Malware Analysis Report

2025-01-19 08:02

Sample ID 240616-s511layfph
Target b449d54eaa0ed3078213e3e863938c88_JaffaCakes118
SHA256 8577e999f484aea502dc150e6b97d0e8e383bf8a3c2d35a89b27b46a39fea4fe
Tags
banker discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

8577e999f484aea502dc150e6b97d0e8e383bf8a3c2d35a89b27b46a39fea4fe

Threat Level: Likely malicious

The file b449d54eaa0ed3078213e3e863938c88_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence

Checks if the Android device is rooted.

Checks known Qemu files.

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 15:43

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 15:43

Reported

2024-06-16 15:46

Platform

android-x86-arm-20240611.1-en

Max time kernel

68s

Max time network

130s

Command Line

com.yxxinglin.xzid81436

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yxxinglin.xzid81436

chmod 755 /data/user/0/com.yxxinglin.xzid81436/files/mycpuinfo

/data/user/0/com.yxxinglin.xzid81436/files/mycpuinfo

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

com.yxxinglin.xzid81436:pushservice

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.yxxinglin.xzid81436/files/GameProtector3 /GameProtector3 /data/user/0/com.yxxinglin.xzid81436/files/GameProtector3 0 1

Network

Country Destination Domain Proto
GB 142.250.178.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 track.37.com.cn udp
CN 1.14.168.226:443 track.37.com.cn tcp
US 1.1.1.1:53 m.api.m.37.com udp
CN 42.194.157.10:80 m.api.m.37.com tcp
US 1.1.1.1:53 dlied1.qq.com udp
CN 1.14.168.226:443 track.37.com.cn tcp
CN 1.14.168.226:443 track.37.com.cn tcp
US 1.1.1.1:53 dlied1.qq.com udp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 42.194.157.10:80 m.api.m.37.com tcp
CN 1.14.168.226:443 track.37.com.cn tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp

Files

/data/data/com.yxxinglin.xzid81436/files/mycpuinfo

MD5 2e19220b28d1f608f4c96ac0a0b3901d
SHA1 2398fa0158beae9141f579e358cccc86fb450759
SHA256 4bee420ef0dd56669132785be6f44a4f3dfd053c58ac6ddc83461a96d0319c9e
SHA512 3b253c070f739fdce1d9dceee5c0a0f0f66c838bae83412675fd795c3223c4c6945da2e54db336ce2695d2ccbf1e8148bf35292d0ee679a99998a6bbeb702b08

/data/data/com.yxxinglin.xzid81436/files/tss_tmp/tss_lcp.dat.tmp

MD5 7969662cbeba79dce2031a64edcb2b30
SHA1 dade6f14b6b1890835eaf67779acbfb35668b3c1
SHA256 7d919d13562d5d283449887ebbd77c2fe80955c3dcec5d897b379fb30ee344a2
SHA512 c084759b3bdc0b170a4f7086862190e538db80a2c1f3db127292259dea0ce08b791059ffc5f1680211064e49cbc725ef76d36c6d63b8d1f9365c5905caf317fa

/data/data/com.yxxinglin.xzid81436/files/GameProtector3

MD5 735a2d9feec4e1ed7c68f7723170cab9
SHA1 2a7240d1546305a93672b05bfc69249fbf337ec3
SHA256 eee622dbe2ffd4a1f874b27fbebd614811646c683166ba29d7ebc34017ae4f61
SHA512 57a01cf367cc6dbf55073d19f30b3efa9e16ba5714b782a15287fbf8c764c025e1a8c9f6f42e14174adfc6e369fa9faf3349b29e7c72a93370bbf93536dd6adc

/data/data/com.yxxinglin.xzid81436/files/tss_tmp/tss_emu_c2.dat.tmp

MD5 addb2b6de9c7cd4947521d875ab06bde
SHA1 0132e659612c2a5aa8839e86830de5ad0615f29f
SHA256 b02e59a360c3b622fd53ba5ae86330a0c75110e5ea70b6aac29ec9a95bb154cf
SHA512 dcc97338fea1d27c5b3ec661581fc46190cc33094d2c67e7b300594c80525899703684411218551c5d4a4d0f24515c1d96fe7ac4f69717a497cc07b43425f153

/data/data/com.yxxinglin.xzid81436/databases/pushsdk.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.yxxinglin.xzid81436/databases/pushsdk.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yxxinglin.xzid81436/databases/pushsdk.db-wal

MD5 653a5373bc6efdc4e9648af466f10a66
SHA1 fa5e0bff555416a8fcc9a0767d83db335d53fbfd
SHA256 b2ad30780455b4e78cc1dd0a62e400d75dbe44a7918651a30eede274a0bde892
SHA512 f8f2b52f4df8ff5e0de7b66eb9ae66e23d74fdd0614604e8c55227dabf6bebb2da085e1ada84342d0cee48ab2f622a25ff19315b06fe17aec4813f2a228ac61e

/storage/emulated/0/libs/com.yxxinglin.xzid81436.bin

MD5 ca061aa9d42ae5308c949d2c5fbcf31d
SHA1 106dd3147d8da7320a435a0ca154cd6a444cfbad
SHA256 f7607b5ec9a1fb34ab7ac6070d010c0991c0bf2eaa1c2a31334ff0cd2911de40
SHA512 e3d5e54716d41230d88c719de174821d11cd5cf635a79eeb9ca3223a1e542dbb7cadadffaaebc26e88cc0407c2717cdbd0848cd5bfbcac61fd0a64c90c3ef44a