Malware Analysis Report

2025-05-06 01:30

Sample ID 241103-wkqwns1cjj
Target 8cc4d36de1acd4d4d785b3035732f762_JaffaCakes118
SHA256 c514baccac98175a0e933c13a132a1512f731cfd02aea8ceaeebe457ad00f122
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c514baccac98175a0e933c13a132a1512f731cfd02aea8ceaeebe457ad00f122

Threat Level: Likely malicious

The file 8cc4d36de1acd4d4d785b3035732f762_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted

Queries information about running processes on the device

Requests cell location

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Reads information about phone network operator

Uses Crypto APIs (might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 17:59

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
Description: Placed on a device-admin receiver so that only the system can bind to it. The APK implements a device administrator which, once the user activates it, can lock the device, enforce password policy, wipe data and make the app harder to uninstall.
Process / Target: not recorded

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Placed on an accessibility service so that only the system can bind to it. Once the user enables the service it can read screen content and inject UI actions into other apps.
Process / Target: not recorded

Indicator: android.permission.BIND_VPN_SERVICE
Description: Placed on a VpnService so that only the system can bind to it. Once the user approves the VPN, all device traffic can be routed through the app.
Process / Target: not recorded

Indicator: android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
Description: Placed on a notification listener so that only the system can bind to it. Once enabled, the app can read and dismiss every notification on the device, SMS one-time codes included.
Process / Target: not recorded

Note that the four BIND_* permissions are not requested by the app. They are signature-level permissions declared on the component itself (android:permission), and these rows only show which privileged service types the APK implements. None of them does anything until the user enables the component in Settings; the behavioral sections below do not record that enablement step.

Requests dangerous framework permissions

Indicator: android.permission.READ_PHONE_STATE
Description: Read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and the PhoneAccounts registered on the device.
Process / Target: not recorded

Indicator: android.permission.ACCESS_FINE_LOCATION
Description: Precise location. On current Android versions this permission also gates the cell-location query (getCellLocation) recorded in behavioral1.
Process / Target: not recorded

Indicator: android.permission.WRITE_SETTINGS
Description: Read or write the global system settings. Despite the heading this is not a dialog-granted "dangerous" permission; since API 23 it is a special app access the user has to toggle in Settings (Settings.ACTION_MANAGE_WRITE_SETTINGS).
Process / Target: not recorded

Indicator: android.permission.READ_EXTERNAL_STORAGE
Description: Read from shared (external) storage.
Process / Target: not recorded

Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Description: Write to shared (external) storage.
Process / Target: not recorded

Indicator: android.permission.SYSTEM_ALERT_WINDOW
Description: Create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY, drawn on top of all other apps. Like WRITE_SETTINGS this is a special app access granted through Settings (Settings.ACTION_MANAGE_OVERLAY_PERMISSION). It is the building block of overlay phishing, and together with the accessibility service above it would let the app both draw over and drive a victim app.
Process / Target: not recorded

Indicator: android.permission.CAMERA
Description: Access to the camera device.
Process / Target: not recorded
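
The static findings above are the kind of thing worth automating across a queue of APKs. The script below is an added example written for this page (it is not the sandbox's own tooling): it parses a decoded AndroidManifest.xml, splits the requested permissions into runtime ("dangerous") and special-access groups, finds services and receivers guarded by the system-only BIND_* permissions, and reports the combinations that matter. The manifest it runs on is constructed to mirror the static1 rows; the component names in it are hypothetical.

```python
"""Triage an AndroidManifest.xml for the permission profile listed under
static1: runtime ("dangerous") permissions, special-access permissions, and
components guarded by the system-only BIND_* permissions.

Added example for this page; the manifest below is constructed to mirror
the static1 findings and is not extracted from the sample.
"""
import xml.etree.ElementTree as ET

# ElementTree reports namespaced attributes in Clark notation, {uri}name.
A = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions: granted through a user dialog, revocable in Settings.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
}
# Special app access: no dialog, the user has to toggle them in Settings.
SPECIAL_ACCESS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
}
# System-only permissions placed on a component so that only the framework
# can bind to it; each one means the app implements that privileged service.
BIND_CAPABILITIES = {
    "android.permission.BIND_DEVICE_ADMIN": "device-admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility-service",
    "android.permission.BIND_VPN_SERVICE": "vpn-service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification-listener",
}


def triage_manifest(xml_text):
    """Return requested/declared capabilities and the risky combinations."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}

    components = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in BIND_CAPABILITIES:
                components.append((tag, comp.get(A + "name"), BIND_CAPABILITIES[perm]))
    caps = {c[2] for c in components}

    flags = []
    if "accessibility-service" in caps and "android.permission.SYSTEM_ALERT_WINDOW" in requested:
        flags.append("overlay+accessibility: can draw over other apps and drive their UI")
    if "device-admin" in caps:
        flags.append("device-admin: can lock/wipe the device and resist uninstall once activated")
    if "notification-listener" in caps:
        flags.append("notification-listener: can read and dismiss notifications, OTP codes included")
    if "vpn-service" in caps:
        flags.append("vpn-service: can route all device traffic through the app once approved")

    return {
        "dangerous": sorted(requested & DANGEROUS),
        "special_access": sorted(requested & SPECIAL_ACCESS),
        "components": sorted(components),
        "flags": flags,
    }


# Constructed sample manifest (hypothetical component names) mirroring static1.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".PushService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The binary manifest inside an APK has to be decoded first; `apkanalyzer manifest print app.apk` from the Android SDK command-line tools prints it as text XML that this script accepts. The point of the flags is to read permissions as combinations: an accessibility service on its own is an accessibility feature, an accessibility service plus SYSTEM_ALERT_WINDOW plus a device-admin receiver is the overlay-trojan capability set, whether or not this particular app uses it that way.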

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 17:59

Reported

2024-11-03 18:01

Platform

android-x86-arm-20240624-en

Max time kernel

146s

Max time network

156s

Command Line

com.sogou.androidtool

Signatures

Checks if the Android device is rooted

evasion
Indicators (hits): /sbin/su (6), /system/app/Superuser.apk (2)
Description, process and target: not recorded

These are file-existence probes for the classic su binary and Superuser app locations. The process list below adds a third, PATH-based probe (/system/bin/sh -c type su, run twice from the :push_service process). Root checks are just as common in legitimate apps; the analysis-relevant point is that a sample may change or withhold behaviour on a rooted image, so when re-running it on a rooted device hide these artifacts or hook the checks.

Queries information about running processes on the device

discovery
Indicators (hits): android.app.IActivityManager.getRunningAppProcesses (4)
Description: framework service call; process and target not recorded

On recent Android versions this call returns only the caller's own processes to a third-party app, so the result mainly tells the app which of its own processes are alive; it is not a usable enumeration of other apps.

Requests cell location

collection discovery evasion
Indicators (hits): com.android.internal.telephony.ITelephony.getCellLocation (4)
Description: framework service call; process and target not recorded

Returns the serving cell, a coarse location that needs no GPS fix, and is gated by the location permission listed in static1.

Queries information about active data network

discovery
Indicators (hits): android.net.IConnectivityManager.getActiveNetworkInfo (4)
Description: framework service call; process and target not recorded

Queries information about the current Wi-Fi connection

discovery
Indicators (hits): android.net.wifi.IWifiManager.getConnectionInfo (4)
Description: framework service call; process and target not recorded

Reads information about phone network operator

discovery
No indicator rows were recorded for this signature.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicators (hits): android.app.IActivityManager.registerReceiver (4)
Description: framework service call; process and target not recorded

A receiver registered with registerReceiver() lives only as long as the registering process, so this is not persistence across reboot or process death. Reboot persistence would need a manifest-declared receiver (for example for BOOT_COMPLETED), which this report does not list.

Uses Crypto APIs (might try to encrypt user data)

impact
Indicators (hits): javax.crypto.Cipher.doFinal (2)
Description: framework API call; process and target not recorded

Two Cipher.doFinal calls are what almost any app with a bundled SDK or a protected config does (token storage, push payloads, TLS helpers); on their own they are not evidence of user-data encryption. Ransomware-style behaviour would show as doFinal in a loop alongside reads and rewrites of user files in the Files section, and this run shows nothing of the kind.

Checks memory information

Indicators (hits): /proc/meminfo (2)
Description: file opened for read; process and target not recorded

Reading /proc/meminfo is a normal low-memory check but is also used for emulator and sandbox fingerprinting.
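
The signature tables in this report repeat one row per event, which hides the counts. The script below is an added example for this page (not the sandbox's own tooling): it parses the flattened "Description Indicator Process Target" layout, collapses repeated indicators into counts per signature, and classifies each indicator as a root artifact, a procfs read, a framework (binder) call or a crypto API. The input is constructed from a subset of the behavioral1 rows above; the tag vocabulary and the root-artifact list are assumptions, not something the report states.

```python
"""Collapse the flattened "Description Indicator Process Target" signature
tables of a sandbox report into per-signature indicator counts, and classify
each indicator (root artifact, procfs read, framework call, crypto API).

Added example for this page, not part of the sandbox's own tooling; the input
below is constructed from a subset of the behavioral1 rows.
"""
from collections import Counter, OrderedDict

HEADER = "Description Indicator Process Target"
# Assumed tag vocabulary: the tags used on this page plus a few likely ones.
TAGS = {"collection", "credential_access", "discovery", "evasion",
        "execution", "impact", "persistence"}
# Well-known su / Superuser locations probed by root-detection code (assumed list).
ROOT_ARTIFACTS = {"/sbin/su", "/system/bin/su", "/system/xbin/su",
                  "/system/app/Superuser.apk", "/system/app/SuperSU.apk"}


def classify(indicator):
    if indicator in ROOT_ARTIFACTS:
        return "root-artifact"
    if indicator.startswith("/proc/"):
        return "procfs-read"
    if indicator.startswith("/"):
        return "file"
    if indicator.startswith(("javax.crypto.", "java.security.")):
        return "crypto-api"
    if "." in indicator:
        return "framework-call"
    return "other"


def parse_signatures(text):
    """Return {signature: {"tags": [...], "hits": [(indicator, count, category), ...]}}.

    Layout handled: a signature name after a blank line, an optional tag line,
    the column header, then one row per event. Rows are split from the right
    (target, process, indicator), so a description containing spaces survives.
    """
    parsed = OrderedDict()
    current = None
    after_blank = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            after_blank = True
            continue
        if line == HEADER:
            after_blank = False
            continue
        tokens = line.split()
        if current is not None and set(tokens) <= TAGS:
            parsed[current]["tags"] = tokens
        elif after_blank:
            current = line
            parsed[current] = {"tags": [], "hits": Counter()}
        elif len(tokens) >= 3:
            parsed[current]["hits"][tokens[-3]] += 1   # ... indicator process target
        after_blank = False

    for entry in parsed.values():
        entry["hits"] = [(ind, n, classify(ind)) for ind, n in entry["hits"].most_common()]
    return parsed


def category_totals(parsed):
    """Total event count per indicator category across all signatures."""
    totals = Counter()
    for entry in parsed.values():
        for _, n, category in entry["hits"]:
            totals[category] += n
    return totals


# Constructed input: a subset of the behavioral1 signature rows.
SAMPLE_REPORT = """\
Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
"""

if __name__ == "__main__":
    result = parse_signatures(SAMPLE_REPORT)
    for name, entry in result.items():
        print(name, entry["tags"])
        for indicator, count, category in entry["hits"]:
            print("   %-60s %3d  %s" % (indicator, count, category))
    print(dict(category_totals(result)))
```

Splitting rows from the right is what makes this robust: the Process and Target columns are always single tokens (here N/A), and the Indicator column never contains whitespace, so whatever is left is the description. The category totals give a quick picture of a run (how much is discovery via binder calls versus root probing versus crypto) that the per-row layout does not.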

Processes

com.sogou.androidtool
    chmod 777 /data/user/0/com.sogou.androidtool/cache
    chmod 777 /data/user/0/com.sogou.androidtool/cache

com.sogou.androidtool:remote_proxy
    chmod 777 /data/user/0/com.sogou.androidtool/cache
    getprop ro.miui.ui.version.name
    getprop ro.build.version.emui

com.sogou.androidtool:push_service
    chmod 777 /data/user/0/com.sogou.androidtool/cache
    chmod 777 /data/user/0/com.sogou.androidtool/files
    /system/bin/sh -c getprop ro.board.platform
    getprop ro.board.platform
    /system/bin/sh -c type su
    /system/bin/sh -c getprop ro.board.platform
    getprop ro.board.platform
    /system/bin/sh -c type su

com.sogou.androidtool:channel
    chmod 777 /data/user/0/com.sogou.androidtool/cache

Notes on the process list:

The package runs as four processes; the :remote_proxy, :push_service and :channel suffixes are android:process names, so the push component and a "channel" component run outside the main process.

chmod 777 on the app's private cache and files directories makes them world-readable and world-writable. On older Android releases, where the package directory is still traversable by other apps, that lets any co-installed app read or replace their contents; on current releases the 0700 package directory and per-app SELinux labelling make it mostly harmless. It is a weakness in the app rather than evidence of malicious intent.

getprop ro.miui.ui.version.name and getprop ro.build.version.emui fingerprint Xiaomi MIUI and Huawei EMUI firmware, and ro.board.platform identifies the SoC. These are ordinary OEM-compatibility checks, but they also separate real devices from generic emulator images.

/system/bin/sh -c type su is the PATH-based half of the root check recorded under Signatures (the file probes for /sbin/su and /system/app/Superuser.apk are the other half).

Network

Country Destination Domain Proto Count
N/A 224.0.0.251:5353 - udp 1
US 1.1.1.1:53 defake.pingback.zhushou.sogou.com udp 1
US 1.1.1.1:53 get.sogou.com udp 1
HK 129.226.102.244:80 get.sogou.com tcp 2
US 1.1.1.1:53 mobile.zhushou.sogou.com udp 1
GB 142.250.187.206:443 - tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
GB 216.58.201.110:443 android.apis.google.com tcp 1
US 1.1.1.1:53 android.bugly.qq.com udp 3
US 1.1.1.1:53 config.push.sogou.com udp 1
CN 14.22.7.140:80 android.bugly.qq.com tcp 4
CN 14.22.7.199:80 android.bugly.qq.com tcp 3
CN 119.147.179.152:80 android.bugly.qq.com tcp 4

Duplicate rows are collapsed; Count is the number of identical rows in the capture.

Reading the table:

The Country column is the geolocation of the destination IP. For the DNS rows that is the sandbox resolver (1.1.1.1), not the queried domain.

Of the sogou.com hosts, only get.sogou.com was followed by a connection: plaintext HTTP to 129.226.102.244 (HK), twice. defake.pingback.zhushou.sogou.com, mobile.zhushou.sogou.com and config.push.sogou.com were looked up but no connection to them was recorded within the capture window.

android.bugly.qq.com is the endpoint of the Tencent Bugly crash-reporting SDK (the bugly_db_ database under Files belongs to the same SDK): 11 plaintext HTTP connections to three CN addresses, i.e. telemetry over HTTP rather than TLS.

224.0.0.251:5353 is mDNS, and 142.250.187.206 (no domain recorded) and android.apis.google.com / 216.58.201.110 are Google endpoints. This is consistent with the image's own background traffic (behavioral2 shows the same Google ranges with no app process running) and should not be attributed to the sample.
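
Sandbox network tables mix DNS lookups, connections and platform noise, so the useful questions (what was resolved but never contacted, what went out in cleartext, what is the image rather than the app) take a little processing. The script below is an added example for this page, not the sandbox's own tooling: it parses the flattened "Country Destination Domain Proto" rows, separates lookups from connections, collapses repeats per domain with the IPs and countries seen, and sets Google platform endpoints aside. The rows are constructed from a subset of the behavioral1 table above; the platform suffix list is an assumption.

```python
"""Summarise the flattened "Country Destination Domain Proto" network table of
a sandbox report: separate DNS lookups from connections, collapse repeats,
flag cleartext HTTP, and set platform background traffic aside.

Added example for this page, not the sandbox's own tooling; the rows below are
constructed from a subset of the behavioral1 network table.
"""
from collections import Counter, defaultdict

MDNS = "224.0.0.251:5353"
# Assumed: endpoints the Android image itself talks to (Play services,
# connectivity checks); behavioral2 shows them with no app process running.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com")


def parse_rows(text):
    """Return [(country, destination, domain, proto)]; domain is '' when absent."""
    rows = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "Country":
            continue
        domain = t[2] if len(t) == 4 else ""
        rows.append((t[0], t[1], domain, t[-1]))
    return rows


def triage_network(text):
    queried = set()
    conns = defaultdict(Counter)      # key -> Counter[(dest, proto, country)]
    mdns = 0
    for country, dest, domain, proto in parse_rows(text):
        if dest == MDNS:
            mdns += 1
        elif dest.endswith(":53") and proto == "udp":
            queried.add(domain)       # country on these rows is the resolver's
        else:
            conns[domain or dest][(dest, proto, country)] += 1

    out = {"mdns": mdns,
           "queried_only": sorted(queried - set(conns)),   # resolved, never contacted
           "platform": [], "unattributed": [], "cleartext": {}, "other": {}}
    for key, hits in conns.items():
        ports = {int(dest.rsplit(":", 1)[1]) for dest, _, _ in hits}
        summary = {
            "count": sum(hits.values()),
            "ips": sorted({dest.rsplit(":", 1)[0] for dest, _, _ in hits}),
            "countries": sorted({c for _, _, c in hits}),
        }
        if key.endswith(PLATFORM_SUFFIXES):
            out["platform"].append(key)
        elif ":" in key:              # connection never tied to a domain
            out["unattributed"].append(key)
        elif 80 in ports:
            out["cleartext"][key] = summary
        else:
            out["other"][key] = summary
    return out


# Constructed input: a subset of the behavioral1 network rows.
SAMPLE_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 defake.pingback.zhushou.sogou.com udp
US 1.1.1.1:53 get.sogou.com udp
HK 129.226.102.244:80 get.sogou.com tcp
HK 129.226.102.244:80 get.sogou.com tcp
US 1.1.1.1:53 mobile.zhushou.sogou.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 config.push.sogou.com udp
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_network(SAMPLE_ROWS), indent=2))
```

"queried_only" is the list to chase on a second run: a lookup with no connection usually means the name did not resolve in the sandbox, the connection fell outside the capture window, or the app gated the request on something it did not find. The cleartext group is where to look for unauthenticated update or config downloads, which is what plaintext HTTP to a get.* host would be.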

Files

All entries are SQLite databases, with their -journal, -wal and -shm sidecar files, under the app's private data directory; nothing was written to shared storage. Judging by the names, MessageStore.db and MsgLogStore.db belong to the push component that runs as :push_service, downloads_classic.db is download bookkeeping, and bugly_db_ belongs to the Tencent Bugly crash-reporting SDK whose endpoint android.bugly.qq.com appears under Network.

/data/data/com.sogou.androidtool/databases/downloads_classic.db-journal

MD5 ebd9a5c9b8079c201161bd18f8d3c1bd
SHA1 f8fd32dee4adb9077559e4ab8e5233f7f4e44f8e
SHA256 b3778e5b89aff670653122c7acb44a147b928d6948ef1f9ae1be5baa36e7bce2
SHA512 5dc181c7ce4526cdaef042464d1ee491e2f1072a15fef9660dbb3dd2308f942c75be44cae27e164a1278e18bd9449b32a3e5e57ffc749f4778f09c5ed59e9f2a

/data/data/com.sogou.androidtool/databases/downloads_classic.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.sogou.androidtool/databases/MessageStore.db-journal

MD5 ab91b0f160aa842f7f4b3f33816e747f
SHA1 53ba5c10899317a3954011c37275f7422e6ed013
SHA256 ff6e73a928738a5d84a0de9e015073f1584dd789977321dbf1d87ff0fe7fbf10
SHA512 573dae35ee73a0dc08eb64f576e1fc60fd6f97d44ee022bb284004ad5c3c7a051b63811360be352f20563741ab20ecbfa25a27d08768b57917d559e58f310871

/data/data/com.sogou.androidtool/databases/downloads_classic.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.sogou.androidtool/databases/downloads_classic.db-wal

MD5 450cb208bb5721659de4f1b8553e818a
SHA1 96b19e1c556b4a4ae49d8166a0265e8855e16a13
SHA256 4c669077f80cfb748246e9a85eb74966ea179e388ece09231880def4eee2aefd
SHA512 4ed134c532ff6bdbf570562eded7ef5b09457fb063cf068c3af575c54b4ff5b3a4d9bb05cb5c4ff23a87f85b543d689f522e655a8620824c130f45d3867ba025

/data/data/com.sogou.androidtool/databases/MessageStore.db-shm

MD5 12a9b2257e9a7a0c95a5b6dcd7d2eae1
SHA1 376d22cbc5b90ca040d86fa3d156145f9b30d46b
SHA256 863474453534927e47298ef1139dc295e89248f3fdbc1fea409766ce474ce299
SHA512 f3be79798c3537fb275f742fabebb93a33ae53d6028fe970e75983edc9e0221b10643577b25bf2c55876e7f16af55cd81b24a91a95bd357a4fb7d0320dc1ce93

/data/data/com.sogou.androidtool/databases/MessageStore.db-wal

MD5 9d4621fb694bd2fd0d782365d1c1a526
SHA1 a9e38a4334677af3138dbb447b7bcdd8e3c8e652
SHA256 70901be1101428a7ead58ba5c9733a15a7c2e096720a260a86c36c2d2d87bec9
SHA512 bc595475ea8fe1611442b19052c6f94591331cceebe49be53fdcdb88f923f47a45a0c7f1a42c937bca6700e157d96c825df0473b2529b2cbda4bf052ee91310a

/data/data/com.sogou.androidtool/databases/MsgLogStore.db-journal

MD5 09496da0d5ffda4ecfa8db6022540c6c
SHA1 c92f31216374afcada20697b7185e501318e8665
SHA256 d5072cfdf869e9698f974f0ec6f9f585cc150ecfa042f2a3daab6e08534c7a26
SHA512 6ca3fb0acfd404c792ff4e843863666b1e23ff6cabf596b38f0ddf75e12dbe6c40396b7024c739c12597da2adac9844ba05164e1112554b1cb3e6c2d03381ee1

/data/data/com.sogou.androidtool/databases/MsgLogStore.db

MD5 9061c397eb7ea97abec0e11fb97a02c8
SHA1 33c14e4b613f4351b0a1d20ba2f56ddee16dff6e
SHA256 89a97fe0a1b14f62f9a106b4f610765e6608afb0f5163d9aedea1b36d7ae9ad8
SHA512 4def31e175bb75ec4309934493ecf303d53d8fc7b63f18b31c6c35f6d0cb7c1a3b90630985ac69c96843d2a8ce82a0b096e034be6924a8c7212e945e52da68af

/data/data/com.sogou.androidtool/databases/MsgLogStore.db-shm

MD5 5dba79369ffe93a9224fa488567d4e8c
SHA1 f2e00882b608de9255da0d6a11dd4ed0e7cd95e3
SHA256 27f83f6a37fd35c604f48a567505823314d3927b1560260b2131704f0ae46c09
SHA512 2e881b4cede1a98e1628750e97aabe881d78b47b30790d38985f03e5b1b4500b4a559061621745118d004027d5ca105f32d435311d888e64a6a932386c3396c8

/data/data/com.sogou.androidtool/databases/MsgLogStore.db-wal

MD5 0a7dab6fd505702d7f93988b28a18899
SHA1 9aed5521bc96557979e542e27cddc525f0cd8a83
SHA256 30cb7ae0b6237493ae7d9832c3afe204860c144a03fdb2669f90acd1312387a5
SHA512 2629f0164d9635de6f771651a2d696cad822c4f514c5c3b06fb35876b02cb57069868677a65107483f44aa5f57ab9fb88712efbb5ac61d11d0c3ed12dcae1b66

/data/data/com.sogou.androidtool/databases/bugly_db_-journal

MD5 20aea10d47445074c7ae1c9fd74ec162
SHA1 f7f4224784a15e47b2aef0f2dacc7e228a2ff410
SHA256 4c40890bba498491b9a1f4441c01f1eff786710d42209deee362304f5f057b02
SHA512 465684ebc0d75e2895ccede3c764fb4370813ffd598992761ad8b76358511d880da5e955e3e9e5fe0c2edeb77bb77f09f0da77dd796a684bc80983b75fd80c58

/data/data/com.sogou.androidtool/databases/bugly_db_

MD5 d7c09653d28bdba7b663b0df68c2f0ef
SHA1 1af94446d39e1c07aa699a8e21e8120ae4fcfd8f
SHA256 b46a5caa2a07834e94fde714c6d683a71ede48f41b7964e0b9e3e7e57017e6ae
SHA512 0f3127a6831dd6df3cf12e0d69195394e415ab31e9ab7751e2a230be9010f0e6d436d2fb0859c70373e2192a712083134b676ecdf2b8cfe39ff26fda3f828018

/data/data/com.sogou.androidtool/databases/bugly_db_-wal

MD5 c451d70c3df15999e8dcf1b373d02091
SHA1 e4f7e768409765b077738c7d19ee4f7a19d1c7e9
SHA256 0523d1ac7ba581e26e0488c96335af693a7e265f356b43160d2fceb5931fef8f
SHA512 a98b47b487bdae10f71ff17d20814201954d9f63e12ae211ca46f8354f9cc133e9c8c067757f5fa51e1af9b7fae84ea6e819bbca0ae4d35c550470842bd9cdb4

/data/data/com.sogou.androidtool/databases/pb_db-journal

MD5 3001b912c620a54b77495db42359a641
SHA1 516bd8add595f0c4ebb6cafb9c7c4b3c4d379183
SHA256 5d5412792dca1cc71d72edc1362ad2ae75b6acb1db45315a5b7c18792740d273
SHA512 9c0095f096cde9c1e69958c6523cf9feda1498278e94d45b16c6c21ddcca018b5c255c4d9e0294e24b2898b6cf828435406f6c5585e27d135da6e24fdf1372ab

/data/data/com.sogou.androidtool/databases/pb_db

MD5 650956f5790780ebe873a98ec3c6208e
SHA1 93d153640b298e9214eca32825ec30b181f9e8ce
SHA256 36b4a521ca7add4a85d3ceffd27777e37c0c0e06c44977492e58657664d59cab
SHA512 9fcc0dd8a702424908286f597c6418516a939038d264c2d31f65dc48fc5b025d7a4c85d85a54dbaf33708b7ccb0c703c2bb0762033a6fcfe7917287c6d307449

/data/data/com.sogou.androidtool/databases/pb_db-wal

MD5 7c32834df396b83488ca24e771914b44
SHA1 baf7061040077c90326d15311681f7fd4496030c
SHA256 089357ded832d6e1676072cd39cebdf557dfc4aa099d7f94c1cfa577d2c0ce34
SHA512 425eded9936aba492b63c6cd4b7916dec5b5aa7f5c8202b578c873eb4c33cb1d84154fd0dbed379e37e57b682eeba9f5e95100fb085847cb4ea1f1054909476f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 17:59

Reported

2024-11-03 17:59

Platform

android-33-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto Count
GB 142.250.200.42:443 - udp 1
GB 142.250.200.42:443 - tcp 1
N/A 224.0.0.251:5353 - udp 1
GB 216.58.201.100:443 - udp 1
GB 216.58.201.100:443 - tcp 3

Duplicate rows are collapsed; Count is the number of identical rows in the capture.

This run recorded no command line, no signatures, no processes and no files, lasted 6 s of network time, and the only traffic is mDNS plus Google endpoints (the 443/udp rows are most likely QUIC), i.e. the image's own background traffic. The app did not execute on the API 33 arm64 image, so behavioral2 is not evidence that the sample is clean on Android 13; the verdict above rests on behavioral1 alone. The report does not record why the launch failed.

Files

N/A