Malware Analysis Report

2025-01-19 04:54

Sample ID 240617-w5jm4ayhlf
Target b966faa774d873c43535efbd8fa2811e_JaffaCakes118
SHA256 46b488a24149f31590fc7ad3eee9eca2948139d606b814c0a5c2a7007c367796
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

46b488a24149f31590fc7ad3eee9eca2948139d606b814c0a5c2a7007c367796

Threat Level: Likely malicious

The file b966faa774d873c43535efbd8fa2811e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests cell location

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 18:30

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
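The sandbox labels every row above "dangerous", but four of the thirteen (WRITE_SETTINGS, SYSTEM_ALERT_WINDOW, PACKAGE_USAGE_STATS, REQUEST_INSTALL_PACKAGES) are not runtime-prompt permissions at all: they are signature|appop special-access permissions that the user has to toggle per app in Settings, which matters when judging how much of this the sample can actually use after install. Added example, not part of the report: a small script that parses the permission table as printed, splits it into runtime-prompt versus Settings-toggle permissions, and surfaces the combinations a reviewer should weigh. The protection levels follow AOSP's manifest; the capability labels and the flags are this editor's own heuristics, not the sandbox's.

```python
"""Classify the permissions from the static1 table.

Added example, not part of the sandbox report. The rows are copied from the
report; the protection-level sets follow AOSP's manifest (runtime 'dangerous'
vs. the signature|appop permissions a user enables from Settings); the
capability labels and the flags are this editor's own heuristics.
"""
from __future__ import annotations

import re

PERMISSION_TABLE = """\
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
"""

P = "android.permission."
# Runtime permissions: granted through the in-app prompt.
RUNTIME_DANGEROUS = {P + n for n in (
    "READ_PHONE_STATE", "CAMERA", "CALL_PHONE", "READ_CONTACTS",
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION",
    "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "RECORD_AUDIO")}
# Special app access: signature|appop, toggled per app in Settings.
SPECIAL_ACCESS = {P + n for n in (
    "WRITE_SETTINGS", "SYSTEM_ALERT_WINDOW", "PACKAGE_USAGE_STATS",
    "REQUEST_INSTALL_PACKAGES")}
# Editor's capability labels (assumption), used only to surface combinations.
CAPABILITIES = {
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "foreground_app_detection": {P + "PACKAGE_USAGE_STATS"},
    "sideload": {P + "REQUEST_INSTALL_PACKAGES"},
    "outbound_call": {P + "CALL_PHONE"},
}

PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)")


def parse_permissions(table_text: str) -> list[str]:
    """Pull the permission name out of each 'Description Indicator ...' row."""
    return [m.group(1) for line in table_text.splitlines()
            if (m := PERM_RE.search(line))]


def classify(perms: list[str]) -> dict[str, list[str]]:
    """Split into runtime-prompt, Settings-toggle, and everything else."""
    buckets: dict[str, list[str]] = {"runtime": [], "special": [], "other": []}
    for p in perms:
        key = ("runtime" if p in RUNTIME_DANGEROUS
               else "special" if p in SPECIAL_ACCESS else "other")
        buckets[key].append(p)
    return buckets


def capability_flags(perms: list[str]) -> list[str]:
    """Combinations a reviewer should weigh; each also has benign uses."""
    have = set(perms)
    caps = {name for name, members in CAPABILITIES.items() if members & have}
    flags = []
    if {"overlay", "foreground_app_detection"} <= caps:
        flags.append("overlay + foreground-app detection (the overlay-phishing pairing)")
    if {"overlay", "sideload"} <= caps:
        flags.append("overlay + sideload (dropper profile: treat any installed package as a second stage)")
    if "outbound_call" in caps:
        flags.append("CALL_PHONE (dials without the dialer confirmation)")
    return flags


if __name__ == "__main__":
    perms = parse_permissions(PERMISSION_TABLE)
    for bucket, names in classify(perms).items():
        print(f"{bucket}: {len(names)}", *[n[len(P):] for n in names])
    for flag in capability_flags(perms):
        print("flag:", flag)
```

For this sample the split is nine runtime permissions and four Settings toggles; the flags fire because overlay, usage-stats and install-packages are all requested together, which is the shape of an overlay-phishing or dropper app but also of legitimate launcher, accessibility and app-store clients, so it narrows what to look for in the dynamic runs rather than settling the verdict.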

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 18:30

Reported

2024-06-17 18:33

Platform

android-x86-arm-20240611.1-en

Max time kernel

73s

Max time network

159s

Command Line

com.hfi.hangzhoubanshi

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.hfi.hangzhoubanshi/mix.dex N/A N/A
N/A /data/data/com.hfi.hangzhoubanshi/mix.dex N/A N/A
N/A /data/data/com.hfi.hangzhoubanshi/mix.dex N/A N/A
N/A /data/data/com.hfi.hangzhoubanshi/mix.dex N/A N/A
N/A /data/data/com.hfi.hangzhoubanshi/mix.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A

Processes

com.hfi.hangzhoubanshi

sh -c getprop ro.yunos.version

/system/bin/sh -c getprop ro.board.platform

getprop ro.yunos.version

getprop ro.board.platform

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.hfi.hangzhoubanshi/mix.dex --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/data/com.hfi.hangzhoubanshi/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/sh -c type su

com.hfi.hangzhoubanshi:pushcore

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

com.hfi.hangzhoubanshi:pushcore

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 216.58.212.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal

MD5 9063594ae5bf4332bb1a4972a1a4f1ba
SHA1 e1c89b4d42d55ceee18a311f4c8173e8dc946235
SHA256 ce3aed01928b7e773fe6f2efbee548da83120d9587a6e1e568cb8517c796f397
SHA512 3bb4f3e5674d64db496c9525656de90f1db4aa73fed84eca598f012df0f6ce00f4d10de850c68504cf1eff0354314572ad8eae809bff3db601ce9767bf40b450

/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-wal

MD5 e899c467141c5c000bff1c669b84bdc3
SHA1 58af713b2eaa0fdc6f037939c54c9394ede2a2a4
SHA256 13b7b5fd2498d3d6f67d6445b28295d353d67e8eb9b1adaa4d213cc0f21020c8
SHA512 e3546f65c49f86efdbf213e0220a9790fbcd20ed71b8aa9cc49b0dd273954b867cb54ea0042efad9b87bcfbd35a55e2f371728771f817eff94bcb7e0256a3f84

/data/data/com.hfi.hangzhoubanshi/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/storage/emulated/0/Android/data/com.hfi.hangzhoubanshi/files/tbslog/tbslog.txt

MD5 dd07e23d9d7d46053fca3c01cb9a74ce
SHA1 d8228ec57b31b5a92756c35c568d54c2db6c31d6
SHA256 e25f309d7656679cb4a6a9717ac03a4a91e917439008469c57d204ffa63b220b
SHA512 97de79cd66eb16fd746dd9bf8896109bc38b210fbb9b400338727d68c7351d60ff0043c11b5e8419f51d0f221a527886043e07cc49cd8145d8cdf2bb2d317bfa

/data/data/com.hfi.hangzhoubanshi/databases/hzydbs-db-journal

MD5 ff27a1ab0a1754f5162da8bc83ada7bc
SHA1 db2656bf425aee8ef2a0751e73f26b1f19c9a7f5
SHA256 d6511ab2124451da7582a320015b722e48bcec9819185bffa6c8d892582c0802
SHA512 41366e30202e3543ab7535d92c0055bc27af1a9c70d42ab921cc9776d4cf7262d25fae89a733b9a77ba57c41d2730aa6d0ccf4e432a5c0f3cbcc106ae1a2ee8f

/data/data/com.hfi.hangzhoubanshi/databases/hzydbs-db-wal

MD5 96deb65c5790f7f1194d3b205fc37dc6
SHA1 2cf0c678bc4e785c312f4516b4063a8f45111ada
SHA256 b90a88108306887ac32b05574ebf73fd94822d6425ef5a5bece80ca1a6822d20
SHA512 22839c3093e09b9ba6f67b44536f1addb560fedada9c05d8704e941aebd3dfa72ce04381a4ea3db4061f8696a5b9ce7537a52c1811032f4a02cdb5e9ede1f409

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 18:30

Reported

2024-06-17 18:33

Platform

android-x64-arm64-20240611.1-en

Max time kernel

10s

Max time network

132s

Command Line

com.hfi.hangzhoubanshi

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.hfi.hangzhoubanshi/mix.dex N/A N/A
N/A /data/data/com.hfi.hangzhoubanshi/mix.dex N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.hfi.hangzhoubanshi

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 142.250.179.234:443 - tcp
GB 142.250.179.234:443 - tcp
GB 142.250.187.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
GB 142.250.180.4:443 - tcp
GB 142.250.180.4:443 - tcp
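Two things in the Network tables of both runs deserve a note before anyone copies addresses into a blocklist. First, 1.1.1.1:53 and 224.0.0.251:5353 are the emulator's resolver and mDNS, not the sample's infrastructure. Second, android.bugly.qq.com is reached over plain HTTP (port 80) in both runs, while the 443 connections without a domain sit in the same Google ranges as the ones the sandbox did attribute (android.apis.google.com, ssl.google-analytics.com). Added example, not part of the report: a parser for the two Network tables as printed (rows copied from the report, with "-" where no domain was attributed) that separates resolver lookups from connections, drops the sandbox plumbing, and lists the cleartext sessions.

```python
"""Turn the report's flattened Network tables into a reviewable IOC list.

Added example, not part of the sandbox report. The rows are copied from the
two Network tables, with '-' where the sandbox attributed no domain to a
connection; sandbox plumbing (the 1.1.1.1 resolver, mDNS on 224.0.0.251)
is kept out of the IOC list because it belongs to the emulator, not the sample.
"""
from __future__ import annotations

NETWORK_BEHAVIORAL1 = """\
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 216.58.212.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
"""

NETWORK_BEHAVIORAL2 = """\
N/A 224.0.0.251:5353 - udp
GB 142.250.179.234:443 - tcp
GB 142.250.179.234:443 - tcp
GB 142.250.187.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
GB 142.250.180.4:443 - tcp
GB 142.250.180.4:443 - tcp
"""

# Emulator infrastructure, never the sample's: the recursive resolver the
# sandbox hands out and the mDNS multicast group.
SANDBOX_NOISE = {"1.1.1.1", "224.0.0.251"}


def parse_row(line: str) -> dict:
    """'Country Destination [Domain] Proto'; the Domain cell may be '-' or absent."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = parts[1].rsplit(":", 1)
    domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
    return {"country": parts[0], "ip": ip, "port": int(port),
            "domain": domain, "proto": parts[-1].lower()}


def summarize(table_text: str) -> dict:
    """Separate resolver lookups from connections; list cleartext HTTP."""
    lookups: set[str] = set()
    connections: set[tuple[str, int, str | None]] = set()
    for line in filter(str.strip, table_text.splitlines()):
        row = parse_row(line)
        if row["proto"] == "udp" and row["port"] == 53:
            if row["domain"]:
                lookups.add(row["domain"])
        elif row["ip"] not in SANDBOX_NOISE:
            connections.add((row["ip"], row["port"], row["domain"]))
    cleartext = sorted((c for c in connections if c[1] == 80),
                       key=lambda c: (c[0], c[1], c[2] or ""))
    return {"lookups": lookups, "connections": connections, "cleartext": cleartext}


def to_iocs(summary: dict) -> list[str]:
    """Flat, sorted list for blocklist review: domains looked up, IPs connected to."""
    iocs = {f"domain:{d}" for d in summary["lookups"]}
    iocs |= {f"ip:{ip}" for ip, _port, _domain in summary["connections"]}
    return sorted(iocs)


if __name__ == "__main__":
    for name, text in (("behavioral1", NETWORK_BEHAVIORAL1),
                       ("behavioral2", NETWORK_BEHAVIORAL2)):
        s = summarize(text)
        print(name, "cleartext HTTP:", s["cleartext"])
        print(name, "IOCs:", ", ".join(to_iocs(s)))
```

The unattributed 443 connections are kept in the IOC list on purpose: the parser cannot tell a CDN edge from a C2 from a table row alone, so attribution of those addresses stays with the reviewer, who has the adjacent rows (and the sandbox's PCAP, if it is available) to decide.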

Files

/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal

MD5 496ad9af3915521b9087dba5620b9ad1
SHA1 cd013f5007ad0a868328c0bc7e384d8d69fbd965
SHA256 febc5c0117397be678d0565ea4b9f08ff8088edfcd1b49b4981ec97dafe802fb
SHA512 6b12adc0f0cad65b7b4e9ed50243ff2a067e45c5dfd5f914fe69008d1f9c4ab96287ac01f1e35d16773b258317e6e869a5738219c2956c55650f9ad70fc11d22

/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu

MD5 0b26b20b4498cb631fe3cc92c04a218e
SHA1 ace9bf88a3da840273a87aa59118057aaa37636c
SHA256 79dd32ab0f55ca819018bbd55166cd6230dda0f42f057eeb703904a6f1e810d2
SHA512 39f14232bed69f525058a1d65becbb7c692006fd894866cde0fe23c52408168c32576cd51dd0651dac76debd19cc23ab1df84c4493d01eec8e676c3c06ea71cd

/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal

MD5 87aac760087ff2f624ab4c5eeaea4402
SHA1 012a74e2bdf82262e7a09550d02e7b7387455459
SHA256 8b02dd2d48e63bb4881b5d119875fa82e5af84186af2a601b717230e0dd0d47f
SHA512 190c5d9ebc8b43ff3543d34272609246c9ee28a3f81c285d57c9a1512556910337a643b40c4ca99e99697042cde8e1857a028615a45ef5c649545819c96aeaed

/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal

MD5 a738aad438c3ef74093953a010c97db6
SHA1 16dd0c71e3d1b07b3b1f49b5e937d5e6967a8e79
SHA256 abe614f301b51058cc3e49fe44922af4c7906f1a865ed91919377122ae6bc24e
SHA512 ac39d8a767d8fb9216aee46a55d32919df1af380489ca95850a2caf1317d03c58c4a2bf98d7320935db241e4165a60baf84a584e29a6bdfc9bd4365e38cc9bc9

/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal

MD5 75b88864db20cd3b21f27b54ae4216e7
SHA1 bc3b55a13cdaa2ba83e0b9917932aff3e7ceb7db
SHA256 1c5b52d392f26da4b68a822f9e3492bb14a69e12c84e4b7437c4b58f29008250
SHA512 cbb5075edb56e00390175b2d46ca6eb9022d6f79066edc45436fb716afbd1b822fbe5c01598edec72527213acca3f7b31f7479c90b4e9acf8598c439c520e473

/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal

MD5 1c0a728c109afe870474e5bcd1859f15
SHA1 022a2f4b66807b17249798b58b689fa5d045fe61
SHA256 1323fa743a7c510652e5a890feaede483cce58f2bf26070161d330be8b2e79df
SHA512 ff1d0b16c4a23d19b634fb0b3b0f2f07824427aa291cd3df152fb45ad270a34bfb69106bd95b9d3919ff4b450cb5d1ac1df3f6065c42c6e0dc31e1aa0bbbd7fc

/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal

MD5 a45e60890142ac956195708624d8f6f9
SHA1 26285be7012b62d0eb7e40e0b6206a8652109e12
SHA256 7557dcea97c223dfabcbea4e456ac2e915ae681488f16ec5c4bea53301a929d0
SHA512 d4d011e9ce2e01fd2d8961871746395c44d91b351ebf625e9811e08055f05b4dd53e410a9a4120e21bd377139eee8947cd47cc9d7810f78f388cb75c21cb806f

/data/data/com.hfi.hangzhoubanshi/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/data/user/0/com.hfi.hangzhoubanshi/app_bugly/tomb_1718649031844.txt

MD5 94c8a672b934c2fc3a4432205c8a213d
SHA1 da78f40013dc4653f3b6651b4e48e9dfea92fed3
SHA256 ecf644c3dbd0b90a751e6e77887133fbe16b610bf6a115346a11616a040dd143
SHA512 33f988d89f8b1ae2fd9afffe776232407c1474991dd476ef0e23121bc5a24f2fde446121959250a6367c1bec499e8dacf7ae84362fc0772d40b8ddf28c8c2f1e

/data/user/0/com.hfi.hangzhoubanshi/app_bugly/rqd_record.eup

MD5 263b6b32a0ead515d24d1c244bdccc13
SHA1 0fd7cb91b8a00ddeee372ca93b578f0991d99310
SHA256 c939dba88f80082c3dee6eac78d7f16ff46ba63afda604fa2b6aee16e81e4f67
SHA512 6cf196298bcdf90621a61bd256b25beb0f5d0d4254052710a1532781df47c6a0750bff2adb138ceb8a453ba904fe16f394245405f69ae78f585e78494ea2bba6

/data/user/0/com.hfi.hangzhoubanshi/app_bugly/rqd_record.eup

MD5 b71e023909b2c12544a3b504e4f04dae
SHA1 df86da03ccc4ba12b017168ebded99cd7aec47d3
SHA256 95d2d903405237e44725e12db14d3ae207b8bc1d020a5f3de540b095d7c54d50
SHA512 8e68adfd9cc2b859478d0b8d24ed2241749b09f3a5b2c31d33f13c6b9da757d43dc8fc87151682e05b7c3bd3c5f9e90a2f981452c070685e728dbce6a297071d

/data/user/0/com.hfi.hangzhoubanshi/cache/tomb.zip

MD5 f6a31b29686c4f4eda349bc8bb68004d
SHA1 1b294148b516dd524f8abff6401d9ddd4bb7a5e7
SHA256 065d894776b1f993cfb7cc66503597f8ce0351a13bd18aca54d03d618e11a20c
SHA512 9122a6b19d5681c96317c23b4445ffff861e672e5adb818c5221f476a58a4a33e61b8eaf51554800c1882196a6fb92540f6544e1c755cd0775e3e00cf299b329
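The same mix.dex SHA256 (4c76a3af64cd...) appears in both detonations, on the x86 image and on the arm64 image, so the dropped DEX is produced deterministically from the APK rather than fetched per platform, and it is the artifact to unpack next. The dex2oat line in behavioral1's process list is ART compiling that file on first load; the oat-location under the app's own data directory marks it as a class-loader load by the app rather than a system package. The bugly_db_legu databases and the android.bugly.qq.com traffic belong to Tencent's Bugly crash-reporting SDK, so those hashes differing between runs is expected. Added example, not part of the report: a script that parses both Files sections as printed, normalizes /data/data to /data/user/0 (the former is a symlink to the latter) so the two runs' paths line up, reports which artifacts were identical across runs, pulls the parameters out of the dex2oat command line, and checks a locally pulled copy against the sandbox hash. The adb pull itself is the analyst's own step and is stood in for by a constructed file.

```python
"""Correlate the dropped DEX across both detonations and verify a pulled copy.

Added example, not part of the sandbox report. The Files excerpts and the
dex2oat line are copied from the report (only MD5 and SHA256 rows kept);
the 'adb pull' is the analyst's own step, stood in for by a constructed file.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

FILES_BEHAVIORAL1 = """\
/data/data/com.hfi.hangzhoubanshi/mix.dex
MD5 63f77f99bd2c2b772a479923bde11974
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu
MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
"""

FILES_BEHAVIORAL2 = """\
/data/data/com.hfi.hangzhoubanshi/mix.dex
MD5 63f77f99bd2c2b772a479923bde11974
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu
MD5 0b26b20b4498cb631fe3cc92c04a218e
SHA256 79dd32ab0f55ca819018bbd55166cd6230dda0f42f057eeb703904a6f1e810d2
"""

DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none --dex-file=/data/data/com.hfi.hangzhoubanshi/mix.dex "
    "--output-vdex-fd=49 --oat-fd=50 "
    "--oat-location=/data/data/com.hfi.hangzhoubanshi/oat/x86/mix.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def normalize_path(path: str) -> str:
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg>; compare on one form."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def parse_files(text: str) -> dict[str, dict[str, str]]:
    """A path line followed by 'ALGO hex' lines -> {normalized path: {algo: hex}}."""
    records: dict[str, dict[str, str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            current = normalize_path(line)
            records[current] = {}
        elif current and (m := HASH_RE.match(line)):
            records[current][m.group(1)] = m.group(2)
    return records


def compare_runs(a: dict, b: dict) -> dict[str, dict]:
    """Paths present in both runs, split by whether their SHA256 matched."""
    identical, differs = {}, {}
    for path in sorted(a.keys() & b.keys()):
        ha, hb = a[path].get("SHA256"), b[path].get("SHA256")
        if ha and ha == hb:
            identical[path] = ha
        else:
            differs[path] = (ha, hb)
    return {"identical": identical, "differs": differs}


def parse_dex2oat(cmdline: str) -> dict:
    """Collect --key=value options plus the ordered --runtime-arg values."""
    opts: dict = {"runtime-args": []}
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok == "--runtime-arg" and i + 1 < len(tokens):
            opts["runtime-args"].append(tokens[i + 1])
        elif tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value  # a repeated key keeps its last value
    return opts


def sha256_file(path: Path) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def verify_pull(local_path: Path, expected_sha256: str) -> bool:
    """True only when the pulled file matches the sandbox's SHA256 exactly."""
    return sha256_file(local_path) == expected_sha256.lower()


def write_constructed_sample() -> Path:
    """Constructed stand-in for an 'adb pull'-ed file; its contents are b'abc'."""
    p = Path(tempfile.mkdtemp()) / "mix.dex"
    p.write_bytes(b"abc")
    return p
```

Run against the two excerpts, compare_runs puts mix.dex under "identical" and bugly_db_legu under "differs", which is the split a reviewer wants: the former is the payload to disassemble, the latter is SDK state. On a real device the pulled file path replaces write_constructed_sample(), and verify_pull must return True before any static work starts, since a mismatch means the device-side file is a different build (or was rewritten after the sandbox snapshot), not the artifact the report describes.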