Malware Analysis Report

2025-01-19 08:00

Sample ID: 240616-ymyemsvekh
Target: b4eb44e6ec16420e24ddc4dc06f07700_JaffaCakes118
SHA256: d48013a9f5f6a9adaf1fa79c4d28e2ab112200b9a76d9fbc3a265aef7c95d83f
Tags: banker discovery evasion impact persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: d48013a9f5f6a9adaf1fa79c4d28e2ab112200b9a76d9fbc3a265aef7c95d83f

Threat Level: Likely malicious

The file b4eb44e6ec16420e24ddc4dc06f07700_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-16 19:54

Signatures

Requests dangerous framework permissions

Permission (Indicator) | Description | Process | Target
android.permission.READ_PHONE_STATE | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | N/A | N/A
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. | N/A | N/A
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage. | N/A | N/A
android.permission.WRITE_SETTINGS | Allows an application to read or write the system settings. | N/A | N/A
android.permission.SYSTEM_ALERT_WINDOW | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | N/A | N/A
android.permission.RECORD_AUDIO | Allows an application to record audio. | N/A | N/A
android.permission.READ_PHONE_STATE | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. (listed a second time in the report) | N/A | N/A
android.permission.ACCESS_FINE_LOCATION | Allows an app to access precise location. | N/A | N/A
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service. | N/A | N/A
android.permission.CAMERA | Required to be able to access the camera device. | N/A | N/A
android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location. | N/A | N/A
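The static1 pass reduces to "read the manifest, pick out the runtime-prompted and special-access permissions, and note what the combination enables". The following is an added example written for this page, not code from the sandbox or from the app: it parses a constructed AndroidManifest.xml fragment that declares the same permissions as the table above (READ_PHONE_STATE twice, plus an assumed INTERNET entry) and triages them. The dangerous/special groupings follow Android's protection levels; the combination notes are the editor's heuristics.

```python
"""Added example (editor's code, not part of the sandbox report): parse the
<uses-permission> entries of an AndroidManifest.xml and triage them the way the
static1 pass does. SAMPLE_MANIFEST is a constructed fragment declaring the same
permissions the table above lists; the groupings and the capability notes are
the editor's own and assume the sample actually declared these entries."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment mirroring the static1 permission table
# (READ_PHONE_STATE is declared twice, as in the table; INTERNET is assumed).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.kangxun360.member">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Runtime-prompted ("dangerous" protection level) permissions from the table.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.GET_ACCOUNTS",
    "android.permission.CAMERA",
}
# "Special access" permissions: granted through a Settings toggle, not a prompt.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
}
# Capability notes keyed on permission combinations (editor's heuristics).
COMBOS = [
    ({"android.permission.SYSTEM_ALERT_WINDOW"},
     "overlay-capable: can draw windows over other apps (precondition for banker overlays)"),
    ({"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
     "audio and camera capture"),
    ({"android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_PHONE_STATE"},
     "precise location plus device and network identifiers"),
]


def declared_permissions(manifest_xml: str) -> list:
    """Return the unique <uses-permission> names in declaration order.
    Duplicates are common when several SDK manifests are merged."""
    root = ET.fromstring(manifest_xml)
    seen = []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name and name not in seen:
            seen.append(name)
    return seen


def triage(manifest_xml: str) -> dict:
    """Split declared permissions into dangerous / special / other and
    attach capability notes for the combinations above."""
    perms = set(declared_permissions(manifest_xml))
    notes = [text for needed, text in COMBOS if needed <= perms]
    return {
        "dangerous": sorted(perms & DANGEROUS),
        "special": sorted(perms & SPECIAL),
        "other": sorted(perms - DANGEROUS - SPECIAL),
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(key, value)
```

On a real APK the manifest is binary XML; decode it first (apktool or androguard's AXMLPrinter) and feed the text form to `declared_permissions`. The overlay note is the one that matters for the banker tag: SYSTEM_ALERT_WINDOW together with the installed-application query seen in behavioral1 is the usual precondition for overlaying a legitimate banking app.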

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 19:54
Reported: 2024-06-16 19:58
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 186s

Command Line

com.kangxun360.member

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

The indicator is the lookup of the two usual su binary locations; the report does not record whether they existed. Root checks of this kind appear in legitimate apps as well (payment and DRM SDKs), so this signature carries the evasion tag mainly in combination with the environment probes recorded below (/proc/cpuinfo, /proc/meminfo and the listing of /dev/socket).

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Caveat: alog.umeng.com is a logging endpoint of the Umeng mobile analytics SDK, which is embedded in a very large number of legitimate Chinese apps. A match on this domain alone is weak evidence of stalkerware; weigh it together with the permission set, the overlay capability and the app's own backend (v4.api.kangxun360.com, which matches the package name com.kangxun360.member).

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kangxun360.member

sh -c ls /dev/socket

ls /dev/socket

The app shells out to list /dev/socket. On the stock Android emulator that directory contains sockets such as qemud that do not exist on real hardware, so listing it is a widely used emulator-detection probe and belongs with the su lookups under the evasion tag.
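The root check, the /proc reads and the /dev/socket listing are all the same kind of evidence: file and exec events that the sandbox maps to a signature. As an added example (editor's code, not the sandbox's signature engine), the block below parses a constructed strace-style excerpt reproducing those events and buckets them the way the signatures above do; the su path list and the rule table are the editor's.

```python
"""Added example (editor's code, not from the report): classify sandbox
observations into the root-check / emulator-check signatures above. SAMPLE_LOG
is a constructed strace-style excerpt that reproduces the su lookups, the
/proc reads and the 'ls /dev/socket' command the report records; the rule
table is the editor's, not the sandbox's."""
import re

SAMPLE_LOG = """\
4211 openat(AT_FDCWD, "/system/bin/su", O_RDONLY) = -1 ENOENT (No such file or directory)
4211 openat(AT_FDCWD, "/system/xbin/su", O_RDONLY) = -1 ENOENT (No such file or directory)
4211 openat(AT_FDCWD, "/proc/cpuinfo", O_RDONLY|O_CLOEXEC) = 41
4211 openat(AT_FDCWD, "/proc/meminfo", O_RDONLY|O_CLOEXEC) = 42
4230 execve("/system/bin/sh", ["sh", "-c", "ls /dev/socket"], 0x7f0c3a1000 /* 20 vars */) = 0
4211 openat(AT_FDCWD, "/data/data/com.kangxun360.member/files/shuzilm.db", O_RDWR|O_CREAT, 0600) = 43
"""

# Common su binary locations probed by root checks. The probe itself is the
# signal; the ENOENT results in the constructed log show it ran on a clean image.
SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
            "/system/sbin/su", "/vendor/bin/su", "/data/local/bin/su"}
# /proc files that fingerprint the hardware the app runs on. Legitimate
# telemetry SDKs read these too, so a hit here is weak on its own.
ENV_FILES = {"/proc/cpuinfo", "/proc/meminfo"}

OPENAT_RE = re.compile(r'openat\(\w+, "([^"]+)"')
EXECVE_RE = re.compile(r'execve\("([^"]+)", \[([^\]]*)\]')


def parse_event(line: str):
    """Return ("open", path), ("exec", "argv joined by spaces") or None."""
    m = OPENAT_RE.search(line)
    if m:
        return ("open", m.group(1))
    m = EXECVE_RE.search(line)
    if m:
        argv = re.findall(r'"([^"]*)"', m.group(2))
        return ("exec", " ".join(argv))
    return None


def classify(log: str) -> dict:
    """Bucket events into the signatures the report uses; other events are dropped."""
    hits = {"root_check": [], "emulator_check": [], "env_fingerprint": []}
    for line in log.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        kind, value = event
        if kind == "open" and value in SU_PATHS:
            hits["root_check"].append(value)
        elif kind == "open" and value in ENV_FILES:
            hits["env_fingerprint"].append(value)
        elif kind == "open" and value.startswith("/dev/socket/"):
            hits["emulator_check"].append(value)   # e.g. /dev/socket/qemud
        elif kind == "exec" and "/dev/socket" in value:
            hits["emulator_check"].append(value)   # listing emulator IPC sockets
    return hits


if __name__ == "__main__":
    for name, evidence in classify(SAMPLE_LOG).items():
        print(name, evidence)
```

The same three buckets are what the report's evasion tag rests on; the shuzilm.db write in the constructed log falls through every rule and is ignored, which is the behaviour you want from a signature matcher that should not fire on ordinary app I/O.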

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
US | 1.1.1.1:53 | v4.api.kangxun360.com | udp
US | 23.224.240.151:80 | v4.api.kangxun360.com | tcp
US | 1.1.1.1:53 | s.jpush.cn | udp
CN | 116.205.165.66:19000 | s.jpush.cn | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 116.205.165.66:80 | s.jpush.cn | udp
US | 23.224.240.151:80 | v4.api.kangxun360.com | tcp
US | 1.1.1.1:53 | easytomessage.com | udp
CN | 1.94.137.180:19000 | easytomessage.com | udp
CN | 1.94.137.180:80 | easytomessage.com | udp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | sis.jpush.io | udp
CN | 119.3.253.130:19000 | sis.jpush.io | udp
CN | 119.3.253.130:80 | sis.jpush.io | udp
CN | 113.31.17.108:19000 | - | udp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 113.31.17.108:80 | - | udp
CN | 113.31.17.106:3000 | - | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 116.205.165.66:19000 | sis.jpush.io | udp
CN | 116.205.165.66:80 | sis.jpush.io | udp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 1.94.137.180:19000 | easytomessage.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 1.94.137.180:80 | easytomessage.com | udp
CN | 119.3.253.130:19000 | sis.jpush.io | udp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 119.3.253.130:80 | sis.jpush.io | udp
CN | 113.31.17.108:19000 | - | udp
CN | 113.31.17.108:80 | - | udp
CN | 113.31.17.106:3000 | - | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 116.205.165.66:19000 | sis.jpush.io | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 116.205.165.66:80 | sis.jpush.io | udp
CN | 1.94.137.180:19000 | easytomessage.com | udp
CN | 1.94.137.180:80 | easytomessage.com | udp
US | 1.1.1.1:53 | sis.jpush.io | udp
CN | 1.92.70.140:19000 | sis.jpush.io | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 1.92.70.140:80 | sis.jpush.io | udp
CN | 113.31.17.108:19000 | - | udp
CN | 113.31.17.108:80 | - | udp
CN | 113.31.17.106:3000 | - | tcp
US | 1.1.1.1:53 | s.jpush.cn | udp
CN | 124.71.170.130:19000 | s.jpush.cn | udp
CN | 124.71.170.130:80 | s.jpush.cn | udp
CN | 1.94.137.180:19000 | s.jpush.cn | udp
CN | 1.94.137.180:80 | s.jpush.cn | udp
CN | 1.92.70.140:19000 | sis.jpush.io | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 1.92.70.140:80 | sis.jpush.io | udp
CN | 113.31.17.108:19000 | - | udp
CN | 113.31.17.108:80 | - | udp
CN | 113.31.17.106:3000 | - | tcp
US | 1.1.1.1:53 | s.jpush.cn | udp
CN | 120.46.131.222:19000 | s.jpush.cn | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 120.46.131.222:80 | s.jpush.cn | udp
CN | 1.94.137.180:19000 | s.jpush.cn | udp
CN | 1.94.137.180:80 | s.jpush.cn | udp
CN | 1.92.70.140:19000 | s.jpush.cn | udp

Reading the table: rows with destination 1.1.1.1:53 are the emulator's DNS lookups, 224.0.0.251:5353 is mDNS, and rows with "-" in the Domain column are connections the sandbox could not pair with a DNS answer (113.31.17.108 on 19000/udp and 80/udp and 113.31.17.106 on 3000/tcp recur throughout the run). Most named destinations belong to third-party SDKs bundled in the app rather than to the app itself: oc.umeng.com and alog.umeng.com (Umeng analytics), s.jpush.cn and sis.jpush.io (JPush push notifications), api.share.mob.com (Mob ShareSDK, matching the /storage/emulated/0/ShareSDK files below) and android.apis.google.com (Google). v4.api.kangxun360.com is the app's own backend, as its domain matches the package name. easytomessage.com and the unresolved 113.31.17.x endpoints cannot be attributed to a known SDK from this report alone and are the destinations to pivot on first.
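Turning this table into an indicator list means throwing away the resolver and multicast rows, collapsing repeats, and keeping the bare-IP connections separate because they are the ones a DNS-based blocklist would miss. The block below is an added example written for this page (editor's code, not from the sandbox): NETWORK_ROWS holds a subset of the rows above copied verbatim in the report's original flattened form; the filtering and grouping rules are the editor's.

```python
"""Added example (editor's code, not from the report): turn the flattened
Network table into a deduplicated contact list. NETWORK_ROWS holds a subset of
the rows above, copied verbatim; the filtering rules (drop resolver queries and
multicast, key on domain or bare IP) are the editor's."""
from collections import defaultdict
from ipaddress import ip_address

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 oc.umeng.com udp
CN 59.82.23.79:80 oc.umeng.com tcp
US 1.1.1.1:53 v4.api.kangxun360.com udp
US 23.224.240.151:80 v4.api.kangxun360.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 116.205.165.66:19000 s.jpush.cn udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 216.58.201.110:443 tcp
CN 113.31.17.108:19000 udp
CN 113.31.17.106:3000 tcp
US 23.224.240.151:80 v4.api.kangxun360.com tcp
"""


def parse_row(line: str) -> dict:
    """Rows have 3 fields (no domain) or 4 fields (domain present)."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError("unexpected row: %r" % line)
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": host, "port": int(port),
            "domain": domain, "proto": proto}


def is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def extract_contacts(table: str) -> dict:
    """Map each contacted name (or bare IP when no DNS answer was paired)
    to the set of (ip, port, proto) endpoints actually connected to."""
    contacts = defaultdict(set)
    for line in table.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if row["port"] == 53:                   # resolver query, not a contact
            continue
        if ip_address(row["ip"]).is_multicast:  # mDNS discovery noise
            continue
        key = row["domain"] or row["ip"]
        contacts[key].add((row["ip"], row["port"], row["proto"]))
    return dict(contacts)


def unresolved_endpoints(contacts: dict) -> list:
    """Bare-IP keys: connections without a DNS name, the ones a domain
    blocklist would miss and the ones worth pivoting on."""
    return sorted(k for k in contacts if is_ip(k))


if __name__ == "__main__":
    found = extract_contacts(NETWORK_ROWS)
    for name, endpoints in sorted(found.items()):
        print(name, sorted(endpoints))
    print("unresolved:", unresolved_endpoints(found))
```

Run over the full table the same functions give one entry per SDK or backend host plus the three bare-IP endpoints; the port-53 rule relies on the sandbox resolver being the only thing on port 53, which holds for this report but should be checked against the Platform line before reusing the script on another run.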

Files

/data/data/com.kangxun360.member/files/shuzilm.db

MD5 3383f022372cba2aa59b749f148d02fb
SHA1 086ce0cb51083a7b02ff4b895e69cb3ce06e8792
SHA256 aec9578202732b5a08832922658f857e2acdd1c20cb2b630b59c82ebe6db68df
SHA512 b94a644fb65ba876ea872c44217304d618e773f3550707f74543c9fd3a00a2ed13698c0d7ba659ffda5a5039217fc96e3340daeed60ac4b4ee24e56a2d941253

/storage/emulated/0/Android/data/system/local/_system.dat

MD5 fd8c393e124a375a7fd42cbfea6ae9ce
SHA1 90b1278e57b992d57f1a36542a93a1394470b0ea
SHA256 115ccc07a620308d3640d53a5a6f06a7b8ed17a5374416d4ab2349ed219a73c8
SHA512 433a7e84a62123d6db15bf0291b9ccef58c205d24f39427c55081d42e267bb42084f8238fb3d2537c470dec05eb6a436cb9d927c44dcfb7b10876f916d170957

/data/data/com.kangxun360.member/databases/rep.db-journal

MD5 dcdb0a6572dd380e4e95d8c477afb7d6
SHA1 2d7198640375faf890f50f24cbe8b299dd280ebc
SHA256 3313870e76e191e7476cb6664ae4324f06c4e00c5d5256ff91f184835c2aaae2
SHA512 502f0127a447ea64d2b26491a13316ac9a2d749f0871a71c8d423762f4c065d092c6551fd16acc9bd1a7876b04bf7d429af41baa57bc4a0f9e5857ebd862b6ee

/data/data/com.kangxun360.member/databases/rep.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kangxun360.member/databases/rep.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kangxun360.member/databases/rep.db-wal

MD5 2f989c275c699dc54ac25742b506277e
SHA1 6758e1724ed57656b163ed1efade3ee3709bb4a3
SHA256 644131d222a56dc423b2833803d8302599024327fe9944f625258318298bbbc1
SHA512 1d7835d2918097118e3219eece15a10484f8fdeae0e467fdb564e790d4671a585de21052f8fe5fd6675aff11ce04dd1ec699ab845896dd8f9d9be875feb213a8

/data/data/com.kangxun360.member/files/umeng_it.cache

MD5 f793ec1902bb53b419e39d690a521fc8
SHA1 1b56ac4026a59d4aebf59a68cef21eefb3b643c3
SHA256 652bf1034990774057e4e29fd696d418a369997ba9c210d386d36f5fcc91cc5f
SHA512 81e37d4472952cb2ab4379d6ddc012c6d6387d3e13dc64d71ddf32cc553394d3068fba661a67c7956e89f5fcdb8446bc3eb522378581efe0da914a737613bf46

/storage/emulated/0/ShareSDK/.dk

MD5 c9383021bd97affc44be4db7018c4d7b
SHA1 7e680409d1c86e35149bebc22f2cf8c484f0d23e
SHA256 b7b7e032170e3190a84359e5c37adede1d58b6bf4c455ef0c01f73335709bb65
SHA512 7303f068da97319891e2d25c1c737035f1cfdc365d75d954102b612000e54d7e2b5dfafe10bdf909563e2b46ec3ff9e546423bff6f0aa9496880eab1c1c36a81

/storage/emulated/0/kangxun360/db/kangxun27.db

MD5 e4787c80e67da0da94b736448c709c0a
SHA1 f91cb0a9d89d95bb4bcb29e7f277208b0363b59a
SHA256 19d02631edf05989268df902272a2079abe3d8451db63d001d1c0ab3385fcefa
SHA512 552ebbda25b994edd84ddde030715f0d723c0999b5496b8624df5f8d29b3260244ac45084cc626ac6565f04fa4a9f62cabbcb50969730360e47c57500eef5385

/data/data/com.kangxun360.member/files/.um/um_cache_1718567765609.env

MD5 89460f06801c27a49674b4c011df61aa
SHA1 ea76989e27c87fef849f0da4a0182ec659328e5e
SHA256 9c6edee16931809b5cc583871b66867c46187e75cce082683f86df4ed33add55
SHA512 05272a446ab9e5a5e3c17ce7058dfbf75f7b998d0a7b387d1de03d0092406868edec829000fd4f454cd2b6f98e2f3fc0c2466bed66b32f971c3e6b6a380c73c7

/data/data/com.kangxun360.member/databases/sharesdk.db-journal

MD5 8a817ff5b4faa2bc6661588210f00f15
SHA1 416fb9bba224f31c5688ca2cac5fbdf01e268f22
SHA256 c354760e5a1e114e39b354a681635bd995c62b3372e1a3a863f76c8ff8250f50
SHA512 cc73ff7e10915bf391a5ef83f8a45e0ec76e7792950ef7af93ebc4ff58ea79a4ec829424cf5a3f8b1ce7ffd8ea252f7a641dafe27abc315515c1fd2216497019

/data/data/com.kangxun360.member/databases/sharesdk.db-wal

MD5 20553083418b476d0b39a0f8519b0b4b
SHA1 f82d2f1dc44db79ec50efd7bde35abb1b3247143
SHA256 54565d956205b57bd52a74a96f71d41ff9624438d25652915d1b20fb5c7ea2fa
SHA512 e39f284247496abe6aef464c4ba864d66ad6ad451bbebc570e6275a41e728cafb3696b8fc9efe427cf81f53790edcd1fb1d3a7dbb5004d782badbf444e92348d

/storage/emulated/0/ShareSDK/.ba

MD5 4fcb9ea2c889c44747de7775f42feb1b
SHA1 fc15343199db7e8adc1cd2397e68d514269c9edd
SHA256 5559cfdddc3f5dfb99066279fb46d6fae984aaa5beacd7372d7d826fbd73af58
SHA512 955965985d1a75be87a89d3ba6c213c455002873ae52ff58e9400871bc620bf213c5d75ff0f41ac1ea44ea2f9e6af7b46fb48933fa6bfe8fe6219025a9006af4

/storage/emulated/0/ShareSDK/.ba

MD5 e6529bca8bf395f5861c5edacb2b6db7
SHA1 62d0adfa43a4c25b52d2567eb519d03361362345
SHA256 5af936c8928b1c22d201bf861d2ac57c9bd2525e9aacb9f18433fe203e7470d9
SHA512 37b719c98d578b97895404b5707cfda37b86c2ff7c49e3c64d98ebf82059f61573e6dfa0ca83e3846eafcdc0e8098894564b7cd71c01bdce8dc280a4e8900237

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 19:54
Reported: 2024-06-16 19:55
Platform: android-33-x64-arm64-20240611.1-en
Max time network: 8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 172.217.16.228:443 | - | udp
GB | 172.217.16.228:443 | - | tcp
GB | 216.58.212.196:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.202:443 | - | udp
GB | 142.250.187.202:443 | - | tcp

This run recorded no process, signature or file activity for the sample in its 8 s network window; the only traffic is unnamed 443/tcp and 443/udp sessions plus mDNS, consistent with the android-33 image's own background traffic rather than with the app. All behavioural findings in this report therefore come from the behavioral1 run.

Files

N/A