Malware Analysis Report

2024-10-19 13:11

Sample ID: 240618-hmg5na1gqh
Target: bb2de25e537542f093009b6aadc57198_JaffaCakes118
SHA256: 5021f2b565e786d7030ed2db6839b9274f2512e91f96ee536fc7173d70d0f205
Tags: collection credential_access discovery evasion impact persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file bb2de25e537542f093009b6aadc57198_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: collection credential_access discovery evasion impact persistence

Checks if the Android device is rooted.

Checks Android system properties for emulator presence.

Requests cell location

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported: 2024-06-18 06:51

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 06:51
Reported: 2024-06-18 06:54
Platform: android-x86-arm-20240611.1-en
Max time kernel: 166s
Max time network: 188s

Command Line

com.yewang.beautytalk

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A
Accessed system property key | ro.product.model | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yewang.beautytalk

com.yewang.beautytalk:ipc

io.rong.push

/system/bin/sh -c getprop

getprop

com.yewang.beautytalk:EmulatorCheckService

/system/bin/sh -c getprop

getprop

/system/bin/sh -c type su

/system/bin/sh -c getprop

getprop

/system/bin/sh -c type su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | internal.faceunity.com | udp
US | 1.1.1.1:53 | internal.faceunity.com | udp
US | 47.254.56.66:6443 | internal.faceunity.com | tcp
US | 1.1.1.1:53 | stats.cn.ronghub.com | udp
GB | 8.208.8.123:443 | stats.cn.ronghub.com | tcp
US | 1.1.1.1:53 | api.dongtu.com | udp
CN | 47.98.65.108:1443 | api.dongtu.com | tcp
US | 47.254.56.66:6443 | internal.faceunity.com | tcp
US | 1.1.1.1:53 | api.sobot.com | udp
CN | 203.107.41.32:443 | api.sobot.com | tcp
US | 47.254.56.66:6443 | internal.faceunity.com | tcp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:443 | log.umsns.com | tcp
CN | 203.107.41.32:443 | api.sobot.com | tcp
US | 47.254.56.66:6443 | internal.faceunity.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | nav.cn.ronghub.com | udp
GB | 8.208.102.120:80 | nav.cn.ronghub.com | tcp
CN | 59.110.174.122:8000 | | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 59.110.174.122:8000 | | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 14.22.7.140:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp
CN | 119.147.179.152:80 | android.bugly.qq.com | tcp
CN | 14.22.7.199:80 | android.bugly.qq.com | tcp

Files

/data/data/com.yewang.beautytalk/databases/my-db-journal
/data/data/com.yewang.beautytalk/databases/my-db
/data/data/com.yewang.beautytalk/databases/my-db-shm
/data/data/com.yewang.beautytalk/databases/my-db-wal
/data/data/com.yewang.beautytalk/cache/image/journal.tmp
/data/data/com.yewang.beautytalk/databases/Bqmm.db-journal
/data/data/com.yewang.beautytalk/databases/Bqmm.db
/data/data/com.yewang.beautytalk/databases/Bqmm.db-shm
/data/data/com.yewang.beautytalk/databases/Bqmm.db-wal
/data/data/com.yewang.beautytalk/databases/bugly_db_-journal
/data/data/com.yewang.beautytalk/app_crashrecord/1004
/data/data/com.yewang.beautytalk/databases/bugly_db_
/data/data/com.yewang.beautytalk/databases/bugly_db_-shm
/data/data/com.yewang.beautytalk/databases/bugly_db_-wal
/data/data/com.yewang.beautytalk/app_crashrecord/1004
/data/data/com.yewang.beautytalk/files/sobot_chat_log/sobot_chat_20240618_log.txt
/data/data/com.yewang.beautytalk/tinker_server/111_version.info
/data/data/com.yewang.beautytalk/databases/bugly_db_-wal