Malware Analysis Report

2025-05-06 01:30

Sample ID 241103-xs7d3a1kbw
Target 8d0a4a004388280bbdd4063de723f626_JaffaCakes118
SHA256 9345c977450df097a332f964e4eaa12a3091e4d54db2b19359cfca27fc6c712d
Tags
banker collection discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 8d0a4a004388280bbdd4063de723f626_JaffaCakes118 was classified as: shows suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries information about the current nearby Wi-Fi networks

Queries information about running processes on the device

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-03 19:08

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 19:08

Reported

2024-11-03 19:10

Platform

android-x86-arm-20240624-en

Max time kernel

130s

Max time network

131s

Command Line

com.lolaage.tbulu.tools

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A (observed 15 times)

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A (observed 3 times)

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A (observed 8 times)

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A (observed 10 times)

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A (observed 2 times)

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A (observed 4 times)

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A (observed 12 times)

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.lolaage.tbulu.tools

com.lolaage.tbulu.tools:push

com.lolaage.tbulu.tools:remote (13 instances)
