Malware Analysis Report

2025-08-11 00:00

Sample ID 240518-xh6d1sab5t
Target 56474618182fc7c90f9aa12841dbf6f6_JaffaCakes118
SHA256 0ad83fb33fcef5413c1038f4d1190f7b90f394eaa90571b93c1a9daa4fd5e7d1
Tags
discovery evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0ad83fb33fcef5413c1038f4d1190f7b90f394eaa90571b93c1a9daa4fd5e7d1

Threat Level: Shows suspicious behavior

The file 56474618182fc7c90f9aa12841dbf6f6_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 18:52

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 18:52

Reported

2024-05-18 19:01

Platform

android-x86-arm-20240514-en

Max time kernel

64s

Max time network

130s

Command Line

com.lutongnet.kalaok2

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Processes

com.lutongnet.kalaok2

Network

Country Destination Domain Proto
GB 142.250.200.14:443 tcp
N/A 224.0.0.251:5353 udp
CN 61.144.222.72:8480 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 216.58.204.67:443 tcp
CN 223.109.148.179:80 alog.umeng.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.lutongnet.kalaok2/files/mobclick_agent_cached_com.lutongnet.kalaok2

MD5 a2183773cf233266e7b43001d673cdd7
SHA1 c527e7c769aaa69c67e3ea7de0581aa1226c2505
SHA256 9d246546fd050d81cd683390be863cfdb2b2baddc85c63330028e274d65f094e
SHA512 d1fc7b24c0124f8c7f2b060f5fe201a4677f6d23422481455ef5feb8f4b018520a98b3946cb55de4f7eb282f9658e9f99acf6fb33b985deca87960f69f1b3c70