Malware Analysis Report

2025-01-19 04:54

Sample ID 240617-x779xavgkn
Target b9a56c5e845349fad573a0a50cdd63d5_JaffaCakes118
SHA256 69b1d7ccdbd47631e1543d3f7f21bf7fb65e654bf4d74064f335e3861ce09297
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

69b1d7ccdbd47631e1543d3f7f21bf7fb65e654bf4d74064f335e3861ce09297

Threat Level: Likely malicious

The file b9a56c5e845349fad573a0a50cdd63d5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Requests cell location

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Declares services with permission to bind to the system

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 19:30

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 19:30

Reported

2024-06-17 19:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

150s

Max time network

187s

Command Line

com.sogou.androidtool

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.sogou.androidtool

chmod 777 /data/user/0/com.sogou.androidtool/cache

chmod 777 /data/user/0/com.sogou.androidtool/cache

chmod 777 /data/user/0/com.sogou.androidtool/cache

com.sogou.androidtool:remote_proxy

chmod 777 /data/user/0/com.sogou.androidtool/cache

com.sogou.androidtool:push_service

chmod 777 /data/user/0/com.sogou.androidtool/files

chmod 777 /data/user/0/com.sogou.androidtool/cache

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

/system/bin/sh -c type su

com.sogou.androidtool:channel

chmod 777 /data/user/0/com.sogou.androidtool/cache

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
GB 216.58.204.67:443 tcp
GB 142.250.178.10:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 awpping.mse.sogou.com udp
US 1.1.1.1:53 defake.pingback.zhushou.sogou.com udp
US 1.1.1.1:53 mobile.zhushou.sogou.com udp
CN 203.107.1.97:443 tcp
US 1.1.1.1:53 get.sogou.com udp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
HK 129.226.103.145:80 get.sogou.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
HK 129.226.103.145:80 get.sogou.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 223.109.148.130:443 ulogs.umeng.com tcp
CN 36.156.202.78:443 plbslog.umeng.com tcp
CN 203.107.1.97:443 tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 203.107.1.97:443 tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 203.107.1.97:443 tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 203.107.1.100:443 tcp
CN 203.107.1.100:443 tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
US 1.1.1.1:53 httpdns-sc.aliyuncs.com udp
CN 203.107.1.97:443 httpdns-sc.aliyuncs.com tcp
CN 223.109.148.177:443 ulogs.umeng.com tcp
CN 203.107.1.97:443 httpdns-sc.aliyuncs.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 203.107.1.100:443 httpdns-sc.aliyuncs.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 203.107.1.100:443 httpdns-sc.aliyuncs.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 223.109.148.176:443 ulogs.umeng.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 223.109.148.141:443 ulogs.umeng.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 223.109.148.178:443 ulogs.umeng.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 adash.man.aliyuncs.com udp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 59.82.40.77:80 adash.man.aliyuncs.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 223.109.148.179:443 ulogs.umeng.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp

Files

/data/data/com.sogou.androidtool/databases/downloads_classic.db-journal

MD5 d36039c073a1f927c2b64d680f779a5d
SHA1 0c0ce140dd92c8f8a018313b4f5241e2336d43d5
SHA256 59bde80b36b81551aa1e84249989ee85716dfdd1e5c3446a14296f2f341283c1
SHA512 19599da638b3c291706dac5f4da2847ef3bd1ddd5b5fcdaceb128443509139ef51eae5252f4ed9da991e5a9568cfa93f2f33b2a88d825623f356a2a842319f8a

/data/data/com.sogou.androidtool/databases/MessageStore.db-journal

MD5 55b9902964df420164affc63ee632dc7
SHA1 97875e8320c19dd26da9ae993cf6bf4575e4e0f4
SHA256 c74722f5059bde7e64eb06a7ca157efea858dd338d34a04b6026af4184b0832b
SHA512 fe902b312be8799d7aa18608660ed87909c587ddf3d4f71cf675c95e575dcb68d8aa48a6bfd057578ac9546ff0c1aa5ee4d47e570e71600aaadff7fc0917f8bb

/data/data/com.sogou.androidtool/databases/downloads_classic.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.sogou.androidtool/databases/MessageStore.db

MD5 075ea151a59c26e1e9becfdbb5c2ffb0
SHA1 f7ac8ae6314f020d0dd549a706de8f381fdc0a71
SHA256 579e93b56a314d64702ce9b9c0cdaee8c348c640bc51a66cf4250aeea1752ac4
SHA512 c9afd8e404f77211ce662ff1876201fb926684f2472506a2331d161b0856170df2789f419e0c068b8b83a7d73b6c3bd5acfc92aa19d943dd008985998fe99717

/data/data/com.sogou.androidtool/databases/downloads_classic.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.sogou.androidtool/databases/MessageStore.db-wal

MD5 27095e3fa430df52f5c56acabfe6aa19
SHA1 3b8fb8126b4c7cb874f50af37741bf6edf0ba4ae
SHA256 e4a5b1cecf0599e62408873e44d984486dbc2e9e3b02e32548af22ae1439537b
SHA512 19314b83fac66bb0e050b803a9b4b1f665b8a17b57fb81e80ae702e584c9b2870d600c1088e731e75dc7151f015d15d64b2fe470c63409cdea41b14fdaa616d7

/data/data/com.sogou.androidtool/databases/downloads_classic.db-wal

MD5 2da0a897490cf677255702c6a04d54ef
SHA1 c6bd8ac6d8e7bcd976fe5ace921a67e7afd2a9ce
SHA256 b8324f32e777c4f060bb60d1d29e207b69f7acefbeb27ec6f3b6ea3a1aac0cd2
SHA512 e0c1d1c665f5e39e6db2002cea9f86f72bac01b836b8cb24d0524b28a64bd9ade34d30e6de9b9668fbfa96057d7e0a60806e7ef6e66a230690922e9d5249f247

/data/data/com.sogou.androidtool/databases/MsgLogStore.db-journal

MD5 9db2946d067482960821d167a1dc7b1c
SHA1 f3314398089721a2e867ffe9c11d9b91a27ecd78
SHA256 5754908f6ccfe5ced11168aae0e9c12064b56e48bccd0fb0ffb37db70d6c519f
SHA512 0dfe066f0ae1b3872849c4b0ee965ca7022e9efba70ebed3d8b71cd16d2b527fa9cab5494906401fc1f06783fb68ca46982a6a5d102b0bc9d86b1efaa815e747

/data/data/com.sogou.androidtool/databases/MsgLogStore.db-wal

MD5 3336fbf3083ba8c28e8fbbc7430c7e38
SHA1 285c92c39ae44ecf34f5852ff909e4bed659a496
SHA256 34023d1ac6b08fded791f48eb36e017e46654163a928be0f73d7ef8649455c24
SHA512 78d089df9f3c02779dea300a379c125524d8408da22611c522a9f61441e291525e88376d3e9332f169986c15d8c85dafc97c64809a29fc11e9588f6e9decd7bf

/data/data/com.sogou.androidtool/databases/bugly_db_-journal

MD5 40b1d212e3276ab00b71f9df7cd25978
SHA1 17bb835439d1448af39640b4c10bb3e2fd8b5940
SHA256 0ca07b528af8496195f5eb46ee6706866790370f4f937d868d224cb8246ef283
SHA512 117374b30b5b8d9d4d88ea239958573b77609141f6e0fc17c90c0f3b6d8cced0ccd9a3c83fac0ddd7f081bec8903dce1ec5ec7406ea304719f382a8a9d42394c

/data/data/com.sogou.androidtool/databases/bugly_db_-wal

MD5 2a73bda6a2ac1c74b49c18bc54953145
SHA1 4dcdbb8b8c6fc9ad246532a10ba0cb5e9ea6e2b3
SHA256 33604d01e5837a2010e2093a4d6b441dbed5dd83b01159023e3e62aba1d8133f
SHA512 161f8133b5ce50c8d6cac2a1012165a1002ed1c91647f9b6556fd89f67bc6e7fa0d698e5bc3c25acee3a6d6391af7cb7d1bea30fbfa15628bc17f5dc31e75de9

/data/data/com.sogou.androidtool/databases/pb_db-journal

MD5 58614b5127884fd16ccefa62a611d6e2
SHA1 9becee423001c75e720e2f0c6872f9b2b7e7fbff
SHA256 bbd53a4387ab4ce393314027692be87b52fdae94ef5f7256704fb9190579a0c2
SHA512 4bc5e199e97801a3641b001cfebc55ba9836744962c371a9a217a8a636f64d45da74d4fac8fa0d64c6a96e8da8a07bb36a396c0a7e40e742b6b5d8807d6e7125

/data/data/com.sogou.androidtool/databases/pb_db

MD5 650956f5790780ebe873a98ec3c6208e
SHA1 93d153640b298e9214eca32825ec30b181f9e8ce
SHA256 36b4a521ca7add4a85d3ceffd27777e37c0c0e06c44977492e58657664d59cab
SHA512 9fcc0dd8a702424908286f597c6418516a939038d264c2d31f65dc48fc5b025d7a4c85d85a54dbaf33708b7ccb0c703c2bb0762033a6fcfe7917287c6d307449

/data/data/com.sogou.androidtool/databases/pb_db-wal

MD5 e8eef83fbdf1473916620a2c35f43137
SHA1 7b7133b0b3649bce51b2eeac54f7a577f3fe28fb
SHA256 d52e672a7b5b298ce4c8f7bb2b93b0a88f0a53ba8dc33965107438fb001f17dc
SHA512 14bfa6922d7491a67bbde659376600e16a3b42bec3ff324a1647bd5fac565b057522d38d94b49777318c62c02ba1c52765057f4578b65adc7b7776831065a7d0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 19:30

Reported

2024-06-17 19:31

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.68:443 udp
GB 172.217.169.68:443 udp
BE 142.251.168.188:5228 tcp
GB 142.250.179.228:443 tcp
GB 216.58.204.74:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 udp
GB 142.250.180.10:443 udp
GB 142.250.180.10:443 tcp

Files

N/A