Analysis Overview
SHA256
f4192402915d000ca1389cc24c6cb7b7245372a10d1735b3a2b7c3a2479eff18
Threat Level: Likely malicious
The file 58849c5a9eb5285b444a1f0ea8827d0d_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted
Checks CPU information
Queries information about the current Wi-Fi connection
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks if the internet connection is available
Requests dangerous framework permissions
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 04:21
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 04:21
Reported
2024-05-19 04:24
Platform
android-x86-arm-20240514-en
Max time kernel
63s
Max time network
130s
Signatures
Checks if the Android device is rooted
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.itianpin.sylvanas
Network
Files
/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:crashlytics/66497E5D03D4-0001-10D1-621B277DFD3BBeginSession.cls_temp
/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:crashlytics/66497E5D03D4-0001-10D1-621B277DFD3BSessionApp.cls_temp
/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:crashlytics/66497E5D03D4-0001-10D1-621B277DFD3BSessionOS.cls_temp
/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:crashlytics/66497E5D03D4-0001-10D1-621B277DFD3BSessionDevice.cls_temp
/data/data/com.itianpin.sylvanas/files/umeng_it.cache
/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp
/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap
/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_37447cb3-46f6-4f88-860b-e9193592b6ec_1716092510705.tap
/data/data/com.itianpin.sylvanas/files/.um/um_cache_1716092571186.env