Malware Analysis Report

2025-01-19 07:59

Sample ID 240616-rxab8s1cmq
Target b40146f58479c5db5a1f49deebae25e3_JaffaCakes118
SHA256 ffe36c98dc30c0f83963f172150cd44558d4e50144a2ae4e245bad4627b19f00
Tags: discovery, impact
Score: 6/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file b40146f58479c5db5a1f49deebae25e3_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery impact

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:33

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 14:33

Reported

2024-06-16 14:37

Platform

android-x64-arm64-20240611.1-en

Max time kernel

10s

Max time network

134s

Command Line

com.chenghaicys.jishiqi

Signatures

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.chenghaicys.jishiqi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/storage/emulated/0/download/ads/clst.dat


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:33

Reported

2024-06-16 14:37

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

141s

Command Line

com.chenghaicys.jishiqi

Signatures

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.chenghaicys.jishiqi

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | img.ninebox.cn | udp
US | 1.1.1.1:53 | s.ninebox.cn | udp
US | 1.1.1.1:53 | b.ninebox.cn | udp
US | 1.1.1.1:53 | sp1.jufuwx.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ak47.cooguo.com | udp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp

Files

/storage/emulated/0/Download/ads/clst.dat

/storage/emulated/0/Android/data/code/KI.DAT

/storage/emulated/0/Android/data/code/MID.DAT

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db-journal

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db-shm

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db-wal

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db-wal

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db-wal

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db-wal

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db-wal

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db-wal

/data/data/com.chenghaicys.jishiqi/databases/down_sidebar.db

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 14:33

Reported

2024-06-16 14:37

Platform

android-x64-20240611.1-en

Max time kernel

10s

Max time network

149s

Command Line

com.chenghaicys.jishiqi

Signatures

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.chenghaicys.jishiqi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | | tcp
GB | 172.217.169.66:443 | | tcp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/storage/emulated/0/Download/ads/clst.dat
