Malware Analysis Report

2025-01-19 04:52

Sample ID: 240618-nx7qyssbmc
Target: bbc39f755b123ae1d1a2f8ed279badd3_JaffaCakes118
SHA256: 3f8f6d307ff497b21fa48ecef396bd76e632f2fc7ac3a2f6963d737a9d5608bf
Tags: collection discovery evasion impact persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 3f8f6d307ff497b21fa48ecef396bd76e632f2fc7ac3a2f6963d737a9d5608bf

Threat Level: Likely malicious

The file bbc39f755b123ae1d1a2f8ed279badd3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Loads dropped Dex/Jar

Requests cell location

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported: 2024-06-18 11:47

Signatures

Requests dangerous framework permissions

Indicator: Description (Process/Target: N/A for every row)
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_BACKGROUND_LOCATION: Allows an app to access location in the background.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECORD_AUDIO: Allows an application to record audio.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 11:47
Reported: 2024-06-18 11:50
Platform: android-x86-arm-20240611.1-en
Max time kernel: 8s
Max time network: 131s

Command Line

com.mobile.kadian

Signatures

Checks if the Android device is rooted.

Category: evasion
Indicators:
  /system/app/Superuser.apk
  /sbin/su

Loads dropped Dex/Jar

Category: evasion
Indicators:
  /data/data/com.mobile.kadian/mix.dex (5 identical entries)

Queries information about running processes on the device

Category: discovery
Indicators:
  Framework service call: android.app.IActivityManager.getRunningAppProcesses

Requests cell location

Category: collection discovery evasion
Indicators:
  Framework service call: com.android.internal.telephony.ITelephony.getCellLocation

Queries information about active data network

Category: discovery
Indicators:
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

Category: discovery
Indicators:
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Listens for changes in the sensor environment (might be used to detect emulation)

Category: evasion
Indicators:
  Framework API call: android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events)

Category: persistence
Indicators:
  Framework service call: android.app.IActivityManager.registerReceiver (2 identical entries)

Uses Crypto APIs (Might try to encrypt user data)

Category: impact
Indicators:
  Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information

Indicators:
  File opened for read: /proc/cpuinfo

Checks memory information

Indicators:
  File opened for read: /proc/meminfo

Processes

com.mobile.kadian

/system/bin/sh -c getprop ro.board.platform

sh -c getprop ro.yunos.version

getprop ro.board.platform

getprop ro.yunos.version

/system/bin/sh -c type su

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.mobile.kadian/mix.dex --output-vdex-fd=50 --oat-fd=53 --oat-location=/data/data/com.mobile.kadian/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

com.mobile.kadian:pushcore

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      -                                   udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53            android.bugly.qq.com                udp
CN       119.147.179.152:80    android.bugly.qq.com                tcp
US       1.1.1.1:53            log.umsns.com                       udp
CN       59.82.29.162:443      log.umsns.com                       tcp
US       1.1.1.1:53            cloud.xdrig.com                     udp
US       1.1.1.1:53            i.tddmp.com                         udp
CN       116.198.14.3:443      cloud.xdrig.com                     tcp
CN       116.196.71.30:80      i.tddmp.com                         tcp
GB       142.250.187.206:443   -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.187.238:443   android.apis.google.com             tcp
GB       172.217.169.10:443    -                                   tcp
(- : no domain recorded for that connection)

Files

/data/data/com.mobile.kadian/databases/bugly_db_legu-journal
/data/data/com.mobile.kadian/databases/bugly_db_legu
/data/data/com.mobile.kadian/databases/bugly_db_legu-shm
/data/data/com.mobile.kadian/databases/bugly_db_legu-wal
/data/data/com.mobile.kadian/mix.dex

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-18 11:47
Reported: 2024-06-18 11:50
Platform: android-33-x64-arm64-20240611.1-en
Max time kernel: 9s
Max time network: 180s

Command Line

com.mobile.kadian

Signatures

Loads dropped Dex/Jar

Category: evasion
Indicators:
  /data/data/com.mobile.kadian/mix.dex

Checks memory information

Indicators:
  File opened for read: /proc/meminfo

Processes

com.mobile.kadian

Network

Country  Destination           Domain                              Proto
GB       172.217.169.36:443    -                                   udp
GB       172.217.169.36:443    -                                   udp
GB       172.217.169.36:443    -                                   tcp
BE       173.194.76.188:5228   -                                   tcp
GB       172.217.16.228:443    -                                   tcp
N/A      224.0.0.251:5353      -                                   udp
GB       216.58.212.234:443    -                                   udp
GB       216.58.212.234:443    -                                   tcp
GB       216.58.212.195:443    -                                   tcp
US       1.1.1.1:53            remoteprovisioning.googleapis.com   udp
GB       172.217.169.42:443    remoteprovisioning.googleapis.com   tcp
US       162.159.61.3:443      -                                   tcp
US       162.159.61.3:443      -                                   tcp
GB       216.58.212.227:443    -                                   tcp
US       162.159.61.3:443      -                                   udp
GB       216.58.212.227:443    -                                   udp
GB       172.217.169.36:443    -                                   udp
GB       142.250.179.228:443   -                                   udp
GB       142.250.179.228:443   -                                   tcp
GB       142.250.179.228:443   -                                   tcp
(- : no domain recorded for that connection)

Files

/data/user/0/com.mobile.kadian/databases/bugly_db_legu-journal (6 entries)
/data/user/0/com.mobile.kadian/databases/bugly_db_legu
/data/data/com.mobile.kadian/mix.dex
/data/user/0/com.mobile.kadian/app_bugly/tomb_1718711277549.txt
/data/user/0/com.mobile.kadian/app_bugly/rqd_record.eup (2 entries)