Malware Analysis Report

2025-01-19 07:59

Sample ID: 240616-wkxdfs1cnc
Target: b473574198a64c77b2cb6918f2339f0e_JaffaCakes118
SHA256: 122288db7310aef7738bad25e04e4b4c57fb93ea93d51e3cb631914c976b2022
Tags: discovery evasion impact persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 122288db7310aef7738bad25e04e4b4c57fb93ea93d51e3cb631914c976b2022

Threat Level: Likely malicious

The file b473574198a64c77b2cb6918f2339f0e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-16 17:59

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-16 17:59
Reported: 2024-06-16 17:59
Platform: android-x64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-06-16 17:59
Reported: 2024-06-16 17:59
Platform: android-x64-arm64-20240611.1-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 17:59
Reported: 2024-06-16 18:02
Platform: android-x86-arm-20240611.1-en
Max time kernel: 12s
Max time network: 153s

Command Line

com.xunlei.cloud

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xunlei.cloud

/system/bin/sh -c getprop

getprop

com.xunlei.cloud

Network

Country | Destination | Domain | Proto
GB | 142.250.187.234:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | mobile-login.xunlei.com | udp
US | 1.1.1.1:53 | mobile-login-2.xunlei.com | udp
CN | 101.132.110.239:443 | mobile-login.xunlei.com | tcp
US | 1.1.1.1:53 | mobile-login-3.xunlei.com | udp
CN | 203.107.1.97:443 | | tcp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 101.132.110.239:443 | mobile-login.xunlei.com | tcp
CN | 203.107.1.97:443 | | tcp
CN | 59.82.29.162:80 | log.umsns.com | tcp
CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp

Files

/data/data/com.xunlei.cloud/files/.jglogs/.jg.ri

MD5 5a6e3592030fca68eceddc80a9464cd1
SHA1 2aeaf49959728651825c90d3a1742b4e0ac516fe
SHA256 c46ea8d99a800c3f23da93f2a03993aa1bf6a344b87d83a6aa7a5a28c9f8fe51
SHA512 e8663c9287e1c455924536cb59a1ea648cd83dfc6be640a3d314b385bfb7e0e7f27985e78092e1a5e5ac2f3102a69788a406b38185003fbcc4ed84bf99c5b262

/data/data/com.xunlei.cloud/files/.jiagu.lock

MD5 baf5603640970858dfb1d9b87b7ab857
SHA1 0029e052cef66b006cc62651d3f54041f80fec30
SHA256 1d32026ae0a8481663c1563546ed4c912061ab4c0e152e848e19dbf567a3fbd5
SHA512 2aa5c876aaf059e588cdbe7766374dc2a672a8aa610708ecc7a9edfc9a588c85b64876b835e94b076446282388fd85a8a17f449e7c4b1e81f7fcda246161ea4c

/data/data/com.xunlei.cloud/files/.jglogs/.jg.rd

MD5 7631b3c62c08e328920a84451e45174e
SHA1 d099c151e45b8153cbe1c27cf27517b1f4c5fc26
SHA256 831eed8cfd0a8655ff03c4202698c52ad04542cbddd7d601c1c4e27432f32d1d
SHA512 0b41636f8dd85cc593db79e9e05d1ffe2e28f09fab5acc0038aec352bcb2b57a48f5cd0cee6f08d62f9b20ee7e2ade8dcbf82dc6a8d0f6f7ad6c00356445af28

/data/data/com.xunlei.cloud/files/.jglogs/.jg.ac

MD5 fcc924f7f1c45b37e0993c9bbf95204d
SHA1 a43dbdd21ae37886421387b6d33e3e7edf5ccd7c
SHA256 52bbc2d213a6455d57206505bf527b7d7f3bfc7acd5ec052fe2d128450da802e
SHA512 2c9e208a49117217f0be46deaa891c106e7f164c1e356e8d388b859a02497c53bab28cde789b310f703c04c6ff0e60b1cd285a196ddd106e6c5c03e12a0257f3

/data/data/com.xunlei.cloud/files/.jglogs/.jg.ic

MD5 758046886c6ceef7002aeea3f43b21ee
SHA1 8e099c9fb0c2eed127d9b2b1e3a022b3a2c2287e
SHA256 0155720cafdccb2209ba4e2755c5ac7b11e0731914142d45d8f253b518575a0f
SHA512 2b5ec32b06b188f232ebda9b479bf80b1238db42df9505587516c4f1d5a52294912f17d9865482aa51301f9a46c80ed51f3d57ae47e89eb6005453d9ffbe6fd3

/data/data/com.xunlei.cloud/files/.jglogs/.jg.di

MD5 00ef5e62d9de6def67f53cc4b225420e
SHA1 a21d06704790451c020f85a2097ea25764aa26ac
SHA256 65f5a37e4971ee55f9122e04cc2e63fe4c9a03f023f2d2a3f97e8e10c925b4bc
SHA512 c623fb7f1cadcc11bdb68cd16e84640cd3beeb57a0a32859dc72d647621a71f3d05a5f2ec7fdc8ba9ac5a271d3c1da6390aebfda82bf0c8186ad6c380f9ef093

/storage/emulated/0/360/.iddata

MD5 1921694fdd6fba3d6beb28909d48dd6e
SHA1 0b2241e1567261ae98a85f292dede09e941b5070
SHA256 fbf05884aec341688343548b02baac46ad22d5feb63631dd99faeb8e0fde0988
SHA512 96062661804fd36a2543e9e3650f0a58eb17a13697d7bdf6e7cdf4062318689a4fd627bffd97db1ab2b48ae10e2a86c468eb1d719af9256b8aaa39f31a36b35e

/storage/emulated/0/360/.deviceId

MD5 dc214cf3c3645464208e03816b71f6e7
SHA1 3b317431770c7eec890a5053ee1a9d11462166e2
SHA256 26c192fee07065b1b110f5b70d8fab7451e41e4b57ab83406cc8232c9c2b44dd
SHA512 e95af87b285d6bd1501919c9301575296fb99163ea54e61152358e4598d2f27953f159cfc8007cdf9cd6663f1c04911c7c9778f2a3f3180ccb774eda8152c62f

/data/data/com.xunlei.cloud/databases/MessageStore.db-journal

MD5 dc653aa18e90eb6f3a48c63cfd1a67e3
SHA1 e800a0dd4814f7b54ad4dc8dd9dad46f682dcb85
SHA256 2ad2f959411350a5e943c1b6f8ecf2d3bb65d71c98d0e07134fbbafa42bfa5e1
SHA512 48a8ac11870ec089a81de7dced6c112ec436240561a07cd601bd4f93b58441e523b39548e9ee9045056b363b2d655f46be4b327cc0a7814eb303a571b0e2aeb6

/data/data/com.xunlei.cloud/databases/MessageStore.db

MD5 aa99281ce0cd69a9302f8b64b918ad75
SHA1 ccafc0e5fb16198e466b209a888301f4100fafe8
SHA256 a3cde8388c50e78c7b3c8dab1d0c46c64c375248031adbb6a5802e3da65bb431
SHA512 a8b80f09a555652d3e4b9775b6aa58341dad7fb120509e128df417533ba361353b19530306e8691f1ce5fc0c69f1a89d29bd2eb176291a5e85b945d14c9eb085

/data/data/com.xunlei.cloud/databases/MessageStore.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.xunlei.cloud/databases/MessageStore.db-wal

MD5 2bd28672d069b6dc32637f39de322678
SHA1 cd238a409593ac0219aca2060c02fdd06aa880a5
SHA256 c072a8d17165395ab3b8f1022fb8db626516e03cc423b837e6e819233bd3d738
SHA512 92c46933bd13ed914bd3f40414b7f668cde56a3757b43861d275c704652781889fc8161274f222befbdb5f4d0953f7a3fcb1b286b79bf57fe7a0e40c97ca3dfa

/data/data/com.xunlei.cloud/databases/MsgLogStore.db-journal

MD5 4ff9feea07afa1dc503b081c2412bc67
SHA1 545d7b874500416cc7e7e705bbdb0881efc4780d
SHA256 62dff12a5d06ae611e66a6c54c046f754916d49a5fbcf8245592486e420a895c
SHA512 ac38fb0fef05f687c0d060de718034c9566cba35b130d62fa910d518f9eff9fc4060b10a93e0719b6ad2e2f0c9c58a5a5a2f4460b4c6db8f5c1e50861fcb32ce

/data/data/com.xunlei.cloud/databases/MsgLogStore.db-shm

MD5 b354a3798d70ae0a36c4359aac6a5a58
SHA1 591bf4d73a4ea2ede29f25db14d53f0a63b0323d
SHA256 9e3ca451e62c6db03da38f24710d89f83aaa89b5278cecaee6931edb367c249f
SHA512 96a1831defe9bf18c8a1b5b22e7c102da6f63c2e42b30ddc9a428fde7a986d877f0fa848ba8d860946007557146c7d94a87ca9e967dde46e53574b56318eea96

/data/data/com.xunlei.cloud/databases/MsgLogStore.db-wal

MD5 917108afeef642b75f4ddfe5a5eca00f
SHA1 bb654acff5040712865f276a029afe6cab929f36
SHA256 634e58329fbb29025c7888d56cfb6ac6969a9acc667b3bef0d41845301451c31
SHA512 745e3bb8d47f932c1b43cf6095f50959ec767185626eeaade243b575aa36c84721255fb221e00e19c151c14bf924a86b952d6542cc367fdebb2577deb2bbb530

/data/data/com.xunlei.cloud/databases/bugly_db_-journal

MD5 2b1c2d805524e4aa65cbeb54ce58d7c9
SHA1 e671acfc4034df3026ac08b667f0b35e008d76a9
SHA256 c3208da3d5a05c385b333f7049bfca7ef460dd9405db2cd7e96b071281ca4698
SHA512 7d6e9cdbb14124ce4441d349d021ccd728bfb7a1dd14845a26078dd060943091b970eead53b449c5be20ad10cac1d6da258c1ffe0f3d48e863f45c2b5502e04f

/data/data/com.xunlei.cloud/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xunlei.cloud/app_crashrecord/1004

MD5 2a091f88330d696a53aab7c3abbd886b
SHA1 c66a3d247114b549573d3d9096af086b10ebb431
SHA256 c2f084734fb81f80a710be94be8b8806a58bd576cc64ae22cfc8bf4ffad14ed2
SHA512 484063c92dbd614103733e85cbd5caded3d52a562ae999205ff794485b503cf4b72c637c8dd4e62654d25cc0de7af201b8fb89e8122b31993f4f36f819812885

/data/data/com.xunlei.cloud/databases/bugly_db_-wal

MD5 fa7f0dbd09939b430b180edffb74b21a
SHA1 18e988289c60fb61dcf334f1918e3af181fb75cd
SHA256 fcff709985835b8a2f966807d9a10b8abf63180a4fcb21ccf886046f274411a7
SHA512 88968f7c801a4e87325c77e5c41ea07e829ed004000aec75fb778a639bd756d8ea6bbf528ce6927008cb505d493ea0a5337ec6c557c66cbbb4ffaefc4b1ee976

/data/data/com.xunlei.cloud/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.xunlei.cloud/app_crashrecord/1002

MD5 1dcb211553ff72366d0f3d8eba00ff95
SHA1 731c9bad38b4dcf237d38604edf6869ecd574570
SHA256 9f67401f239ff758cfa2c6c0cf4a650f073a6b202bc2afde2a06516e48c42d3c
SHA512 0b97aa49170a8794d5a480b89207e2206ff6e187b112479ee5fa520192c238f2c7e7075ab10a0d7118d121bdc39bb45c21932716af78dcf744e31b6e012f6d90

/data/data/com.xunlei.cloud/files/.mainiconfig

MD5 7403d7d312f7a9efce2b5e13fbd5cb9d
SHA1 7f091a0fec19867bf84f74dba2dd21738499d772
SHA256 18d31c26f9897178e2846a3e76178f4e9d5ca89e5648faca3a78b8f5700c9a10
SHA512 997f1b155c9f6eac8df239a22756860ed87302e46182d51ff1f23c795fd94f3c45c51ee1fe1b1b8e5a36f2becab6fe88987bc6d357dc08618e6d5a8210e135b2

/data/data/com.xunlei.cloud/databases/xl-acc-stat.db-journal

MD5 89753a77ee527b4799194c9f2d022647
SHA1 cfebd5dc5f4dbe4cb8344df6789fe8452e5681c5
SHA256 ffbb3e49237bee0bbdb6b3595e878d33fee24278f30650e098ab5c7b3d6a272e
SHA512 694f1746cd7e96926b5e224f1db13642bc6c4a14694d693eb4646f3a29e0fefa90fcc92429b656cc4e7d36a5b4e5c39c429c4605a9398173a10484efca2de07b

/data/data/com.xunlei.cloud/databases/xl-acc-stat.db-wal

MD5 1fb27171327879bfa2213edccb72db31
SHA1 6d2c5b9f121d34c7abc312d894c7a0f3476a2d89
SHA256 ac085c3130da465e37f8d7dfc7764013f841f1e5595eed6ca6c6cca79c9e6564
SHA512 08ae96695ad8f9a41ff1f719674b0397726eee8470f15edbcdcea6bbeb82dee9b1f94f14f1684440f4d4a99b1d713f2c7459ecac929169f52d75ded191b005fd

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 3cac29bb53c5a6865b3ce0f92371894a
SHA1 36df5ea2bec6261198ca71d817b02dd2a8af0502
SHA256 f2ff5d8089811b0686e2ca450877ab38b487e066a9076722cbe158fe988915a5
SHA512 351c64004e9b989cf758db1b15a8c035d2ed9b040219c6d5d9d6fe85d7ccc6125e7d6e21b7b24c23d2cbb136210b90c5abe6061a3cc27d1824179d97b556d4dd

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 02fe59ad424e6924cc6f8a011edb27ee
SHA1 5c61943ce07ff5b67c573a2a12476a85d1162371
SHA256 d635ae1b9fb105b1cc17331189d773038c2e827974d10228f1eee4ac6203f74c
SHA512 abbbc032a3538ebbbf58ac42de621be6975c1f81cb151a88de342fdc5159bf11c7b9a00b70f21e76f408f08f31b3d8f827351e7bf06a4f37f789d45aadf05c63

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 ff5fe73b70f2d3eaf0cf568fc20a2bc9
SHA1 dc93737a8dcc0a6cef90631f22dcbad4ac0597c6
SHA256 56ff903977e48e1fb09e53ad237da3df46715b4ce4eb583d68d67643bbd0106d
SHA512 354865863f0632f74eb54df4a4a157a247dcb5900f059975ff7c67aeec55775b5885ea6c277b02b1418a5af296719df4ecd7ba9d2fb99b3cd1d8792319f93958

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 17:59
Reported: 2024-06-16 17:59
Platform: android-x86-arm-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-16 17:59
Reported: 2024-06-16 17:59
Platform: android-x64-arm64-20240611.1-en
Max time network: 8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-16 17:59
Reported: 2024-06-16 17:59
Platform: android-x86-arm-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-06-16 17:59
Reported: 2024-06-16 17:59
Platform: android-x64-20240611.1-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-06-16 17:59
Reported: 2024-06-16 17:59
Platform: android-x86-arm-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A