Malware Analysis Report

2025-01-19 08:02

Sample ID 240616-sb38vs1hlk
Target b41b1ca70e5f705cfa3260c2b41ce452_JaffaCakes118
SHA256 c1458e36de87705bb9ed14c96d0d3f67a9dd53a6ee2f8c8d7c74e1bb35e9fdd0
Tags
discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c1458e36de87705bb9ed14c96d0d3f67a9dd53a6ee2f8c8d7c74e1bb35e9fdd0

Threat Level: Shows suspicious behavior

The file b41b1ca70e5f705cfa3260c2b41ce452_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about the phone network operator

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:57

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:57

Reported

2024-06-16 15:01

Platform

android-x86-arm-20240611.1-en

Max time kernel

151s

Max time network

177s

Command Line

com.yxxinglin.xzid61913

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yxxinglin.xzid61913

Network


Files

/storage/emulated/0/Android/data/com.yxxinglin.xzid61913/logs/com.yxxinglin.xzid61913/20240616.log

/data/data/com.yxxinglin.xzid61913/databases/Reyun.db-journal


/data/data/com.yxxinglin.xzid61913/databases/Reyun.db


/data/data/com.yxxinglin.xzid61913/databases/Reyun.db-shm


/data/data/com.yxxinglin.xzid61913/databases/Reyun.db-wal
