Malware Analysis Report

2025-01-19 08:02

Sample ID 240616-w7aszawdjl
Target b497283345deb9ab04ec4487e993c9ee_JaffaCakes118
SHA256 e119b1bfe109244449ac662aa95452410b69071f86e71ff2d0a4869f51e09673
Tags
discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e119b1bfe109244449ac662aa95452410b69071f86e71ff2d0a4869f51e09673

Threat Level: Shows suspicious behavior

The file b497283345deb9ab04ec4487e993c9ee_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Queries information about running processes on the device

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 18:33

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 18:33

Reported

2024-06-16 18:36

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

189s

Command Line

com.xiaoma.xiaopa

Signatures

Queries information about running processes on the device

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | alog.umeng.com | N/A | N/A |

Queries information about active data network

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Processes

com.xiaoma.xiaopa

com.xiaoma.xiaopa:pushservice

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | apps.xp.growbook.cn | udp |
| US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp |
| US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| US | 1.1.1.1:53 | apps.xp.growbook.cn | udp |
| US | 1.1.1.1:53 | apps.xp.growbook.cn | udp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | alog.umengcloud.com | udp |
| CN | 183.134.98.112:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.getui.net | tcp |
| CN | 223.109.148.177:80 | alog.umengcloud.com | tcp |
| CN | 223.109.148.130:80 | alog.umengcloud.com | tcp |
| US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp |
| CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 223.109.148.178:80 | alog.umengcloud.com | tcp |
| CN | 223.109.148.141:80 | alog.umengcloud.com | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 223.109.148.179:80 | alog.umengcloud.com | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp |
| CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp |

Files

/data/data/com.xiaoma.xiaopa/files/init_c1.pid

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.xiaoma.xiaopa/files/init_c1.pid

MD5 203bbe4303f8517a16a146630121280b
SHA1 52c7edac4785582b917129cd64596ac7310db839
SHA256 8d92ef530022022d126085728d2c9d54fcc63a9f3e95c2acb4e7709cafffa317
SHA512 8afce4d07744d256ea45bb995075ed981866c95c57bf87911996a9c1cc68bf3f59d804d0d2f011420d4bebee86e4398bec9d5c496ce9354994dc3b9129498948

/data/data/com.xiaoma.xiaopa/databases/pushsdk.db-journal

MD5 c953ca44ba39e87d3b5c264dafb94085
SHA1 0f1c6e89bef97e92c972ce074bb7e7160e4b3fc9
SHA256 a63e1adcb175b7f77fcde785089772365e7548f6e2f341b0e6b1757e6e533499
SHA512 cae84ac3f4411de83cd341738d0d34b7b3dcf246dbae445a7e3d25bfb00ef212d51988893a904e61e820b6f50d53dd8c2aea174fb0fc504b7c752cf18b7cc133

/data/data/com.xiaoma.xiaopa/databases/pushsdk.db

MD5 3e43027b52181f23867eb1ae10c7affd
SHA1 56ee2068557c51e4884a56aa3b9f8443b7bafd67
SHA256 cc5281f343b6a0cf6604980515ea57067f1dcda546bb91b60a939855b62de856
SHA512 830c8bceb924a023e7cb947c96941cb5c8ccef94046a0e77423b188bcd161adc78c8cfc41f75c442e6a5fc541db5afa3745343176af68e2e49d5beaecf88ab98

/data/data/com.xiaoma.xiaopa/databases/pushsdk.db-shm

MD5 182e45467bcd792760f96f57ecc0b5da
SHA1 843cbd86786cc0185054b1154b6e7e12e4124421
SHA256 4924f1f1d2a804d3deaa03206e0957c0ecaf5ae82563040eca211aff43973204
SHA512 54a8b93c66b104b9663e395743b5214d0ec3e1104d5fe9f99dd5baacabc188e19e2cd53e6c532624a929dbcf1c42aa357cc6e6d4a6557da48b80389558960804

/data/data/com.xiaoma.xiaopa/databases/pushsdk.db-wal

MD5 331746fcdd7c5f49d5e76fa8b2e46392
SHA1 665037c3519a17e5d2df3af25d104d755c7fccd1
SHA256 4094cf386944d91c7264f669ce96ad442632c22875b1cfc57b6539d018c31a6e
SHA512 12797868ab66adeea094887e36eed9bdb5c66397c54f2655df0584fab727eb982c2cc966139ecc72d4ac7a9f2d7f3d7cbc21e289d1db68f2b661524c8a324ba4

/storage/emulated/0/libs/com.xiaoma.xiaopa.bin

MD5 1d41598870e0ccf4c1260956152f92c9
SHA1 fcff658b8266f6d92f21782d0b2c91fae721d4b0
SHA256 5832f67a2f7b80e4bdb40318a7a1c1a03e34acfee6e7b17ee103211fd28aa813
SHA512 1d4878dc8cabb78f13e221901848381ea9dfebbda37af266376f7a0453f0655b71c6384d007ad4f3f2b9d1cc2b17f9560797ff116d558478d8c09d55c2d2db54

/storage/emulated/0/libs/com.xiaoma.xiaopa.bin

MD5 cd40b037ecab762bbe550b602149adbc
SHA1 edc29fdf93a8005ba9acdee9bf897e6fe12bb3c7
SHA256 a0b3c567c4e9da0dc7a1d91623f9e194b18f7df365229d48180254b7f89cd04d
SHA512 d6cce9e2701a077a50726b9e143653291724bd446714010b9f25bb2fdbfefee17ffc2f1488cdefbc845d455d7152dd64392c00ce4755e0d0b394463588dfc190

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 006d2e9b584be14889e0c244827bff39
SHA1 3db4eda98bdb24f11cfc0b6107c9ce9b3e822612
SHA256 4a7def51587e96b4646761dbd831cbf2f9f44ccaa0ed6558afa29ce5b60598ef
SHA512 f206ce7266e4904b8325af991431bd651ec2d80744c790e78b419ed1144481fa7c68aa24341f79aa9155684aec77a607d61753e1b5ddab0421fd4f1f88eeacec

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 c49420a7a56e50f45e1cba6cc4f9ba46
SHA1 5ba819139913f7e68b34ae866f32ed2611bb047e
SHA256 29e83d09294616dfa63ae8e928db2bd4514afaf1c86f04af396ee5b91dad7714
SHA512 8554fde992b3023c2610679fafa09b775c40ea0bcfde7594b1995a4e860ed1e4d86a792656d676fee9644a7b43e7c88f179f7da84ac288d21eb61fb1c924c4f9

/data/data/com.xiaoma.xiaopa/files/exid.dat

MD5 aa7647996e5dc6f8cc94e4e72da7c3df
SHA1 907a01b531d2cb3796d9b71ee1d9c83f86681cf7
SHA256 88c9f7486c72b86a911e5769e5873cdab72076c82ca749d219bd3e6a0d0c823f
SHA512 aa8159a43bf0d5dea689bfd12766f150217773340ca059a2816524c317a2e07a86e7b44c72af7ea9c0808a02559bc8e793cc0fb9cc8d62e6d4f74af4d61d9a35

/data/data/com.xiaoma.xiaopa/databases/cc/cc.db-wal

MD5 2448c418c01c747b29a5131b697c3453
SHA1 126004c0ae0cc450c165469fc1e0ff9d9d3b8703
SHA256 3f1a10ca0725be27b251f8696185f40e3dc03886d179163bd71413ba10e27a25
SHA512 918f91289b661a6c0454c61ae4d91b9c000bb439edef761172affc13e8b3f73393d05475283189861dc075cb2f46203134f1c48b942723603b9e3ca2a9f9fbe3

/data/data/com.xiaoma.xiaopa/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/data/data/com.xiaoma.xiaopa/files/.imprint

MD5 e1a01e9b23aad9ed3ff6efa8c6fa4b99
SHA1 ed3a5de6adcfda39afe6691bda2621be49df8032
SHA256 027be11ffaa31c6a5f379ac35e4c2fc6698f379532255b559bd59052059d0fe1
SHA512 5f20d936082428533b5d3443a71684d4413b7346d97552db5944cf268a0089377598b5329600ad10256af99d6fdda661a5f5726c9e0c9ec8be7d3b41f1ad746c

/data/data/com.xiaoma.xiaopa/files/umeng_it.cache

MD5 64e2ebc23a6430fb013e096795be4279
SHA1 ad3b14f5c8ab361dca5f984cfe6fa27a16bf3445
SHA256 c786a44a00fea46b722c655b5ebce598b70eb360b75b8f301b193cbdaff1bbf9
SHA512 a7ee8d5d1fc1ba15607aba019bbe1ab5c90acb681eedb599b005599538b753cd8741faa4b2708da3ce66a117d5d0828dbf20949db212408df71f62320a545b39