Malware Analysis Report

2025-01-19 08:00

Sample ID 240616-yf7pqsvbqd
Target b4e271be9edb6ea6c53092f1b5473862_JaffaCakes118
SHA256 22e7086881793f9680b4938c4eea1065d451cac36ae1c70fa4a5fffb22dd7682
Tags: discovery evasion impact persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 22e7086881793f9680b4938c4eea1065d451cac36ae1c70fa4a5fffb22dd7682

Threat Level: Likely malicious

The file b4e271be9edb6ea6c53092f1b5473862_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Checks known Qemu files.

Checks known Qemu pipes.

Checks Android system properties for emulator presence.

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Queries information about active data network

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 19:44

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 19:44

Reported

2024-06-16 19:48

Platform

android-x86-arm-20240611.1-en

Max time kernel

126s

Max time network

178s

Command Line

com.kgezbv.kbrqeym

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Checks known Qemu files.

evasion
Description | Indicator | Process | Target
N/A | /sys/qemu_trace | N/A | N/A
N/A | /system/bin/qemu-props | N/A | N/A
N/A | /system/lib/libc_malloc_debug_qemu.so | N/A | N/A

Checks known Qemu pipes.

evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | Anonymous-DexFile@0xcdb39000-0xcdb4a74c | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kgezbv.kbrqeym

/system/bin/sh -c getprop

getprop ro.product.cpu.abi

getprop

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | port.appbsl.net | udp
US | 1.1.1.1:53 | adblocker.appbsl.net | udp
CN | 120.27.130.213:80 | port.appbsl.net | tcp
US | 1.1.1.1:53 | log.tbs.qq.com | udp
HK | 129.226.106.211:80 | log.tbs.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | www.zgjiechao.com | udp
US | 1.1.1.1:53 | www.appbsl.net | udp
GB | 163.181.57.241:443 | www.appbsl.net | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp

Files

/data/data/com.kgezbv.kbrqeym/databases/ip.db-journal

MD5 f126b163805d5407f60c03afe01d7ca1
SHA1 9cc293a7fb3a4f48d0ddea8c40cf4c49ffa2dfd4
SHA256 c692f62858f36e5b95df8657d9db31d433f29b0d419208b60127551a302ab542
SHA512 f3f62ffdbdec6330b27f3ca07ce84c1cda7ccd831c4206987d1da7fa6946a5ecb535e9b35e0f0adebb6fd526f7db8982eed85329bf1bc0534fee1e829024a106

/data/data/com.kgezbv.kbrqeym/databases/ip.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kgezbv.kbrqeym/databases/ip.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kgezbv.kbrqeym/databases/ip.db-wal

MD5 05203e8870534345cbec5a472e563e24
SHA1 01f1468d8453ff3c06b59bbc6152234d2ec6530f
SHA256 e03555a53dc7c42d571bf65fc41ef96ec0408cb43ee25a297f54f15485af662d
SHA512 831641531b980078dabbb21aebb7e28636b78136bbd6d849cadf8245236ed6bd219b7986aa1cae684c27734cd83bb0ea2291052b92874241cc2ca6b0c64a27cb

/data/data/com.kgezbv.kbrqeym/app_crashrecord/1004

MD5 505f9b130eba3bbdb24b6eaa8b1538d9
SHA1 dfd6b7cf0d6746e8370dca4abb8800311f3d6542
SHA256 52fd799bdd2a951a68bd961b14eb0699f4ca2b19656e1a30863c9cdcbf1dde51
SHA512 5a19e035e95c37574da9fb6f1e4e220e3c8ca33758c89706d7c3c80856ad447c571d9b0b6be94b05aab0b7f4dd4c853f48df3157348bcc5d794916924143bd44

/data/data/com.kgezbv.kbrqeym/databases/bugly_db_-journal

MD5 4e5312b8590439f47711513f43f23b4f
SHA1 d179b5145086beaa65f29cdd4a0ecf1ed6cf13f8
SHA256 d46e345009220e3fcc098ff0f2583a6ef861ced2d14321c9007403033b252750
SHA512 f501a74ec685535f91b66dbc773b1b835a8ad771ba1627239beee17fab43e897f0c7cf621aa46d83d7fca509ab4070adb3e3ac0c5fa3adc9337e2733016b10ce

/data/data/com.kgezbv.kbrqeym/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.kgezbv.kbrqeym/app_tbs/core_private/download_upload

MD5 598d90b13eb746a7815418a8204195e4
SHA1 3d60b5cab6962acd9d59ce40f6f90b1750de9c53
SHA256 8de0df25e2ed549ed43594dd88fa7a27a19048670e5f00876b621a650059f71c
SHA512 e119d32a6e06df717059ce280f851dd0586a1caf31a490c1348e2337315d5f69bec86fabe756dc8c90c76516f7ce2d3a15bf262e5c994bc4f8b59e81b0030087

/data/data/com.kgezbv.kbrqeym/databases/bugly_db_-wal

MD5 84f06f71846a7cc590d7f394ddb86248
SHA1 928c47266c6bafa7e66657bda6e4828dc27b524e
SHA256 f0c70fc8067423c8e7f2f466fc207179433310e724098b9e4886171c42285487
SHA512 475e3059a6b088309b1cc6c9608093b650a179e11917e0044721d9dea5bed42009b23581a8485d1d884f83a676f529ee81782909d5664aa6d7b255e20418c36d

/storage/emulated/0/Android/data/com.kgezbv.kbrqeym/files/tbslog/tbslog.txt

MD5 ad1d8bfa6c2783d5034e8fc2fede030b
SHA1 9e89644132e2af7b87431ace6921098ca3341503
SHA256 0709100f0cc28491cff726549db4ad294dc14b40adf17bb376df943fcbc341b9
SHA512 59d580c44ecdc1cee4058dc2bee182db8a43e46954d58acc80754eae4ea09d38e9b919be64aba7b76c946a6212ca052532dbff7b816981920ff429c286175b9f

/data/data/com.kgezbv.kbrqeym/app_tbs/core_private/download_upload

MD5 a7bb31bc2801f84ab0a74c2ecbeafa59
SHA1 0a1883cc9029d7ae6089aaebd446bba0dbc6c532
SHA256 31a0e5a560098c7928e7e79cded663f5e6820a852829b917506bca5e0ada433f
SHA512 c591ac139a0d7dab5d7b442f5c91c3ecc68092dba33b22acf57e4e46947eecc4eeb1bad4f4304558d16ca4f10a1d7cb3a2c4786095da22c2c614909190c1d037

/data/data/com.kgezbv.kbrqeym/app_tbs/core_private/download_upload

MD5 50dd1be461fd601fa5add63e51bf1a09
SHA1 944c87d691860e993a9bcd1dc53fb00a054bc75f
SHA256 e73a50b9df0149c0d144847df9ca01ed0b976752f9066a1c7c441ddeed5a4bb4
SHA512 c2748e0d47ffabd54047d7b2f6c18137abb782659785c4cf35da2c1fd59ad8a2a0a3b3532bec1391afa483ee0d8002f7dcc0112c01dbb97580bc2aa6dffaa149

/data/data/com.kgezbv.kbrqeym/.00000000000/39285EFA.dex

MD5 75a8168e7080b90fc2956592c268371f
SHA1 3702da56d31f381525473364f031dc884e37076d
SHA256 0b9c032080788add7f5989d0ce145e66a4686ff3a43b0e48dec60bf18bf75701
SHA512 33536573c834fffab7236dd96c22cbc3d075ab70b622ff7787381e5c7c262ab62e0252f0d07313c9227ccc8308cd93cd96373e57fa55a066691d5b5cfb55f5d3

/data/data/com.kgezbv.kbrqeym/.00000000000/39285EFA.dex

MD5 02f69eb4fe05ebc6c9f736d83e5f7e26
SHA1 777d75e14a73f5721fc4ae34f49a9a4b82311373
SHA256 13502356b7d3f910107aeff131e9c4a2b892744a125a2d1a2a206b219dc36042
SHA512 7c1f5d68d40bf37aef2e59aa9a4f96d1ef642a8db7e53295953b0b5fa3a63cd7546c5cf8ad3fc17f6b84a795a08e13024d8dcb3db828ca3fad634964cba69bcc

/data/data/com.kgezbv.kbrqeym/cache/image_manager_disk_cache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/com.kgezbv.kbrqeym/app_tbs/core_private/download_upload

MD5 7676e5f4c356ea78babee2748bb88a27
SHA1 d7bcc91dccc62e34c6512b10989f2dd32783b981
SHA256 81b2b703783b83482e85b8a984945545ecabb335b06666ef6def855c7667772e
SHA512 0aa59565be792da19d1e82ab7eaa3ee1cf1df1526c4d7adb84e01dae649ea0a0d36180000a3de3f3a4f585ee4045a0100d10ad26e30508adb03e73b44c05c7cf

/data/data/com.kgezbv.kbrqeym/app_tbs/core_private/debug.conf

MD5 e9e87978b18fcac9f879435d3260698d
SHA1 4ad9663180b131a495fa85a6f7b75d3096bbf177
SHA256 756bc2270414ce9c88546fe44006b5bd33c314978e449b6548546ea7690dbb30
SHA512 61e530338c2e387c1b889d4d4259608a39cba48c4e53f77cd00222534c291da5829107ecc44f2c7fb1ee39df4a36ab6d0949c80c272aed27a3ce5449045d38aa

/data/data/com.kgezbv.kbrqeym/app_tbs/core_private/download_upload

MD5 ec70e49ca6280ca474fa1a78afeda1e2
SHA1 061f11054c7c09315b821a94b2e90a4b9deb78b6
SHA256 46c63d04569cb1ecac471fda1425244532169ed70ad24f3632db202222ad75ae
SHA512 8a04ba554ff4b3e5af181290ccbc36d5bbc26f504435a89754b439e4c924573f7771b9f07e3e3a506958ee029751075f8fe9e525d6a9c5a13be8f399565fdc30