Malware Analysis Report

2025-01-19 04:51

Sample ID 240618-kqw44awcpc
Target bad861f273403532bff062f27e1da977_JaffaCakes118
SHA256 0b40b14c589ce7afb3e51b172f11ca46616c4dacc2e8260e985aa8b6a5095f06
Tags collection discovery evasion impact persistence
Score 7/10

Analysis Overview

Score 7/10

SHA256 0b40b14c589ce7afb3e51b172f11ca46616c4dacc2e8260e985aa8b6a5095f06

Threat level: shows suspicious behavior

The file bad861f273403532bff062f27e1da977_JaffaCakes118 was found to show suspicious behavior. The score aggregates the signatures listed below; no single signature in this report is conclusive on its own.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Requests dangerous framework permissions

Reads information about phone network operator

Makes use of the framework's foreground persistence service

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

The tactic tags attached to each signature below (collection, discovery, evasion, impact, persistence) are the ATT&CK Mobile tactics the sandbox mapped them to.

Analysis: static1

Detonation Overview

Reported

2024-06-18 08:48

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

These three permissions line up with the behavioral1 findings: READ_PHONE_STATE is what gates the phone-number (MSISDN) and network-operator queries, and ACCESS_COARSE_LOCATION is required for the ITelephony.getCellLocation call recorded there.
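All three permissions above are at protectionLevel dangerous, so the first static triage step worth automating is reading the requested permissions out of the decoded manifest and separating the dangerous ones from normal-level ones. The Python below is an added example written for this page, not code from the sandbox or from the analysed app. The manifest it parses is constructed to mirror the three listed permissions plus a few extra cases (a maxSdkVersion-limited request and a uses-permission-sdk-23 element), and the DANGEROUS table is a hand-picked excerpt of Android's dangerous permissions, not the complete platform list.

```python
"""Static triage of a decoded AndroidManifest.xml: list every requested
permission and report which ones are protectionLevel "dangerous" for a given
device API level. Added example, not part of the report or the analysed app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
MAXSDK_ATTR = f"{{{ANDROID_NS}}}maxSdkVersion"

# Assumption: hand-maintained excerpt of Android's dangerous permissions,
# keyed to their runtime permission group. Extend as needed; it is not complete.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.CAMERA": "CAMERA",
}

# Constructed manifest: the three permissions from the static1 table, one
# normal-level permission, one maxSdkVersion-limited request and one
# uses-permission-sdk-23 element. Not extracted from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.zerdsoft.haoxuesi">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
  <application android:label="x">
    <service android:name=".Svc" android:process=":emulator"/>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return [(name, max_sdk_or_None, sdk23_only)] for every permission request."""
    root = ET.fromstring(manifest_xml)
    out = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if not name:
                continue
            max_sdk = el.get(MAXSDK_ATTR)
            out.append((name, int(max_sdk) if max_sdk else None, tag.endswith("sdk-23")))
    return out


def dangerous_permissions(manifest_xml, device_api=33):
    """Dangerous permissions the app would actually hold on a device at device_api.

    Requests with maxSdkVersion below device_api are ignored by the platform
    and dropped here; uses-permission-sdk-23 entries only apply from API 23."""
    found = {}
    for name, max_sdk, sdk23_only in requested_permissions(manifest_xml):
        if name not in DANGEROUS:
            continue
        if max_sdk is not None and max_sdk < device_api:
            continue
        if sdk23_only and device_api < 23:
            continue
        found[name] = DANGEROUS[name]
    return found


def permission_groups(manifest_xml, device_api=33):
    """Runtime permission groups the user would be prompted for."""
    return sorted(set(dangerous_permissions(manifest_xml, device_api).values()))


if __name__ == "__main__":
    for name, max_sdk, sdk23 in requested_permissions(SAMPLE_MANIFEST):
        print(f"{name}  maxSdk={max_sdk}  sdk23only={sdk23}")
    print("dangerous @ API 33:", dangerous_permissions(SAMPLE_MANIFEST))
    print("dangerous @ API 28:", dangerous_permissions(SAMPLE_MANIFEST, device_api=28))
```

Run it against the output of `apktool d` (the decoded manifest) or `aapt dump xmltree`-style output converted to XML. Note that on a modern device the maxSdkVersion="28" request for WRITE_EXTERNAL_STORAGE vanishes, which is why the function takes the device API level as input rather than reading the manifest in isolation.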

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 08:48

Reported

2024-06-18 08:52

Platform

android-x86-arm-20240611.1-en

Max time kernel

15s

Max time network

130s

Command Line

com.zerdsoft.haoxuesi:emulator

Signatures

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

A foreground service is also the standard way for a legitimate app to keep long-running work alive; the evasion/persistence tags reflect that the system is reluctant to kill such a service, not evidence of intent by itself.

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Cipher.doFinal alone does not distinguish encryption of user data from an SDK protecting its own config or traffic; the Files section below records only three writes, all under zerdsoft-named paths, and no mass rewriting of user files.

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Reading /proc/cpuinfo is a common emulator/environment fingerprinting step, but native libraries also read it to select CPU features, so it is not conclusive on its own.

Processes

com.zerdsoft.haoxuesi:emulator

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | mob.adwhirl.com | udp
US | 1.1.1.1:53 | www.umeng.com | udp
US | 1.1.1.1:53 | aos.gw.youmi.net | udp
CN | 59.82.29.162:80 | www.umeng.com | tcp
CN | 59.82.29.163:80 | www.umeng.com | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 59.82.29.248:80 | www.umeng.com | tcp
CN | 59.82.29.249:80 | www.umeng.com | tcp
CN | 59.82.31.154:80 | www.umeng.com | tcp
CN | 59.82.31.160:80 | www.umeng.com | tcp
CN | 59.82.31.210:80 | www.umeng.com | tcp
CN | 59.82.31.92:80 | www.umeng.com | tcp
CN | 59.82.31.95:80 | www.umeng.com | tcp
CN | 59.82.60.43:80 | www.umeng.com | tcp
CN | 59.82.60.44:80 | www.umeng.com | tcp
CN | 59.82.112.112:80 | www.umeng.com | tcp
US | 1.1.1.1:53 | www.umeng.co | udp

The 224.0.0.251:5353 row is mDNS multicast and the 1.1.1.1:53 rows are the sandbox's DNS lookups; the only sustained traffic is plaintext HTTP (port 80) to www.umeng.com. mob.adwhirl.com and aos.gw.youmi.net were resolved but never connected to within the run, and 216.58.201.110:443 was contacted with no hostname recorded.
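Reading the table by eye hides two things a practitioner wants immediately: which names were only resolved versus actually connected to, and which connections were plaintext. The Python below is an added example, not part of the report; it re-types the table above as its input and summarises it. The column handling (a row with three fields means no hostname was associated with the destination) is an assumption about how this report lays out its rows.

```python
"""Summarise a sandbox network-contacts table: names only looked up, hosts
actually connected to, plaintext HTTP endpoints, and destinations with no
hostname attached. Added example, not part of the report."""
from collections import defaultdict

# Constructed input: the behavioral1 Network table re-typed as
# "country destination [domain] proto" lines.
NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mob.adwhirl.com udp
US 1.1.1.1:53 www.umeng.com udp
US 1.1.1.1:53 aos.gw.youmi.net udp
CN 59.82.29.162:80 www.umeng.com tcp
CN 59.82.29.163:80 www.umeng.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 59.82.29.248:80 www.umeng.com tcp
CN 59.82.29.249:80 www.umeng.com tcp
CN 59.82.31.154:80 www.umeng.com tcp
CN 59.82.31.160:80 www.umeng.com tcp
CN 59.82.31.210:80 www.umeng.com tcp
CN 59.82.31.92:80 www.umeng.com tcp
CN 59.82.31.95:80 www.umeng.com tcp
CN 59.82.60.43:80 www.umeng.com tcp
CN 59.82.60.44:80 www.umeng.com tcp
CN 59.82.112.112:80 www.umeng.com tcp
US 1.1.1.1:53 www.umeng.co udp
"""

MULTICAST_PREFIX = "224."  # 224.0.0.0/4 is multicast (mDNS lives at 224.0.0.251)


def parse_rows(text):
    """Parse table lines into dicts. Assumption: a 3-field row has no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # blank or malformed line
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarise(rows):
    """Split lookups from connections and flag plaintext / unnamed destinations."""
    dns_lookups = set()            # names seen in port-53 UDP rows
    contacted = defaultdict(set)   # hostname -> {"ip:port", ...} actually connected to
    plaintext_http = []            # (hostname, "ip:port", country) on tcp/80
    unresolved_ips = []            # connections with no hostname attached
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"]:
                dns_lookups.add(r["domain"])
            continue
        if r["ip"].startswith(MULTICAST_PREFIX):
            continue  # mDNS / link-local multicast, not an external contact
        key = f'{r["ip"]}:{r["port"]}'
        if r["domain"]:
            contacted[r["domain"]].add(key)
        else:
            unresolved_ips.append(key)
        if r["port"] == 80 and r["proto"] == "tcp":
            plaintext_http.append((r["domain"], key, r["country"]))
    return {
        "dns_lookups": sorted(dns_lookups),
        "contacted": {h: sorted(v) for h, v in contacted.items()},
        "looked_up_never_connected": sorted(dns_lookups - set(contacted)),
        "plaintext_http": plaintext_http,
        "unresolved_ips": unresolved_ips,
    }


if __name__ == "__main__":
    summary = summarise(parse_rows(NETWORK_TABLE))
    for k, v in summary.items():
        print(f"{k}: {v}")
```

The "looked up but never connected" bucket is worth keeping separate when turning a report into IOCs: a name that was only resolved may have been contacted after the capture window ended (the kernel run here was 15 s, the network capture 130 s), or the connection may have failed, and either way it is weaker evidence than an observed TCP session.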

Files

/storage/emulated/0/zerdsoft/zerdsoftea02.smc

MD5 29be29506a4c4974fd0b43292cef6cb0
SHA1 ad218443a2ef87a7b10139912c60e97aafd8edf7
SHA256 8e76342ffcffe00d122aa6d6d7223e7c44c33b17bbc1dde8af545b9cfe8b747d
SHA512 326d7de2dc99bc8aa6450129a14f6e4597fbc2d137e0183641f577e23e294b1f0b43451fe836b395ec245a912187228d16224b75f98d50c71c144756a22d5f30

/data/data/com.zerdsoft.haoxuesi/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

MD5 89bbfe8bf4b315f65b1fb343654698ee
SHA1 2270719f67403e0bcb6e4f757b62f7869d6fd201
SHA256 9d19a2653cebd98378faf6189712bba80d53af5a1699f47ac773398f479fc8be
SHA512 5e43ef05c8122984b14265ed852d84c78ba457864e1970a16563a91443c85ff53ab7f456bbd51c01c7ca11c25140c3b53ebf215a1c6b6a0e594abc716e1f3ead

/data/data/com.zerdsoft.haoxuesi/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA (same path as above, recorded again with different content hashes, so the file was written more than once during the run)

MD5 444dcff94349a15fd51691d591f9fce8
SHA1 eac521c472f9583ccf89d6dee19c73433a86f1f9
SHA256 5e223e57598bc0fcd4853c53a9dfe68dd321875c88e3947737e48cd7af5fb783
SHA512 0a9a8bd6f4b858ffade8dc7e722a688bf6af02ab0eaa4423d49a06c58ad29c0a40709a76e2597228f2d3d1595b963555eebe13047df95a11f474cc621af1566a