Malware Analysis Report

2024-10-19 13:10

Sample ID 240617-zl98gstdlg
Target b9fb792680a42cc975db16a84f7c159b_JaffaCakes118
SHA256 3392dfc6855d3fb0fb4b0eb21605372fbb82dd2a6e0116037d819a8f46e0f24f
Tags
discovery evasion impact persistence collection credential_access
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file b9fb792680a42cc975db16a84f7c159b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Checks if the Android device is rooted.

Checks known Qemu pipes.

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Checks known Qemu files.

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 20:49

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 20:49

Reported

2024-06-17 20:52

Platform

android-x86-arm-20240611.1-en

Max time kernel

126s

Max time network

183s

Command Line

connect.app.sunsea

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

connect.app.sunsea

/system/bin/sh -c getprop

getprop

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 aylasunsea-cloud.sunseaiot.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp

Files

/data/data/connect.app.sunsea/databases/MessageStore.db-journal

/data/data/connect.app.sunsea/databases/MessageStore.db

/data/data/connect.app.sunsea/databases/MessageStore.db-shm

/data/data/connect.app.sunsea/databases/MessageStore.db-wal

/data/data/connect.app.sunsea/databases/MsgLogStore.db-journal

/data/data/connect.app.sunsea/databases/MsgLogStore.db-wal

/data/data/connect.app.sunsea/databases/bugly_db_-journal

/data/data/connect.app.sunsea/databases/bugly_db_-wal

/data/data/connect.app.sunsea/app_crashrecord/1004

/storage/emulated/0/Android/data/connect.app.sunsea/cache/data-cache/journal.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 20:49

Reported

2024-06-17 20:52

Platform

android-x64-arm64-20240611.1-en

Max time kernel

125s

Max time network

184s

Command Line

connect.app.sunsea

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A
N/A /data/local/xbin/su N/A N/A
N/A /data/local/bin/su N/A N/A
N/A /data/local/su N/A N/A
N/A /system/xbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

connect.app.sunsea

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 aylasunsea-cloud.sunseaiot.com udp
GB 142.250.178.4:443 tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
GB 216.58.201.110:443 tcp
GB 216.58.212.194:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.212.228:443 www.google.com tcp

Files

/data/user/0/connect.app.sunsea/databases/MessageStore.db-journal

/data/user/0/connect.app.sunsea/databases/MessageStore.db

/data/user/0/connect.app.sunsea/databases/MsgLogStore.db-journal

/data/user/0/connect.app.sunsea/databases/MsgLogStore.db

/data/user/0/connect.app.sunsea/databases/bugly_db_-journal

/data/user/0/connect.app.sunsea/databases/bugly_db_

/data/user/0/connect.app.sunsea/app_crashrecord/1004

/storage/emulated/0/Android/data/connect.app.sunsea/cache/data-cache/journal.tmp (deleted)