Analysis Overview
SHA256
064e31868539641c9b89e144f6de53737a15c5375425ab13e6637e6057b23332
Threat Level: Likely malicious
The file 020a9064d3819a0293940a4f0b36dd2a_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Makes use of the framework's Accessibility service
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Loads dropped Dex/Jar
Tries to add a device administrator.
Acquires the wake lock
Requests dangerous framework permissions
Reads information about phone network operator.
Declares broadcast receivers with permission to handle system events
Declares services with permission to bind to the system
Checks if the internet connection is available
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-04-27 00:51
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-27 00:51
Reported
2024-04-27 00:54
Platform
android-x86-arm-20240221-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/dehzrmmuephxt.jlspwknqzylvykca/files/5a411ce47ea10.apk | N/A | N/A |
Tries to add a device administrator.
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
dehzrmmuephxt.jlspwknqzylvykca
ls /sbin/su
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | naurrris.com | udp |
| US | 1.1.1.1:53 | myyron.com | udp |
| US | 1.1.1.1:53 | bodgerr.com | udp |
| US | 1.1.1.1:53 | kafffr.com | udp |
| US | 1.1.1.1:53 | falldaa.com | udp |
| US | 1.1.1.1:53 | imarrland.com | udp |
| US | 1.1.1.1:53 | pettross.com | udp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 1.1.1.1:53 | doovver.com | udp |
| US | 1.1.1.1:53 | hoboos.com | udp |
| US | 1.1.1.1:53 | valkityter.com | udp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
| US | 208.100.26.245:443 | pettross.com | tcp |
Files
/data/data/dehzrmmuephxt.jlspwknqzylvykca/files/5a411ce47ea10.apk
| MD5 | 156441057e307e0dbca6186b3a31c608 |
| SHA1 | 55146784fb0e2c92746194569d7922aca40e860d |
| SHA256 | 4842519dd8325f030fae94aec3da4a764d60610ea72e736212ce8c78b8221fb3 |
| SHA512 | a0f787d30e6d5c99a0990a94d8b68b330d5038519a3ef56eb44de60daa4ae8c3ce8ab5b0892da607835b31c766a5434261a279bf650b87ad6ea22c7fc4ececbd |
/data/user/0/dehzrmmuephxt.jlspwknqzylvykca/files/5a411ce47ea10.apk
| MD5 | 9778e03c60275524d3649ce5c92b6618 |
| SHA1 | cd7242a2d6ac8e923061612a2d300012e65ec4c4 |
| SHA256 | b8d887b0ba0e951714eaa73b9b033dd4aab86ceef3dd698d07ccb676cf3aae1f |
| SHA512 | c5bd221b820465eff85ff573c30a7137b5654016e90a7806aaa386797f6bb5ca8562bc8057f0f10d7a801a1effc5707c868c3547696fba6c62312271e576fe49 |
/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-journal
| MD5 | e0560a2121128f22dd3e5e12508350eb |
| SHA1 | dab00bd8db4d9f32f7a30c2b5273cdc70c4e4dcc |
| SHA256 | b921fabf0a14143e3bbc5eb819ca1ab6f8ca52036fb57ab324e27fe91f5fb433 |
| SHA512 | 589f99bc3830e94ed4fc93af7c30e91aee45896645b38ea8c996cb898b1d9623db72a201f47e0d555d17e9038a10bb245c222e7e9ceef32937a21d1b3ab8269d |
/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main
| MD5 | dafdb8d45d05821439f16ccb1907909d |
| SHA1 | 36dec7dd5c8a7e80d9cc24c30585b4ff11e8d0b0 |
| SHA256 | 6c523a4d63e99f5e17461540bf0e2944b91d85ec0170b7f9d911b29f2819251c |
| SHA512 | f2b4d3cd69aa5d797a430254920b1a5c2244cf84e35edbe70dfa8eba349cc2c37e36ff6420cbe6f6ce380fec1ad149785703efc7d1a356be1d05b298a32723b8 |
/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-wal
| MD5 | 10a3a7b4602208c16209bacc1ac7fc81 |
| SHA1 | 9c928d68c89cf04085e816249fc9ab725d314910 |
| SHA256 | e3a4aad789356ed828a2969b315b18157215e2ea29d3a3a81b1bc03309727a84 |
| SHA512 | ba8780575fb7aee14a8f61c3711aaafc663d413d75428fa2e18c798c89a29dc33d50d95c64cfb4d91726efa5c8e4528f97466c76d2c46618dfb5045e6acc9585 |
/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-wal
| MD5 | a0067c5a351eb9f60a139b429c86e148 |
| SHA1 | a6f2881d3bfa3243d7ad54aa82603740875c705e |
| SHA256 | 39c9966f10723bc430a7f4a689580b7be744fbf91a8d3146ca99a83700bfdcde |
| SHA512 | 474644a62d64e24fce17e7d2fc67980a4bcf14e322d2fcc6a21182b3c9f200bed5c5f49245d7860c1b8134a86c9f5ee1d8175deac846ef78f1b2e800e9cdba22 |
/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-wal
| MD5 | 4c0c5e8c05f184f9c46c3fd8762c1b89 |
| SHA1 | 1628e6d5410e8fb7e32d690525dc10d0775f513c |
| SHA256 | ba0bad0be561ea61f34b24feaec67808a6ecf2d8eaaea789573eecf00e31fb7d |
| SHA512 | a115bcd778b86fbfd5d3be034207cef74bd274852483db006a306bea5a1855cc161ecaac759636164090bf818467769378fffeaac5ff88cb8820c4c2eb130fc2 |
/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main
| MD5 | 53d7713c95fddd2d8976c69259594a1d |
| SHA1 | 088864004b031cc283e0202bb5664d499ceeb896 |
| SHA256 | 15d5e809605f735119ced83840be00ddf28a8eb36c0372538874dca32c84e599 |
| SHA512 | b66b8d5c49c9fab49ff57071f533a82248e52532da8538b56927ba286cd0d138bcf2b8d45480319d113d70035acc070e8c8545103fb2fc061f338715d960ee80 |
/data/data/dehzrmmuephxt.jlspwknqzylvykca/files/oat/5a411ce47ea10.apk.cur.prof
| MD5 | fdc1b25ca9b77024d4f31f36d08f8247 |
| SHA1 | 1aaa3aa2d55d936b9018353c1ee50fa7cb9152c4 |
| SHA256 | 22058ea61d1829a2c14194a58e4a6f6344a4e9eeed37d700c87e8b1ac703b8e6 |
| SHA512 | 189758c86b1dcce792174b88989f629fd2d37fdbaafb0dfa6285025ded713da25b518cb7f9ea5492ac0aa2857e783b7281aff0f5b5350ffb4d6c192aef4b7112 |