Malware Analysis Report

2025-01-19 04:51

Sample ID 240618-m2wzksvckn
Target bb917ab7b73a8740f1e25e35ba5f08cc_JaffaCakes118
SHA256 1ca4a080577f193828734cdc1668ec955b1674f32000bc714460fdff3422f13e
Tags
collection discovery evasion
score
8/10

Analysis Overview

score
8/10

SHA256

1ca4a080577f193828734cdc1668ec955b1674f32000bc714460fdff3422f13e

Threat Level: Likely malicious

The file bb917ab7b73a8740f1e25e35ba5f08cc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Loads dropped Dex/Jar

Queries information about active data network

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Listens for changes in the sensor environment (might be used to detect emulation)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 10:58

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 10:58

Reported

2024-06-18 11:01

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

163s

Max time network

184s

Command Line

com.ircloud.ydh.agents.ydh02833779

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ircloud.ydh.agents.ydh02833779/.jiagu/classes.dex N/A N/A
N/A /data/user/0/com.ircloud.ydh.agents.ydh02833779/.jiagu/classes.dex!classes2.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A s.appjiagu.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.ircloud.ydh.agents.ydh02833779

Network

Country Destination Domain Proto
GB 172.217.16.228:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.68:443 udp
GB 172.217.169.68:443 tcp
GB 216.58.212.234:443 udp
GB 216.58.212.234:443 tcp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:443 log.umsns.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.201.106:443 remoteprovisioning.googleapis.com tcp
US 1.1.1.1:53 ez4q2.cn udp
CN 112.65.70.244:80 ez4q2.cn tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 142.250.200.3:443 tcp
US 172.64.41.3:443 udp
GB 142.250.200.3:443 udp
CN 59.82.29.163:443 log.umsns.com tcp
GB 172.217.169.68:443 udp
GB 142.250.179.228:443 udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 216.58.212.227:443 tcp
CN 59.82.29.248:443 log.umsns.com tcp
CN 59.82.29.249:443 log.umsns.com tcp
CN 59.82.31.154:443 log.umsns.com tcp
CN 59.82.31.160:443 log.umsns.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp

Files

/data/user/0/com.ircloud.ydh.agents.ydh02833779/.jiagu/libjiagu.so

MD5 5aea02f4e4c77fbf2e7a27f7ca9cc06b
SHA1 522db1748608e9173547b29b7aa82ddc3542c534
SHA256 5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2
SHA512 5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316

/data/user/0/com.ircloud.ydh.agents.ydh02833779/.jiagu/libjiagu_64.so

MD5 289fb443987b114ee4237b4dd97672bc
SHA1 9b898410845dfaeae3af212b5df41177ba9b8f34
SHA256 a55e9ee18285b41a4ea1bf375930a5bdb603dbfc530a3dcb224bbded14e68210
SHA512 debbf2720c9b132b5923eaa9fcb372a72a97d574bce59789d06b645925fa2d6a27473aae4c9f1e4968614d44fd98a8b0fb1eec217a595fb5c80bcfc056705508

/data/user/0/com.ircloud.ydh.agents.ydh02833779/.jiagu/classes.dex

MD5 74741f53f109c82bbc5c08625a1f7764
SHA1 5de68e03c738d4cc8af6c56d0f4a831987be2300
SHA256 005c513831bc00f8e7ebbb33e1a04f25fd95a350a91d1f59f03391cd4bba0d64
SHA512 b2af541b81103fe9fc465843b94679328626e00b5ffba77f35bc7def96207b08fc01b59fc5f4200993853c97938ce78ae5a3093b40ad686bf74987b963f13048

/data/user/0/com.ircloud.ydh.agents.ydh02833779/.jiagu/classes.dex!classes2.dex

MD5 7561e5bec28f94c91ef1cd9f6839ccdc
SHA1 822825c4d5f1f931a6c3970a65f602b2307e6014
SHA256 beb89f919aeca8dcc03099a295fcdc17952540d87790547b7c2112b06b2a7c0d
SHA512 745867306a30f5af9ddffed55f889753aa22f2e4e3dddac566abfe6850a271370ee554a7709e7e2e3a79d922f56c7cfed14ff5f80210b29bda27d13f963a3240

/data/user/0/com.ircloud.ydh.agents.ydh02833779/files/.jglogs/.jg.ri

MD5 fef1d432f786c4bd4ca400658544b23c
SHA1 5900d29e822fbb53774829f4ad5a740faddcbc29
SHA256 fa8b5276ca12f6d59c22be18b7c939c131197c7f62f33e916befb480b97eb289
SHA512 f5563a51afeee25295c3584cf3ee588223f703ac5a77a2059d9b33a3b532484631b719e521c8d7384fc377fdd068181d5b98bf5546a7fe8e32c73deee79be6f7

/data/user/0/com.ircloud.ydh.agents.ydh02833779/files/.jglogs/.jg.ri

MD5 5a3e7e8cbfe3ed440f7073d4ce056c9b
SHA1 742d322e1d58ea2ed299db3ab98da7bd7edbdb68
SHA256 8d892cc6c8bbfe07bd01ec817bfbf90138e87851c0518aeaa55e2b5d497090bc
SHA512 c3eec6848336f814c93c48c9f6a59563bbeb55444dc766fcce2ca51c9ab31455998138002a83f9748e329e5e772ff51530e918dd513e4acbf8cddea66d37df54

/data/user/0/com.ircloud.ydh.agents.ydh02833779/files/.jiagu.lock

MD5 6ee12666dcb961208008b4150f6454fe
SHA1 7f7fbf981075e7c4ec229329c05db1ab83723bc7
SHA256 62ac4e06d4d819042df7aa72879be4e993a584b63a2e2234d6c01e259b852409
SHA512 44e5f639f08dcbfa8a12d7b1c9f6c1deb658e146a97649f342ed1b06a7062863298fa58160bb385692c2125a5283da94ad028925f3998d2a8ba8cb1cfb12e36a

/data/user/0/com.ircloud.ydh.agents.ydh02833779/files/.jglogs/.jg.store.report_pid

MD5 e771d6ddce4fc9f649ec1bed749ed443
SHA1 46fd3d6959f9bf1e3cf109f75db09a17819d9713
SHA256 27113043b9b6add4f94441e528b411bebd8632f1490b70b0a742dbdf7a268de2
SHA512 dfba6d80b44e1141e6876be6f4b69f6b929653068d99e8a682848c0f169eb5fc0316d5c648a7fa5def86c3b7b84255d4f19dc0a0e9f111cb4423f508b794598d

/data/user/0/com.ircloud.ydh.agents.ydh02833779/files/.jglogs/.jg.rd

MD5 993b0e802181dbb5becb442e74409998
SHA1 8352c5be81e2608ab8f8b99d98c42eae7cbc07e5
SHA256 e106248da263a16462ff76d32dfbd82b2835e6e77977be1082deb8e22439bc95
SHA512 01fff167b318eae1104a8601ffed06c256334bcb71c7dc48876213860ea928cb2b8aeebaa569dfa67520505fe522f0c387d72a3971bc32a891d4cd58b555ad5c

/data/user/0/com.ircloud.ydh.agents.ydh02833779/files/.jglogs/.jg.ac

MD5 690861817705b3cb19bfbb9d2cee12a2
SHA1 5b0341ee59f72d3b72ef0ffb28b7a0b5f248e745
SHA256 c364add23bc1ff1d94bc003febca37699cd0408c90d7f271df4c5f8b74d5d4d0
SHA512 3ad53d3c02b00699deafaab1630afc5fee3e979b50fd5c2057c460cc63537e8367f6b3c12a651635cf66aacb5216c61ed33497525caf873ea09430525fa61ffa

/data/user/0/com.ircloud.ydh.agents.ydh02833779/files/.jglogs/.jg.ic

MD5 da52af97a5608697113963c95406a3b8
SHA1 312a8f18891da0313c0856541970dc9d70427b1c
SHA256 4d37667bf6a9affd2dc1e7096babb7c31dfbb437e2bed15c745c71fa659af4c4
SHA512 80d59e137314fc0eb7c8d4659eae09b3806b3c5a56695f18faabb633381a7df60be906ef444ebd9f11709f9f89d6111f866bacc0f5c7e4a8946a728ce5820364

/data/user/0/com.ircloud.ydh.agents.ydh02833779/files/.jglogs/.jg.ac

MD5 d825926bfb8d2c14905fa15658217234
SHA1 f7554c83d06b8da57b0c5186bb6549e5c9cae760
SHA256 3945735c4707949f6012e029034a126717ab35313bf614e9d30b8d0834090894
SHA512 41dbf2b4910ad34bea7cf4c06096177e3eef09ba5ef4aebc9d81c027be41d87bb28aa6bbd2c2dce5304d5a616337b0db64c161203d68648eadd06621d064f86b

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 10:58

Reported

2024-06-18 11:01

Platform

android-x86-arm-20240611.1-en

Max time network

137s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.4:443 tcp
GB 216.58.201.99:80 tcp
GB 216.58.201.106:443 tcp
GB 216.58.201.106:443 tcp
GB 216.58.212.234:443 tcp
GB 216.58.212.238:443 tcp
GB 172.217.169.34:443 tcp
GB 216.58.212.238:443 tcp
BE 74.125.206.188:5228 tcp
GB 142.250.179.234:443 tcp
GB 142.250.187.227:443 tcp
GB 142.250.187.227:443 tcp
GB 172.217.16.238:443 tcp
GB 142.250.187.227:443 tcp
GB 172.217.16.238:443 tcp
GB 142.250.187.227:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
GB 172.217.16.234:443 mdh-pa.googleapis.com tcp

Files

N/A