Malware Analysis Report

2025-01-02 07:37

Sample ID 240510-ave19sgb9s
Target 2c75049f9e6a498b23efe9c793c3d43d_JaffaCakes118
SHA256 9cf542903232785e6719f05d0773b0b5a494edea45a335336a82691ce6027cbb
Tags
privateloader discovery evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9cf542903232785e6719f05d0773b0b5a494edea45a335336a82691ce6027cbb

Threat Level: Known bad

The file 2c75049f9e6a498b23efe9c793c3d43d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

privateloader discovery evasion

Privateloader family

Queries information about the current Wi-Fi connection

Checks CPU information

Acquires the wake lock

Checks if the internet connection is available

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 00:31

Signatures

Privateloader family

privateloader

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
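The rows above are what the static pass pulled out of the APK manifest. As an added example (editor's code, not part of this report or of the sample), the Python below parses a decoded AndroidManifest.xml and lists the runtime ("dangerous") and special-access permissions a triager looks at first, and also reports permissions declared more than once. The manifest, its package name, the extra benign permissions and the risk notes are constructed for illustration; the second WRITE_EXTERNAL_STORAGE declaration gated with android:maxSdkVersion is one common reason a permission appears twice, assumed here rather than confirmed from this sample. A raw APK stores the manifest as binary AXML, so decode it with apktool or aapt2 before feeding it to this parser.

```python
"""Flag runtime ("dangerous") and special-access permissions in a decoded
AndroidManifest.xml.

Added example, not from the sandbox or the sample. Assumes the manifest is
already plain XML (apktool / aapt2 output); a raw APK carries binary AXML.
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Editor's own triage notes for a handful of permissions; not an exhaustive
# or authoritative list of Android's dangerous/special permissions.
WATCHLIST = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous: write shared storage",
    "android.permission.READ_EXTERNAL_STORAGE": "dangerous: read shared storage",
    "android.permission.READ_PHONE_STATE": "dangerous: IMEI / phone number / cell info",
    "android.permission.SYSTEM_ALERT_WINDOW": "special: overlay windows (click-jacking, phishing)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "special: install other APKs",
    "android.permission.READ_SMS": "dangerous: read SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "dangerous: intercept SMS",
    "android.permission.READ_CONTACTS": "dangerous: contact harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous: precise location",
}

# Constructed manifest mirroring the permissions the static analysis reported.
# Package name and the benign extras are made up; the second
# WRITE_EXTERNAL_STORAGE declaration with maxSdkVersion is an assumed reason
# for the doubled row, not something confirmed from the sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                     android:maxSdkVersion="28"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="sample"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Every <uses-permission> / <uses-permission-sdk-23> name in document order, duplicates kept."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter()
            if el.tag in ("uses-permission", "uses-permission-sdk-23") and el.get(NAME_ATTR)]


def duplicate_declarations(manifest_xml):
    """Permissions declared more than once, mapped to how often they appear."""
    counts = Counter(declared_permissions(manifest_xml))
    return {name: n for name, n in counts.items() if n > 1}


def triage_permissions(manifest_xml):
    """Watch-listed permissions in first-seen order, each mapped to its risk note."""
    seen = dict.fromkeys(declared_permissions(manifest_xml))  # order-preserving dedupe
    return {p: WATCHLIST[p] for p in seen if p in WATCHLIST}
```

On the constructed manifest, triage_permissions returns the three permissions the report flags, and duplicate_declarations explains the doubled WRITE_EXTERNAL_STORAGE row. Against a real decoded manifest, extend WATCHLIST to whatever your triage policy cares about; the parser does not change.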

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 00:31

Reported

2024-05-10 00:34

Platform

android-x86-arm-20240506-en

Max time kernel

126s

Max time network

149s

Command Line

com.mobigrow.canyouescape4

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mobigrow.canyouescape4

com.mobigrow.canyouescape4:ngds

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | pushnode.gameservice.com | udp
US | 13.248.169.48:6225 | pushnode.gameservice.com | tcp
US | 1.1.1.1:53 | stats.unity3d.com | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 13.248.169.48:6225 | pushnode.gameservice.com | tcp
US | 13.248.169.48:6225 | pushnode.gameservice.com | tcp

Files

/storage/emulated/0/.ngdslog/com.mobigrow.canyouescape4/pushv2_part_one.log

MD5 6d80846efaaef9941da9bcb022556e1c
SHA1 add058064ccfb60b3af73ca91ab5b936309db866
SHA256 b9f8ac7fd15316393f7a7c637e08f685fcfe1a62451542e96ec98d5407440c8c
SHA512 cfd893fbb8f876f73b9ae1c38c65a6c83ab9dafc79258251fbe5e76263a3dd3be9c093b1ef56f29997a3d9dda2e20356c1e7791864586adeacd30c2a3daae2ce

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 00:31

Reported

2024-05-10 00:34

Platform

android-x64-20240506-en

Max time kernel

128s

Max time network

153s

Command Line

com.mobigrow.canyouescape4

Signatures

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mobigrow.canyouescape4

com.mobigrow.canyouescape4:ngds

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | pushnode.gameservice.com | udp
US | 76.223.54.146:6225 | pushnode.gameservice.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | - | tcp
GB | 216.58.212.206:443 | - | tcp
GB | 172.217.16.226:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 142.250.187.206:443 | - | tcp
US | 76.223.54.146:6225 | pushnode.gameservice.com | tcp
US | 76.223.54.146:6225 | pushnode.gameservice.com | tcp
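Both behavioral runs (behavioral1 and behavioral2) show the same shape: a DNS query for pushnode.gameservice.com through 1.1.1.1, then three TCP connections to the resolved address on port 6225, next to ordinary Google and Unity traffic on 443. As an added example (editor's code, not tooling from the sandbox), the Python below parses the two network tables as the report prints them, copes with rows that carry no Domain value, merges the runs, and singles out TCP endpoints on ports other than 80/443 as rule candidates, emitting a Suricata rule for each. The "non-standard port" heuristic, the port allow-list and the sid range are the editor's assumptions, not something the report states.

```python
"""Parse the sandbox network tables from both behavioral runs into IOC records.

Added example, not tooling from the sandbox. Rows are copied from the report;
the "non-standard port" heuristic and the Suricata sid range are assumptions.
"""
import re
from collections import Counter

RUN1 = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 pushnode.gameservice.com udp
US 13.248.169.48:6225 pushnode.gameservice.com tcp
US 1.1.1.1:53 stats.unity3d.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 13.248.169.48:6225 pushnode.gameservice.com tcp
US 13.248.169.48:6225 pushnode.gameservice.com tcp
"""

RUN2 = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 pushnode.gameservice.com udp
US 76.223.54.146:6225 pushnode.gameservice.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.187.206:443 tcp
GB 216.58.212.206:443 tcp
GB 172.217.16.226:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 142.250.187.206:443 tcp
US 76.223.54.146:6225 pushnode.gameservice.com tcp
US 76.223.54.146:6225 pushnode.gameservice.com tcp
"""

# Country, ip:port, optional domain, protocol. The domain must contain a dot,
# so the trailing "tcp"/"udp" token is never mistaken for one when the Domain
# column is blank.
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+))?"
    r"\s+(?P<proto>tcp|udp)$"
)


def parse_rows(raw):
    """One dict per table row; raises on a row the pattern does not understand."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable network row: {line!r}")
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def dns_lookups(records):
    """Domains the sample resolved (UDP/53 rows that carry a domain)."""
    return sorted({r["domain"] for r in records
                   if r["proto"] == "udp" and r["port"] == 53 and r["domain"]})


def suspicious_tcp(records, allowed_ports=(80, 443)):
    """TCP endpoints on ports outside the allow-list as (label, ip, port, count)."""
    hits = Counter((r["domain"] or r["ip"], r["ip"], r["port"])
                   for r in records
                   if r["proto"] == "tcp" and r["port"] not in allowed_ports)
    return sorted((name, ip, port, n) for (name, ip, port), n in hits.items())


def ioc_summary(*runs):
    """Merge runs: every resolved domain plus odd-port endpoints with connection totals."""
    domains, endpoints = set(), {}
    for run in runs:
        domains.update(dns_lookups(run))
        for name, ip, port, n in suspicious_tcp(run):
            key = f"{ip}:{port}"
            prev_name, prev_n = endpoints.get(key, (name, 0))
            endpoints[key] = (prev_name, prev_n + n)
    return {"domains": sorted(domains), "endpoints": endpoints}


def suricata_rules(summary, sid_base=9000000):
    """One alert rule per odd-port endpoint; sid_base is a local assumption."""
    rules = []
    for i, (key, (name, n)) in enumerate(sorted(summary["endpoints"].items()), 1):
        ip, port = key.split(":")
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Sandbox IOC {name} ({n} connections)"; flow:to_server; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules
```

Run it with ioc_summary(parse_rows(RUN1), parse_rows(RUN2)): the merged summary lists four resolved domains and two odd-port endpoints, 13.248.169.48:6225 and 76.223.54.146:6225, both labelled pushnode.gameservice.com with three connections each. Note that the two runs resolved the same name to different addresses, so the domain is the more durable indicator; the generated IP-based rules are a stopgap until a DNS or TLS SNI rule on the name is in place.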

Files

/storage/emulated/0/.ngdslog/com.mobigrow.canyouescape4/pushv2_part_one.log

MD5 0f637b29ed72269f9f4c78872d3f7219
SHA1 17765b35cd0984e812bda76f39acbbb4102e3bf7
SHA256 5bc85f799f81d98cca9a680df92fd365554ffd0f9eeb3922eca0390cfa75a3b0
SHA512 b5bd6899d6bc86e6d5dfaafedfeb2d173edf3649050f9542054442f73898e5c907f036b38cfe84c9db43f8b427d196e7e41509b54bc3ec53a13c4d5e301deb01