Malware Analysis Report

2025-01-19 08:02

Sample ID 240616-sp8qhasdmr
Target b431c1c652ba847e80752ee4d77042d7_JaffaCakes118
SHA256 0e6da71cbcc523222855d7cbbc2349873fde38bea998e2f2320970143a291267
Tags: discovery, impact
Score: 7/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Mobile Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 7/10

SHA256: 0e6da71cbcc523222855d7cbbc2349873fde38bea998e2f2320970143a291267

Threat Level: Shows suspicious behavior

The file b431c1c652ba847e80752ee4d77042d7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, impact

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-16 15:19

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
--- | --- | --- | ---
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 15:19
Reported: 2024-06-16 15:22
Platform: android-x86-arm-20240611.1-en
Max time kernel: 171s
Max time network: 174s

Command Line

com.junyue.him

Signatures

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network
Tags: discovery

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator
Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.junyue.him

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.imnow.cn | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
US | 1.1.1.1:53 | utop.umengcloud.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | fb.umeng.com | udp
US | 1.1.1.1:53 | oc.umeng.co | udp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | utop.umengcloud.com | udp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp
CN | 140.205.160.70:80 | utop.umengcloud.com | tcp

Files

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 a3846142b44492fcfe632581c34adec8
SHA1 7a5ca32f8161cea00fce91c0d3833618f07a71d7
SHA256 7a2054dcb1af68b52054bcda30a812cdf755084edad1ad8c7143902af7a6c244
SHA512 8d3470151977b20724640c32e59f0aebdcc06beecc1829b3d5b446ac897b39297968ef69f8c7d05ac30f5601313f85cfb86e6cacf619f4a462d5cea1a2b66457

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 c15a756ede16a6a04a4264aaffe32915
SHA1 dc7205da5447685676283871e48724ba4eb617c7
SHA256 07b6bc7d645f4835822fb2131d6517d345d1c197d4ba7f19c675c45d57eb0b4e
SHA512 c1bc78cf93c5cf9e0ebe45a8ff526945b68f1dfddb90f7041e254b126add528f989dd1ade940e68aa8be3ec2d16c3c63cf443081ba38985612dc2b3b5552f34c

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 15103f34aeda8e219bfd7a02ec096a42
SHA1 4ec9d9d267c649fcf037f542413926ea05ba55e5
SHA256 ba0ddb31296bbbbdebc7d169f35db97db5b3b0dec6f4c95ec441f7dbe54afafa
SHA512 15044c5b0379c4e7d38be055ccc3ab94d9dd46244f6911c22d3ef302acf7a570ac7bf77161ef2202b154c4ceffef1fa6c98607182d46c88718b4538904d15d74

/data/data/com.junyue.him/files/umeng_it.cache

MD5 058127d3d8b8a9f78e158c60c9dc1d62
SHA1 870b4b205b0d0a69f28067bafcd56f5bf8bed47d
SHA256 de0c5ab5ddc2633304e41a210e47fef008fbed2a57d1d64773c085dac8ab7290
SHA512 6c6cf31e8a3275824a6119c62f50264d236e61b7bebe853b9394c68c437f8ba0323cd9c6f5f09d31ef1d38d658480f8635e13ab88335595b4b47792ca6e89c62

/data/data/com.junyue.him/files/.um/um_cache_1718551230098.env

MD5 0f6dd26840d0f481e8d0b0624d3726d0
SHA1 a1d43ab5e274dba8551b261bab0407d2dca35532
SHA256 ef4cf3a7df4222f0e9d98cab0860f2d3081c8cf3d4c3a96ed61a3fbb831fd536
SHA512 a4993183ebf05d6972105dbafb57c75a45b22c85670089d0e352bd76006b544dc3ec8ce1c787496505c76986482807847f0e62d306b317576fac3f2be945146f