Malware Analysis Report

2025-01-19 08:00

Sample ID 240616-z189qsscjj
Target b53ae9d9056d5720bfe79dcb4d8e3754_JaffaCakes118
SHA256 97d0a3807f2fc67606b83a78037b4c2852c5e34597bb9b1b2230853ca9b87650
Tags: discovery evasion impact persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 97d0a3807f2fc67606b83a78037b4c2852c5e34597bb9b1b2230853ca9b87650

Threat Level: Shows suspicious behavior

The file b53ae9d9056d5720bfe79dcb4d8e3754_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-16 21:12

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 21:12
Reported: 2024-06-16 21:15
Platform: android-x86-arm-20240611.1-en
Max time kernel: 178s
Max time network: 184s

Command Line

com.lehuan51.lehuan51

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.lehuan51.lehuan51/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.lehuan51.lehuan51/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.lehuan51.lehuan51/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.lehuan51.lehuan51/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.lehuan51.lehuan51/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.lehuan51.lehuan51/.jiagu/classes.dex!classes2.dex | N/A | N/A
N/A | /data/data/com.lehuan51.lehuan51/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.lehuan51.lehuan51/.jiagu/tmp.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.lehuan51.lehuan51

chmod 755 /data/data/com.lehuan51.lehuan51/.jiagu/libjiagu.so

com.lehuan51.lehuan51:mult

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.umsns.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
CN | 59.82.29.162:80 | log.umsns.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
CN | 59.82.29.162:80 | log.umsns.com | tcp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | ulogs.umeng.com | udp
SG | 47.246.109.109:443 | ulogs.umeng.com | tcp
US | 1.1.1.1:53 | s.jpush.cn | udp
CN | 110.41.162.127:19000 | s.jpush.cn | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | update.sdk.jiguang.cn | udp
US | 1.1.1.1:53 | sis.jpush.io | udp
US | 1.1.1.1:53 | easytomessage.com | udp
CN | 123.60.89.60:19000 | easytomessage.com | udp
US | 1.1.1.1:53 | im64.jpush.cn | udp
CN | 110.41.162.127:19000 | easytomessage.com | udp
US | 1.1.1.1:53 | im64.jpush.cn | udp
CN | 123.60.92.210:19000 | easytomessage.com | udp
CN | 59.82.29.163:80 | log.umsns.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
CN | 123.60.89.60:19000 | easytomessage.com | udp
CN | 139.9.135.156:7008 | im64.jpush.cn | tcp
CN | 139.9.135.156:7000 | im64.jpush.cn | tcp
CN | 139.9.135.156:7005 | im64.jpush.cn | tcp
CN | 139.9.135.156:7006 | im64.jpush.cn | tcp
CN | 139.9.135.156:7004 | im64.jpush.cn | tcp
CN | 139.9.135.156:7003 | im64.jpush.cn | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
CN | 139.9.135.156:7002 | im64.jpush.cn | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.68:443 | plbslog.umeng.com | tcp
CN | 139.9.135.156:7009 | im64.jpush.cn | tcp
CN | 139.9.135.156:7007 | im64.jpush.cn | tcp
CN | 110.41.162.127:19000 | easytomessage.com | udp
CN | 123.60.92.210:19000 | easytomessage.com | udp
CN | 123.60.89.60:19000 | easytomessage.com | udp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 139.9.135.156:7008 | im64.jpush.cn | tcp
CN | 139.9.135.156:7000 | im64.jpush.cn | tcp
CN | 139.9.135.156:7005 | im64.jpush.cn | tcp
CN | 139.9.135.156:7002 | im64.jpush.cn | tcp
CN | 139.9.135.156:7003 | im64.jpush.cn | tcp
CN | 139.9.135.156:7007 | im64.jpush.cn | tcp
CN | 139.9.135.156:7009 | im64.jpush.cn | tcp
CN | 139.9.135.156:7006 | im64.jpush.cn | tcp
CN | 139.9.135.156:7004 | im64.jpush.cn | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 110.41.162.127:19000 | easytomessage.com | udp
CN | 123.60.92.210:19000 | easytomessage.com | udp
CN | 123.60.89.60:19000 | easytomessage.com | udp
CN | 59.82.31.160:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp
CN | 139.9.135.156:7003 | im64.jpush.cn | tcp
CN | 139.9.135.156:7004 | im64.jpush.cn | tcp
CN | 139.9.135.156:7002 | im64.jpush.cn | tcp
CN | 139.9.135.156:7006 | im64.jpush.cn | tcp
CN | 139.9.135.156:7007 | im64.jpush.cn | tcp

Files

/data/data/com.lehuan51.lehuan51/.jiagu/libjiagu.so

MD5 4a453408e767c7470384d0a7454169f2
SHA1 9bbaf32ce857bd9d4b82a77c84c2395df9556a3e
SHA256 fd26cf273da2889704549a1fac6020ba4e0022f282187db0f0aaf3771b1d3f52
SHA512 98e534c96fe08fad56289b74ce12981666fbf3af6346c58d9f8888854c9dfc178363626c2fe00f74a5bbff9222859472197ef69b8c9f46b8fb6bbcae2a07d859

/data/data/com.lehuan51.lehuan51/.jiagu/classes.dex

MD5 0a6330eba710c20cc14a2d468bcfa34f
SHA1 1b30a7b7799b9f5f5bd4d2e824f7ff8b8fd65921
SHA256 e4487764b2fbc79d97b367737370ce97f7be1bd584f469ec3487f94dad7637e7
SHA512 d674854e0293a3964ff63564dacc730a7f57462d1ac6459bbd42e9175d3fdfd11e70c53c82de6600ade1f3632e5bfdc9c26931816da0ea74970b47e24c6911a7

/data/data/com.lehuan51.lehuan51/.jiagu/classes.dex

MD5 626dae4a2586be7cdbe5f120c002c228
SHA1 534054f08745eebd3d9a983080f00aeadac63278
SHA256 017aedbda6c38fbf92792addbb0387a10c8c3a9ebf7d8f4c6156c32376262425
SHA512 d538f6cd56347961c222c80d3110dffa29e473b4b627979eb04cccccf2be13f586e1395552ef03570597d85e0e93777eb784b0fe6714b16c7f802a38f95bbe1c

/data/data/com.lehuan51.lehuan51/.jiagu/classes.dex!classes2.dex

MD5 702d4e483240f81ee1d255f8e015ba00
SHA1 03235e0ccc7b2992bf457e20a8c3ff5e564570c1
SHA256 052fca698767e722ea1136376cf4139389a3585ba4d3fe35ed33fcb271f91080
SHA512 9cadbe4782e08083653f7f555bd52640c70eb50033bef73547a90a256dbd63980c220ca54595b8f11a55602cf2950c6fdcfe3a2521d4149f8e46fa5d7b3ceb74

/data/data/com.lehuan51.lehuan51/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.lehuan51.lehuan51/files/.jglogs/.jg.ri

MD5 3c13bb213492c06b79ba5da40fb84449
SHA1 c46ae3904d054cf37ba6c574e3da7f25f963b862
SHA256 69be268d679b55966a518e90b208d28747afd98347481554dc7d06ad226badf3
SHA512 765ae0e4133a356cb8da124f3a114286a08bdbcffb9af6ead238fedf9be73ddb56a8a3749061be5c678dcc0fc29cc0045cd68bbb5f2a2b493f0bd8cc6fbd5ac0

/data/data/com.lehuan51.lehuan51/files/.jiagu.lock

MD5 4a0bb68e819e8196c45820e2abb20ba4
SHA1 944a4de3132326ad141c3dee6d93379d5fe4966a
SHA256 e369b38ec6b74c16d9449f0c0a802bb5ea0d99a4f020ca5edab12e25563ad279
SHA512 a5f611839dd5b80b9e11dca21dc67a565142728c4a58a613a2ca4ec8feb93846ff006ab5ff29bcaa3e5a2102ade082c2259f11688c2eb50f2f39f51e6037223c

/data/data/com.lehuan51.lehuan51/files/.jglogs/.jg.ac

MD5 3924e1a5472bd9d70afb55e68e59e67e
SHA1 cb5aff7e3de925037670c39ca947e42f3e337e45
SHA256 121cc5cb416a525d245cab6777c84e86ce25bb55862c4b1b6280a52919e1e9d9
SHA512 5eac38bea90b4c098f8db758c229529653cf3b9ab03b3616ba4e7d59e47ef6f85e59ff2f8820f573127fe949b7269fdf7a614eead6e0cf478b40d8fc5771e3b2

/data/data/com.lehuan51.lehuan51/files/.jglogs/.jg.ic

MD5 24646cc7b3016ea76c0888d7e1863946
SHA1 b43a5e73a1d0f6f836e958e1b8b5631e809a53bd
SHA256 860a1df980a42fe4b60d20052a49d0808cafa9826f9bd75c26f42dce5be4a78b
SHA512 f5129d707a19008234939544559463e1e15abe9ac7e04d9f8bc0cf1f8f644541de3c1a1fa7d450d599c132aa39d6ed8f355204753636582d097ce8fa7ec3b195

/data/data/com.lehuan51.lehuan51/files/.jglogs/.jg.di

MD5 176c335375d54949eb89c32ceb6210dd
SHA1 23f992946b8f2de1f89e44a58e9dda958c0038e0
SHA256 11c5e993ae491d3cd25ee2ac2aa380c55cd0b17bd611b21481a12d47f189d5fc
SHA512 f3b3f6fa59f75659477856d8480275b0b74d2bfb1699f0fc93e46f120e5ad9264124cc804a8e7595fc6a13761a05337d928e4df94358702c09272761f0d85b14

/storage/emulated/0/360/.iddata

MD5 3c7be30e3812369e7ffec307a44fa1e8
SHA1 8e565e2983d2035f8ef8e33f15dc4fc657bdf53a
SHA256 b383f75f946ca42ffd8edcdcf8034d97acca558bbfaaf297e3d75eb86962a1ac
SHA512 de3f40ed8cf1732df77619e318adfd8a38db5c91997f5f392febc13d2157c6a98d348fca3ecdefe1a2f1a261a3b4d89be0f1c9851a0729879258ab887dd1c5cf

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.lehuan51.lehuan51/files/jpush_stat_history_mult/normal/nowrap/b55272ff-d068-495a-a521-13b2c6c138aa

MD5 1e4c0e6c8b2ba89d6787949ce9794e63
SHA1 3c15f26c19f87df7ca5c9917d50fb5dddc2d0ed1
SHA256 80db7f6a1eacd39d37ca11df1f5be81c649b2efeb5ed2e704a71e2969e73d3bc
SHA512 5f8c9f7d01d0f0b055d15a844164c4fdfe124b56fbecc333712c78e7cc87b4e3b9aaf1aa6c56513ffb25bf57dbfb2f265369cdc45d7a22ee1892e3e61842ec89

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 21:12
Reported: 2024-06-16 21:15
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 3s
Max time network: 131s

Command Line

com.lehuan51.lehuan51

Signatures

N/A

Processes

com.lehuan51.lehuan51

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp

Files

/data/user/0/com.lehuan51.lehuan51/.jiagu/libjiagu.so

MD5 4a453408e767c7470384d0a7454169f2
SHA1 9bbaf32ce857bd9d4b82a77c84c2395df9556a3e
SHA256 fd26cf273da2889704549a1fac6020ba4e0022f282187db0f0aaf3771b1d3f52
SHA512 98e534c96fe08fad56289b74ce12981666fbf3af6346c58d9f8888854c9dfc178363626c2fe00f74a5bbff9222859472197ef69b8c9f46b8fb6bbcae2a07d859

/data/user/0/com.lehuan51.lehuan51/.jiagu/libjiagu_64.so

MD5 82b72d8012787c893d6973226eff77f0
SHA1 b5a0b2cedf9c3d958c428ecd8b99b62c4b40ba2c
SHA256 85e304f4ed97f36409d72e38745ade336d291e0ca96f2fe00713fdd47721db31
SHA512 42f720930649cab15033de27f60a0332f34bccfa0e27d25705b921b93c86f4934edccfdf1dc41fa0c1dec9569e5580e3d6e0745405477275911cdf92c4253286