Malware Analysis Report

2025-01-19 08:01

Sample ID 240616-w8nffswdpl
Target b49981fa81b203b9b536649c80d337ad_JaffaCakes118
SHA256 38d85af110842812f35a6e3e4b548bf6107849936fd35b1b24c5044d9a05ce27
Tags
discovery impact
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

38d85af110842812f35a6e3e4b548bf6107849936fd35b1b24c5044d9a05ce27

Threat Level: Shows suspicious behavior

The file b49981fa81b203b9b536649c80d337ad_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact

Declares services with permission to bind to the system

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 18:35

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 18:35

Reported

2024-06-16 18:39

Platform

android-x86-arm-20240611.1-en

Max time kernel

34s

Max time network

158s

Command Line

com.work.kyo.fuzhu

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A f.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.work.kyo.fuzhu

chmod 755 /data/user/0/com.work.kyo.fuzhu/.jiagu/libjiagu.so

chmod 755 /data/user/0/com.work.kyo.fuzhu/.jiagu/libjiagu.so

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 f.appjiagu.com udp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp
CN 180.163.249.208:80 f.appjiagu.com tcp
CN 106.63.25.33:80 f.appjiagu.com tcp

Files

/data/data/com.work.kyo.fuzhu/.jiagu/libjiagu.so

MD5 1383b616dee6678b3591e577ace67225
SHA1 f2b0f5968b52f9c3ed022f3b3ba67e6142df89ba
SHA256 945e12ea3019404a01754579a234b21ff3c7c17c175750e514c0d404e9f30554
SHA512 72dda5b9833701c52e44260d979f6b91dface07899aa20ea686ef3d09f3225826140b7e8c336072aca21d51e88151a3fdb6952fc53b9749051f16197e8086b60

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 18:35

Reported

2024-06-16 18:35

Platform

android-x86-arm-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 18:35

Reported

2024-06-16 18:35

Platform

android-x64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 18:35

Reported

2024-06-16 18:36

Platform

android-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 18:35

Reported

2024-06-16 18:35

Platform

android-x86-arm-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.204.67:443 tcp
GB 142.250.178.10:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-16 18:35

Reported

2024-06-16 18:35

Platform

android-x64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-16 18:35

Reported

2024-06-16 18:36

Platform

android-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A