Malware Analysis Report

2025-01-19 08:00

Sample ID 240616-ytmaysyhlj
Target b4f4107bf1aab0b6edbb748955180de0_JaffaCakes118
SHA256 01343973409184c28d63a6928922876c3e13d340847aecdf7f4714834dd7cd7d
Tags: discovery, evasion, impact

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

01343973409184c28d63a6928922876c3e13d340847aecdf7f4714834dd7cd7d

Threat Level: Shows suspicious behavior

The file b4f4107bf1aab0b6edbb748955180de0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, evasion, impact

Checks Android system properties for emulator presence.

Checks Qemu related system properties.

Queries information about running processes on the device

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 20:04

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 20:04

Reported

2024-06-16 20:10

Platform

android-x86-arm-20240611.1-en

Max time kernel

128s

Max time network

180s

Command Line

com.xixi.confidentBank

Signatures

Checks Android system properties for emulator presence.

Tags: evasion

Description | Indicator | Process | Target
Accessed system property key: | ro.product.device | N/A | N/A
Accessed system property key: | ro.product.name | N/A | N/A
Accessed system property key: | ro.serialno | N/A | N/A
Accessed system property key: | ro.product.model | N/A | N/A

Checks Qemu related system properties.

Tags: evasion

Description | Indicator | Process | Target
Accessed system property key: | ro.kernel.qemu | N/A | N/A

Queries information about running processes on the device

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.xixi.confidentBank

com.xixi.confidentBank:pushservice

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.umsns.com | udp
US | 1.1.1.1:53 | eco-api.meiqia.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
CN | 118.178.198.148:13000 | | tcp
CN | 203.107.60.151:443 | eco-api.meiqia.com | tcp
US | 1.1.1.1:53 | sdk.open.phone.igexin.com | udp
US | 1.1.1.1:53 | yangcongjiedai.datasink.sensorsdata.cn | udp
CN | 115.227.15.225:80 | sdk.open.phone.igexin.com | tcp
US | 163.181.154.244:443 | yangcongjiedai.datasink.sensorsdata.cn | tcp
US | 1.1.1.1:53 | fp-bj.fengkongcloud.com | udp
CN | 152.136.248.158:80 | fp-bj.fengkongcloud.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 115.227.15.229:80 | sdk.open.phone.igexin.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 115.227.15.231:80 | sdk.open.phone.igexin.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
CN | 115.227.15.233:80 | sdk.open.phone.igexin.com | tcp
CN | 152.136.248.239:80 | fp-bj.fengkongcloud.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 115.227.15.235:80 | sdk.open.phone.igexin.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 115.227.15.7:80 | sdk.open.phone.igexin.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
CN | 115.227.15.239:80 | sdk.open.phone.igexin.com | tcp
US | 1.1.1.1:53 | fp-bj.fengkongcloud.com | udp
CN | 152.136.248.239:80 | fp-bj.fengkongcloud.com | tcp
US | 1.1.1.1:53 | alog.umengcloud.com | udp
CN | 223.109.148.177:80 | alog.umengcloud.com | tcp
CN | 115.227.15.241:80 | sdk.open.phone.igexin.com | tcp
CN | 223.109.148.130:80 | alog.umengcloud.com | tcp
CN | 115.227.15.6:80 | sdk.open.phone.igexin.com | tcp
CN | 223.109.148.178:80 | alog.umengcloud.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 115.227.15.237:80 | sdk.open.phone.igexin.com | tcp
CN | 152.136.248.158:80 | fp-bj.fengkongcloud.com | tcp
CN | 223.109.148.141:80 | alog.umengcloud.com | tcp
CN | 115.227.15.227:80 | sdk.open.phone.igexin.com | tcp
CN | 223.109.148.179:80 | alog.umengcloud.com | tcp
CN | 223.109.148.176:80 | alog.umengcloud.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | fp-bj.fengkongcloud.com | udp
CN | 152.136.248.239:80 | fp-bj.fengkongcloud.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp
CN | 152.136.248.158:80 | fp-bj.fengkongcloud.com | tcp

Files

/storage/emulated/0/shumei.txt

MD5 4149179bb2ba5c4a5c61292d9857bd17
SHA1 ad0f07cdf1e46a987f4966b3b0f45b190e273361
SHA256 0ebe529732521349b3d1ebd02fab409ff3c98d935c7d444bff2690457297e645
SHA512 fc92e7c1fce87aa7f782e1a32461dceb46c64cc5a47fb61d611eb4e2dd6c0477fbb85f9476677d05a54d1da93b868c87e85a83ea398a8d98c5b09611a7cc4a07

/data/data/com.xixi.confidentBank/databases/tracker.db-journal

MD5 26d2a6605a71cb9eed85ec9cbf90b438
SHA1 c98f15a57fb8127b1b0f4f4cc273a85117981338
SHA256 99641067a990ea65b5d36e5672712e8816609db2e9c87f0d9006c492c2cc98a1
SHA512 8db47d121d8fae5370ff25ce7f650fa0e303f1aedac6818d58dd47d5d77f676b8858e1b222e4ddfe1f6a3a992263597f21164ee9d7301b364feb7db796b51958

/data/data/com.xixi.confidentBank/databases/tracker.db

MD5 c9c466c835b25845ebd905a4bf945645
SHA1 3ac8822d4278e37f12ea820db343bb55ec87fb5f
SHA256 0e4157eb22069d3d05683c62c7c7ca9784e6bb9628bae12f9420ac2544138d2e
SHA512 cf2447093f2e3adebfb433167877fb68f699d40112e1d1c574a168b1c55a2d4ca111901eb2923ca749e42828f67f7b62a2d5478f96ce6b841e8afc33247615ed

/data/data/com.xixi.confidentBank/databases/tracker.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xixi.confidentBank/databases/tracker.db-wal

MD5 68b68429cac4415fdb4541d32069f5a4
SHA1 f3b16c565725cb73956a06a55b537422added55b
SHA256 74048c04a12de56ff62f4ed43ddffff7e7e9e73d1c4d842a4e89d1876898e72d
SHA512 8f5762c6f4ec5345c94fbc153a149b279318975cee495a17ac80f652518446594dfe7274f1a62ca44b3312f9dee66963b4d431ce7c09ec6a8d086f06488efc44

/data/data/com.xixi.confidentBank/databases/ua.db-journal

MD5 5e4b11fd97d93a6ae33ba239d3ee5aae
SHA1 4621182b9789017782a3ca202f7994b1d7c9c178
SHA256 82da406460669a611fb8ee52e1148f5867a882d789f9d4a68d2e82ebb3dd4c90
SHA512 fc3bd4909a75ad3c3cd20b0ad32871fd81753423268dabd50f9313239886d457593b687afca7e1d872b428949672070c0d0dd645dd3a7545fb1600903dbbaa54

/data/data/com.xixi.confidentBank/databases/ua.db

MD5 d10075304c94b19adbed1eb8d937cb80
SHA1 3c9e0731c95a600420d9664d5de09daf8d48e0aa
SHA256 60ade0b7bf17a220592d3b6c8bcdec9af7f87e7f0e60ea5401fbad1f1c49bd67
SHA512 fab673fa5c0299a5d0eedda17db58d9673993673b9e3b668e5c6e5cdb548ecc119bb54bbdf5e8f0f426c3893ebeadfd5c0d6e3fccdec384e53ce6be0f9f14007

/data/data/com.xixi.confidentBank/databases/ua.db-wal

MD5 0a7cb82a06427544105fe5cfae40bc80
SHA1 193d412ce4f0efba512ce9f6c71bc93f34ebc594
SHA256 985d9d79c835059601110eecab62ae90360607d39ac5a4a1a2060c14dfb78d69
SHA512 f16ddc385706a1e5adb9d72fafa86f367c4ea28bca06c2f7a8a95c8e9c734f0f6fdc4115b5b42302655944bd716e035a950b39598ae7bc1082212ee6b646cae4

/data/data/com.xixi.confidentBank/databases/cc/cc.db-journal

MD5 105fdb65a281a6ef2dfc0fd3ee39e4b3
SHA1 90879b082cc551d1f2a5b32d7614eee574ff751e
SHA256 d2bba28658fe780613291587c807cf4e31592a367a763b5731f2a0181b4d51db
SHA512 484753109a4efaef08f0beca960c2a05ad8d884f5b96b9dbff054f5435f48df14267b2c771ec0899dbd8cd98ad40cd722cebf2910d071fc95fa923de90b7af5c

/data/data/com.xixi.confidentBank/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.xixi.confidentBank/databases/cc/cc.db-wal

MD5 7d6018397ca22a2e578369a1e90f706b
SHA1 0856720c2977b83129d9397c960376c3e21699d1
SHA256 cacb4c80a8f10296d28b942996f446ee2ad2e98095f8fb854eca6751d484b9d0
SHA512 042fff1ea2986e6462320d03e700a29f27e3081e06c86f120fb9e3f6e3dd20d99b62fc88ad347d1515e1426f1f822b00801f35774695dbad8a01ea93cf4f914b

/data/data/com.xixi.confidentBank/files/umeng_it.cache

MD5 d3f3e337f7d657fd7d7b1e4137defb48
SHA1 f0f5e585082cbf861c38bd58887a96acec20a643
SHA256 3bb949941c450e19905b19d537926773851389110bffb9ca6d41776453c94790
SHA512 1ae6ae1f42a671ad62355cab05a572580f9f3533ee0db75b098b4a94847a2624c57acd8f486bbecc03ef70db3b8894ccc9238d1f940952081087a79dc5444231

/data/data/com.xixi.confidentBank/files/.umeng/exchangeIdentity.json

MD5 f4f097adf4ec71be397879825543244c
SHA1 844957535e1ebe8eb63d3444ae0c9ae3069a8fb0
SHA256 34cd8e9ca255a27f71b686e6acbf8e92e768740a3884fdb4529a0b0e0fec38d9
SHA512 6b081e25edb238fb9d49cd2f4d860321fbada6367d80c883e540eafd792781c7057152e1d624e9612299e7fc90a28d10a5a88c59ba00d42a07d1ba7244c3d700

/data/data/com.xixi.confidentBank/files/exid.dat

MD5 7a51300aff87dfbbe1ae00108e31ad92
SHA1 5a34c3410ad9e80f4c5ec5cf8831cbfdf0b59611
SHA256 4914c4eb94c37043b39c5ad29b14ce125808942b80a5e58e8b1da065029b9a6a
SHA512 897fc8d009be42f84a06e693aa7c066a1808bddbe660d81c1f65b832bde4f19d3e343a596c4a5e1a6e998f9b52819087a67531d2898e36e1486607bac966127b

/data/data/com.xixi.confidentBank/databases/ua.db-wal

MD5 f18e580cee30f90f07b0cdda3f00f4ad
SHA1 472d885677bfa851e60e8f38d78377a6afc9162c
SHA256 7c69aeb5f99a82745a7f669045e3864756eecf2035e509919c3fda2ffdfc0cc6
SHA512 7740ac63e3179694fa9181b95e575d2b43f982ea2601d375e2f29eb31c99aa08b63155ce9007e84c55df50014386bd33a14c64ea4362cb6aaad6c2f6c31b40ed

/data/data/com.xixi.confidentBank/databases/ua.db

MD5 d604a3bf1f8d992cc320ea5b1f7609bd
SHA1 247f88df0b55c7d523ea5398637711a0e4a483a4
SHA256 329940b4d46326d58e73c842dd099704061d0ef7338777bf31ad895f29013c17
SHA512 67e28f6713cb5c238a9664df128f01a89a2efb7c8c9330c1e45bc0d40ebab81fa20df5166743d84d81dc0386a89ff0329f022281c098339baa2e851ff0a1e1ab

/data/data/com.xixi.confidentBank/databases/cc/cc.db-wal

MD5 f7f43a66a9eb037b22685349db83c175
SHA1 88d38e4bb46ab7967118f817ca552e3c414c2d03
SHA256 96163f8420527c988ca97b28c8ccc5019f2427d18a7e1bcec2537f3487a990b9
SHA512 7249a4d7ffa7177918b05b3f3c9857e2c7a46eba0e6e91bcbc067e1f1616ce46298241f8b3834ad3315650d7945ddcd1c529d50aac618ec299097dccf85b95c0

/data/data/com.xixi.confidentBank/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/storage/emulated/0/Android/.thumbcache_idx0

MD5 a74efe5106f492b8d54eea66522cd422
SHA1 ba8442c5477fdd27ec69b820a7b697118310292f
SHA256 a9d76cc6d509eb31fa3b9cddc138d0635a0186f49b87816f270035c6f3451e12
SHA512 ee7e144309fc1b6bf089743691ba31e6794560ffe257c0f579df24d2492580f789a3cc96f867884c2842ede57e5fd16e32d37f99f3ba1cdd6dd1f6cddbdbad8a

/data/data/com.xixi.confidentBank/files/.um/um_cache_1718568594492.env

MD5 b61b383c4ec5ed3d3c251ad025090a25
SHA1 b409aa8bd4128d9bd4ad500f0da93fe64f47198a
SHA256 345f3f0181b2b6bc9c73710649366cf8ccbeb11b59130130244f23e9d0ae3679
SHA512 c3e23de6092384511e249b67fcbf46157468baf81fd12ecb90084cc75dd79e7aa92608c627ece292c852fe9d4d1048a65e6114dd9735f6ff9337f3275739e34c