Malware Analysis Report

2025-01-19 04:54

Sample ID 240617-y3j7yswhrq
Target b9d9e8df7d75312774682b0d0b2b6229_JaffaCakes118
SHA256 45f76c78b2cf000cb1e10a09dc05601cfe06c9a2d9efd6cb848025fa6028e143
Tags
collection discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

45f76c78b2cf000cb1e10a09dc05601cfe06c9a2d9efd6cb848025fa6028e143

Threat Level: Shows suspicious behavior

The file b9d9e8df7d75312774682b0d0b2b6229_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery impact persistence

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Reads information about phone network operator

Queries information about the current Wi-Fi connection

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 20:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 20:18

Reported

2024-06-17 20:21

Platform

android-x86-arm-20240611.1-en

Max time kernel

176s

Max time network

184s

Command Line

com.ude03.weixiao30

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.ude03.weixiao30

com.ude03.weixiao30:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sapi.map.baidu.com udp
HK 103.235.46.245:443 sapi.map.baidu.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 1.94.137.180:19000 s.jpush.cn udp
HK 103.235.46.245:443 sapi.map.baidu.com tcp
US 1.1.1.1:53 loc.map.baidu.com udp
HK 103.235.46.246:80 loc.map.baidu.com tcp
HK 103.235.46.246:80 loc.map.baidu.com tcp
US 1.1.1.1:53 sapi.skyhookwireless.com udp
US 1.1.1.1:53 dns.map.baidu.com udp
FR 13.39.65.24:443 sapi.skyhookwireless.com tcp
HK 103.235.46.246:80 loc.map.baidu.com tcp
CN 182.61.62.50:80 dns.map.baidu.com tcp
CN 1.94.137.180:80 s.jpush.cn udp
FR 13.39.65.24:443 sapi.skyhookwireless.com tcp
HK 103.235.46.246:80 loc.map.baidu.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:80 easytomessage.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 sis.jpush.io udp
CN 1.92.70.140:19000 sis.jpush.io udp
N/A 10.0.0.172:80 tcp
CN 1.92.70.140:80 sis.jpush.io udp
CN 182.61.62.50:80 dns.map.baidu.com tcp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 1.92.70.140:19000 s.jpush.cn udp
CN 1.92.70.140:80 s.jpush.cn udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:80 easytomessage.com udp
CN 1.92.70.140:19000 s.jpush.cn udp
CN 1.92.70.140:80 s.jpush.cn udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
CN 1.92.70.140:19000 s.jpush.cn udp
FR 13.39.65.24:443 sapi.skyhookwireless.com tcp
CN 182.61.62.50:80 dns.map.baidu.com tcp
HK 103.235.46.246:80 loc.map.baidu.com tcp
FR 13.39.65.24:443 sapi.skyhookwireless.com tcp
HK 103.235.46.246:80 loc.map.baidu.com tcp
CN 1.92.70.140:80 s.jpush.cn udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:80 easytomessage.com udp
N/A 10.0.0.172:80 tcp
CN 1.92.70.140:19000 s.jpush.cn udp
CN 182.61.62.50:80 dns.map.baidu.com tcp
CN 1.92.70.140:80 s.jpush.cn udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp
CN 1.92.70.140:19000 s.jpush.cn udp
CN 1.92.70.140:80 s.jpush.cn udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:80 easytomessage.com udp
CN 1.92.70.140:19000 s.jpush.cn udp
CN 1.92.70.140:80 s.jpush.cn udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
US 1.1.1.1:53 sapi.skyhookwireless.com udp
CN 182.61.62.50:80 dns.map.baidu.com tcp
US 1.1.1.1:53 loc.map.baidu.com udp
FR 13.39.65.24:443 sapi.skyhookwireless.com tcp
HK 103.235.46.246:80 loc.map.baidu.com tcp
FR 13.39.65.24:443 sapi.skyhookwireless.com tcp
HK 103.235.46.246:80 loc.map.baidu.com tcp
CN 113.31.17.106:3000 tcp
N/A 10.0.0.172:80 tcp
CN 182.61.62.50:80 dns.map.baidu.com tcp
CN 1.92.70.140:19000 s.jpush.cn udp
CN 1.92.70.140:80 s.jpush.cn udp
CN 123.60.89.60:19000 easytomessage.com udp
CN 123.60.89.60:80 easytomessage.com udp
CN 1.92.70.140:19000 s.jpush.cn udp
CN 1.92.70.140:80 s.jpush.cn udp
CN 113.31.17.108:19000 udp
CN 113.31.17.108:80 udp
CN 113.31.17.106:3000 tcp

Files

/storage/emulated/0/baidu/.cuid

MD5 94e006d7c406d4131fba3e671b236c85
SHA1 e69770aeebf0635db70e739236f0a4d444fa43cc
SHA256 2984ced636d11fed6fad12877bb27e1d97a1ccd137e984e7140239dc97015699
SHA512 a8effbd94bd830cfff8b6ce0ce7efc388d965fa3be18dd1619253604c786d81f8efc74f9f6df99d58edc6e5868b5e7ec7682618a7855c6d9f1574fa340f9be74

/data/data/com.ude03.weixiao30/databases/rep.db-journal

MD5 0d3e99204c6401ea499fe9e6d9855497
SHA1 09829f00ca458eab7374d5079393a2cd69a2348a
SHA256 63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca
SHA512 8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

/data/data/com.ude03.weixiao30/databases/rep.db

MD5 d25bf3160dedceacbe7b357d4702bd0f
SHA1 0d85473cff76145e89386dae3beac89bdc8ebe26
SHA256 558be0042846aeae571aa199436ce1319b89e829200ca3ed26a826dd83fff4bc
SHA512 645e88ce5255f090b74bc7116d5acf47dac89b5337afd8b728941b1936f96b666e80fe92abc121a0f3612647dc8c93b619dddde1c3d4aecfd61453ef9c4a280a

/data/data/com.ude03.weixiao30/databases/rep.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ude03.weixiao30/databases/rep.db-wal

MD5 c27b8bf98ce2dee338dc8d29c8b8c9a0
SHA1 5a1a2c8e86b0ee19ea0dc93ee188874fe7599365
SHA256 fe236451a64375021d97b4f8581fec2988b5761279e278c7f3a6876bc2fba9da
SHA512 14792ab5c115f3a02bb2a4fb3aa1ab47592caaf06d481cb1aa9a3d0d5a2519d760f95b4282227afd39557bb4f38a0c2465ea64feb2491b354a929461440c551b

/data/data/com.ude03.weixiao30/files/ofld/ofl_location.db-journal

MD5 e9194c0f12866c21f1937d150b9a7699
SHA1 7efe1bf53d25ca54285b6d30ed160cbdb34bd2c3
SHA256 29d68e9a4363d3a8a70251a25f91ffa3a8e657de90d89226c3f0e9b3dcd36e31
SHA512 7bd4b854c0ad76bc8a40dc5038dfabb2ad3639b3b38fa481ebdaf93f2925462d9be596ebcccfa8fb27a70e55a07c3c51b0672a8ac722b7a8a761cf0e61d4ca0a

/data/data/com.ude03.weixiao30/files/ofld/ofl_location.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ude03.weixiao30/files/ofld/ofl_location.db-wal

MD5 ef8235b0826d94131e080b0bc52663ac
SHA1 ddea95024fffb623c47d13d0a9962c752a41e698
SHA256 bd4255e6cc22b2e17baec65d6e8870b39f6d76bd073548f7e50d9c053f3876c1
SHA512 0dfc83e7e73e7f0e5c5ef9a4bec18b84be66b95445bcdf66fb73f2acaa3dce151551eb38f977dc00d890cc02d9eb36182fff5886c1c91f52ccb24cefe7783069

/data/data/com.ude03.weixiao30/files/ofld/ofl_statistics.db-journal

MD5 a25408a7af2d0cb0c27c1199e49a2afa
SHA1 e54af7650732a5814adbf2fcfeee5694b01bef13
SHA256 0f334426519649e5d90168a2288b976fb7e764f76cbce1e461990b0f6b2c1484
SHA512 223314b1b62c8850e814b2610404b92bbac07f82bb36cf643863137ec1d68008ef0b9c4843cd1d4caac06e491a4e913b8b208f903e914b083b632d7aec18c649

/data/data/com.ude03.weixiao30/files/ofld/ofl_statistics.db-wal

MD5 1f9342827ee1abc8ea0a2230f7a2ca89
SHA1 e4754345e2cc06d86dacb81444e9dc74268e55a1
SHA256 5e9e76fef47f474fa156f002d6ab21a5de36aeab16ece6313ef08a3ee3afd07b
SHA512 6623ccdfea12fe0ea19dbf77b00a7c0ac76d08f407777236bd445b83f4fd60551cf0c990f002742c2ab71d215a601416837bd9e0fa55663b223d6142fb2ca86c

/data/data/com.ude03.weixiao30/files/lldt/firll.dat

MD5 f8cf5f6033039436be0c09820d11e104
SHA1 67e7c36685c7a3f3e63bcd6ff3a4cf0cad955643
SHA256 07c9fb99f940a158f02a519534ea22d6febaac191b964cebe765ad228113fef8
SHA512 9c1b30bdad3ab0ce57c8591b9872431726e6551f2a6e3d254d7b96ac881cc4325ec330e5585571f06adb11c74cede52541bffcdac8c746ff055f2b5dc82c72f2

/storage/emulated/0/baidu/tempdata/lcvif.dat

MD5 a40343f2cc2ba4a34d44e95d889a70f2
SHA1 4b83fc32ce606de06b1f35be47ece9ca0ebedb6d
SHA256 e954b41cf0d4b3f9448d52e30ddbce9b31f60cd8c894bbac7a67d435f48e5f42
SHA512 50d8f1af2ee8fa0f7acbe14e96eaa82fd919a10b92a711adb955b2aa4ace3b856928b854017e7a778a0796ded5fa6e3b8f8b4fc5f26238cb5fd904897d5a4f8c

/storage/emulated/0/Android/data/com.ude03.weixiao30/files/baidu/tempdata/llg.dat

MD5 161557b06b4a4d3ce095528dea370eb7
SHA1 8bfe9c4d916fe58d856b5a6ecaf8cd9ea4df2c9f
SHA256 f054ef19481234ee5b2db1d1c681839dab235a857ed3a4bc02efa8f785f478d4
SHA512 96ce8aedbdbb387438efc86aaabd13a6378628bfae203d2bc25ea1cd7daa6ddbd6dd2c81d631fbdc9b653a93011d3c80f0c085580275b683d5e0bce077e6e449

/storage/emulated/0/Android/data/com.ude03.weixiao30/files/baidu/tempdata/llg.dat

MD5 efd2e92fcf7f2a35b9865927a29f5607
SHA1 3804ca2b91e5d919de8bc1983a280863f8013fe7
SHA256 0851766bf8cf17768adea9d7b65ca7edbd054d61d4cff9bec3d39ef5e73e7953
SHA512 40be269116a6ed811d95d36ab8ff5b240cbfccda5378a86a4c61b8ac1188a0d937ce55d9d9a46392f81afcff6b755a5ff1e1fdc34debd056b773a4a1e81ccdfb

/storage/emulated/0/Android/data/com.ude03.weixiao30/files/baidu/tempdata/conlts.dat

MD5 8d80bc8ea90e9cac010d3ddf97bda5f5
SHA1 f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07
SHA256 f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93
SHA512 9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

/storage/emulated/0/Android/data/com.ude03.weixiao30/files/baidu/tempdata/conlts.dat

MD5 34a8d9d9f8bd7680d5061ccbd92a9761
SHA1 c08bbde9fe1eda5583d925f049a7ce59c50001b4
SHA256 cca0a2f02ceebc37581ce370c1f5e5be35f98f169041dec423c589f4a13df6de
SHA512 36fe412b571aa8ee6363b62ae71871c31b15d4049192df61ca33abe3913a82f46c11638e0e7ec4b95453f94aab3bec4df6102867277a6f57a558df449f5fb0a3

/data/data/com.ude03.weixiao30/files/ofld/ofl.config

MD5 66a3038eb94edba0066a9645dbe36283
SHA1 327cb23f4f25c65d3691a665c75d9ad521135be8
SHA256 0a9dee735ba694c49e95faebc03616862eab70e2d344c24433390b2749ed3dbf
SHA512 ce986a8e44e9ce231dfc5e9a3bb841cc4392b0bdf2ee52b4dc9de9d60d52ae5d006e667c172be65ab11865200ce1b187099f0c5dd829fe9992ad51cb1111ef72

/storage/emulated/0/Android/data/com.ude03.weixiao30/files/baidu/tempdata/llg.dat

MD5 c8e3820a2902e2f0e966fb5bcb02398b
SHA1 48a96699430b3e43c1261eaefa9a4deab8c14976
SHA256 8c5701caa4ec9f78a58b09abedc0c6ae8eeaf2d838c613b31060301383c3b72a
SHA512 325f54ec0f15a3b872952c3781ef22d45a3e8af95ed2844f2ec316204f4da92b170b408fc45f14e1b196c6ca0f7c0f921dde6457fc14e9612657a08b57f336b8

/storage/emulated/0/Android/data/com.ude03.weixiao30/files/baidu/tempdata/llg.dat

MD5 7dd18e14a8cc71c773b5da8bead450f6
SHA1 8cb935af43da2a727e684eccee2b806c0d2e7065
SHA256 b5a3ff0a66286e632852ef59b2c30ac85f4f0c65682b7f67a1eeaf2438059d5e
SHA512 c31f515e800fd104f9144780c44ee970cd22c257e30bad8ee9f862703fe17ab07e2462bd6f416eb078f198fdc7a5e88ad2941918b0cf7c08f572c523f411e6bd

/storage/emulated/0/Android/data/com.ude03.weixiao30/files/baidu/tempdata/llg.dat

MD5 2e78dc9940e152c324ad4706ed83f87f
SHA1 a6415715e8e65b78ee9757cf4bf317eb2ba3ed98
SHA256 dd77af8b08f73d6fd0d7ab9d4f4219f7c12d0cf707db075a10aaafda9db62ca7
SHA512 c9d8e1376cf440bf095fe0db625e08a27028676cb8d5af8e6c9cd5326994809b1c27e97cbabc47343af3a372a4cb7d6090b8feb700cb09a2a8ef823919b55021