Malware Analysis Report

2025-01-19 04:50

Sample ID 240617-w8ajlatcrm
Target b96b25d99b55d1883a273508bf8f1e3b_JaffaCakes118
SHA256 1e6c7511c81c799917f836610f6a409be4d034c3eacec7dd0fbb87c26cbb3348
Tags
collection discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file b96b25d99b55d1883a273508bf8f1e3b_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries information about the current nearby Wi-Fi networks

Queries information about running processes on the device

Requests cell location

Domain associated with commercial stalkerware software (indicator list from echap.eu.org)

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-06-17 18:35

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 18:35

Reported

2024-06-17 18:38

Platform

android-x86-arm-20240611.1-en

Max time kernel

127s

Max time network

188s

Command Line

com.chuangxiangkongjian.basketball

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software (indicator list from echap.eu.org)

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.chuangxiangkongjian.basketball

Network

Files

/data/data/com.chuangxiangkongjian.basketball/files/Reservoir/journal.tmp

/data/data/com.chuangxiangkongjian.basketball/cache/script.spp

/storage/emulated/0/baidu/.cuid

/data/data/com.chuangxiangkongjian.basketball/files/video_default_parser.zip

/storage/emulated/0/Android/data/zhangyoubao/device_id_self

/data/data/com.chuangxiangkongjian.basketball/databases/cc/cc.db-journal

/data/data/com.chuangxiangkongjian.basketball/databases/cc/cc.db

/data/data/com.chuangxiangkongjian.basketball/databases/cc/cc.db-shm

/data/data/com.chuangxiangkongjian.basketball/databases/cc/cc.db-wal

/data/data/com.chuangxiangkongjian.basketball/databases/netcache.db-journal

/data/data/com.chuangxiangkongjian.basketball/databases/netcache.db

/data/data/com.chuangxiangkongjian.basketball/databases/netcache.db-wal

/data/data/com.chuangxiangkongjian.basketball/databases/.ua/ua.db-journal

/data/data/com.chuangxiangkongjian.basketball/databases/.ua/ua.db

/data/data/com.chuangxiangkongjian.basketball/databases/.ua/ua.db-wal

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/data/data/com.chuangxiangkongjian.basketball/files/umeng_it.cache

/data/data/com.chuangxiangkongjian.basketball/files/.umeng/exchangeIdentity.json

/data/data/com.chuangxiangkongjian.basketball/files/exid.dat

/data/data/com.chuangxiangkongjian.basketball/databases/.ua/ua.db-wal

/data/data/com.chuangxiangkongjian.basketball/databases/.ua/ua.db

/data/data/com.chuangxiangkongjian.basketball/databases/cc/cc.db-wal

/data/data/com.chuangxiangkongjian.basketball/databases/cc/cc.db

/data/data/com.chuangxiangkongjian.basketball/files/.um/um_cache_1718649449080.env

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 18:35

Reported

2024-06-17 18:35

Platform

android-x86-arm-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 18:35

Reported

2024-06-17 18:35

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-17 18:35

Reported

2024-06-17 18:35

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A