Analysis Overview
SHA256
46b488a24149f31590fc7ad3eee9eca2948139d606b814c0a5c2a7007c367796
Threat Level: Likely malicious
The file b966faa774d873c43535efbd8fa2811e_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries information about running processes on the device
Requests cell location
Queries information about active data network
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-17 18:30
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 18:30
Reported
2024-06-17 18:33
Platform
android-x86-arm-20240611.1-en
Max time kernel
73s
Max time network
159s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| Logged 5 times | /data/data/com.hfi.hangzhoubanshi/mix.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call (logged 3 times) | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read (logged 3 times) | /proc/meminfo | N/A | N/A |
Processes
com.hfi.hangzhoubanshi
sh -c getprop ro.yunos.version
/system/bin/sh -c getprop ro.board.platform
getprop ro.yunos.version
getprop ro.board.platform
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.hfi.hangzhoubanshi/mix.dex --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/data/com.hfi.hangzhoubanshi/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/sh -c type su
com.hfi.hangzhoubanshi:pushcore
/system/bin/sh -c getprop ro.board.platform
getprop ro.board.platform
com.hfi.hangzhoubanshi:pushcore
/system/bin/sh -c getprop ro.board.platform
getprop ro.board.platform
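The root-check, fingerprinting and dropped-DEX evidence in the tables above is the kind of thing an analyst wants pulled out of a process list and file-event list automatically rather than read row by row. The Python below is an added example written for this page, not sandbox code: FILE_EVENTS and PROCESSES are copied from the behavioral1 Signatures and Processes sections (the dex2oat command line trimmed to the arguments that matter), and the category rules, path lists and regular expressions are the editor's assumptions. The points it encodes: `sh -c type su` together with stat/open probes of /sbin/su and /system/app/Superuser.apk is the standard root-detection pattern; `getprop ro.yunos.version` and `getprop ro.board.platform` read read-only system properties to fingerprint the ROM (YunOS is Alibaba's Android fork) and hardware; and dex2oat being invoked with `--dex-file=/data/data/com.hfi.hangzhoubanshi/mix.dex` means code living in the app's private directory was compiled and loaded at run time, which is exactly what the "Loads dropped Dex/Jar" signature flags.

```python
"""Classify sandbox file-access and process evidence into the behaviours
the report flags: root check, environment fingerprinting, dynamic code
loading.

Added example for this page, not sandbox code.  FILE_EVENTS and PROCESSES
are copied from the behavioral1 tables; the rules below are the editor's
assumptions and the dex2oat command line is trimmed to its relevant arguments.
"""
import re
from collections import defaultdict

# Artifacts a root check typically stats or opens (editor's list).
ROOT_ARTIFACTS = {"/system/app/Superuser.apk", "/sbin/su",
                  "/system/bin/su", "/system/xbin/su", "/system/xbin/daemonsu"}
# Shell-level root probes: "type su", "which su".
ROOT_CMD = re.compile(r"\b(?:type|which)\s+su\b")
# getprop reads of read-only system properties (ROM / board fingerprinting).
PROP_CMD = re.compile(r"\bgetprop\s+(ro\.[\w.]+)")
# Hardware description files commonly read by emulator-detection code.
ENV_FILES = {"/proc/cpuinfo", "/proc/meminfo"}
# Code under an app-private directory was written after install, so loading
# it is dynamic code loading regardless of how it got there.
DYNAMIC_CODE = re.compile(r"^/data/(?:data|user/\d+)/[\w.]+/.*\.(?:dex|jar|apk)$")
DEX2OAT_INPUT = re.compile(r"--dex-file=(\S+)")


def classify_path(path):
    """Category for one file-open indicator, or None if uninteresting."""
    if path in ROOT_ARTIFACTS:
        return "root-check"
    if path in ENV_FILES:
        return "env-fingerprint"
    if DYNAMIC_CODE.match(path):
        return "dynamic-code"
    return None


def classify_cmdline(cmdline):
    """(category, indicator) pairs found in one process command line."""
    found = []
    if ROOT_CMD.search(cmdline):
        found.append(("root-check", cmdline))
    found += [("env-fingerprint", prop) for prop in PROP_CMD.findall(cmdline)]
    if cmdline.lstrip().startswith(("dex2oat", "/system/bin/dex2oat")):
        for dex in DEX2OAT_INPUT.findall(cmdline):
            if DYNAMIC_CODE.match(dex):
                found.append(("dynamic-code", dex))
    return found


def triage(file_events, processes):
    """category -> sorted unique indicators, over both evidence sources."""
    hits = defaultdict(set)
    for path in file_events:
        cat = classify_path(path)
        if cat:
            hits[cat].add(path)
    for cmd in processes:
        for cat, indicator in classify_cmdline(cmd):
            hits[cat].add(indicator)
    return {cat: sorted(v) for cat, v in sorted(hits.items())}


# Copied from the behavioral1 Signatures indicator columns above.
FILE_EVENTS = [
    "/system/app/Superuser.apk",
    "/sbin/su",
    "/data/data/com.hfi.hangzhoubanshi/mix.dex",
    "/proc/cpuinfo",
    "/proc/meminfo",
]
# Copied from the behavioral1 Processes list (dex2oat arguments trimmed).
PROCESSES = [
    "com.hfi.hangzhoubanshi",
    "sh -c getprop ro.yunos.version",
    "/system/bin/sh -c getprop ro.board.platform",
    "getprop ro.yunos.version",
    "getprop ro.board.platform",
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/data/com.hfi.hangzhoubanshi/mix.dex "
    "--oat-location=/data/data/com.hfi.hangzhoubanshi/oat/x86/mix.odex "
    "--compiler-filter=quicken",
    "/system/bin/sh -c type su",
    "com.hfi.hangzhoubanshi:pushcore",
]

if __name__ == "__main__":
    for cat, indicators in triage(FILE_EVENTS, PROCESSES).items():
        print(f"{cat}:")
        for indicator in indicators:
            print(f"  {indicator}")
```

The rules are deliberately narrow: a `getprop` of a `ro.*` property is counted as fingerprinting, but reads of other properties are ignored, and only DEX/JAR/APK inputs under an app-private directory count as dynamic code, so the system's own boot-image compilation would not be flagged.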
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
Files
/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal
| MD5 | 9063594ae5bf4332bb1a4972a1a4f1ba |
| SHA1 | e1c89b4d42d55ceee18a311f4c8173e8dc946235 |
| SHA256 | ce3aed01928b7e773fe6f2efbee548da83120d9587a6e1e568cb8517c796f397 |
| SHA512 | 3bb4f3e5674d64db496c9525656de90f1db4aa73fed84eca598f012df0f6ce00f4d10de850c68504cf1eff0354314572ad8eae809bff3db601ce9767bf40b450 |
/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-shm
| MD5 | cf845a781c107ec1346e849c9dd1b7e8 |
| SHA1 | b44ccc7f7d519352422e59ee8b0bdbac881768a7 |
| SHA256 | 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7 |
| SHA512 | 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612 |
/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-wal
| MD5 | e899c467141c5c000bff1c669b84bdc3 |
| SHA1 | 58af713b2eaa0fdc6f037939c54c9394ede2a2a4 |
| SHA256 | 13b7b5fd2498d3d6f67d6445b28295d353d67e8eb9b1adaa4d213cc0f21020c8 |
| SHA512 | e3546f65c49f86efdbf213e0220a9790fbcd20ed71b8aa9cc49b0dd273954b867cb54ea0042efad9b87bcfbd35a55e2f371728771f817eff94bcb7e0256a3f84 |
/data/data/com.hfi.hangzhoubanshi/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
/storage/emulated/0/Android/data/com.hfi.hangzhoubanshi/files/tbslog/tbslog.txt
| MD5 | dd07e23d9d7d46053fca3c01cb9a74ce |
| SHA1 | d8228ec57b31b5a92756c35c568d54c2db6c31d6 |
| SHA256 | e25f309d7656679cb4a6a9717ac03a4a91e917439008469c57d204ffa63b220b |
| SHA512 | 97de79cd66eb16fd746dd9bf8896109bc38b210fbb9b400338727d68c7351d60ff0043c11b5e8419f51d0f221a527886043e07cc49cd8145d8cdf2bb2d317bfa |
/data/data/com.hfi.hangzhoubanshi/databases/hzydbs-db-journal
| MD5 | ff27a1ab0a1754f5162da8bc83ada7bc |
| SHA1 | db2656bf425aee8ef2a0751e73f26b1f19c9a7f5 |
| SHA256 | d6511ab2124451da7582a320015b722e48bcec9819185bffa6c8d892582c0802 |
| SHA512 | 41366e30202e3543ab7535d92c0055bc27af1a9c70d42ab921cc9776d4cf7262d25fae89a733b9a77ba57c41d2730aa6d0ccf4e432a5c0f3cbcc106ae1a2ee8f |
/data/data/com.hfi.hangzhoubanshi/databases/hzydbs-db-wal
| MD5 | 96deb65c5790f7f1194d3b205fc37dc6 |
| SHA1 | 2cf0c678bc4e785c312f4516b4063a8f45111ada |
| SHA256 | b90a88108306887ac32b05574ebf73fd94822d6425ef5a5bece80ca1a6822d20 |
| SHA512 | 22839c3093e09b9ba6f67b44536f1addb560fedada9c05d8704e941aebd3dfa72ce04381a4ea3db4061f8696a5b9ce7537a52c1811032f4a02cdb5e9ede1f409 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 18:30
Reported
2024-06-17 18:33
Platform
android-x64-arm64-20240611.1-en
Max time kernel
10s
Max time network
132s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| Logged 2 times | /data/data/com.hfi.hangzhoubanshi/mix.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.hfi.hangzhoubanshi
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.179.234:443 | | tcp (2 connections) |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| GB | 142.250.180.4:443 | | tcp (2 connections) |
Files
/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal
| MD5 | 496ad9af3915521b9087dba5620b9ad1 |
| SHA1 | cd013f5007ad0a868328c0bc7e384d8d69fbd965 |
| SHA256 | febc5c0117397be678d0565ea4b9f08ff8088edfcd1b49b4981ec97dafe802fb |
| SHA512 | 6b12adc0f0cad65b7b4e9ed50243ff2a067e45c5dfd5f914fe69008d1f9c4ab96287ac01f1e35d16773b258317e6e869a5738219c2956c55650f9ad70fc11d22 |
/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu
| MD5 | 0b26b20b4498cb631fe3cc92c04a218e |
| SHA1 | ace9bf88a3da840273a87aa59118057aaa37636c |
| SHA256 | 79dd32ab0f55ca819018bbd55166cd6230dda0f42f057eeb703904a6f1e810d2 |
| SHA512 | 39f14232bed69f525058a1d65becbb7c692006fd894866cde0fe23c52408168c32576cd51dd0651dac76debd19cc23ab1df84c4493d01eec8e676c3c06ea71cd |
/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal
| MD5 | 87aac760087ff2f624ab4c5eeaea4402 |
| SHA1 | 012a74e2bdf82262e7a09550d02e7b7387455459 |
| SHA256 | 8b02dd2d48e63bb4881b5d119875fa82e5af84186af2a601b717230e0dd0d47f |
| SHA512 | 190c5d9ebc8b43ff3543d34272609246c9ee28a3f81c285d57c9a1512556910337a643b40c4ca99e99697042cde8e1857a028615a45ef5c649545819c96aeaed |
/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal
| MD5 | a738aad438c3ef74093953a010c97db6 |
| SHA1 | 16dd0c71e3d1b07b3b1f49b5e937d5e6967a8e79 |
| SHA256 | abe614f301b51058cc3e49fe44922af4c7906f1a865ed91919377122ae6bc24e |
| SHA512 | ac39d8a767d8fb9216aee46a55d32919df1af380489ca95850a2caf1317d03c58c4a2bf98d7320935db241e4165a60baf84a584e29a6bdfc9bd4365e38cc9bc9 |
/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal
| MD5 | 75b88864db20cd3b21f27b54ae4216e7 |
| SHA1 | bc3b55a13cdaa2ba83e0b9917932aff3e7ceb7db |
| SHA256 | 1c5b52d392f26da4b68a822f9e3492bb14a69e12c84e4b7437c4b58f29008250 |
| SHA512 | cbb5075edb56e00390175b2d46ca6eb9022d6f79066edc45436fb716afbd1b822fbe5c01598edec72527213acca3f7b31f7479c90b4e9acf8598c439c520e473 |
/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal
| MD5 | 1c0a728c109afe870474e5bcd1859f15 |
| SHA1 | 022a2f4b66807b17249798b58b689fa5d045fe61 |
| SHA256 | 1323fa743a7c510652e5a890feaede483cce58f2bf26070161d330be8b2e79df |
| SHA512 | ff1d0b16c4a23d19b634fb0b3b0f2f07824427aa291cd3df152fb45ad270a34bfb69106bd95b9d3919ff4b450cb5d1ac1df3f6065c42c6e0dc31e1aa0bbbd7fc |
/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal
| MD5 | a45e60890142ac956195708624d8f6f9 |
| SHA1 | 26285be7012b62d0eb7e40e0b6206a8652109e12 |
| SHA256 | 7557dcea97c223dfabcbea4e456ac2e915ae681488f16ec5c4bea53301a929d0 |
| SHA512 | d4d011e9ce2e01fd2d8961871746395c44d91b351ebf625e9811e08055f05b4dd53e410a9a4120e21bd377139eee8947cd47cc9d7810f78f388cb75c21cb806f |
/data/data/com.hfi.hangzhoubanshi/mix.dex
| MD5 | 63f77f99bd2c2b772a479923bde11974 |
| SHA1 | c7632e7d301e4463fafce85f84e9c3d7da3fdbbe |
| SHA256 | 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615 |
| SHA512 | 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c |
/data/user/0/com.hfi.hangzhoubanshi/app_bugly/tomb_1718649031844.txt
| MD5 | 94c8a672b934c2fc3a4432205c8a213d |
| SHA1 | da78f40013dc4653f3b6651b4e48e9dfea92fed3 |
| SHA256 | ecf644c3dbd0b90a751e6e77887133fbe16b610bf6a115346a11616a040dd143 |
| SHA512 | 33f988d89f8b1ae2fd9afffe776232407c1474991dd476ef0e23121bc5a24f2fde446121959250a6367c1bec499e8dacf7ae84362fc0772d40b8ddf28c8c2f1e |
/data/user/0/com.hfi.hangzhoubanshi/app_bugly/rqd_record.eup
| MD5 | 263b6b32a0ead515d24d1c244bdccc13 |
| SHA1 | 0fd7cb91b8a00ddeee372ca93b578f0991d99310 |
| SHA256 | c939dba88f80082c3dee6eac78d7f16ff46ba63afda604fa2b6aee16e81e4f67 |
| SHA512 | 6cf196298bcdf90621a61bd256b25beb0f5d0d4254052710a1532781df47c6a0750bff2adb138ceb8a453ba904fe16f394245405f69ae78f585e78494ea2bba6 |
/data/user/0/com.hfi.hangzhoubanshi/app_bugly/rqd_record.eup
| MD5 | b71e023909b2c12544a3b504e4f04dae |
| SHA1 | df86da03ccc4ba12b017168ebded99cd7aec47d3 |
| SHA256 | 95d2d903405237e44725e12db14d3ae207b8bc1d020a5f3de540b095d7c54d50 |
| SHA512 | 8e68adfd9cc2b859478d0b8d24ed2241749b09f3a5b2c31d33f13c6b9da757d43dc8fc87151682e05b7c3bd3c5f9e90a2f981452c070685e728dbce6a297071d |
/data/user/0/com.hfi.hangzhoubanshi/cache/tomb.zip
| MD5 | f6a31b29686c4f4eda349bc8bb68004d |
| SHA1 | 1b294148b516dd524f8abff6401d9ddd4bb7a5e7 |
| SHA256 | 065d894776b1f993cfb7cc66503597f8ce0351a13bd18aca54d03d618e11a20c |
| SHA512 | 9122a6b19d5681c96317c23b4445ffff861e672e5adb818c5221f476a58a4a33e61b8eaf51554800c1882196a6fb92540f6544e1c755cd0775e3e00cf299b329 |
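Comparing the Files tables of the two detonations tells an analyst which artifacts are worth carrying forward as indicators. The Python below is an added example, not part of the report: it normalises /data/data/<pkg> and /data/user/0/<pkg> (two spellings of the same app-private directory on a single-user device), then reports which files hashed identically in both runs and which changed or appeared in only one. The (path, SHA256) pairs are copied from the two Files tables above. The SDK attribution is the editor's assumption, not a claim the sandbox makes: the bugly_db_legu* databases, the app_bugly/ directory and the rqd_record.eup and tomb* files are written by Tencent's Bugly crash-reporting SDK, whose endpoint android.bugly.qq.com appears in both Network tables, and tbslog/ belongs to Tencent's TBS (X5) WebView SDK. Those are low-signal on their own, as is the 224.0.0.251:5353 UDP traffic (the mDNS multicast group, routine on Android). The artifact that matters is mix.dex, which hashed identically in both runs and is not attributable to a bundled SDK: that is the file to extract and decompile.

```python
"""Cross-run comparison of the files written by the sample.

Added example for this page, not sandbox output.  RUN1 and RUN2 are the
(path, SHA256) pairs copied from the two Files tables above; the SDK
attributions in SDK_PATTERNS are the editor's assumption.
"""
import re
from collections import defaultdict

# /data/data/<pkg>/ and /data/user/<n>/<pkg>/ name the same app-private
# directory, so collapse both spellings before comparing runs.
APP_DIR = re.compile(r"^/data/(?:data|user/\d+)/[\w.]+/")

# Third-party SDK artifacts (editor's attribution), low-signal by themselves.
SDK_PATTERNS = {
    "Tencent Bugly crash reporter": re.compile(r"bugly|rqd_record|tomb"),
    "Tencent TBS/X5 WebView": re.compile(r"/tbslog/"),
}


def normalise(path):
    """Rewrite either app-private prefix to the placeholder '<app>/'."""
    return APP_DIR.sub("<app>/", path)


def attribute(path):
    """Name the SDK a path is attributed to, or None if unattributed."""
    for sdk, pattern in SDK_PATTERNS.items():
        if pattern.search(path):
            return sdk
    return None


def hashes_by_path(*runs):
    """normalised path -> one set of SHA256 values per run."""
    table = defaultdict(lambda: [set() for _ in runs])
    for i, run in enumerate(runs):
        for path, sha256 in run:
            table[normalise(path)][i].add(sha256.lower())
    return table


def classify_artifacts(*runs):
    """Per path: runs that wrote it, whether its content was identical in
    every run, all hashes seen, and the SDK attribution."""
    report = {}
    for path, per_run in hashes_by_path(*runs).items():
        union = set().union(*per_run)
        report[path] = {
            "runs": [i + 1 for i, hashes in enumerate(per_run) if hashes],
            "stable": len(union) == 1 and all(per_run),
            "sha256": sorted(union),
            "sdk": attribute(path),
        }
    return report


def ioc_candidates(*runs):
    """Stable across runs and not attributed to a bundled SDK."""
    return {path: info["sha256"][0]
            for path, info in classify_artifacts(*runs).items()
            if info["stable"] and info["sdk"] is None}


# Copied from the behavioral1 Files table (path, SHA256).
RUN1 = [
    ("/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal", "ce3aed01928b7e773fe6f2efbee548da83120d9587a6e1e568cb8517c796f397"),
    ("/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu", "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
    ("/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-shm", "18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7"),
    ("/data/data/com.hfi.hangzhoubanshi/databases/bugly_db_legu-wal", "13b7b5fd2498d3d6f67d6445b28295d353d67e8eb9b1adaa4d213cc0f21020c8"),
    ("/data/data/com.hfi.hangzhoubanshi/mix.dex", "4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615"),
    ("/storage/emulated/0/Android/data/com.hfi.hangzhoubanshi/files/tbslog/tbslog.txt", "e25f309d7656679cb4a6a9717ac03a4a91e917439008469c57d204ffa63b220b"),
    ("/data/data/com.hfi.hangzhoubanshi/databases/hzydbs-db-journal", "d6511ab2124451da7582a320015b722e48bcec9819185bffa6c8d892582c0802"),
    ("/data/data/com.hfi.hangzhoubanshi/databases/hzydbs-db-wal", "b90a88108306887ac32b05574ebf73fd94822d6425ef5a5bece80ca1a6822d20"),
]
# Copied from the behavioral2 Files table (path, SHA256).
RUN2 = [
    ("/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal", "febc5c0117397be678d0565ea4b9f08ff8088edfcd1b49b4981ec97dafe802fb"),
    ("/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu", "79dd32ab0f55ca819018bbd55166cd6230dda0f42f057eeb703904a6f1e810d2"),
    ("/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal", "8b02dd2d48e63bb4881b5d119875fa82e5af84186af2a601b717230e0dd0d47f"),
    ("/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal", "abe614f301b51058cc3e49fe44922af4c7906f1a865ed91919377122ae6bc24e"),
    ("/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal", "1c5b52d392f26da4b68a822f9e3492bb14a69e12c84e4b7437c4b58f29008250"),
    ("/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal", "1323fa743a7c510652e5a890feaede483cce58f2bf26070161d330be8b2e79df"),
    ("/data/user/0/com.hfi.hangzhoubanshi/databases/bugly_db_legu-journal", "7557dcea97c223dfabcbea4e456ac2e915ae681488f16ec5c4bea53301a929d0"),
    ("/data/data/com.hfi.hangzhoubanshi/mix.dex", "4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615"),
    ("/data/user/0/com.hfi.hangzhoubanshi/app_bugly/tomb_1718649031844.txt", "ecf644c3dbd0b90a751e6e77887133fbe16b610bf6a115346a11616a040dd143"),
    ("/data/user/0/com.hfi.hangzhoubanshi/app_bugly/rqd_record.eup", "c939dba88f80082c3dee6eac78d7f16ff46ba63afda604fa2b6aee16e81e4f67"),
    ("/data/user/0/com.hfi.hangzhoubanshi/app_bugly/rqd_record.eup", "95d2d903405237e44725e12db14d3ae207b8bc1d020a5f3de540b095d7c54d50"),
    ("/data/user/0/com.hfi.hangzhoubanshi/cache/tomb.zip", "065d894776b1f993cfb7cc66503597f8ce0351a13bd18aca54d03d618e11a20c"),
]

if __name__ == "__main__":
    for path, info in sorted(classify_artifacts(RUN1, RUN2).items()):
        flag = "STABLE " if info["stable"] else "varies "
        print(f"{flag} runs={info['runs']} sdk={info['sdk']} {path}")
    print("IOC candidates:", ioc_candidates(RUN1, RUN2))
```

A file that is stable across runs but attributed to an SDK (none here) would still be excluded from the IOC list, since hashing on a crash-reporter database would match every app that bundles that SDK; a file that is unattributed but present in only one run (hzydbs-db-* here) is reported but not promoted, because one observation says nothing about whether its content is deterministic.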