Analysis Overview
SHA256
8577e999f484aea502dc150e6b97d0e8e383bf8a3c2d35a89b27b46a39fea4fe
Threat Level: Likely malicious
The file b449d54eaa0ed3078213e3e863938c88_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Checks known Qemu files.
Queries information about running processes on the device
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Requests dangerous framework permissions
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 15:43
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 15:43
Reported
2024-06-16 15:46
Platform
android-x86-arm-20240611.1-en
Max time kernel
68s
Max time network
130s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /sbin/su | N/A | N/A |
Checks known Qemu files.
| Description | Indicator | Process | Target |
| N/A | /system/lib/libc_malloc_debug_qemu.so | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid81436
chmod 755 /data/user/0/com.yxxinglin.xzid81436/files/mycpuinfo
/data/user/0/com.yxxinglin.xzid81436/files/mycpuinfo
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
com.yxxinglin.xzid81436:pushservice
/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.yxxinglin.xzid81436/files/GameProtector3 /GameProtector3 /data/user/0/com.yxxinglin.xzid81436/files/GameProtector3 0 1
Note on the process list: both mycpuinfo and GameProtector3 are executables written into the app's private files directory at runtime. mycpuinfo is made executable with chmod 755 and run directly; GameProtector3 is launched through ndk_translation_program_runner_binfmt_misc, the ARM-to-x86 binary translator of this android-x86 sandbox image, which indicates an ARM-native build. Native behaviour observed here therefore runs under translation, and a detonation on a physical ARM device may differ.
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.178.3:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | track.37.com.cn | udp |
| CN | 1.14.168.226:443 | track.37.com.cn | tcp |
| US | 1.1.1.1:53 | m.api.m.37.com | udp |
| CN | 42.194.157.10:80 | m.api.m.37.com | tcp |
| US | 1.1.1.1:53 | dlied1.qq.com | udp |
| CN | 1.14.168.226:443 | track.37.com.cn | tcp |
| CN | 1.14.168.226:443 | track.37.com.cn | tcp |
| US | 1.1.1.1:53 | dlied1.qq.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp |
| US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 42.194.157.10:80 | m.api.m.37.com | tcp |
| CN | 1.14.168.226:443 | track.37.com.cn | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
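Added triage example (not part of the sandbox report, and not the sample's code): a Python script that turns the Network table above into a deduplicated IOC list. It embeds a constructed subset of the table's rows, separates DNS lookups (UDP to the 1.1.1.1:53 resolver) from actual connections, drops the mDNS multicast row as noise, counts repeated connections to the same endpoint, and reports names that were resolved but never contacted. The triage flags (non-standard port, plaintext HTTP, connection without an observed DNS name) are this example's own assumed heuristics, not the sandbox's scoring.

```python
"""Post-process the behavioral1 Network table into deduplicated IOCs.

Constructed input: a subset of the report's rows as (country, destination,
domain, proto). UDP rows to the 1.1.1.1:53 resolver are DNS lookups, not
traffic to the named host; rows with an empty domain are TCP connections
for which no preceding lookup was matched. The mDNS row is discarded.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample copied from the report's Network table (subset).
NETWORK_ROWS = [
    ("GB", "142.250.178.3:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "1.1.1.1:53", "track.37.com.cn", "udp"),
    ("CN", "1.14.168.226:443", "track.37.com.cn", "tcp"),
    ("US", "1.1.1.1:53", "m.api.m.37.com", "udp"),
    ("CN", "42.194.157.10:80", "m.api.m.37.com", "tcp"),
    ("US", "1.1.1.1:53", "dlied1.qq.com", "udp"),
    ("CN", "1.14.168.226:443", "track.37.com.cn", "tcp"),
    ("US", "1.1.1.1:53", "sdk.open.talk.getui.net", "udp"),
    ("US", "1.1.1.1:53", "sdk.open.talk.gepush.com", "udp"),
    ("US", "1.1.1.1:53", "sdk.open.talk.igexin.com", "udp"),
    ("CN", "183.134.98.102:5224", "sdk.open.talk.igexin.com", "tcp"),
    ("CN", "183.134.98.102:5224", "sdk.open.talk.igexin.com", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.200.46:443", "android.apis.google.com", "tcp"),
]

RESOLVER = ("1.1.1.1", 53)   # the sandbox's DNS resolver, as seen in the table
WEB_PORTS = {80, 443}        # assumed "ordinary" ports; anything else gets flagged


@dataclass
class Endpoint:
    ip: str
    port: int
    domains: set = field(default_factory=set)
    hits: int = 0


def split_destination(dst: str):
    """'1.14.168.226:443' -> ('1.14.168.226', 443)."""
    ip, _, port = dst.rpartition(":")
    return ip, int(port)


def summarize(rows):
    """Return (endpoints, lookups_only).

    endpoints maps (ip, port) -> Endpoint for real connections, counting
    repeats (the igexin push host on 5224 reconnects many times).
    lookups_only is the set of names resolved but never connected to,
    typically fallback hosts an SDK probes before settling on one.
    """
    endpoints = {}
    resolved = set()
    for _country, dst, domain, proto in rows:
        ip, port = split_destination(dst)
        if (ip, port) == RESOLVER and proto == "udp":
            resolved.add(domain)        # a lookup, not contact with the host
            continue
        if ipaddress.ip_address(ip).is_multicast:
            continue                    # 224.0.0.251:5353 is local mDNS noise
        ep = endpoints.setdefault((ip, port), Endpoint(ip, port))
        ep.hits += 1
        if domain:
            ep.domains.add(domain)
    connected = {d for ep in endpoints.values() for d in ep.domains}
    return endpoints, resolved - connected


def flags(ep: Endpoint):
    """Assumed triage heuristics for one endpoint (not the sandbox's scoring)."""
    out = []
    if ep.port not in WEB_PORTS:
        out.append(f"non-standard port {ep.port}")
    if ep.port == 80:
        out.append("plaintext HTTP")
    if not ep.domains:
        out.append("no DNS name observed")
    return out


def ioc_lines(rows):
    """Sorted, deduplicated one-line IOCs with flags, for a blocklist or ticket."""
    endpoints, lookups_only = summarize(rows)
    lines = []
    for (ip, port), ep in sorted(endpoints.items()):
        names = ",".join(sorted(ep.domains)) or "-"
        lines.append(f"{ip}:{port} {names} hits={ep.hits} {' | '.join(flags(ep)) or 'ok'}")
    for name in sorted(lookups_only):
        lines.append(f"dns-only {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(ioc_lines(NETWORK_ROWS)))
```

On the rows above this yields five connection endpoints and three dns-only names (dlied1.qq.com and the two getui/gepush fallbacks), with 183.134.98.102:5224 flagged for its non-standard port and 42.194.157.10:80 for plaintext HTTP; the 142.250.x.x Google endpoints show up as connections without a matched name and should be reviewed, not blocked, since they are shared infrastructure.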
Files
/data/data/com.yxxinglin.xzid81436/files/mycpuinfo
| MD5 | 2e19220b28d1f608f4c96ac0a0b3901d |
| SHA1 | 2398fa0158beae9141f579e358cccc86fb450759 |
| SHA256 | 4bee420ef0dd56669132785be6f44a4f3dfd053c58ac6ddc83461a96d0319c9e |
| SHA512 | 3b253c070f739fdce1d9dceee5c0a0f0f66c838bae83412675fd795c3223c4c6945da2e54db336ce2695d2ccbf1e8148bf35292d0ee679a99998a6bbeb702b08 |
/data/data/com.yxxinglin.xzid81436/files/tss_tmp/tss_lcp.dat.tmp
| MD5 | 7969662cbeba79dce2031a64edcb2b30 |
| SHA1 | dade6f14b6b1890835eaf67779acbfb35668b3c1 |
| SHA256 | 7d919d13562d5d283449887ebbd77c2fe80955c3dcec5d897b379fb30ee344a2 |
| SHA512 | c084759b3bdc0b170a4f7086862190e538db80a2c1f3db127292259dea0ce08b791059ffc5f1680211064e49cbc725ef76d36c6d63b8d1f9365c5905caf317fa |
/data/data/com.yxxinglin.xzid81436/files/GameProtector3
| MD5 | 735a2d9feec4e1ed7c68f7723170cab9 |
| SHA1 | 2a7240d1546305a93672b05bfc69249fbf337ec3 |
| SHA256 | eee622dbe2ffd4a1f874b27fbebd614811646c683166ba29d7ebc34017ae4f61 |
| SHA512 | 57a01cf367cc6dbf55073d19f30b3efa9e16ba5714b782a15287fbf8c764c025e1a8c9f6f42e14174adfc6e369fa9faf3349b29e7c72a93370bbf93536dd6adc |
/data/data/com.yxxinglin.xzid81436/files/tss_tmp/tss_emu_c2.dat.tmp
| MD5 | addb2b6de9c7cd4947521d875ab06bde |
| SHA1 | 0132e659612c2a5aa8839e86830de5ad0615f29f |
| SHA256 | b02e59a360c3b622fd53ba5ae86330a0c75110e5ea70b6aac29ec9a95bb154cf |
| SHA512 | dcc97338fea1d27c5b3ec661581fc46190cc33094d2c67e7b300594c80525899703684411218551c5d4a4d0f24515c1d96fe7ac4f69717a497cc07b43425f153 |
/data/data/com.yxxinglin.xzid81436/databases/pushsdk.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.yxxinglin.xzid81436/databases/pushsdk.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.yxxinglin.xzid81436/databases/pushsdk.db-wal
| MD5 | 653a5373bc6efdc4e9648af466f10a66 |
| SHA1 | fa5e0bff555416a8fcc9a0767d83db335d53fbfd |
| SHA256 | b2ad30780455b4e78cc1dd0a62e400d75dbe44a7918651a30eede274a0bde892 |
| SHA512 | f8f2b52f4df8ff5e0de7b66eb9ae66e23d74fdd0614604e8c55227dabf6bebb2da085e1ada84342d0cee48ab2f622a25ff19315b06fe17aec4813f2a228ac61e |
/storage/emulated/0/libs/com.yxxinglin.xzid81436.bin
| MD5 | ca061aa9d42ae5308c949d2c5fbcf31d |
| SHA1 | 106dd3147d8da7320a435a0ca154cd6a444cfbad |
| SHA256 | f7607b5ec9a1fb34ab7ac6070d010c0991c0bf2eaa1c2a31334ff0cd2911de40 |
| SHA512 | e3d5e54716d41230d88c719de174821d11cd5cf635a79eeb9ca3223a1e542dbb7cadadffaaebc26e88cc0407c2717cdbd0848cd5bfbcac61fd0a64c90c3ef44a |