Analysis Overview
SHA256
8fda5719f38b95dc43c2133b37cd107519c79fb179a51fc8ac4674d00890e3ad
Threat Level: Likely malicious
The file b3f6e5ba6815a30e5f88c0968e7318a3_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries the unique device ID (IMEI, MEID, IMSI)
Queries information about active data network
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 14:22
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 14:22
Reported
2024-06-16 14:25
Platform
android-x86-arm-20240611.1-en
Max time kernel
179s
Max time network
178s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.xhh.kdw
/system/bin/sh -c getprop ro.board.platform
getprop ro.board.platform
/system/bin/sh -c type su
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.74:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| GB | 142.250.187.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
Files
/data/data/com.xhh.kdw/databases/bugly_db_legu-journal
/data/data/com.xhh.kdw/databases/bugly_db_legu
/data/data/com.xhh.kdw/databases/bugly_db_legu-shm
/data/data/com.xhh.kdw/databases/bugly_db_legu-wal
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 14:22
Reported
2024-06-16 14:25
Platform
android-x64-20240611.1-en
Max time kernel
11s
Max time network
131s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.xhh.kdw/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.xhh.kdw
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 142.250.179.234:443 | N/A | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
| GB | 142.250.200.14:443 | N/A | tcp |
| GB | 172.217.169.66:443 | N/A | tcp |
| GB | 216.58.201.100:443 | N/A | tcp |
| GB | 216.58.201.100:443 | N/A | tcp |
| GB | 216.58.204.78:443 | N/A | tcp |
Files
/data/data/com.xhh.kdw/databases/bugly_db_legu-journal
/data/data/com.xhh.kdw/databases/bugly_db_legu
/data/data/com.xhh.kdw/databases/bugly_db_legu-journal
/data/data/com.xhh.kdw/databases/bugly_db_legu-journal
/data/data/com.xhh.kdw/databases/bugly_db_legu-journal
/data/data/com.xhh.kdw/databases/bugly_db_legu-journal
/data/data/com.xhh.kdw/databases/bugly_db_legu-journal
/data/data/com.xhh.kdw/mix.dex
/data/data/com.xhh.kdw/app_bugly/tomb_1718547776895.txt
/data/data/com.xhh.kdw/app_bugly/rqd_record.eup
/data/data/com.xhh.kdw/app_bugly/rqd_record.eup
/data/data/com.xhh.kdw/cache/tomb.zip