240616-rpw62awfqg
Target b3f6e5ba6815a30e5f88c0968e7318a3_JaffaCakes118
SHA256 8fda5719f38b95dc43c2133b37cd107519c79fb179a51fc8ac4674d00890e3ad
Tags: discovery evasion impact persistence
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Mobile Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: 8fda5719f38b95dc43c2133b37cd107519c79fb179a51fc8ac4674d00890e3ad
Threat Level: Likely malicious

The file b3f6e5ba6815a30e5f88c0968e7318a3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Tactics covered by the signatures in this report: Discovery, Defense Evasion, Persistence and Impact (the sandbox tags discovery, evasion, persistence and impact).

Analysis: static1

Detonation Overview

Reported: 2024-06-16 14:22

Signatures

Requests dangerous framework permissions

(Process and Target are N/A for every row: this is a static check of the manifest, not an observed call.)

Indicator                                   Description
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.CALL_PHONE               Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_PHONE_STATE         Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_FINE_LOCATION     Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.GET_ACCOUNTS             Allows access to the list of accounts in the Accounts Service.
android.permission.RECORD_AUDIO             Allows an application to record audio.
android.permission.CAMERA                   Required to be able to access the camera device.
android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.
android.permission.PROCESS_OUTGOING_CALLS   Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
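Two of the twelve permissions above are not runtime ("dangerous") permissions at all: SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are special app access permissions (protection level includes appop) that the user grants from a Settings screen rather than a prompt, which is why overlay-based phishing and UI hijacking rely on the first of them. CALL_PHONE together with PROCESS_OUTGOING_CALLS (deprecated since API 29) lets an app place and redirect calls without the dialer UI. The script below is an added example, not part of the sandbox report: it parses a manifest and buckets the permissions by protection level and by the capability they enable. The manifest string is constructed to declare the twelve permissions flagged above plus android.permission.INTERNET (assumed present; the sandbox lists only non-normal permissions); for a real sample, extract AndroidManifest.xml with apktool first.

```python
"""Bucket the <uses-permission> entries of an AndroidManifest.xml.

Added example, not part of the sandbox report. SAMPLE_MANIFEST is
constructed; android.permission.INTERNET is an assumption. Protection
levels follow the public Android permission reference.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions (protectionLevel "dangerous"): prompted at first use.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
}

# Special app access (protectionLevel includes "appop"): no runtime prompt,
# the user toggles it in Settings. Overlay is the classic phishing enabler.
SPECIAL_ACCESS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.PACKAGE_USAGE_STATS",
}

# Permission sets that together give a capability worth naming in a report.
CAPABILITIES = {
    "overlay-phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "silent-dialing": {"android.permission.CALL_PHONE",
                       "android.permission.PROCESS_OUTGOING_CALLS"},
    "device-fingerprint": {"android.permission.READ_PHONE_STATE"},
    "audio-video-capture": {"android.permission.RECORD_AUDIO",
                            "android.permission.CAMERA"},
}

# Constructed manifest: the static1 permission list plus INTERNET (assumed).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.xhh.kdw">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="kdw"/>
</manifest>
"""


def parse_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def classify(perms):
    """Split permissions into runtime, special-access and everything else."""
    perms = set(perms)
    return {
        "dangerous": sorted(perms & DANGEROUS),
        "special_access": sorted(perms & SPECIAL_ACCESS),
        "normal_or_unknown": sorted(perms - DANGEROUS - SPECIAL_ACCESS),
        "capabilities": sorted(name for name, need in CAPABILITIES.items()
                               if need <= perms),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify(parse_permissions(SAMPLE_MANIFEST)), indent=2))
```

Run it against the real manifest (`apktool d sample.apk`, then point it at the decoded AndroidManifest.xml) and compare the "dangerous" bucket with the sandbox's list; anything the sandbox did not list but the script flags is worth a second look.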

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 14:22
Reported: 2024-06-16 14:25
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 178s

Command Line

com.xhh.kdw

Signatures

(Process and Target are N/A for every indicator in this run.)

Checks if the Android device is rooted.  [evasion]
  Indicator: /system/app/Superuser.apk
  Indicator: /sbin/su

Queries information about active data network  [discovery]
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection  [discovery]
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]
  Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)  [impact]
  Framework API call: javax.crypto.Cipher.doFinal

Checks memory information
  File opened for read: /proc/meminfo

Processes

(Indented lines are child processes of the line above; each `/system/bin/sh -c` wrapper spawns the getprop it wraps.)

com.xhh.kdw
  /system/bin/sh -c getprop ro.board.platform
    getprop ro.board.platform
  /system/bin/sh -c type su
  logcat -d -v threadtime
  /system/bin/sh -c getprop ro.miui.ui.version.name
    getprop ro.miui.ui.version.name
  /system/bin/sh -c getprop ro.build.version.emui
    getprop ro.build.version.emui
  /system/bin/sh -c getprop ro.lenovo.series
    getprop ro.lenovo.series
  /system/bin/sh -c getprop ro.build.nubia.rom.name
    getprop ro.build.nubia.rom.name
  /system/bin/sh -c getprop ro.meizu.product.model
    getprop ro.meizu.product.model
  /system/bin/sh -c getprop ro.build.version.opporom
    getprop ro.build.version.opporom
  /system/bin/sh -c getprop ro.vivo.os.build.display.id
    getprop ro.vivo.os.build.display.id
  /system/bin/sh -c getprop ro.aa.romver
    getprop ro.aa.romver
  /system/bin/sh -c getprop ro.lewa.version
    getprop ro.lewa.version
  /system/bin/sh -c getprop ro.gn.gnromvernumber
    getprop ro.gn.gnromvernumber
  /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
    getprop ro.build.tyd.kbstyle_version
  /system/bin/sh -c getprop ro.build.fingerprint
    getprop ro.build.fingerprint
  /system/bin/sh -c getprop ro.build.rom.id
    getprop ro.build.rom.id
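The process list is two things at once: one shell-side root probe (`type su`, the PATH lookup that complements the Superuser.apk and /sbin/su file checks in the Signatures section) and a run of getprop reads for vendor ROM properties (MIUI, EMUI, ColorOS, Funtouch, Flyme, Lenovo, nubia and others). That ROM fingerprinting is routinely done by SDKs built for Chinese OEM handsets and is not malicious on its own, but it is the same reconnaissance a loader uses to decide which root or permission-nagging path to take, so it belongs in the write-up with the root probe. The script below is an added example, not part of the report: it collapses the sh -c parent/child pairs, separates root probes from ROM fingerprinting and leaves the remainder for manual review. SAMPLE_COMMANDS is the process list above; the root-probe patterns, the canonical su/root-manager path list and the property-to-vendor map are mine, and only properties whose vendor is well known are mapped (the rest are reported as unmapped rather than guessed).

```python
"""Triage the child commands a sample spawns.

Added example, not part of the sandbox report. SAMPLE_COMMANDS is copied
from the Processes list; the patterns and vendor map are the analyst's.
"""
import re
import shlex

SAMPLE_COMMANDS = [
    "/system/bin/sh -c getprop ro.board.platform", "getprop ro.board.platform",
    "/system/bin/sh -c type su",
    "logcat -d -v threadtime",
    "/system/bin/sh -c getprop ro.miui.ui.version.name", "getprop ro.miui.ui.version.name",
    "/system/bin/sh -c getprop ro.build.version.emui", "getprop ro.build.version.emui",
    "/system/bin/sh -c getprop ro.lenovo.series", "getprop ro.lenovo.series",
    "/system/bin/sh -c getprop ro.build.nubia.rom.name", "getprop ro.build.nubia.rom.name",
    "/system/bin/sh -c getprop ro.meizu.product.model", "getprop ro.meizu.product.model",
    "/system/bin/sh -c getprop ro.build.version.opporom", "getprop ro.build.version.opporom",
    "/system/bin/sh -c getprop ro.vivo.os.build.display.id", "getprop ro.vivo.os.build.display.id",
    "/system/bin/sh -c getprop ro.aa.romver", "getprop ro.aa.romver",
    "/system/bin/sh -c getprop ro.lewa.version", "getprop ro.lewa.version",
    "/system/bin/sh -c getprop ro.gn.gnromvernumber", "getprop ro.gn.gnromvernumber",
    "/system/bin/sh -c getprop ro.build.tyd.kbstyle_version", "getprop ro.build.tyd.kbstyle_version",
    "/system/bin/sh -c getprop ro.build.fingerprint", "getprop ro.build.fingerprint",
    "/system/bin/sh -c getprop ro.build.rom.id", "getprop ro.build.rom.id",
]

# Shell-side root probes; the file-side ones are handled by root_artifact_hits.
ROOT_PROBES = [
    (re.compile(r"^(type|which|command -v)\s+su$"), "looks up a su binary in PATH"),
    (re.compile(r"^su(\s|$)"), "invokes su"),
    (re.compile(r"superuser\.apk|magisk|supersu", re.I), "looks for a root manager"),
]

# Canonical su / root-manager locations checked by common root detectors.
ROOT_ARTIFACT_PATHS = {
    "/system/app/Superuser.apk", "/sbin/su", "/system/bin/su", "/system/xbin/su",
    "/data/local/xbin/su", "/data/local/bin/su", "/system/sd/xbin/su",
    "/system/bin/failsafe/su", "/data/local/su", "/su/bin/su",
}

# Only properties whose owner is well known; anything else stays unmapped.
ROM_PROPERTIES = {
    "ro.miui.ui.version.name": "Xiaomi MIUI",
    "ro.build.version.emui": "Huawei EMUI",
    "ro.build.version.opporom": "OPPO ColorOS",
    "ro.vivo.os.build.display.id": "vivo Funtouch OS",
    "ro.meizu.product.model": "Meizu Flyme",
    "ro.lenovo.series": "Lenovo",
    "ro.build.nubia.rom.name": "nubia",
    "ro.build.fingerprint": "build fingerprint (every Android device)",
    "ro.board.platform": "SoC platform (every Android device)",
}


def normalise(cmd):
    """Drop a `/system/bin/sh -c` wrapper so parent and child read the same."""
    argv = shlex.split(cmd)
    if len(argv) >= 3 and argv[0].endswith("/sh") and argv[1] == "-c":
        argv = argv[2:]
    return " ".join(argv)


def classify(commands):
    """Bucket de-duplicated commands: root probe, ROM fingerprint, unmapped, other."""
    out = {"root_probes": [], "rom_fingerprint": {}, "unmapped_props": [], "other": []}
    seen = set()
    for cmd in commands:
        norm = normalise(cmd)
        if norm in seen:
            continue
        seen.add(norm)
        why = next((w for rx, w in ROOT_PROBES if rx.search(norm)), None)
        if why:
            out["root_probes"].append((norm, why))
            continue
        m = re.fullmatch(r"getprop\s+(\S+)", norm)
        if m:
            prop = m.group(1)
            if prop in ROM_PROPERTIES:
                out["rom_fingerprint"][prop] = ROM_PROPERTIES[prop]
            else:
                out["unmapped_props"].append(prop)
            continue
        out["other"].append(norm)
    return out


def root_artifact_hits(paths):
    """Which of the accessed paths are known root artifacts."""
    return sorted(set(paths) & ROOT_ARTIFACT_PATHS)


if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE_COMMANDS), indent=2))
    print(root_artifact_hits(["/system/app/Superuser.apk", "/sbin/su", "/proc/meminfo"]))
```

Feed the file-access indicators from the Signatures section to root_artifact_hits and the process list to classify; the logcat -d read lands in "other" and is worth noting separately, since dumping the whole log buffer is how crash SDKs (and some stealers) collect context from other apps.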

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp

Files

(bugly_db_legu is the Bugly SDK's SQLite database; the -journal, -shm and -wal entries are its rollback journal, shared-memory index and write-ahead log. Their contents change on every run, so none of these hashes are reusable indicators; hash-hunt on dropped code such as the mix.dex seen in the behavioral2 run instead.)

/data/data/com.xhh.kdw/databases/bugly_db_legu-journal

MD5 19b82134c9a292fc13890706149c9729
SHA1 af031adfcf48c61f29ea975f88a6663125e32b68
SHA256 e794ffa9416bb12bb882f2a8d3a7d7b571702ac8108496fbf45df47303b8e3da
SHA512 92e2115bb1fe7d817cd7f36445ee7bcaadb474cda7324d33b0ab933276d580274fa228df23b665d498ecf70ede34a9cd1791559f327f18a1118f33db88ca11a1

/data/data/com.xhh.kdw/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xhh.kdw/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xhh.kdw/databases/bugly_db_legu-wal

MD5 7cdd2a469115b3f5059bbb5d551113cf
SHA1 9b01c2e1e0095f4b7c2ea822456d761f0368b4eb
SHA256 20754eda7197b3a05d1bd512a1095cb449f7b409636f5d4bf8c6d664b336b30e
SHA512 2fb03fb52608a88c2ef0a069fe8b5146a9b57916f8e343b57cfaf2f3c644eddfc59d70ab3cdb1b13d1f953f08f06607fe64180c95de834117cd346811db82f3f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 14:22
Reported: 2024-06-16 14:25
Platform: android-x64-20240611.1-en
Max time kernel: 11s
Max time network: 131s

Command Line

com.xhh.kdw

Signatures

(Process and Target are N/A for every indicator in this run.)

Checks if the Android device is rooted.  [evasion]
  Indicator: /system/app/Superuser.apk

Loads dropped Dex/Jar  [evasion]
  Indicator: /data/data/com.xhh.kdw/mix.dex (listed twice in this run)
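A DEX that is written to the app's private directory and then loaded is the signature of a packer unpacking its real payload or of a downloader staging a second module, so mix.dex (hashes in the Files section) is the artifact to pull and inspect. The first check on it is whether it is a real DEX at rest: the runtime verifies the header magic, an Adler-32 checksum over everything after the checksum field and a SHA-1 signature over everything after the signature field, and a file that fails those is either still encrypted (decrypted only in memory, in which case hook the class loader instead) or not DEX at all. The script below is an added example, not part of the report: it performs that header verification the way the runtime does. The header-only DEX it builds is constructed test input; on a real sample, point it at the file pulled from the device (for example `adb pull /data/data/com.xhh.kdw/mix.dex` on a rooted test device) or downloaded from the sandbox.

```python
"""Verify the header of a dropped DEX the way the Android runtime does.

Added example, not from the sandbox report. build_minimal_dex() is a
constructed header-only DEX used as test input.
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678
KNOWN_VERSIONS = {b"035", b"037", b"038", b"039"}  # versions this check recognises


def parse_dex_header(data):
    """Return header fields plus the integrity checks the runtime applies."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    if data[0:4] != b"dex\n" or data[7:8] != b"\x00":
        raise ValueError("bad DEX magic: %r" % data[0:8])
    version = data[4:7]
    checksum, = struct.unpack_from("<I", data, 0x08)
    signature = data[0x0C:0x20]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    class_defs_size, class_defs_off, data_size, data_off = struct.unpack_from("<IIII", data, 0x60)
    return {
        "version": version.decode(),
        "version_known": version in KNOWN_VERSIONS,
        # Adler-32 covers everything after the checksum field itself.
        "checksum_ok": checksum == (zlib.adler32(data[0x0C:]) & 0xFFFFFFFF),
        # SHA-1 covers everything after the signature field.
        "signature_ok": signature == hashlib.sha1(data[0x20:]).digest(),
        "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == DEX_ENDIAN_TAG,
        "class_defs": class_defs_size,
        "data_section": (data_off, data_size),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_valid_dex(data):
    """True only if magic, version, checksum, signature, sizes and endianness all pass."""
    try:
        h = parse_dex_header(data)
    except ValueError:
        return False
    return all(h[k] for k in ("version_known", "checksum_ok", "signature_ok",
                               "size_ok", "endian_ok"))


def build_minimal_dex():
    """Constructed header-only DEX (no classes) with correct checksum and signature."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 0x20, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    # all remaining size/offset fields stay zero: no map, ids, classes or data
    hdr[0x0C:0x20] = hashlib.sha1(bytes(hdr[0x20:])).digest()
    struct.pack_into("<I", hdr, 0x08, zlib.adler32(bytes(hdr[0x0C:])) & 0xFFFFFFFF)
    return bytes(hdr)


def corrupt(data, offset):
    """Flip one byte, simulating a still-encrypted or tampered payload."""
    b = bytearray(data)
    b[offset] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_dex()
    for key, value in parse_dex_header(blob).items():
        print("%-14s %s" % (key, value))
```

A valid header with a non-zero class_defs count means the payload is plain DEX and can go straight into a decompiler; a valid header whose checksum or signature fails usually means the packer patched the file after writing it, and a bad magic means the bytes on disk are not what the class loader sees.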

Queries information about active data network  [discovery]
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection  [discovery]
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the unique device ID (IMEI, MEID, IMSI)  [discovery]
  (no indicator row recorded for this run)

Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]
  Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)  [impact]
  Framework API call: javax.crypto.Cipher.doFinal

Checks memory information
  File opened for read: /proc/meminfo

Processes

com.xhh.kdw

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
GB 142.250.200.14:443 tcp
GB 172.217.169.66:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.204.78:443 tcp
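Read together, the two Network tables resolve to three named endpoints (android.bugly.qq.com, ssl.google-analytics.com, android.apis.google.com) plus a handful of unresolved Google-range TLS connections, and the only cleartext traffic is the repeated port-80 posts to android.bugly.qq.com. Crash-reporting SDKs that post over plain HTTP expose whatever device identifiers they collect to anyone on the path, which matters here because the sample also queries IMEI/MEID/IMSI. The script below is an added example, not part of the report: it folds the raw rows into one line per endpoint, uses the DNS rows only to learn names, attributes a bare-IP TLS connection to a name the same capture resolved for that IP, and flags cleartext HTTP. SAMPLE_ROWS are the rows from both behavioral runs copied verbatim; the parser and the endpoint labels in KNOWN are mine (analyst knowledge, not sandbox output).

```python
"""Fold a sandbox Network table into one line per endpoint.

Added example, not part of the report. SAMPLE_ROWS is copied from the two
behavioral runs; KNOWN holds assumed labels supplied by the analyst.
"""

KNOWN = {
    "android.bugly.qq.com": "Tencent Bugly crash reporting",
    "ssl.google-analytics.com": "Google Analytics",
    "android.apis.google.com": "Google (GMS) infrastructure",
}

SAMPLE_ROWS = """\
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
GB 142.250.200.14:443 tcp
GB 172.217.169.66:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.204.78:443 tcp
"""


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarise(rows):
    """One entry per endpoint; DNS (port 53) and mDNS rows are folded away."""
    # names learned from non-DNS rows that carried a domain
    ip_to_name = {r["ip"]: r["domain"] for r in rows if r["domain"] and r["port"] != 53}
    summary = {}
    for r in rows:
        if r["port"] == 53 or (r["ip"] == "224.0.0.251" and r["port"] == 5353):
            continue
        key = r["domain"] or ip_to_name.get(r["ip"], r["ip"])
        e = summary.setdefault(key, {"label": KNOWN.get(key, "unknown"), "ips": set(),
                                     "ports": set(), "countries": set(),
                                     "connections": 0, "cleartext": False})
        e["ips"].add(r["ip"])
        e["ports"].add(r["port"])
        e["countries"].add(r["country"])
        e["connections"] += 1
        if r["proto"] == "tcp" and r["port"] == 80:
            e["cleartext"] = True
    return summary


def cleartext_endpoints(summary):
    return sorted(k for k, e in summary.items() if e["cleartext"])


def unresolved_endpoints(summary):
    """Bare IPs with no name in the capture: candidates for a PCAP/SNI look."""
    return sorted(k for k in summary if k[0].isdigit())


if __name__ == "__main__":
    s = summarise(parse_rows(SAMPLE_ROWS))
    for key, e in sorted(s.items(), key=lambda kv: -kv[1]["connections"]):
        print("%-28s %-30s conns=%d cleartext=%s ips=%d" % (
            key, e["label"], e["connections"], e["cleartext"], len(e["ips"])))
```

The unresolved port-443 connections are the ones the DNS rows cannot name; the TLS SNI in the sandbox's PCAP (or the Google certificate SANs) will usually close that gap before anything is written up as C2.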

Files

/data/data/com.xhh.kdw/databases/bugly_db_legu-journal

MD5 2ce3b61fdf6cfdfb52684fdd6999156d
SHA1 11ccc31708c8214273d029a04c1ec8c431db98d5
SHA256 adbbb9422626bbd27509ced2f4d803719ee94e8718a3e67c06c9cadbc46746a2
SHA512 719ced34a2d3f4edb6935e615f616fbae1e0b4fba7f08bbfff7fcf5b4ea69fee52d81a7b837e1e7bbfab26bf6ac81ee454d643602e855a2db9916ef3c3c448d0

/data/data/com.xhh.kdw/databases/bugly_db_legu

MD5 7bb5a02836fb9c91a51c6e438fb48e4d
SHA1 179f1ed37b4eca0c96f556710be3f38a40224b6b
SHA256 761eaea1ae151e56da2ddf15eb1309896c20601a1b25891ee3fb03a1eb2cf3d1
SHA512 e6de6765c1f1314f91b4d4853c19aaf7276d12470f2f2430b2bd28ad2c12a311df47a9db06d16c4cc30a64a795581fe9d50035f3d3bc45fc3685d5317ac41d3a

/data/data/com.xhh.kdw/databases/bugly_db_legu-journal

MD5 bf35ad6a79a9db6d7fdd94ba01eddb33
SHA1 fe75ef4e1911ab1ca9d359debc742dee17ad9797
SHA256 4d09eb3c1b3bc071ee7e54f00b5271606f2b58a19a89d07661e825117cc5a574
SHA512 719b173f9bf831bf63569f4b57bb4f52a1f129333570bd3f2149b85378052c6942e6637aab86694d7e611d4282e023b6c73c54cabad5c557ba2ca405b240ce83

/data/data/com.xhh.kdw/databases/bugly_db_legu-journal

MD5 0e41e668a1d966de8b631ab80470e14f
SHA1 4de6058fff928bd3a19e0eec314ccec2ff2e79a9
SHA256 2f4b0a1fee3942ff2a235863d00c11c94cc85a23feb5e0b957b45f07b13dec8d
SHA512 081bf1142a99b0ba597d7ee679f1ac1f05053801eb084ba94d4bf21cb59fd73c4678ffd4c656f057db4bcc25058be4a7443d260e1b16c790f4d405741055d898

/data/data/com.xhh.kdw/databases/bugly_db_legu-journal

MD5 41a4fbf47a1fd21ab5960a6420bd7ce7
SHA1 2fc94ae5dd6575e6627de874de50b52e54b6998e
SHA256 55394bcfd9b3f1a9a8d104b60529a03565538fd0f28ba1d1ee4b843686ab673d
SHA512 8772306aea55a5a23eaf636a42a987d91ae237eefa5867b57cef89b04dee6b4111e4ee3100a9f5a404ac92c24c699d5daba2917502cae315053e2921bd3ddb60

/data/data/com.xhh.kdw/databases/bugly_db_legu-journal

MD5 cacbea3b9bca747e8d3dc130b0fc7804
SHA1 718d1135fb97efb3b48bf97ea1ad6640c80367ef
SHA256 4452e0e7d242fbe28612d9e94948d71ab98f8d92d6e63704784284c968534974
SHA512 89e5dc17cb1a09ad6ec76d6c6b77246c09df1a734d60a49b3240311ec9788878c404eab42cfd805e61ed1dce5e0b8d9997f62b33f296fa8e510b18fe3037d69d

/data/data/com.xhh.kdw/databases/bugly_db_legu-journal

MD5 d32a0700b859f963e5498b0feea31fba
SHA1 34cdb32f06b5db1e85752ad99d956595e369583f
SHA256 57b9804482374c8c2b6fcc6657a479e59be5267dbcfe655b4c4797120ac9e083
SHA512 e85c15aa3f15aeec31a3c4c498f0e627a1a971ff31373cd781d6351f79e4a7680e69c7f9cb33138c29e3edcd8955b3f49637f4641d9263110f14165405e81a15

/data/data/com.xhh.kdw/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/data/data/com.xhh.kdw/app_bugly/tomb_1718547776895.txt

MD5 bd0f8f8f3ad93fa07623422ec6e72003
SHA1 c3589295e7a4ddcf35bcd7a2c13bfd381783821a
SHA256 7fe875398dea7537a57a77c5275cbc8647aaf63ab6fd9148443b65df2e1d0647
SHA512 2ec3e073321262b667afbf98fe4e9f51e4c0c58baaad506b120239031f10699d699b94470bef13007bd6199df3d3b03f1eaf147c0cba5178aee7e267072b1c0b

/data/data/com.xhh.kdw/app_bugly/rqd_record.eup

MD5 25cb5dc2b7698f8fb1367f67b1124e27
SHA1 45df9eec3747c49a2ddafb73e065639bf859d358
SHA256 bd3715055cfb8dbcc08595ceab3c1c813d59d61c86737e5e7eb06f62aeb5f99b
SHA512 5c6440087298de153a5648cc12c041d008fcf519c8bbc64ccc010a38ef434fef6b0786bd7d4a35c1a12ca4a142969bf4660de0618b127329bc381ca430ec3ebf

/data/data/com.xhh.kdw/app_bugly/rqd_record.eup

MD5 88727114cb9bffe2dba56815c84abb88
SHA1 13c79d432bd2fec612a7f31234066417d2633190
SHA256 e8ff9a87c187c0f565fdfc994ecffb804ba15a56a5d84393c4088bd33a799c2e
SHA512 0e6cacca30c5a9788764260581eecdabf747766674f038cf46306a2fe942625f9bdf59144f6f0ef7cc1ef6b2dc770960ccb49aea3e9c0b3d524a70a6ed9c5250

/data/data/com.xhh.kdw/cache/tomb.zip

MD5 dedc1123e8328afbd3bfe7f40ddd3e93
SHA1 16b2565facff0de1a58ced6f4c34b7956c2fb962
SHA256 b30394242ea20da00e357661d795639c0197d4d4d28a4b07f70df358c1a90769
SHA512 604ff08ea8f189bccb290eca3f4d87d262650440c92ff275c3432b026a6d70d7437d1c77503ba48d51531359b90e48b11915034cc4baac03fb9ff6be4a546542