Analysis Overview
SHA256
9cf542903232785e6719f05d0773b0b5a494edea45a335336a82691ce6027cbb
Threat Level: Known bad
The file 2c75049f9e6a498b23efe9c793c3d43d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Queries information about the current Wi-Fi connection
Checks CPU information
Acquires the wake lock
Checks if the internet connection is available
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 00:31
Signatures
Privateloader family
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 00:31
Reported
2024-05-10 00:34
Platform
android-x86-arm-20240506-en
Max time kernel
126s
Max time network
149s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.mobigrow.canyouescape4
com.mobigrow.canyouescape4:ngds
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | pushnode.gameservice.com | udp |
| US | 13.248.169.48:6225 | pushnode.gameservice.com | tcp |
| US | 1.1.1.1:53 | stats.unity3d.com | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| US | 13.248.169.48:6225 | pushnode.gameservice.com | tcp |
| US | 13.248.169.48:6225 | pushnode.gameservice.com | tcp |
Files
/storage/emulated/0/.ngdslog/com.mobigrow.canyouescape4/pushv2_part_one.log
| MD5 | 6d80846efaaef9941da9bcb022556e1c |
| SHA1 | add058064ccfb60b3af73ca91ab5b936309db866 |
| SHA256 | b9f8ac7fd15316393f7a7c637e08f685fcfe1a62451542e96ec98d5407440c8c |
| SHA512 | cfd893fbb8f876f73b9ae1c38c65a6c83ab9dafc79258251fbe5e76263a3dd3be9c093b1ef56f29997a3d9dda2e20356c1e7791864586adeacd30c2a3daae2ce |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 00:31
Reported
2024-05-10 00:34
Platform
android-x64-20240506-en
Max time kernel
128s
Max time network
153s
Command Line
Signatures
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.mobigrow.canyouescape4
com.mobigrow.canyouescape4:ngds
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | pushnode.gameservice.com | udp |
| US | 76.223.54.146:6225 | pushnode.gameservice.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 216.58.212.206:443 | | tcp |
| GB | 172.217.16.226:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 76.223.54.146:6225 | pushnode.gameservice.com | tcp |
| US | 76.223.54.146:6225 | pushnode.gameservice.com | tcp |
Files
/storage/emulated/0/.ngdslog/com.mobigrow.canyouescape4/pushv2_part_one.log
| MD5 | 0f637b29ed72269f9f4c78872d3f7219 |
| SHA1 | 17765b35cd0984e812bda76f39acbbb4102e3bf7 |
| SHA256 | 5bc85f799f81d98cca9a680df92fd365554ffd0f9eeb3922eca0390cfa75a3b0 |
| SHA512 | b5bd6899d6bc86e6d5dfaafedfeb2d173edf3649050f9542054442f73898e5c907f036b38cfe84c9db43f8b427d196e7e41509b54bc3ec53a13c4d5e301deb01 |