Malware Analysis Report

2025-01-19 04:52

Sample ID 240618-jky6tsxfrj
Target ba8686c4476af5942f47245af8455cda_JaffaCakes118
SHA256 639871e1bcacdbd954940e0066220ae5c0beb80a66a0a907bb8458a713ad17e7
Tags
collection discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file ba8686c4476af5942f47245af8455cda_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about the current Wi-Fi connection

Reads information about the phone network operator

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 07:44

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x64-arm64-20240611.1-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x64-arm64-20240611.1-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:47

Platform

android-x86-arm-20240611.1-en

Max time kernel

151s

Max time network

168s

Command Line

cn.jingling.motu.photowonder

Signatures

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

cn.jingling.motu.photowonder

cn.jingling.motu.photowonder.post

getprop ro.miui.ui.version.name

getprop ro.product.name

getprop ro.miui.ui.version.name

getprop ro.product.name

cn.jingling.motu.photowonder:vsservice

Network


Files

/data/data/cn.jingling.motu.photowonder/app_dextor/chance_ad_dx.jar

/data/data/cn.jingling.motu.photowonder/app_dextor/mobisage_ad_dx.jar

/data/data/cn.jingling.motu.photowonder/files/libprocmox_v1_3.so

/storage/emulated/0/Android/data/cn.jingling.motu.photowonder/cache/uil-images/journal.tmp

/storage/emulated/0/baidu/.cuid

/data/data/cn.jingling.motu.photowonder/app_license

/data/data/cn.jingling.motu.photowonder/files/__local_last_session.json

/data/data/cn.jingling.motu.photowonder/databases/key_value_cache.db-journal

/data/data/cn.jingling.motu.photowonder/databases/key_value_cache.db

/data/data/cn.jingling.motu.photowonder/databases/key_value_cache.db-shm

/data/data/cn.jingling.motu.photowonder/databases/key_value_cache.db-wal

/data/data/cn.jingling.motu.photowonder/files/__local_stat_cache.json

/data/data/cn.jingling.motu.photowonder/files/__local_stat_cache.json

/data/data/cn.jingling.motu.photowonder/files/__local_stat_cache.json

/data/data/cn.jingling.motu.photowonder/files/__local_stat_cache.json

/data/data/cn.jingling.motu.photowonder/files/__local_last_session.json

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x64-arm64-20240611.1-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x86-arm-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x86-arm-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.204.67:443 | | tcp
GB | 142.250.178.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 07:44

Reported

2024-06-18 07:44

Platform

android-x86-arm-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A