Malware Analysis Report

2025-01-19 06:59

Sample ID 240522-ld5fdaaf91
Target 66c9c2f489654bba512b837783e302ac_JaffaCakes118
SHA256 7851e04754c8797abd29e2e5d2c7f265e0469d33815b0cb70490537631773b5b
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7851e04754c8797abd29e2e5d2c7f265e0469d33815b0cb70490537631773b5b

Threat Level: Shows suspicious behavior

The file 66c9c2f489654bba512b837783e302ac_JaffaCakes118 shows suspicious behavior (score 7/10).

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Checks CPU information

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Checks if the internet connection is available

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 09:25

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 09:25

Reported

2024-05-22 09:29

Platform

android-x86-arm-20240514-en

Max time kernel

25s

Max time network

155s

Command Line

mark.via.gq

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
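The two /proc reads above are tagged evasion as well as discovery because their contents tell an app whether it is running on an emulator or a stripped-down sandbox image rather than a handset. The report records only that the files were opened, not what the sample compares them against. The Python below is an added illustration (not code from the sample, the sandbox, or this report) of the heuristics such a check typically applies, run over two constructed /proc snapshots: one resembling an x86 Android emulator and one resembling a physical arm64 handset. The marker list and the memory threshold are assumptions chosen for the example. The Platform names of the three detonations (android-x86-arm, android-x64, android-x64-arm64) suggest x86-hosted images; if so, cpuinfo there carries x86 vendor strings that a check of this kind would notice.

```python
"""Heuristics an app can derive from /proc/cpuinfo and /proc/meminfo.
Added example for the report above; the sample's own comparison logic is not known."""

# Constructed sample: /proc/cpuinfo as an x86 Android emulator image typically reports it.
# vendor_id / model name / flags lines exist only on x86; physical phones are ARM.
CPUINFO_X86_EMULATOR = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model name\t: Android virtual processor
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor
"""

# Constructed sample: a physical arm64 handset.
CPUINFO_ARM_PHONE = """\
processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer\t: 0x41
CPU architecture: 8
CPU part\t: 0xd05
Hardware\t: Qualcomm Technologies, Inc SM8250
"""

# Constructed /proc/meminfo excerpts: a small VM and a typical handset.
MEMINFO_SMALL = "MemTotal:        1024000 kB\nMemFree:          512000 kB\n"
MEMINFO_PHONE = "MemTotal:        7824960 kB\nMemFree:         1234560 kB\n"

# Hardware/model substrings commonly associated with emulators and VMs (assumption).
EMULATOR_MARKERS = ("goldfish", "ranchu", "vbox", "qemu", "virtual")
# Below this MemTotal (kB) a device looks like a VM rather than a modern phone (assumption).
MIN_HANDSET_MEM_KB = 1_500_000


def parse_procfile(text):
    """Parse 'key : value' lines into a dict; keys are lower-cased, last value wins."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip().lower()] = value.strip()
    return out


def emulator_indicators(cpuinfo, meminfo):
    """Return the list of reasons the environment looks emulated (empty = looks like a phone)."""
    cpu = parse_procfile(cpuinfo)
    mem = parse_procfile(meminfo)
    reasons = []
    if "vendor_id" in cpu:  # x86-only field; real handsets do not expose it
        reasons.append("x86 vendor_id=%s" % cpu["vendor_id"])
    if "hypervisor" in cpu.get("flags", "").split():  # CPUID hypervisor bit surfaced by the kernel
        reasons.append("hypervisor cpu flag")
    hardware = (cpu.get("hardware", "") + " " + cpu.get("model name", "")).lower()
    for marker in EMULATOR_MARKERS:
        if marker in hardware:
            reasons.append("hardware/model mentions %r" % marker)
    mem_total_kb = int(mem.get("memtotal", "0 kB").split()[0])
    if mem_total_kb < MIN_HANDSET_MEM_KB:
        reasons.append("MemTotal %d kB below handset threshold" % mem_total_kb)
    return reasons


if __name__ == "__main__":
    for label, cpu, mem in (("x86 emulator", CPUINFO_X86_EMULATOR, MEMINFO_SMALL),
                            ("arm64 phone", CPUINFO_ARM_PHONE, MEMINFO_PHONE)):
        print(label, "->", emulator_indicators(cpu, mem) or ["no indicators"])
```

Run the same function over the analysis image's own /proc/cpuinfo and /proc/meminfo to see what the sample would have seen; every hit is a property a hardened sandbox image should hide before re-detonating.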

Processes

mark.via.gq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 scs.openspeech.cn udp
CN 117.48.148.47:80 scs.openspeech.cn tcp
GB 216.58.212.227:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 data.openspeech.cn udp
CN 117.48.148.47:80 data.openspeech.cn tcp
GB 142.250.200.46:443 tcp
GB 142.250.180.2:443 tcp

Files

/data/data/mark.via.gq/databases/via-journal

MD5 53784cae45e0ddab5b7ad1a76c8b4d4f
SHA1 adc56d8df95fe2e2ae91c6a1b1ee1fd098de979f
SHA256 46f29f6d0c7dfdb1e4f521030bb7ab00271d62192ce5070150e3b17a709de1c2
SHA512 0c6b5086e977d3b66ffe80ad506e2ea88e0096ac039472fa132489bdc3ae9986cd0eb209110685075ba71967c129470619678bd861961ca44e2be0a9eadf4e04

/data/data/mark.via.gq/databases/via

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/mark.via.gq/databases/via-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/mark.via.gq/databases/via-wal

MD5 305c677f6957549a6a1d6d32c98fe18a
SHA1 8ccd991e3d868180bd8d6479f2eeffdcf547fd05
SHA256 94864fba9f7fd610bf1c01c0a63775d862e519c1cdb66dec72f34f94050b5c6b
SHA512 7d803b5cc97599833660173f03efb236747032d019abef813f403cdc6a5cb4690b56d27670a416215874cfed873b82c279b6127a78ea3ed69cfb6ce0d5211e18

/data/data/mark.via.gq/files/homepage.html

MD5 d48ccc02f532e4727897bd39d5b40ef2
SHA1 b507f56e90860728224f2f327ca8ba28d250911e
SHA256 dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0
SHA512 3f2e28e19284099a7011fcd2477b9bb48cd2f50846bfa1c23a9a28643381b45f3add4f4387b0d890fa706494df9cb400cf41f3d6495b677110a48f3da3a4e002

/data/data/mark.via.gq/files/about.html

MD5 f3ac5c210c5ee1b39ffc192f5ddee887
SHA1 fcdfc269f609b9434a83f473ad5eaa44a7faca12
SHA256 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf
SHA512 e70053d6994f18e86721cdc8edd9107c7893365340872184b4663a885e20295dbbde2af6ba8a6fdbca2f3f54d86032cd360f4b972ede51f13f11f4b7d600521a

/data/data/mark.via.gq/files/iflytek_cached_mark.via.gq

MD5 278a16a8446bb27c31fef1c6d5777cdb
SHA1 a4629eb5675defe1be5584fb2be40debe8880d85
SHA256 6f8c9662503ebed740bb246d67f11c5c97de7e1ddeaca9320a5a56fc5b9cbf7f
SHA512 9b74c214e24610727eee04ff91bf758f8967cfaf0667f6498cfebb931de40e737a11c041f064e174750ecf3955dbd523803c91eb494a9fc586e819a520005e08

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 09:25

Reported

2024-05-22 09:29

Platform

android-x64-20240514-en

Max time kernel

49s

Max time network

158s

Command Line

mark.via.gq

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

mark.via.gq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 scs.openspeech.cn udp
CN 117.48.148.47:80 scs.openspeech.cn tcp
GB 142.250.200.46:443 tcp
GB 142.250.187.194:443 tcp
US 1.1.1.1:53 data.openspeech.cn udp
CN 117.48.148.47:80 data.openspeech.cn tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp

Files

/data/data/mark.via.gq/databases/via-journal

MD5 cefb357f3947566c272573fe75c54de7
SHA1 81a527d30cabe93c126f51f7c55115a82a56ff20
SHA256 fea8066fc58f05902f4b5a314c42293d1712af5d97d39a7ea6fd06f12d4a50aa
SHA512 6f3dde1b8900da18389b1c1a13da635c9068ab56e831748f75a6bb2079ff9ce139fee9022103c1373e7b86a37682762be3a082072b8e24649edcd1c02cc32ae9

/data/data/mark.via.gq/databases/via

MD5 8b22ddafd73d169b9accb6e2b3d6a354
SHA1 c34800e45fe81c27f044ae9cbbb3ef5466c361a4
SHA256 4376bc40d06dd0f0db476a6ddae1e441308cb84684aba476626ddf535e4845ad
SHA512 55492986a32bd68df7f05c60d96ba35ddfe494dcc8854e114d3fdee21e5ff579251bc47235e6e596ef5845b39da2065ea8d82aad476870efe0eac642f795b96e

/data/data/mark.via.gq/databases/via-journal

MD5 aa377d37ab5fed330671c8ebedac822d
SHA1 e6c6f00aba49cfab5a21e0a644e48b872e1d25de
SHA256 27ce2c859e30835e111afbc05cb4fe62eca8c1c4fd68c4ab0283ec2c34e5aa35
SHA512 2ca039a74054ff88c43e422b4ece8aae6595426c3dbb2c9d0c3c5019101209129e21af7960e51eb9865666fbf9b0b8ba895328f7d48aa90adc50be4d63d4cb39

/data/data/mark.via.gq/databases/via-journal

MD5 5d48303c828e2d3aca62ec7647192514
SHA1 8acbb74ba2735e7a904a771e632c0b6c1fe7f5a1
SHA256 4d36efc253809a0f1608281e3779b1aae64943b6cb7e35c58180943f7c683d70
SHA512 8054ffe41fb8d3c4c423d42d8f2e4ddce12b20a22c196bc4cafbe92c27102b93832a397a656e6dc5db15f60695d99a669314e4d9eb57c93a0f81600357cfc199

/data/data/mark.via.gq/files/homepage.html

MD5 d48ccc02f532e4727897bd39d5b40ef2
SHA1 b507f56e90860728224f2f327ca8ba28d250911e
SHA256 dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0
SHA512 3f2e28e19284099a7011fcd2477b9bb48cd2f50846bfa1c23a9a28643381b45f3add4f4387b0d890fa706494df9cb400cf41f3d6495b677110a48f3da3a4e002

/data/data/mark.via.gq/files/about.html

MD5 f3ac5c210c5ee1b39ffc192f5ddee887
SHA1 fcdfc269f609b9434a83f473ad5eaa44a7faca12
SHA256 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf
SHA512 e70053d6994f18e86721cdc8edd9107c7893365340872184b4663a885e20295dbbde2af6ba8a6fdbca2f3f54d86032cd360f4b972ede51f13f11f4b7d600521a

/data/data/mark.via.gq/files/iflytek_cached_mark.via.gq

MD5 2c1fb4db1116928dcd4bec86ee25100c
SHA1 14add22009c3233be2a3a7b9b95f17e6d50ba8f3
SHA256 af492e6cf5673311131dd0b79f9f3bcc035c48fc787c5724dba50128df0eb880
SHA512 bec6cf9998c8a61c4c20b3456d04c4f6f2a84df2bbc8d6be23fa60b9102374d6377076bbea768a7c4fe8ff0e8f34fad9e8e71b1d188fe959c6400ecb2e0bb1ef

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 09:25

Reported

2024-05-22 09:29

Platform

android-x64-arm64-20240514-en

Max time kernel

25s

Max time network

133s

Command Line

mark.via.gq

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

mark.via.gq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 scs.openspeech.cn udp
CN 117.48.148.47:80 scs.openspeech.cn tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 data.openspeech.cn udp
CN 117.48.148.47:80 data.openspeech.cn tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/user/0/mark.via.gq/databases/via-journal

MD5 d216f086ffba61d88f08c546b76d7fa7
SHA1 14eb689bb89bdb56a322c99d9cf2836035cca5c9
SHA256 f34048b6711f3d5ce37a25747358b5b6b19d7e81be14bdb341606e82f9ad70fc
SHA512 5f3d3a2c516902873f9d1161b9837f29ac7778e76388facb65fd1dd5d25178b7d3fb3ac2a67647e027ebdfbeedc423ef513adcce6467ea94230ad94923021830

/data/user/0/mark.via.gq/databases/via

MD5 2d35aff1ca01b56baaa9cc5b750c59cd
SHA1 164c8b4816b59c93306a1512e13691331c2e82fc
SHA256 8305d50d65d94128ca6d64b033c4819d8f9bd39bf62b493513995ce9198f9f8f
SHA512 1a3b4d5057c39dce3f9ac041f56926f232fbb87583991ffbe787437512f150eb3f359c5bcc83af3ad344675efb8e83bea2c441b0fc91126cef648933d323e975

/data/user/0/mark.via.gq/databases/via-journal

MD5 801d3304c69470c23f242fe91760eb9c
SHA1 5c0353be131e4d9904ec070ebb3b3ca89080cb7e
SHA256 15199a470a3b95f44104ac6b32c5612919f1bfa8d59de182f7941a300006666d
SHA512 cac31fe6b5b5573e050673e80f7e111be28bf1a756c024aabb06825d5cbbb093c8381010541b322c9933d8d3256494b90f54fb6366c92906f498d2f6e904a143

/data/user/0/mark.via.gq/databases/via-journal

MD5 000d40ad37e49370c684c38ee0cb0c71
SHA1 e12118bd5433c76b258d5c797783219b3f734825
SHA256 856fba8ea4e8009a1dd5beb383c3a6948eb95b1fe1489e576bbdab2612408c36
SHA512 db5733662ff2ec6dd0c2a4593e690fb950fa46c17f02c706675e0830e1c199299ae615142db40a1458fe1480024e1fb6abc9d3f75a3b497c2be00c3e659569b1

/data/user/0/mark.via.gq/files/homepage.html

MD5 d48ccc02f532e4727897bd39d5b40ef2
SHA1 b507f56e90860728224f2f327ca8ba28d250911e
SHA256 dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0
SHA512 3f2e28e19284099a7011fcd2477b9bb48cd2f50846bfa1c23a9a28643381b45f3add4f4387b0d890fa706494df9cb400cf41f3d6495b677110a48f3da3a4e002

/data/user/0/mark.via.gq/files/about.html

MD5 f3ac5c210c5ee1b39ffc192f5ddee887
SHA1 fcdfc269f609b9434a83f473ad5eaa44a7faca12
SHA256 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf
SHA512 e70053d6994f18e86721cdc8edd9107c7893365340872184b4663a885e20295dbbde2af6ba8a6fdbca2f3f54d86032cd360f4b972ede51f13f11f4b7d600521a

/data/user/0/mark.via.gq/files/iflytek_cached_mark.via.gq

MD5 aaeddaca6aa5c639deb002b392cfa697
SHA1 eab4c739ae2e48d1cf4d918d2358df7bcc7eb3a9
SHA256 57b434980b64978462efb2f69460ca0805587429a02a84c5653d5adcb4233744
SHA512 929eda737440a9f78d4b3622d3de7cf81bb70ee52809a9f0ada1fa5679893cb718af321a3796a68275493a38bc322a87915565f03ffa85af1c37873e8382cbbb
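The Files sections of the three detonations show which recorded artifacts are usable as indicators: homepage.html and about.html carry identical hashes in every run, while the via SQLite database, its -journal/-wal/-shm sidecars and the iflytek cache file differ every run because they are written at runtime. The Python below is an added example (not report tooling) that checks this across runs using the paths and SHA256 values transcribed from the three Files sections. It treats /data/data/<pkg> and /data/user/0/<pkg> as the same directory, since /data/data is a symlink to /data/user/0 on multi-user Android builds; the behavioral3 run simply reported the resolved path.

```python
"""Which file hashes from a multi-run sandbox report are stable enough to use as IOCs.
Added example; the rows are the path and SHA256 pairs transcribed from the report's Files sections."""
import re
from collections import defaultdict

PKG = "mark.via.gq"

FILE_TABLE = """\
[behavioral1]
/data/data/mark.via.gq/databases/via-journal 46f29f6d0c7dfdb1e4f521030bb7ab00271d62192ce5070150e3b17a709de1c2
/data/data/mark.via.gq/databases/via 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
/data/data/mark.via.gq/databases/via-shm c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
/data/data/mark.via.gq/databases/via-wal 94864fba9f7fd610bf1c01c0a63775d862e519c1cdb66dec72f34f94050b5c6b
/data/data/mark.via.gq/files/homepage.html dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0
/data/data/mark.via.gq/files/about.html 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf
/data/data/mark.via.gq/files/iflytek_cached_mark.via.gq 6f8c9662503ebed740bb246d67f11c5c97de7e1ddeaca9320a5a56fc5b9cbf7f
[behavioral2]
/data/data/mark.via.gq/databases/via-journal fea8066fc58f05902f4b5a314c42293d1712af5d97d39a7ea6fd06f12d4a50aa
/data/data/mark.via.gq/databases/via 4376bc40d06dd0f0db476a6ddae1e441308cb84684aba476626ddf535e4845ad
/data/data/mark.via.gq/databases/via-journal 27ce2c859e30835e111afbc05cb4fe62eca8c1c4fd68c4ab0283ec2c34e5aa35
/data/data/mark.via.gq/databases/via-journal 4d36efc253809a0f1608281e3779b1aae64943b6cb7e35c58180943f7c683d70
/data/data/mark.via.gq/files/homepage.html dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0
/data/data/mark.via.gq/files/about.html 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf
/data/data/mark.via.gq/files/iflytek_cached_mark.via.gq af492e6cf5673311131dd0b79f9f3bcc035c48fc787c5724dba50128df0eb880
[behavioral3]
/data/user/0/mark.via.gq/databases/via-journal f34048b6711f3d5ce37a25747358b5b6b19d7e81be14bdb341606e82f9ad70fc
/data/user/0/mark.via.gq/databases/via 8305d50d65d94128ca6d64b033c4819d8f9bd39bf62b493513995ce9198f9f8f
/data/user/0/mark.via.gq/databases/via-journal 15199a470a3b95f44104ac6b32c5612919f1bfa8d59de182f7941a300006666d
/data/user/0/mark.via.gq/databases/via-journal 856fba8ea4e8009a1dd5beb383c3a6948eb95b1fe1489e576bbdab2612408c36
/data/user/0/mark.via.gq/files/homepage.html dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0
/data/user/0/mark.via.gq/files/about.html 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf
/data/user/0/mark.via.gq/files/iflytek_cached_mark.via.gq 57b434980b64978462efb2f69460ca0805587429a02a84c5653d5adcb4233744
"""

SQLITE_SIDECAR = re.compile(r"-(journal|wal|shm)$")
APP_DIR = re.compile(r"^/data/(?:data|user/\d+)/" + re.escape(PKG) + r"/(.+)$")


def normalize(path):
    """Path relative to the app data directory; /data/data/<pkg> and /data/user/N/<pkg> collapse."""
    m = APP_DIR.match(path)
    return m.group(1) if m else path


def parse_files(text):
    """Yield (run, relative_path, sha256) from '[run]' headers and 'PATH SHA256' rows."""
    rows, run = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            run = header.group(1)
            continue
        path, sha = line.split()
        rows.append((run, normalize(path), sha.lower()))
    return rows


def stability(rows):
    """Per path: the distinct hashes seen, whether it appeared in every run, and whether it is
    a stable IOC (present in all runs with exactly one hash). SQLite sidecars are flagged by name."""
    all_runs = {run for run, _, _ in rows}
    per_path = defaultdict(lambda: {"hashes": set(), "runs": set()})
    for run, rel, sha in rows:
        per_path[rel]["hashes"].add(sha)
        per_path[rel]["runs"].add(run)
    return {
        rel: {
            "hashes": d["hashes"],
            "seen_in_all_runs": d["runs"] == all_runs,
            "sqlite_sidecar": bool(SQLITE_SIDECAR.search(rel)),
            "stable": d["runs"] == all_runs and len(d["hashes"]) == 1,
        }
        for rel, d in per_path.items()
    }


if __name__ == "__main__":
    for rel, info in sorted(stability(parse_files(FILE_TABLE)).items()):
        print("%-40s stable=%-5s hashes=%d sidecar=%s"
              % (rel, info["stable"], len(info["hashes"]), info["sqlite_sidecar"]))
```

Only the stable entries are worth pivoting on (for example a retrohunt on the homepage.html or about.html SHA256); the per-run database, journal and cache hashes identify a single detonation and will never match another installation.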