Malware Analysis Report

2025-01-19 08:02

Sample ID 240616-sqwsbsybkf
Target b432b9b7f225a5d09ea82301c8eecba0_JaffaCakes118
SHA256 9cf56d0b11ae389dfca8df6d7a1bb9bf6e6ab29284525187d702c8312714cbea
Tags
discovery impact
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

9cf56d0b11ae389dfca8df6d7a1bb9bf6e6ab29284525187d702c8312714cbea

Threat Level: Shows suspicious behavior

The file b432b9b7f225a5d09ea82301c8eecba0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 15:20

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 15:20

Reported

2024-06-16 15:23

Platform

android-x86-arm-20240611.1-en

Max time kernel

33s

Max time network

138s

Command Line

com.gxnnfundapp.app

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A f.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.gxnnfundapp.app

chmod 755 /data/user/0/com.gxnnfundapp.app/.jiagu/libjiagu.so

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 f.appjiagu.com udp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp

Files

/data/data/com.gxnnfundapp.app/.jiagu/libjiagu.so

MD5 6c9d83b90aa9c9f904d22eb9b16f8f95
SHA1 4d5e0ce3c55a22475b58a982d67ab9aa84384c40
SHA256 2432ac0b864b33cd599129578c42c43811461dbcb83e2a21301ccb8d0810c5e7
SHA512 07d16f67cefc986c0d6974e3bbc38d95b5b184520ec8f3c9ae59a2f0e76213d359b35dc507d482322d2c045ee75183def8e3d7659ff5fa78f6afff931084e90b