Malware Analysis Report

2025-01-19 04:50

Sample ID 240617-yxz18asdnd
Target b9d0de0efe5f6915f19945835e7d1931_JaffaCakes118
SHA256 e5fe8436ba552efc5624313afbac9ec1833651d9fddda9945428667db5eac2ff
Tags
collection discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file b9d0de0efe5f6915f19945835e7d1931_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Requests cell location

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Acquires the wake lock

Queries information about the current Wi-Fi connection

Queries information about active data network

Queries the mobile country code (MCC)

Reads information about phone network operator

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-06-17 20:10

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-17 20:10

Reported

2024-06-17 20:10

Platform

android-x64-arm64-20240611.1-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 20:10

Reported

2024-06-17 20:13

Platform

android-x86-arm-20240611.1-en

Max time kernel

175s

Max time network

141s

Command Line

cn.com.autoclub.android.browser

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call (4 entries) | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call (3 entries) | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call (2 entries) | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call (2 entries) | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call (2 entries) | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cn.com.autoclub.android.browser

cn.com.autoclub.android.browser:pushservice

cn.com.autoclub.android.browser:remote

cn.com.autoclub.android.browser:push

Network

Files

/data/data/cn.com.autoclub.android.browser/databases/autoclub.db-journal

/data/data/cn.com.autoclub.android.browser/databases/autoclub.db

/data/data/cn.com.autoclub.android.browser/databases/autoclub.db-shm

/data/data/cn.com.autoclub.android.browser/databases/autoclub.db-wal

/data/data/cn.com.autoclub.android.browser/databases/mofang_data_analysis.db-journal

/data/data/cn.com.autoclub.android.browser/databases/mofang_data_analysis.db-shm

/data/data/cn.com.autoclub.android.browser/databases/mofang_data_analysis.db-wal

/data/data/cn.com.autoclub.android.browser/databases/rong_version-journal

/data/data/cn.com.autoclub.android.browser/databases/rong_version

/data/data/cn.com.autoclub.android.browser/databases/rong_version-shm

/data/data/cn.com.autoclub.android.browser/databases/rong_version-wal

/storage/emulated/0/Android/data/cn.com.autoclub.android.browser/files/RongCloud/cache/journal.tmp

/data/data/cn.com.autoclub.android.browser/databases/cdn.db-journal

/data/data/cn.com.autoclub.android.browser/databases/cdn.db-shm

/data/data/cn.com.autoclub.android.browser/databases/cdn.db-wal

/storage/emulated/0/Android/data/cn.com.autoclub.android.browser/cache/okCache/journal.tmp

/data/data/cn.com.autoclub.android.browser/databases/HttpLogDB.db-journal

/data/data/cn.com.autoclub.android.browser/databases/HttpLogDB.db-wal

/data/data/cn.com.autoclub.android.browser/files/weibo_sdk_aid1

/storage/emulated/0/baidu/tempdata/conlts.dat

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 20:10

Reported

2024-06-17 20:10

Platform

android-x86-arm-20240611.1-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 20:10

Reported

2024-06-17 20:10

Platform

android-x64-20240611.1-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A