Analysis Overview
SHA256
69b1d7ccdbd47631e1543d3f7f21bf7fb65e654bf4d74064f335e3861ce09297
Threat Level: Likely malicious
The file b9a56c5e845349fad573a0a50cdd63d5_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Requests cell location
Queries information about running processes on the device
Queries information about the current Wi-Fi connection
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Declares services with permission to bind to the system
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-17 19:30
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
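The static signatures above only list permission strings. The following is an added triage helper, not part of the sandbox report or the sample: it parses a manifest and buckets `<uses-permission>` entries by how Android actually grants them (runtime prompt vs. Settings toggle), then finds components guarded by BIND_* permissions, which only the system may hold and which mark where the app plugs into device admin, accessibility, VPN or notification access. The manifest embedded below is constructed to carry the same permission set the report lists; its package and component names are invented, since the report does not reproduce the sample's manifest.

```python
"""Bucket an AndroidManifest.xml by permission class and find system-bound
components.  Added example, not code from the sandbox or the sample; the
manifest is constructed (same permissions as the report, invented names)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# protectionLevel "dangerous": granted through a runtime prompt.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
# Special-access permissions: granted through a Settings toggle (AppOps),
# so they never appear in the normal permission prompt.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.PACKAGE_USAGE_STATS",
}
# Signature-level permissions placed on a component so only the system can
# bind to it; each one unlocks a privileged capability once the user enables it.
BIND_TO_SYSTEM = {
    "android.permission.BIND_DEVICE_ADMIN": "device administration",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "read and inject UI events",
    "android.permission.BIND_VPN_SERVICE": "route all device traffic",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read/dismiss notifications",
}

# Constructed manifest: permissions as in the report, names invented.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".VpnSvc"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".PushService"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Bucket <uses-permission> entries; list components only the system may bind."""
    root = ET.fromstring(xml_text)
    out = {"dangerous": [], "special": [], "other": [], "bind_system": []}
    for el in root.iter("uses-permission"):
        perm = el.get(NAME, "")
        bucket = "dangerous" if perm in DANGEROUS else "special" if perm in SPECIAL else "other"
        out[bucket].append(perm)
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(PERMISSION)
            if perm in BIND_TO_SYSTEM:
                out["bind_system"].append((tag, comp.get(NAME, "?"), perm))
    for bucket in out.values():
        bucket.sort()
    return out


def risky_combinations(found):
    """Pairings that together form the usual overlay / silent-install toolkit."""
    perms = set(found["dangerous"]) | set(found["special"])
    binds = {perm for _, _, perm in found["bind_system"]}
    a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in binds
    combos = []
    if a11y and "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        combos.append("overlay + accessibility: draw over other apps and click through them")
    if a11y and "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        combos.append("install-packages + accessibility: can auto-confirm the install prompt")
    if "android.permission.BIND_DEVICE_ADMIN" in binds:
        combos.append("device admin receiver: blocks uninstall until deactivated")
    return combos


if __name__ == "__main__":
    found = triage_manifest(MANIFEST)
    for bucket, items in found.items():
        print(f"{bucket}: {items}")
    for note in risky_combinations(found):
        print("!!", note)
```

Declaring a BIND_* permission on a component is not by itself malicious (every legitimate accessibility service or VPN client does it); the point of the last function is that the combination of an accessibility service with overlay or install-packages rights is what turns those declarations into a capability worth a closer look.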
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 19:30
Reported
2024-06-17 19:34
Platform
android-x86-arm-20240611.1-en
Max time kernel
150s
Max time network
187s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /sbin/su | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.sogou.androidtool
  chmod 777 /data/user/0/com.sogou.androidtool/cache
  chmod 777 /data/user/0/com.sogou.androidtool/cache
  chmod 777 /data/user/0/com.sogou.androidtool/cache
com.sogou.androidtool:remote_proxy
  chmod 777 /data/user/0/com.sogou.androidtool/cache
com.sogou.androidtool:push_service
  chmod 777 /data/user/0/com.sogou.androidtool/files
  chmod 777 /data/user/0/com.sogou.androidtool/cache
  getprop ro.miui.ui.version.name
  /system/bin/sh -c getprop ro.board.platform
  getprop ro.board.platform
  /system/bin/sh -c type su
com.sogou.androidtool:channel
  chmod 777 /data/user/0/com.sogou.androidtool/cache
  getprop ro.miui.ui.version.name
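Two things in the process list deserve a rule of their own: `chmod 777` on the app's own cache and files directories makes them world-writable (any other process that can reach the path can plant or replace content there), and `type su` plus the `/sbin/su` and `Superuser.apk` checks in the signatures are a root-detection routine. The following is an added triage script, not code from the sandbox: it takes the Processes list above as input, attributes each command to the process that spawned it, unwraps `/system/bin/sh -c` wrappers, and classifies commands with regexes of its own (the categories are this example's, not the sandbox's signature names). The root-indicator path list is an assumption extended beyond the two paths the report shows.

```python
"""Classify sandbox-recorded command lines for an Android sample.
Added example; the input is the Processes list from the report, the rules
are this script's own."""
import re
from collections import Counter, namedtuple

# Copied from the behavioral1 Processes list above.
PROCESS_LOG = """\
com.sogou.androidtool
chmod 777 /data/user/0/com.sogou.androidtool/cache
chmod 777 /data/user/0/com.sogou.androidtool/cache
chmod 777 /data/user/0/com.sogou.androidtool/cache
com.sogou.androidtool:remote_proxy
chmod 777 /data/user/0/com.sogou.androidtool/cache
com.sogou.androidtool:push_service
chmod 777 /data/user/0/com.sogou.androidtool/files
chmod 777 /data/user/0/com.sogou.androidtool/cache
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.board.platform
getprop ro.board.platform
/system/bin/sh -c type su
com.sogou.androidtool:channel
chmod 777 /data/user/0/com.sogou.androidtool/cache
getprop ro.miui.ui.version.name
"""

Finding = namedtuple("Finding", "process category command")

# A dotted package name, optionally with a ":remote" process suffix; no spaces.
PROCESS_NAME = re.compile(r"^[A-Za-z_]\w*(?:\.\w+)+(?::\w+)?$")
# chmod <octal mode> <path under an app-private data directory>
CHMOD_PRIVATE = re.compile(
    r"^chmod\s+(?P<mode>[0-7]{3,4})\s+"
    r"(?P<path>/data/(?:user/\d+|data)/[\w.]+(?:/\S*)?)$")
GETPROP = re.compile(r"^getprop\s+(?P<prop>ro\.\S+)$")
SU_PROBE = re.compile(r"^(?:type|which|command\s+-v)\s+su$")
# Assumed list; the report itself only shows /sbin/su and Superuser.apk.
ROOT_INDICATORS = ("/sbin/su", "/system/bin/su", "/system/xbin/su",
                   "/system/app/Superuser.apk")


def normalise(cmd):
    """Unwrap `/system/bin/sh -c <cmd>` so the inner command gets classified."""
    m = re.match(r"^/system/bin/sh\s+-c\s+(.*)$", cmd)
    return m.group(1).strip() if m else cmd.strip()


def classify(cmd):
    cmd = normalise(cmd)
    m = CHMOD_PRIVATE.match(cmd)
    if m:
        # Only flag modes that set the "other" write bit.
        return ("world_writable_private_dir" if int(m.group("mode"), 8) & 0o002
                else "chmod_private_dir")
    if SU_PROBE.match(cmd) or any(p in cmd for p in ROOT_INDICATORS):
        return "root_check"
    if GETPROP.match(cmd):
        return "device_fingerprint"   # e.g. ro.miui.* identifies a MIUI ROM
    return "other"


def triage(log_text):
    """Attribute each command line to the most recent process header."""
    findings, process = [], "<unknown>"
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PROCESS_NAME.match(line):
            process = line
            continue
        findings.append(Finding(process, classify(line), line))
    return findings


def summarize(findings):
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    fs = triage(PROCESS_LOG)
    for f in fs:
        print(f"{f.process:40} {f.category:28} {f.command}")
    print(summarize(fs))
```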
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.204.67:443 | | tcp |
| GB | 142.250.178.10:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | awpping.mse.sogou.com | udp |
| US | 1.1.1.1:53 | defake.pingback.zhushou.sogou.com | udp |
| US | 1.1.1.1:53 | mobile.zhushou.sogou.com | udp |
| CN | 203.107.1.97:443 | | tcp |
| US | 1.1.1.1:53 | get.sogou.com | udp |
| US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp |
| HK | 129.226.103.145:80 | get.sogou.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| HK | 129.226.103.145:80 | get.sogou.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 223.109.148.130:443 | ulogs.umeng.com | tcp |
| CN | 36.156.202.78:443 | plbslog.umeng.com | tcp |
| CN | 203.107.1.97:443 | | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 203.107.1.97:443 | | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 203.107.1.97:443 | | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 203.107.1.100:443 | | tcp |
| CN | 203.107.1.100:443 | | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| US | 1.1.1.1:53 | httpdns-sc.aliyuncs.com | udp |
| CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 223.109.148.177:443 | ulogs.umeng.com | tcp |
| CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 223.109.148.176:443 | ulogs.umeng.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 223.109.148.141:443 | ulogs.umeng.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| CN | 223.109.148.178:443 | ulogs.umeng.com | tcp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| CN | 223.109.148.179:443 | ulogs.umeng.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
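The connection table above is a flat event log, so the useful questions (which domains were resolved to which IPs, which traffic went over cleartext HTTP, which destinations never got a domain label, which lookups never led to a connection) take some folding. The following is an added summariser, not part of the sandbox report; the rows embedded in it are a subset copied from the behavioral1 Network table above, and the parser also accepts rows in which the protocol has slid into the Domain column because the domain cell was empty.

```python
"""Fold a sandbox Network table into triage-ready sets.
Added example; rows below are a subset copied from the report's table."""
from collections import defaultdict

SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| GB | 216.58.204.67:443 | tcp | |
| US | 1.1.1.1:53 | awpping.mse.sogou.com | udp |
| CN | 203.107.1.97:443 | tcp | |
| US | 1.1.1.1:53 | get.sogou.com | udp |
| US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp |
| HK | 129.226.103.145:80 | get.sogou.com | tcp |
| CN | 59.82.40.77:80 | adash.man.aliyuncs.com | tcp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 223.109.148.130:443 | ulogs.umeng.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 203.107.1.100:443 | tcp | |
| US | 1.1.1.1:53 | httpdns-sc.aliyuncs.com | udp |
| CN | 203.107.1.97:443 | httpdns-sc.aliyuncs.com | tcp |
| CN | 203.107.1.100:443 | httpdns-sc.aliyuncs.com | tcp |
"""


def parse_rows(table_text):
    """Yield (country, ip, port, domain, proto) for each data row."""
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 3 or cells[1] == "Destination":
            continue
        cells += [""] * (4 - len(cells))          # tolerate a missing last cell
        country, dest, c3, c4 = cells[:4]
        # Misaligned row: protocol sits in the Domain column and Proto is blank.
        if c3.lower() in ("tcp", "udp") and not c4:
            domain, proto = "", c3.lower()
        else:
            domain, proto = c3, c4.lower()
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        yield country, ip, int(port), domain, proto


def summarize_network(table_text):
    resolvers, dns_queries = set(), set()
    resolved = defaultdict(set)      # domain -> IPs actually connected to
    cleartext = set()                # domains reached over port 80
    labelled, unlabelled = set(), set()
    for _, ip, port, domain, proto in parse_rows(table_text):
        if port == 53 and proto == "udp":
            resolvers.add(ip)
            if domain:
                dns_queries.add(domain)
            continue
        if domain:
            resolved[domain].add(ip)
            labelled.add(ip)
            if port == 80:
                cleartext.add(domain)
        else:
            unlabelled.add(ip)
    return {
        "resolvers": resolvers,
        "dns_queries": dns_queries,
        "resolved": dict(resolved),
        "cleartext": cleartext,
        # IPs the capture never tied to a domain, after back-filling labels
        # seen on later rows (here: TLS to a Google address).
        "unlabelled_ips": unlabelled - labelled,
        # Looked up but never connected to: NXDOMAIN, sinkhole, or blocked.
        "queried_not_contacted": dns_queries - set(resolved),
    }


if __name__ == "__main__":
    for key, value in summarize_network(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

On the full table the same folding shows the telemetry endpoints (adash.man.aliyuncs.com, android.bugly.qq.com, get.sogou.com) all reached over port 80, while the HTTPDNS and umeng endpoints use 443.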
Files
/data/data/com.sogou.androidtool/databases/downloads_classic.db-journal
| MD5 | d36039c073a1f927c2b64d680f779a5d |
| SHA1 | 0c0ce140dd92c8f8a018313b4f5241e2336d43d5 |
| SHA256 | 59bde80b36b81551aa1e84249989ee85716dfdd1e5c3446a14296f2f341283c1 |
| SHA512 | 19599da638b3c291706dac5f4da2847ef3bd1ddd5b5fcdaceb128443509139ef51eae5252f4ed9da991e5a9568cfa93f2f33b2a88d825623f356a2a842319f8a |
/data/data/com.sogou.androidtool/databases/MessageStore.db-journal
| MD5 | 55b9902964df420164affc63ee632dc7 |
| SHA1 | 97875e8320c19dd26da9ae993cf6bf4575e4e0f4 |
| SHA256 | c74722f5059bde7e64eb06a7ca157efea858dd338d34a04b6026af4184b0832b |
| SHA512 | fe902b312be8799d7aa18608660ed87909c587ddf3d4f71cf675c95e575dcb68d8aa48a6bfd057578ac9546ff0c1aa5ee4d47e570e71600aaadff7fc0917f8bb |
/data/data/com.sogou.androidtool/databases/downloads_classic.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.sogou.androidtool/databases/MessageStore.db
| MD5 | 075ea151a59c26e1e9becfdbb5c2ffb0 |
| SHA1 | f7ac8ae6314f020d0dd549a706de8f381fdc0a71 |
| SHA256 | 579e93b56a314d64702ce9b9c0cdaee8c348c640bc51a66cf4250aeea1752ac4 |
| SHA512 | c9afd8e404f77211ce662ff1876201fb926684f2472506a2331d161b0856170df2789f419e0c068b8b83a7d73b6c3bd5acfc92aa19d943dd008985998fe99717 |
/data/data/com.sogou.androidtool/databases/downloads_classic.db-shm
| MD5 | cf845a781c107ec1346e849c9dd1b7e8 |
| SHA1 | b44ccc7f7d519352422e59ee8b0bdbac881768a7 |
| SHA256 | 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7 |
| SHA512 | 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612 |
/data/data/com.sogou.androidtool/databases/MessageStore.db-wal
| MD5 | 27095e3fa430df52f5c56acabfe6aa19 |
| SHA1 | 3b8fb8126b4c7cb874f50af37741bf6edf0ba4ae |
| SHA256 | e4a5b1cecf0599e62408873e44d984486dbc2e9e3b02e32548af22ae1439537b |
| SHA512 | 19314b83fac66bb0e050b803a9b4b1f665b8a17b57fb81e80ae702e584c9b2870d600c1088e731e75dc7151f015d15d64b2fe470c63409cdea41b14fdaa616d7 |
/data/data/com.sogou.androidtool/databases/downloads_classic.db-wal
| MD5 | 2da0a897490cf677255702c6a04d54ef |
| SHA1 | c6bd8ac6d8e7bcd976fe5ace921a67e7afd2a9ce |
| SHA256 | b8324f32e777c4f060bb60d1d29e207b69f7acefbeb27ec6f3b6ea3a1aac0cd2 |
| SHA512 | e0c1d1c665f5e39e6db2002cea9f86f72bac01b836b8cb24d0524b28a64bd9ade34d30e6de9b9668fbfa96057d7e0a60806e7ef6e66a230690922e9d5249f247 |
/data/data/com.sogou.androidtool/databases/MsgLogStore.db-journal
| MD5 | 9db2946d067482960821d167a1dc7b1c |
| SHA1 | f3314398089721a2e867ffe9c11d9b91a27ecd78 |
| SHA256 | 5754908f6ccfe5ced11168aae0e9c12064b56e48bccd0fb0ffb37db70d6c519f |
| SHA512 | 0dfe066f0ae1b3872849c4b0ee965ca7022e9efba70ebed3d8b71cd16d2b527fa9cab5494906401fc1f06783fb68ca46982a6a5d102b0bc9d86b1efaa815e747 |
/data/data/com.sogou.androidtool/databases/MsgLogStore.db-wal
| MD5 | 3336fbf3083ba8c28e8fbbc7430c7e38 |
| SHA1 | 285c92c39ae44ecf34f5852ff909e4bed659a496 |
| SHA256 | 34023d1ac6b08fded791f48eb36e017e46654163a928be0f73d7ef8649455c24 |
| SHA512 | 78d089df9f3c02779dea300a379c125524d8408da22611c522a9f61441e291525e88376d3e9332f169986c15d8c85dafc97c64809a29fc11e9588f6e9decd7bf |
/data/data/com.sogou.androidtool/databases/bugly_db_-journal
| MD5 | 40b1d212e3276ab00b71f9df7cd25978 |
| SHA1 | 17bb835439d1448af39640b4c10bb3e2fd8b5940 |
| SHA256 | 0ca07b528af8496195f5eb46ee6706866790370f4f937d868d224cb8246ef283 |
| SHA512 | 117374b30b5b8d9d4d88ea239958573b77609141f6e0fc17c90c0f3b6d8cced0ccd9a3c83fac0ddd7f081bec8903dce1ec5ec7406ea304719f382a8a9d42394c |
/data/data/com.sogou.androidtool/databases/bugly_db_-wal
| MD5 | 2a73bda6a2ac1c74b49c18bc54953145 |
| SHA1 | 4dcdbb8b8c6fc9ad246532a10ba0cb5e9ea6e2b3 |
| SHA256 | 33604d01e5837a2010e2093a4d6b441dbed5dd83b01159023e3e62aba1d8133f |
| SHA512 | 161f8133b5ce50c8d6cac2a1012165a1002ed1c91647f9b6556fd89f67bc6e7fa0d698e5bc3c25acee3a6d6391af7cb7d1bea30fbfa15628bc17f5dc31e75de9 |
/data/data/com.sogou.androidtool/databases/pb_db-journal
| MD5 | 58614b5127884fd16ccefa62a611d6e2 |
| SHA1 | 9becee423001c75e720e2f0c6872f9b2b7e7fbff |
| SHA256 | bbd53a4387ab4ce393314027692be87b52fdae94ef5f7256704fb9190579a0c2 |
| SHA512 | 4bc5e199e97801a3641b001cfebc55ba9836744962c371a9a217a8a636f64d45da74d4fac8fa0d64c6a96e8da8a07bb36a396c0a7e40e742b6b5d8807d6e7125 |
/data/data/com.sogou.androidtool/databases/pb_db
| MD5 | 650956f5790780ebe873a98ec3c6208e |
| SHA1 | 93d153640b298e9214eca32825ec30b181f9e8ce |
| SHA256 | 36b4a521ca7add4a85d3ceffd27777e37c0c0e06c44977492e58657664d59cab |
| SHA512 | 9fcc0dd8a702424908286f597c6418516a939038d264c2d31f65dc48fc5b025d7a4c85d85a54dbaf33708b7ccb0c703c2bb0762033a6fcfe7917287c6d307449 |
/data/data/com.sogou.androidtool/databases/pb_db-wal
| MD5 | e8eef83fbdf1473916620a2c35f43137 |
| SHA1 | 7b7133b0b3649bce51b2eeac54f7a577f3fe28fb |
| SHA256 | d52e672a7b5b298ce4c8f7bb2b93b0a88f0a53ba8dc33965107438fb001f17dc |
| SHA512 | 14bfa6922d7491a67bbde659376600e16a3b42bec3ff324a1647bd5fac565b057522d38d94b49777318c62c02ba1c52765057f4578b65adc7b7776831065a7d0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 19:30
Reported
2024-06-17 19:31
Platform
android-33-x64-arm64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.68:443 | | udp |
| GB | 172.217.169.68:443 | | udp |
| BE | 142.251.168.188:5228 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 216.58.204.74:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.74:443 | | udp |
| GB | 142.250.180.10:443 | | udp |
| GB | 142.250.180.10:443 | | tcp |