Analysis Overview
SHA256
b9e7fb383c21308a930c82e206497390824d40ffc63b5f705889212f26a7a359
Threat Level: Shows suspicious behavior
The file 53a516db611a3d600f12155b01e1ff74_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Requests dangerous framework permissions
Checks if the internet connection is available
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 07:41
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. Not a runtime ("dangerous") permission on Android 6.0 and later: it is a special app-op grant that the user must enable through Settings.ACTION_MANAGE_WRITE_SETTINGS, so its presence in the manifest does not mean the app holds it. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to write to external storage. Has no effect for apps targeting API 30 or later (scoped storage), so on the android-33 platform used in behavioral2 it grants nothing. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 07:41
Reported
2024-05-18 07:44
Platform
android-x86-arm-20240514-en
Max time kernel
34s
Max time network
168s
Command Line
Signatures
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call. A Cipher.doFinal call is also how a packer decrypts its embedded DEX before loading it, which fits the .jiagu drop recorded under Processes and Files below; on its own it is not evidence that user data is being encrypted. | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.xmoo.noface
chmod 755 /data/user/0/com.xmoo.noface/.jiagu/libjiagu.so
chmod 755 /data/user/0/com.xmoo.noface/.jiagu/libjiagu.so
/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.xmoo.noface/.jiagu/classes.dex --dex-file=/data/data/com.xmoo.noface/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.xmoo.noface/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| US | 1.1.1.1:53 | f.appjiagu.com | udp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| GB | 142.250.178.3:443 | | tcp |
| GB | 142.250.187.228:443 | www.google.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |
Files
/data/data/com.xmoo.noface/.jiagu/libjiagu.so
| MD5 | acd3a64e22c56dc0628edd7615a74ab4 |
| SHA1 | ec22ef7fa9dca4b475af2724d483bda140370ca7 |
| SHA256 | c57cffd4175fcd618f29d48eeba1b8b30e2bfd4ce9e05c6c5b0bc4378914d008 |
| SHA512 | ec93027efd827742d3f9db70c4d4aba51e817191ff888aa2337939f2ce518b98f1c1f7ed3d49d25d3bff47738f68ead6348b1b309c54a17e18c4460cc2142e3e |
/data/data/com.xmoo.noface/.jiagu/classes.dex
| MD5 | f963850443b343123a5521b7100a9eb1 |
| SHA1 | 9841b70f218bedd0026c3f585a0698da1c8a86e7 |
| SHA256 | d6d066261ef4ef0a86ad6c9556e5ab01619f90dd4a9020227fce469f4fabc864 |
| SHA512 | 3450cdbac91812273c4fd92a96ef3ab1080169e8ba42a5bf855af46197170d4bdc2f7f0008861ab0ccb6171ed9b3d5c3e1996ed87b7e1c115fbbb5f93cda3233 |
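Read together, the Processes, Network and Files sections above describe runtime unpacking: a native loader (libjiagu.so) is made executable inside a hidden .jiagu directory in the app's private data, a classes.dex that did not ship in the APK is dropped beside it, dex2oat is invoked on that DEX, and the app resolves and contacts f.appjiagu.com. The dropped DEX is usually the unpacked application code worth pulling and decompiling; the APK's own classes.dex is only the packer stub. The following triage helper is an added example, not part of this report or of any sandbox product: it applies that reasoning to (kind, value) event tuples. The event list is a constructed transcription of the sections above, and the APP_DATA, PACKER_PATH and PACKER_DOMAINS patterns are the editor's assumptions about what to match.

```python
"""Added triage helper: spot runtime unpacking (here, the Jiagu packer) in
Android sandbox events and point the analyst at the dropped DEX.
Not part of the report or of any sandbox product; SAMPLE_EVENTS is a
constructed transcription of the Processes/Files/Network sections."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumption: app-private storage is /data/data/<pkg>/ or /data/user/<n>/<pkg>/
APP_DATA = re.compile(r"/data/(?:data|user/\d+)/([A-Za-z0-9_.]+)/")
# Assumption: packer markers are the hidden .jiagu dir, libjiagu*.so and its host
PACKER_PATH = re.compile(r"/\.jiagu/|libjiagu(?:_64)?\.so$")
PACKER_DOMAINS = {"f.appjiagu.com"}

Event = Tuple[str, str]  # ("process", cmdline) | ("file", path) | ("dns", domain)


@dataclass
class Finding:
    package: Optional[str] = None
    dropped_dex: List[str] = field(default_factory=list)   # DEX compiled out of app-private storage
    packer_paths: List[str] = field(default_factory=list)  # paths matching PACKER_PATH
    packer_domains: Set[str] = field(default_factory=set)


def dex_inputs_from_dex2oat(cmdline: str) -> List[str]:
    """--dex-file inputs of a dex2oat command line. 'a.dex!classes2.dex' is ART's
    multidex notation for an entry inside container a.dex, so keep the container."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dex2oat"):
        return []
    seen: List[str] = []
    for arg in argv[1:]:
        if arg.startswith("--dex-file="):
            path = arg.split("=", 1)[1].split("!", 1)[0]
            if path not in seen:
                seen.append(path)
    return seen


def _paths_in(cmdline: str) -> List[str]:
    """Absolute-path tokens of a command line, with '--flag=' and '!entry' stripped."""
    out: List[str] = []
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            tok = tok.split("=", 1)[1]
        tok = tok.split("!", 1)[0]
        if tok.startswith("/"):
            out.append(tok)
    return out


def _note_path(f: Finding, path: str) -> None:
    m = APP_DATA.search(path)
    if m and f.package is None:
        f.package = m.group(1)
    if PACKER_PATH.search(path) and path not in f.packer_paths:
        f.packer_paths.append(path)


def triage(events: List[Event]) -> Finding:
    f = Finding()
    for kind, value in events:
        if kind == "process":
            # A .dex that ART compiles out of app-private storage was written by the
            # app at runtime, not shipped in the APK under /data/app: the unpacked payload.
            for dex in dex_inputs_from_dex2oat(value):
                if dex.endswith(".dex") and APP_DATA.search(dex) and dex not in f.dropped_dex:
                    f.dropped_dex.append(dex)
            for p in _paths_in(value):
                _note_path(f, p)
        elif kind == "file":
            _note_path(f, value)
        elif kind == "dns":
            host = value.lower().rstrip(".")
            if host in PACKER_DOMAINS:
                f.packer_domains.add(host)
    return f


def is_runtime_unpacked(f: Finding) -> bool:
    """Dropped DEX plus a packer marker (path or domain); either alone is weaker evidence."""
    return bool(f.dropped_dex) and bool(f.packer_paths or f.packer_domains)


# Constructed from the behavioral1 Processes/Files/Network sections of the report.
SAMPLE_EVENTS: List[Event] = [
    ("process", "chmod 755 /data/user/0/com.xmoo.noface/.jiagu/libjiagu.so"),
    ("process", "/system/bin/dex2oat --instruction-set=x86 "
                "--dex-file=/data/data/com.xmoo.noface/.jiagu/classes.dex "
                "--dex-file=/data/data/com.xmoo.noface/.jiagu/classes.dex!classes2.dex "
                "--oat-file=/data/data/com.xmoo.noface/.jiagu/oat/x86/classes.odex "
                "--inline-max-code-units=0 --compiler-filter=speed"),
    ("file", "/data/data/com.xmoo.noface/.jiagu/libjiagu.so"),
    ("file", "/data/data/com.xmoo.noface/.jiagu/classes.dex"),
    ("dns", "f.appjiagu.com"),
    ("dns", "www.google.com"),
]

if __name__ == "__main__":
    finding = triage(SAMPLE_EVENTS)
    print("package:", finding.package)
    print("runtime unpacked:", is_runtime_unpacked(finding))
    print("pull and decompile:", finding.dropped_dex)
```

The dropped-DEX check is deliberately packer-agnostic: any DEX that dex2oat compiles out of /data/data or /data/user is code the app wrote after install, so the helper still flags samples that use a different packer or a hand-rolled DexClassLoader drop. The .jiagu, libjiagu and f.appjiagu.com markers are only what ties this particular sample to that packer, and a benign dex2oat run over /data/app/<pkg>/base.apk produces no finding.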
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 07:41
Reported
2024-05-18 07:44
Platform
android-33-x64-arm64-20240514-en
Max time kernel
7s
Max time network
132s
Command Line
Signatures
Processes
com.xmoo.noface
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.100:443 | | udp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.35:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| GB | 142.250.179.227:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| US | 34.104.35.123:80 | | tcp |
| GB | 142.250.179.227:443 | | udp |
| GB | 216.58.201.100:443 | | udp |
| GB | 142.250.180.4:443 | | udp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
Files
/data/user/0/com.xmoo.noface/.jiagu/libjiagu_64.so
| MD5 | 50132c32a26a923539d8e33982584fc0 |
| SHA1 | 627d770948b0df82024a67e8c6e2d24e02c6af42 |
| SHA256 | 3e29e52a3139ae44e7ce621c3d9bfb9584bfc3280be727b9ead2ae64f831f258 |
| SHA512 | adac859261d2b8e868578e941dfa639eff1a4ee95e2930e3b0899db3ff06d31b35eb612c302132e46abbf87611cfbe9f487b0d8f30c403398e8561abfd3a05e9 |