Malware Analysis Report

2025-01-19 04:51

Sample ID 240618-nh2ldswakk
Target bbadc2342f1bd97567a9fea7d612d45f_JaffaCakes118
SHA256 f32133ba50e3dcfec044c841fc4661b921e99a6734a0119d0d7f541c45eef165
Tags
collection discovery evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f32133ba50e3dcfec044c841fc4661b921e99a6734a0119d0d7f541c45eef165

Threat Level: Shows suspicious behavior

The file bbadc2342f1bd97567a9fea7d612d45f_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection discovery evasion persistence

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 11:24

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 11:24

Reported

2024-06-18 11:27

Platform

android-x86-arm-20240611.1-en

Max time kernel

25s

Max time network

131s

Command Line

com.app.tanqo

Signatures

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A

Processes

com.app.tanqo

cat /proc/cpuinfo

com.app.tanqo:remote

cat /proc/cpuinfo

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sdk.imap.baidu.com udp
HK 103.235.47.88:80 sdk.imap.baidu.com tcp
HK 103.235.47.88:80 sdk.imap.baidu.com tcp
US 1.1.1.1:53 loc.map.baidu.com udp
HK 103.235.47.89:80 loc.map.baidu.com tcp
HK 103.235.47.89:80 loc.map.baidu.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp

Files

/data/data/com.app.tanqo/files/imei.dat

MD5 748d9beeaa1899252a7365b780b95fb0
SHA1 2158cbe9044f2b138df0094615afe6616e526c9d
SHA256 59290d2d5a77605f8140feb82e44e8438115fb2f93dc56ed4c225b88c21baaa8
SHA512 cdeb0c4cebf1cc96ebda6940763a940df76120ee991bc7f003480caf055a970f16e4a19ef2ba2c56fa056d539b981e16542ec7239a7b91dd3828585bc2d1e440

/data/data/com.app.tanqo/files/imei.dat

MD5 c40cbb3b7fe3934476264f4f97a2688c
SHA1 dc6c74769b86253ee3c4de620a6557d0b80f76ec
SHA256 69dc129931e71092a3330af07b64d6a1de62ea51bc703819adae717391fa40ce
SHA512 1282a5f695eafcff1dabb659e8b02f1b2380e46808aeb7678ac74b92dc665387bf85d2857202fb717dd077e6bfbd95d7275924562bca07f8a482d6b66ec63924

/data/data/com.app.tanqo/files/channel

MD5 076e806c9f06c2146bb741ea9aaad609
SHA1 edab0b8d60c62587fab36a3619e99d08ba982eb7
SHA256 32bcebded0fb76f69437e0830ff609faeca938dd1569c54e428c2ac081f5d9eb
SHA512 5d8efc7b3d8be7efdaa4ebe1e153951ab290ac5d3e45bd05202e8c228f94f9a8ee8a44a0f21b7a0f935d9286d17a10581f8511c402a20d22309669a4a39b2f78

/data/data/com.app.tanqo/files/oem

MD5 bfe279945c6109d067bcd295b5189d86
SHA1 9969230fa9c65716f6f82a97c9ba7c7007609014
SHA256 a89151ba4b5ac0f22e96b71b963db927791d3808f5175f06ae4a60de5891bf0f
SHA512 c843adbb98d263d02ce3f9d3d9c684b9cfd8e61e8b155d8349317f122fa9089119e8eeced1a0f0f134db68a0b88ce095273acb863c86c1be6f9b8e4682eb00e9

/data/data/com.app.tanqo/files/ver.dat

MD5 ea58bedfdb6cfb48cef4fae785468b5e
SHA1 59898d4c278cd3743475a6ceec3f8cf955449fb6
SHA256 6188278802c1243a78e1db82e319137ca3416036ac835118caba00b07cfec62a
SHA512 51cb055c3a6d8a6d72555d24e47c670aa92d71ebaf12894a3f43010f64fdf26c92eac2153d114aba43ab28b67b7dcf656765f95962937fc16afda0f89cca0dfc

/data/data/com.app.tanqo/files/CMRequire.dat

MD5 25e57636aee83606d202f04f26c2913b
SHA1 1ef0ade456ba38aa31584d0fbce647d0ba74b399
SHA256 89c56da41f0046c9e733fed330d2636d623510c217f72c2d025df3343dc66783
SHA512 3a8d294b8be98abe4d18116cbf7c16d44a541d1d20dd4dfbbbf3bbd8cb7997abcbaf51790bbc1978135d888c4e89868a9a2575d9cfed65a331969de77ba07326

/data/data/com.app.tanqo/files/VerDatset.dat

MD5 caaa975d7bf4952bd5dd695ade33f1da
SHA1 119373fbb2db036712df72ec9b26c0c2840dfbb1
SHA256 d0f94264a6b5c355dbf5c0516202c732bcae471a2401542b2ca43307727a0d02
SHA512 db2acdecd236eab67cb67151032f53e51c9c04e754f3c21d74e05cacb1ea5edecbbccbd66ee760624b9cac97b8dd77f568324e8abc2b9c16aa73131db81c8b06

/data/data/com.app.tanqo/files/cfg/h/ResPack.rs

MD5 dc21b4edc571aced2aa937d173521c91
SHA1 e2960e6f71e352309991b25a44d4f7518d60f5e3
SHA256 8c896c9cc47451e0c79b3b341cf6aa14792a2aad21046ffa6ec363f37897283a
SHA512 2001b46c1449715f205da8a4a14196b1cd30f78898ec141ddbfc7d20d7e03d25438b754fda80c023e6e3d26f72e181adb2f28aadfa2a5ef10502e59c078ec2cf

/data/data/com.app.tanqo/files/cfg/l/ResPack.rs

MD5 7806e5053a46c8ebc18c2c8b46f67b58
SHA1 511d8a0e0939f004b515d591554b129b6d93b884
SHA256 f0ac8af0a9b2bc0db27c044cf7af338928a45fcd3ec48a2458dcee4f05131135
SHA512 a3adaca2e6c1ec238a203059d0aecdfe24f3a6fdcb4e88c21e6bb5353d3d6e05daf5d14024081e1b278bfd4153102293e3abe9f077caaaf7369f13b79590f4c6

/data/data/com.app.tanqo/files/cfg/h/DVHotcity.cfg

MD5 1d335013ca7d9773180867ae0705e97a
SHA1 e5658eabd7385e45f529279790a12b9c208d7709
SHA256 b560cfaca15bca257ce41cc5b25d4480ee4dad06df2121d21e804d6ee78cc9cb
SHA512 5e6384eac82149a17d5073a772770706410e21727c469f9330030258454eced07b6867b23366e7e024408706785ef74f4b0fa6ddd4952733cce110dd5b3830cf

/data/data/com.app.tanqo/files/cfg/l/DVHotcity.cfg

MD5 ae2eb9bd87feb727bf7096ba8ade8c04
SHA1 dc959ae89ef6cccbf373bd4e3741221ad5a2bc1d
SHA256 fa71ba760e1b3a7df0f4e6957cc008baa9f1533bbf743f920fc352f7f141d42b
SHA512 a5fc8d247c6d492b47829305ea455eca2eb3f38a181e36ada7b212e107cb1047bd4aa5d2a25402a69d60ab03e3bd30a8f8b5d242c30f262dd8bb52b01607b3af

/data/data/com.app.tanqo/files/cfg/l/mapstyle.sty

MD5 acacee140aba5e4a18fdfd326e722def
SHA1 53c6f3e47bf072d40e31806045db41bc8d6900c1
SHA256 a687d0612cc56090d585dc5dac7374f8b6b5c2270f354d38c50c4fdb14887439
SHA512 25af0abd326662a43fad74cce675c3c6eb5fe1fafd3f138fe8fb69809ee95986d485c5d4359f0713bee03a56d2cc48de49abeb1ac53e1ab9314bd88f0619cbd3

/data/data/com.app.tanqo/files/cfg/l/satellitestyle.sty

MD5 33146135cf68c35c8733a9f9f093d81d
SHA1 906b622cfa0aaae436409b5bd3707bea581700ce
SHA256 ccdf7c3c15ed2140f759003afc4122d269772fc13cbad36bca8c5cabdf4beee5
SHA512 17b815a3f41351740166558db47c3b8cfce911ae8af87140ec2af98d9589d1ec655a8c77c51092ee9a2c4fda94b6756435fe6f59ef047e85006029b57b3e8057

/data/data/com.app.tanqo/files/cfg/l/trafficstyle.sty

MD5 b6195b62e9932c6710b135179f4c4c22
SHA1 954b3823f6ec5d6ce2df3066c32ba7de1f9e4f0e
SHA256 1dd67d5d39b6f2c0e7763239b9b0463b38d1365c341d1c50c4250159d8c28cbc
SHA512 1bd38136abfe46eaf41498837a280584a7c0804efba497ee62edf7544e2020fbbf1fff425cef10acc4282b50456e38f1f7d6ec817578ab091276c814453a4405

/data/data/com.app.tanqo/files/cfg/l/DVDirectory.cfg

MD5 f2d3e2aa6890698cf36d3c4e3075c6d8
SHA1 96d788adc72eb08c4c72cbe933f8c5e2770522e7
SHA256 3f0a5be76f3872ce20b31f052e942b7b4d5ab77a84188ffeaa1cf28f8cc7b8a0
SHA512 648ec9e0d79a62739e12fde0c99955bc0afa472f81097798887aff665374680e5d572417b8db29efd52004c06794b301dbd3f36f7c5e57b71e8f628eadcfd5b9

/data/data/com.app.tanqo/files/cfg/l/DVVersion.cfg

MD5 d7b2c2b7a6b3005faf649099e4574066
SHA1 a1723e239e4d4120668ff9c473232656feaa31ea
SHA256 8015e5d3277c1072516bba2fc262b80351da55191dd8ec63d4dadb86499efd9b
SHA512 31d4bd54a779643fce02a3fef597e1e64dfb0730c5dce59582e1b8cf6beb494657e063fe3abbbff267e23bad9eee3a4e6b01137b3bc48f6b92def39e85182d3c

/data/data/com.app.tanqo/files/cfg/h/mapstyle.sty

MD5 9f2cb51454dca85880c73d2e20652007
SHA1 6ffa334629131a48d861c26418c8745be9da5d1a
SHA256 308eadf0a4b0719f23d43fdb857a140f084f361e6ec600ec34881cd70386c8c7
SHA512 45e6662da0bccdc3c945df7cf99515d5b95e03c927048704aa3c00dec7ed7d284d38168c6205b356ca15e7c9c7722ad6af9e7cd422ff988ee95ad015754dd1b7

/data/data/com.app.tanqo/files/cfg/h/satellitestyle.sty

MD5 cf819338ece317ed262e196ee8559920
SHA1 51fa0449076e5455da8662b7591c2a93d546608f
SHA256 3ba647a3a06077e5e9afd34ed43c936c9db90639e719439f6046891ccfae0465
SHA512 4976d7df0b90bccac497404008ad8efb6b8e6173b60f4a579bd9e1a3549089bcc23a9861dbd2ced867f9dfc27c0ee8cfbc16d92f0868f2d2806fad52d4404b60

/data/data/com.app.tanqo/files/cfg/h/trafficstyle.sty

MD5 28d2d5ad01ab7f972300fe9c1bbd136e
SHA1 c3c9861d7af8274436eda1f794fdc2ea938494ff
SHA256 812a376ab7b20b8434ae5e2086a4942ab719450df7b7af9444e0996d71a6aea2
SHA512 9aeb4cd6c34a48c4bb79dd12cc1525984204d885df1675808c85afe77ad42a4e1346d562bd095404c36524a095866d38e806e736ce66df71ce9cf4b352490ab7

/data/data/com.app.tanqo/files/cfg/h/DVDirectory.cfg

MD5 cdc4650029686d82e393023120a36dbc
SHA1 0850a6f2256470fe6adf1206c681aa5ab8bdd655
SHA256 af482880f07b7384dd1357f9e52f6f7d5b5838c6218850f6b79e5c5472a2c164
SHA512 4314d3ecb7119a123f711b19ecf8c251e29fcde532e7cc0207533c711b9a93354d6d17c1aebd36e91ff47e64d02e47704b5cfb0b738558adedb16341f1b3828d

/storage/emulated/0/baidu/tempdata/ls.db

MD5 fe644bf9ae47accfbd71fa1e06969618
SHA1 2465930b7fdcafce7053a971db30604e0c930d9a
SHA256 0679994901623e8a1338396703863fe9945b809980146bd343ab13db096c4776
SHA512 7d7ef4767e5b27adf9ffed163ff2eff605934afd40ef04cb07a1e9257e2f9062632c77f8b3045e400dad9dee90db4a849438e6f2b1a17bc185bbcff2996cd886

/storage/emulated/0/baidu/tempdata/ls.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 11:24

Reported

2024-06-18 11:27

Platform

android-x86-arm-20240611.1-en

Max time kernel

2s

Max time network

170s

Command Line

com.alipay.android.app

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Processes

com.alipay.android.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

N/A