Malware Analysis Report

2025-01-19 08:00

Sample ID 240616-ykejravdlf
Target b4e7ead3d03edf554919e104007bfcf0_JaffaCakes118
SHA256 4393aed58a3f682dc56206c1aac4a7f4d3a928935f96680bf6ac1e1294d7908a
Tags: discovery, evasion, impact, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 4393aed58a3f682dc56206c1aac4a7f4d3a928935f96680bf6ac1e1294d7908a

Threat Level: Likely malicious

The file b4e7ead3d03edf554919e104007bfcf0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Uses Crypto APIs (the sandbox reads this as possible encryption of user data; the only indicator behind it is a javax.crypto.Cipher.doFinal call, which is equally consistent with ordinary SDK payload encryption, and neither behavioural run shows user files being rewritten or renamed)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Mobile Matrix V15

The matrix content is not present in this copy of the report. The tactics it would mark are the ones carried by the signature tags below: Defense Evasion (root and emulator checks), Discovery (device, network and memory queries), Persistence (broadcast receiver registered at runtime) and Impact (crypto API use).

Analysis: static1

Detonation Overview

Reported: 2024-06-16 19:50

Signatures

Requests dangerous framework permissions

Permission                                  Description
android.permission.READ_PHONE_STATE         Read-only access to phone state, including the current cellular network, the status of any ongoing calls, and the PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE    Read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE   Write to external storage.
android.permission.CAMERA                   Access the camera device.
android.permission.RECORD_AUDIO             Record audio.
android.permission.GET_ACCOUNTS             Access the list of accounts in the Accounts Service.
android.permission.WRITE_SETTINGS           Read or write the system settings.
android.permission.CALL_PHONE               Initiate a phone call without going through the Dialer UI for the user to confirm the call.
android.permission.SYSTEM_ALERT_WINDOW      Create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.ACCESS_FINE_LOCATION     Access precise location.
android.permission.ACCESS_COARSE_LOCATION   Access approximate location.

Process and Target are N/A for every entry (this is a static finding from the manifest). The original listing repeats several permissions; each is shown once here.

How to read this set: the package name (com.bolema.phonelive) suggests a live-streaming app, for which CAMERA, RECORD_AUDIO and location are plausible. CALL_PHONE, SYSTEM_ALERT_WINDOW and WRITE_SETTINGS have no obvious role in such an app and are the ones to trace to code. Two caveats apply. SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are not runtime "dangerous" permissions on Android 6 and later; the user has to enable them explicitly in Settings (via ACTION_MANAGE_OVERLAY_PERMISSION and ACTION_MANAGE_WRITE_SETTINGS), so a manifest declaration alone does not mean the app holds them. And from Android 10, READ_PHONE_STATE no longer gives a non-privileged app the IMEI, MEID or IMSI, which bears on the "Queries the unique device ID" signature below.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 19:50
Reported: 2024-06-16 19:53
Platform: android-x86-arm-20240611.1-en
Max time kernel: 20s
Max time network: 131s

Command Line

com.bolema.phonelive

Signatures

Checks if the Android device is rooted.

evasion
Indicators (files probed; Process/Target: N/A):
/system/app/Superuser.apk
/sbin/su

Queries information about active data network

discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator: framework API call javax.crypto.Cipher.doFinal

Checks memory information

Indicator: file opened for read /proc/meminfo

Processes

com.bolema.phonelive
  /system/bin/sh -c getprop ro.board.platform
    getprop ro.board.platform
  /system/bin/sh -c type su
  /system/bin/sh -c getprop ro.genymotion.version
    getprop ro.genymotion.version
  /system/bin/sh -c getprop androVM.vbox_dpi
    getprop androVM.vbox_dpi
  /system/bin/sh -c getprop qemu.sf.fake_camera
    getprop qemu.sf.fake_camera
  /system/bin/sh -c getprop ro.secure
    getprop ro.secure
  /system/bin/sh -c getprop ro.miui.ui.version.name
    getprop ro.miui.ui.version.name
  /system/bin/sh -c getprop ro.build.version.emui
    getprop ro.build.version.emui
  /system/bin/sh -c getprop ro.lenovo.series
    getprop ro.lenovo.series
  /system/bin/sh -c getprop ro.build.nubia.rom.name
    getprop ro.build.nubia.rom.name
  /system/bin/sh -c getprop ro.meizu.product.model
    getprop ro.meizu.product.model
  /system/bin/sh -c getprop ro.build.version.opporom
    getprop ro.build.version.opporom
  /system/bin/sh -c getprop ro.vivo.os.build.display.id
    getprop ro.vivo.os.build.display.id
  /system/bin/sh -c getprop ro.aa.romver
    getprop ro.aa.romver
  /system/bin/sh -c getprop ro.lewa.version
    getprop ro.lewa.version
  /system/bin/sh -c getprop ro.gn.gnromvernumber
    getprop ro.gn.gnromvernumber
  /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
    getprop ro.build.tyd.kbstyle_version
  /system/bin/sh -c getprop ro.build.fingerprint
    getprop ro.build.fingerprint
  /system/bin/sh -c getprop ro.build.rom.id
    getprop ro.build.rom.id
  /system/bin/sh -c getprop ro.debuggable
    getprop ro.debuggable
  /system/bin/sh -c getprop gsm.sim.state
    getprop gsm.sim.state
  /system/bin/sh -c getprop gsm.sim.state2
    getprop gsm.sim.state2

The process list says more than the signature list. Each "/system/bin/sh -c getprop X" entry is the app spawning a shell whose child is the "getprop X" entry beneath it. Besides the root probe ("type su", alongside the /sbin/su and Superuser.apk file checks above), the app reads properties that identify the execution environment: ro.genymotion.version and androVM.vbox_dpi (Genymotion/AndroVM), qemu.sf.fake_camera (the QEMU-based Android emulator), ro.secure and ro.debuggable (ro.secure=0 and ro.debuggable=1 on userdebug and eng builds, which is what most analysis images run), gsm.sim.state and gsm.sim.state2 (SIM presence in both slots), ro.build.fingerprint, and a long run of vendor ROM markers (MIUI, EMUI, Lenovo, nubia, Meizu, ColorOS, Vivo, LeWa, Gionee and others). The sandbox only tagged the root check; the emulator and build-flag queries are the same class of evasion signal and should be weighed the same way. Note that the android-x64 run (behavioral2) records none of these child processes, so whatever gates them behaved differently on that image; compare both runs before drawing conclusions from either.
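The classification described above, as an added example that is not part of the sandbox's own signature engine: it takes a process listing in the report's format, classifies each "sh -c" payload, and emits the signatures the report left implicit. The property-to-category map is my own assumption and is deliberately conservative; any property it does not recognise is reported as a generic device fingerprint. The sample input is a constructed subset of the behavioral1 process list.

```python
"""Classify the shell commands an Android app spawns (as listed in a sandbox
process tree) into analysis-evasion and fingerprinting signatures.

Added example for this report; not the sandbox's own signature engine.
PROPERTY_RULES is an assumed mapping, kept small on purpose.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the behavioral1 process list, verbatim.
SAMPLE_PROCESSES = """
com.bolema.phonelive
/system/bin/sh -c getprop ro.board.platform
getprop ro.board.platform
/system/bin/sh -c type su
/system/bin/sh -c getprop ro.genymotion.version
getprop ro.genymotion.version
/system/bin/sh -c getprop androVM.vbox_dpi
getprop androVM.vbox_dpi
/system/bin/sh -c getprop qemu.sf.fake_camera
getprop qemu.sf.fake_camera
/system/bin/sh -c getprop ro.secure
getprop ro.secure
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.debuggable
getprop ro.debuggable
/system/bin/sh -c getprop gsm.sim.state
getprop gsm.sim.state
/system/bin/sh -c getprop gsm.sim.state2
getprop gsm.sim.state2
"""

# (regex on the property name, category, what the property reveals)
PROPERTY_RULES = [
    (r"^ro\.genymotion\.", "emulator_check", "Genymotion"),
    (r"^androVM\.", "emulator_check", "AndroVM/VirtualBox"),
    (r"^qemu\.", "emulator_check", "QEMU-based Android emulator"),
    (r"^ro\.(secure|debuggable)$", "build_security_flag", "userdebug/eng build"),
    (r"^ro\.miui\.", "rom_vendor_fingerprint", "Xiaomi MIUI"),
    (r"^ro\.build\.version\.emui$", "rom_vendor_fingerprint", "Huawei EMUI"),
    (r"^ro\.build\.version\.opporom$", "rom_vendor_fingerprint", "OPPO ColorOS"),
    (r"^ro\.vivo\.", "rom_vendor_fingerprint", "Vivo"),
    (r"^ro\.meizu\.", "rom_vendor_fingerprint", "Meizu"),
    (r"^ro\.lenovo\.", "rom_vendor_fingerprint", "Lenovo"),
    (r"^ro\.build\.nubia\.", "rom_vendor_fingerprint", "nubia"),
    (r"^ro\.lewa\.", "rom_vendor_fingerprint", "LeWa"),
    (r"^ro\.gn\.", "rom_vendor_fingerprint", "Gionee"),
    (r"^gsm\.sim\.state", "sim_presence_check", "SIM slot state"),
]

# Category -> signature title, in the order a report would list them.
SIGNATURE_NAMES = {
    "root_check": "Checks if the Android device is rooted",
    "emulator_check": "Queries emulator-specific system properties",
    "build_security_flag": "Reads ro.secure / ro.debuggable build flags",
    "sim_presence_check": "Checks SIM state",
    "rom_vendor_fingerprint": "Fingerprints the vendor ROM",
    "device_fingerprint": "Reads generic build/hardware properties",
}

SH_CMD = re.compile(r"^/system/bin/sh -c (.+)$")
GETPROP = re.compile(r"^getprop\s+(\S+)$")
SU_PROBE = re.compile(r"^(type|which|command -v)\s+su$|^su$")


def classify_command(cmd):
    """Return (category, detail) for the payload of one `sh -c` invocation."""
    cmd = cmd.strip()
    if SU_PROBE.match(cmd):
        return "root_check", cmd
    m = GETPROP.match(cmd)
    if not m:
        return "other_shell", cmd
    prop = m.group(1)
    for pattern, category, note in PROPERTY_RULES:
        if re.match(pattern, prop):
            return category, f"{prop} ({note})"
    return "device_fingerprint", prop


def signatures(process_listing):
    """Group `sh -c` payloads by category. The bare `getprop X` lines are the
    child processes of the `sh -c` lines and add nothing, so only the parent
    commands are classified."""
    found = defaultdict(list)
    for line in process_listing.strip().splitlines():
        m = SH_CMD.match(line.strip())
        if m:
            category, detail = classify_command(m.group(1))
            found[category].append(detail)
    return dict(found)


def triggered_signatures(process_listing):
    """Signature titles in SIGNATURE_NAMES order, one per category hit."""
    hits = signatures(process_listing)
    return [name for cat, name in SIGNATURE_NAMES.items() if cat in hits]


if __name__ == "__main__":
    for category, details in signatures(SAMPLE_PROCESSES).items():
        print(f"{category}:")
        for d in details:
            print(f"  {d}")
```

Run against the sample, the root check is the only one of the six categories the sandbox reported as a signature; the other five are what a triage note should add by hand.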

Network

Country  Destination            Domain                   Proto
N/A      224.0.0.251:5353       (none)                   udp
GB       142.250.187.206:443    (none)                   tcp
US       1.1.1.1:53             android.apis.google.com  udp
GB       142.250.187.238:443    android.apis.google.com  tcp
US       1.1.1.1:53             android.bugly.qq.com     udp
CN       14.22.7.199:80         android.bugly.qq.com     tcp

Reading the table: 224.0.0.251:5353 is mDNS multicast on the local segment, and 1.1.1.1:53 is the sandbox's DNS resolver (Cloudflare), so the "US" on those rows describes the resolver, not the app's infrastructure. android.bugly.qq.com is the endpoint of Tencent's Bugly crash-reporting SDK, which matches the bugly_db_ database written below; note that it is reached over plaintext HTTP on port 80. 142.250.187.206:443 lies in Google address space but no name was recorded for it in the capture, so it cannot be attributed from this report alone.

Files

Every file written is the Bugly SDK's SQLite database (bugly_db_) with its SQLite sidecars: the rollback journal (-journal), write-ahead log (-wal) and shared-memory index (-shm). All of it sits in the app's private data directory; nothing is dropped elsewhere.

/data/data/com.bolema.phonelive/databases/bugly_db_-journal

MD5 a9462fe733ffc4b257bcb20ef99e8435
SHA1 d289981b11dd75ad9a7f0d8652cd53f594fcdbb7
SHA256 2ca18bc59b07334e0ef87265fbd74849f5689c5d37f2ad4f4c0115565ff55bf0
SHA512 bce88e8fbca1a4c9f2227bffceb4c05df1e98f2d52d59033ad80f7211f4bd3b47a9fcbb5e1cf086b74832eeaf6e4ef1dfad197c57e00914beb05eaf3056e023d

/data/data/com.bolema.phonelive/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bolema.phonelive/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bolema.phonelive/databases/bugly_db_-wal

MD5 5c1aefaeb67ea2089c01723f6bec29d4
SHA1 81412dd4dae13fe6fbbac7867bf257edb0a54622
SHA256 4ed9a22251d66cd5bd1d8c6f07a46850992d2e3099bd218bd0e09873a4942c4f
SHA512 63aaae6d755e78054b9177d4a575e53a2ef69da2239ef3e8bc1165ed69f5275694deb34062cf514059b62175c01ca3fe8d0bebd3c0ffb4e8d103bc406d2f23d1

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 19:50
Reported: 2024-06-16 19:53
Platform: android-x64-20240611.1-en
Max time kernel: 8s
Max time network: 187s

Command Line

com.bolema.phonelive

Signatures

Checks if the Android device is rooted.

evasion
Indicator (file probed; Process/Target: N/A): /system/app/Superuser.apk

Queries information about active data network

discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Queries the unique device ID (IMEI, MEID, IMSI)

discovery
No indicator was recorded for this signature. Whether such a query returns anything depends on the image's Android version: from Android 10, READ_PHONE_STATE no longer gives a non-privileged app access to the IMEI, MEID or IMSI (TelephonyManager.getDeviceId, getImei, getMeid and getSubscriberId throw a SecurityException or return null depending on the app's target SDK), so the call can be present in code without yielding an identifier.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator: framework API call javax.crypto.Cipher.doFinal

Checks memory information

Indicator: file opened for read /proc/meminfo

Processes

com.bolema.phonelive

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       (none)                    udp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       216.58.201.104:443     ssl.google-analytics.com  tcp
US       1.1.1.1:53             android.bugly.qq.com      udp
CN       119.147.179.152:80     android.bugly.qq.com      tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.238:443    android.apis.google.com   tcp
GB       216.58.201.100:443     (none)                    tcp
GB       216.58.201.100:443     (none)                    tcp
GB       216.58.204.78:443      (none)                    tcp
GB       142.250.200.14:443     (none)                    tcp
GB       172.217.169.66:443     (none)                    tcp

As in behavioral1, the named traffic is Bugly crash reporting (again over plaintext HTTP) plus Google Analytics and Google Play services; 1.1.1.1:53 is the sandbox resolver. The five unnamed TLS connections all fall in Google address space but were not resolved in the capture, so this report does not establish what they carried. Nothing in either run reaches a destination that is not attributable to a well-known SDK or to Google, which is worth holding against the 8/10 score: the score is driven by the permission set and by generic discovery and evasion heuristics, not by observed command-and-control.
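The separation made in the notes on both Network tables (SDK telemetry versus connections the capture cannot name), as an added example that is not sandbox tooling. It parses rows in the report's "Country Destination Domain Proto" layout, attributes domains by suffix, flags plaintext HTTP, and sets aside unresolved destinations for TLS SNI or certificate review. KNOWN_SUFFIXES is my own assumption and intentionally tiny; the sample rows are constructed from the behavioral2 table above.

```python
"""Split a sandbox network table into local multicast, DNS, attributed
SDK/telemetry traffic, plaintext HTTP, and unattributed connections.

Added example for this report, not sandbox tooling. KNOWN_SUFFIXES is an
assumed map; a real triage script would back it with a maintained list.
"""
import re

# Constructed sample: rows from the behavioral2 Network table above.
SAMPLE_NETWORK = """
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.204.78:443 tcp
"""

KNOWN_SUFFIXES = {
    "bugly.qq.com": "Tencent Bugly crash-reporting SDK",
    "google-analytics.com": "Google Analytics",
    "apis.google.com": "Google Play services",
}

# Country, IPv4:port, optional domain (must contain a dot), protocol.
ROW = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse report rows; the header line and malformed lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def owner_of(domain):
    """Attribute a domain to a known SDK/service by suffix, else None."""
    for suffix, owner in KNOWN_SUFFIXES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return owner
    return None


def triage(text):
    out = {"multicast": [], "dns": [], "sdk_traffic": [],
           "plaintext_http": [], "unattributed": []}
    for r in parse_rows(text):
        dst = f"{r['ip']}:{r['port']}"
        first_octet = int(r["ip"].split(".")[0])
        if 224 <= first_octet <= 239:          # IPv4 multicast (mDNS here)
            out["multicast"].append(dst)
            continue
        if r["port"] == 53 and r["proto"] == "udp":
            out["dns"].append(r["domain"])     # lookup, not app traffic
            continue
        owner = owner_of(r["domain"]) if r["domain"] else None
        if owner is None:
            # No name in the capture, or a name we cannot attribute: this is
            # what needs TLS SNI / certificate review before calling it C2.
            out["unattributed"].append((dst, r["domain"]))
            continue
        out["sdk_traffic"].append((dst, r["domain"], owner))
        if r["port"] == 80:
            # Telemetry leaving in the clear is a finding in its own right.
            out["plaintext_http"].append((dst, r["domain"]))
    return out


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_NETWORK).items():
        print(bucket, items)
```

The point of the "unattributed" bucket is discipline: a Google-range address with no recorded name is not evidence of command-and-control, but it is also not cleared until the TLS handshake has been looked at.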

Files

As in behavioral1, only the Bugly SDK's SQLite database (bugly_db_) and its rollback journal are written, inside the app's private data directory. The -journal path appears six times with different hashes: these are successive states of the same journal file captured while the SDK wrote to the database, not six distinct files.

/data/data/com.bolema.phonelive/databases/bugly_db_-journal

MD5 b47b8ddf447a9fa73d91ed334d0c713e
SHA1 b819be5081f2453317456fbe2866f89f8992c52e
SHA256 675af93bab92e2769bf5d3e82e6c7a4c6d56c59c7856966a7f97165cc70ba8a1
SHA512 83ad880f43b59124e9d9efb5a91c2189731aaa74b442721f3f2a74f61d453c7805850e6386f74edbaa3e2204e7de9038de3313f05ad303af8699c53e07f242ee

/data/data/com.bolema.phonelive/databases/bugly_db_

MD5 8c12c8009b529993da017345b4d44b2c
SHA1 9b0bc8ada3773c5a51fc4d52c1cd9559bef31dd9
SHA256 7027d1cb206d11a49f92264eb108a5866b207e17725d685cac57bfa982b12ad0
SHA512 d3430f4a0edf23eb6b465580851b4edd0397372e767fee903d8722edfd457206bed83e516a0c1161d68ddd84a75e1bcd64aa31392487988b78473da0593d3618

/data/data/com.bolema.phonelive/databases/bugly_db_-journal

MD5 bd731530793a7a44bdd437c7699e37ce
SHA1 f606741f3dcd608b64eb0b47c830c2615f073628
SHA256 4c3da2a63285ed8c41aefb6800b5597fb62d0f7f789679be04b80119ab639f83
SHA512 150451c680719736d5a6d227cb3bd5c2c098abdc4188a057ab406cec594c97c513351dd793916c3ec4068e8de538f93d17f37987dfc18e56c0fbe45e33232ed8

/data/data/com.bolema.phonelive/databases/bugly_db_-journal

MD5 455e500af4e34af3b3010d7ab7cf388a
SHA1 f47c0d93b979352a52b88344c75ce11fe8a657e0
SHA256 0491555670d2d4e6ae4baff725e94a6ba7bc70526d92daacfb91694c491fabdf
SHA512 5384f6254ed73f8359c48153223fc93ff043cc39e5d5502210504c8e517d98c1e9ad000c9cf6c63619b589ebc259e0a888a4ce5c42840654a8efd22d4307f1c6

/data/data/com.bolema.phonelive/databases/bugly_db_-journal

MD5 c9bf298d6e85dacd0aac96210b250fcc
SHA1 94b4e7407801e09073f4702a1462a536414f68ee
SHA256 ebac8e2c3ffdd7b603c97df6165dfbd1d49dd9fb24e9ebc3d1ba237614ffdd5e
SHA512 8532775f6a5e4b4efc385b20d72ff60d3c2d112d26a138ce0664e761918bd86d2029ab9b24565942f79d013fba5787b46b1584f68f52fb91ced34f0cd58e819c

/data/data/com.bolema.phonelive/databases/bugly_db_-journal

MD5 aca266bce88a604dd14274f3be9afb7d
SHA1 3ef39f1b6be2746e8aaa69481989ee2b133bcd5c
SHA256 01ac168e80be2cd7d9b3c0a21428cc4b1fa59809d41392cbdeb1a02de251dce4
SHA512 f883e26bc89b6d0c93ccb322a6962e4c4484844859c9d6de30ee2b4dcb45341dc0314736df15032f356f856e9e1120d58d1f6b970e27f972050f762494d82c47

/data/data/com.bolema.phonelive/databases/bugly_db_-journal

MD5 c92242e469f42f10859b6f27d894e907
SHA1 bb2f14ae75ddb15521670abbdc3b79f222f07211
SHA256 db66983fc72841ec1734c14fcc3accc3d19c2cbcdddef2c23e33f2ac126437ea
SHA512 eba7a782e381b23a698c0bd822eda99e2415bcdac79767339e041e2e62ed790f86fcb39bd992b9d75aee69c1b3e8975a9df53fc40eb9b9ce1be9e0c68bfc2a2b