Analysis Overview
SHA256
6751d123db9e9b26253b16e961afa0ba3662690e8182e714a4d05950e67788fb
Threat Level: Likely malicious
The file 25c5c07564fbd738c35d5eb529dfb860_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Checks CPU information
Queries information about the current Wi-Fi connection
Tries to add a device administrator.
Reads information about phone network operator.
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Checks if the internet connection is available
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-05-08 16:43
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 16:43
Reported
2024-05-08 16:46
Platform
android-x86-arm-20240506-en
Max time kernel
3s
Max time network
130s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Processes
com.onion.lock
logcat -d -v raw -s AndroidRuntime:E -p com.onion.lock
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | update.apksj.com | udp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| CN | 59.82.29.163:80 | www.umeng.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| CN | 59.82.29.248:80 | www.umeng.com | tcp |
| CN | 59.82.29.249:80 | www.umeng.com | tcp |
| CN | 59.82.31.154:80 | www.umeng.com | tcp |
| CN | 59.82.31.160:80 | www.umeng.com | tcp |
| CN | 59.82.112.112:80 | www.umeng.com | tcp |
| CN | 59.82.60.44:80 | www.umeng.com | tcp |
| CN | 59.82.31.95:80 | www.umeng.com | tcp |
| CN | 59.82.60.43:80 | www.umeng.com | tcp |
| CN | 59.82.31.92:80 | www.umeng.com | tcp |
| CN | 59.82.31.210:80 | www.umeng.com | tcp |
| US | 1.1.1.1:53 | www.umeng.co | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 16:43
Reported
2024-05-08 16:46
Platform
android-x64-20240506-en
Max time kernel
15s
Max time network
148s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Checks if the internet connection is available
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.onion.lock
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | update.apksj.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.42:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| GB | 216.58.204.78:443 | | tcp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| GB | 216.58.201.98:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-08 16:43
Reported
2024-05-08 16:46
Platform
android-x64-arm64-20240506-en
Max time kernel
126s
Max time network
134s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Tries to add a device administrator.
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator.
Processes
com.onion.lock
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 142.250.200.38:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.226:443 | | tcp |
| US | 1.1.1.1:53 | update.apksj.com | udp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| CN | 59.82.29.163:80 | www.umeng.com | tcp |
| CN | 59.82.29.248:80 | www.umeng.com | tcp |
| CN | 59.82.29.249:80 | www.umeng.com | tcp |
| GB | 216.58.204.68:443 | | tcp |
| GB | 216.58.204.68:443 | | tcp |
| CN | 59.82.31.154:80 | www.umeng.com | tcp |
| CN | 59.82.31.160:80 | www.umeng.com | tcp |
| GB | 172.217.169.46:443 | | tcp |
| GB | 216.58.204.66:443 | | tcp |
| CN | 59.82.31.210:80 | www.umeng.com | tcp |
| CN | 59.82.31.92:80 | www.umeng.com | tcp |
| CN | 59.82.31.95:80 | www.umeng.com | tcp |
| CN | 59.82.60.43:80 | www.umeng.com | tcp |
| CN | 59.82.60.44:80 | www.umeng.com | tcp |
| CN | 59.82.112.112:80 | www.umeng.com | tcp |
| US | 1.1.1.1:53 | www.umeng.co | udp |
Files
/data/user/0/com.onion.lock/files/mobclick_agent_cached_com.onion.lock
| Hash | Value |
|---|---|
| MD5 | 277fc77edaa0bcdf22db128adc639b0a |
| SHA1 | 2e4489963594fe24bf4d4ecdcd659fa08040e887 |
| SHA256 | 3d76362e9563040539563757bca7bd97f8f88c53c6c74e1fbdc98ead1ab3ea85 |
| SHA512 | 9205521042eb9645f85d7656295909b82be2979c2594ac64a8ec87c9443ae031a12c7ea78f5142db290d4b999d838b6b161fecdfb76292c0934d2bdbdd7cb9b7 |