Analysis Overview
SHA256
7851e04754c8797abd29e2e5d2c7f265e0469d33815b0cb70490537631773b5b
Threat Level: Shows suspicious behavior
The file 66c9c2f489654bba512b837783e302ac_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Obtains sensitive information copied to the device clipboard
Checks CPU information
Checks memory information
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Queries information about the current Wi-Fi connection
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Checks if the internet connection is available
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 09:25
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 09:25
Reported
2024-05-22 09:29
Platform
android-x86-arm-20240514-en
Max time kernel
25s
Max time network
155s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
mark.via.gq
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.42:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | scs.openspeech.cn | udp |
| CN | 117.48.148.47:80 | scs.openspeech.cn | tcp |
| GB | 216.58.212.227:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | data.openspeech.cn | udp |
| CN | 117.48.148.47:80 | data.openspeech.cn | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.180.2:443 | | tcp |
Files
/data/data/mark.via.gq/databases/via-journal
| MD5 | 53784cae45e0ddab5b7ad1a76c8b4d4f |
| SHA1 | adc56d8df95fe2e2ae91c6a1b1ee1fd098de979f |
| SHA256 | 46f29f6d0c7dfdb1e4f521030bb7ab00271d62192ce5070150e3b17a709de1c2 |
| SHA512 | 0c6b5086e977d3b66ffe80ad506e2ea88e0096ac039472fa132489bdc3ae9986cd0eb209110685075ba71967c129470619678bd861961ca44e2be0a9eadf4e04 |
/data/data/mark.via.gq/databases/via
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/mark.via.gq/databases/via-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/mark.via.gq/databases/via-wal
| MD5 | 305c677f6957549a6a1d6d32c98fe18a |
| SHA1 | 8ccd991e3d868180bd8d6479f2eeffdcf547fd05 |
| SHA256 | 94864fba9f7fd610bf1c01c0a63775d862e519c1cdb66dec72f34f94050b5c6b |
| SHA512 | 7d803b5cc97599833660173f03efb236747032d019abef813f403cdc6a5cb4690b56d27670a416215874cfed873b82c279b6127a78ea3ed69cfb6ce0d5211e18 |
/data/data/mark.via.gq/files/homepage.html
| MD5 | d48ccc02f532e4727897bd39d5b40ef2 |
| SHA1 | b507f56e90860728224f2f327ca8ba28d250911e |
| SHA256 | dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0 |
| SHA512 | 3f2e28e19284099a7011fcd2477b9bb48cd2f50846bfa1c23a9a28643381b45f3add4f4387b0d890fa706494df9cb400cf41f3d6495b677110a48f3da3a4e002 |
/data/data/mark.via.gq/files/about.html
| MD5 | f3ac5c210c5ee1b39ffc192f5ddee887 |
| SHA1 | fcdfc269f609b9434a83f473ad5eaa44a7faca12 |
| SHA256 | 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf |
| SHA512 | e70053d6994f18e86721cdc8edd9107c7893365340872184b4663a885e20295dbbde2af6ba8a6fdbca2f3f54d86032cd360f4b972ede51f13f11f4b7d600521a |
/data/data/mark.via.gq/files/iflytek_cached_mark.via.gq
| MD5 | 278a16a8446bb27c31fef1c6d5777cdb |
| SHA1 | a4629eb5675defe1be5584fb2be40debe8880d85 |
| SHA256 | 6f8c9662503ebed740bb246d67f11c5c97de7e1ddeaca9320a5a56fc5b9cbf7f |
| SHA512 | 9b74c214e24610727eee04ff91bf758f8967cfaf0667f6498cfebb931de40e737a11c041f064e174750ecf3955dbd523803c91eb494a9fc586e819a520005e08 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 09:25
Reported
2024-05-22 09:29
Platform
android-x64-20240514-en
Max time kernel
49s
Max time network
158s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Processes
mark.via.gq
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.10:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | scs.openspeech.cn | udp |
| CN | 117.48.148.47:80 | scs.openspeech.cn | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.187.194:443 | | tcp |
| US | 1.1.1.1:53 | data.openspeech.cn | udp |
| CN | 117.48.148.47:80 | data.openspeech.cn | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
Files
/data/data/mark.via.gq/databases/via-journal
| MD5 | cefb357f3947566c272573fe75c54de7 |
| SHA1 | 81a527d30cabe93c126f51f7c55115a82a56ff20 |
| SHA256 | fea8066fc58f05902f4b5a314c42293d1712af5d97d39a7ea6fd06f12d4a50aa |
| SHA512 | 6f3dde1b8900da18389b1c1a13da635c9068ab56e831748f75a6bb2079ff9ce139fee9022103c1373e7b86a37682762be3a082072b8e24649edcd1c02cc32ae9 |
/data/data/mark.via.gq/databases/via
| MD5 | 8b22ddafd73d169b9accb6e2b3d6a354 |
| SHA1 | c34800e45fe81c27f044ae9cbbb3ef5466c361a4 |
| SHA256 | 4376bc40d06dd0f0db476a6ddae1e441308cb84684aba476626ddf535e4845ad |
| SHA512 | 55492986a32bd68df7f05c60d96ba35ddfe494dcc8854e114d3fdee21e5ff579251bc47235e6e596ef5845b39da2065ea8d82aad476870efe0eac642f795b96e |
/data/data/mark.via.gq/databases/via-journal
| MD5 | aa377d37ab5fed330671c8ebedac822d |
| SHA1 | e6c6f00aba49cfab5a21e0a644e48b872e1d25de |
| SHA256 | 27ce2c859e30835e111afbc05cb4fe62eca8c1c4fd68c4ab0283ec2c34e5aa35 |
| SHA512 | 2ca039a74054ff88c43e422b4ece8aae6595426c3dbb2c9d0c3c5019101209129e21af7960e51eb9865666fbf9b0b8ba895328f7d48aa90adc50be4d63d4cb39 |
/data/data/mark.via.gq/databases/via-journal
| MD5 | 5d48303c828e2d3aca62ec7647192514 |
| SHA1 | 8acbb74ba2735e7a904a771e632c0b6c1fe7f5a1 |
| SHA256 | 4d36efc253809a0f1608281e3779b1aae64943b6cb7e35c58180943f7c683d70 |
| SHA512 | 8054ffe41fb8d3c4c423d42d8f2e4ddce12b20a22c196bc4cafbe92c27102b93832a397a656e6dc5db15f60695d99a669314e4d9eb57c93a0f81600357cfc199 |
/data/data/mark.via.gq/files/homepage.html
| MD5 | d48ccc02f532e4727897bd39d5b40ef2 |
| SHA1 | b507f56e90860728224f2f327ca8ba28d250911e |
| SHA256 | dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0 |
| SHA512 | 3f2e28e19284099a7011fcd2477b9bb48cd2f50846bfa1c23a9a28643381b45f3add4f4387b0d890fa706494df9cb400cf41f3d6495b677110a48f3da3a4e002 |
/data/data/mark.via.gq/files/about.html
| MD5 | f3ac5c210c5ee1b39ffc192f5ddee887 |
| SHA1 | fcdfc269f609b9434a83f473ad5eaa44a7faca12 |
| SHA256 | 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf |
| SHA512 | e70053d6994f18e86721cdc8edd9107c7893365340872184b4663a885e20295dbbde2af6ba8a6fdbca2f3f54d86032cd360f4b972ede51f13f11f4b7d600521a |
/data/data/mark.via.gq/files/iflytek_cached_mark.via.gq
| MD5 | 2c1fb4db1116928dcd4bec86ee25100c |
| SHA1 | 14add22009c3233be2a3a7b9b95f17e6d50ba8f3 |
| SHA256 | af492e6cf5673311131dd0b79f9f3bcc035c48fc787c5724dba50128df0eb880 |
| SHA512 | bec6cf9998c8a61c4c20b3456d04c4f6f2a84df2bbc8d6be23fa60b9102374d6377076bbea768a7c4fe8ff0e8f34fad9e8e71b1d188fe959c6400ecb2e0bb1ef |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 09:25
Reported
2024-05-22 09:29
Platform
android-x64-arm64-20240514-en
Max time kernel
25s
Max time network
133s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
mark.via.gq
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | scs.openspeech.cn | udp |
| CN | 117.48.148.47:80 | scs.openspeech.cn | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | data.openspeech.cn | udp |
| CN | 117.48.148.47:80 | data.openspeech.cn | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/user/0/mark.via.gq/databases/via-journal
| MD5 | d216f086ffba61d88f08c546b76d7fa7 |
| SHA1 | 14eb689bb89bdb56a322c99d9cf2836035cca5c9 |
| SHA256 | f34048b6711f3d5ce37a25747358b5b6b19d7e81be14bdb341606e82f9ad70fc |
| SHA512 | 5f3d3a2c516902873f9d1161b9837f29ac7778e76388facb65fd1dd5d25178b7d3fb3ac2a67647e027ebdfbeedc423ef513adcce6467ea94230ad94923021830 |
/data/user/0/mark.via.gq/databases/via
| MD5 | 2d35aff1ca01b56baaa9cc5b750c59cd |
| SHA1 | 164c8b4816b59c93306a1512e13691331c2e82fc |
| SHA256 | 8305d50d65d94128ca6d64b033c4819d8f9bd39bf62b493513995ce9198f9f8f |
| SHA512 | 1a3b4d5057c39dce3f9ac041f56926f232fbb87583991ffbe787437512f150eb3f359c5bcc83af3ad344675efb8e83bea2c441b0fc91126cef648933d323e975 |
/data/user/0/mark.via.gq/databases/via-journal
| MD5 | 801d3304c69470c23f242fe91760eb9c |
| SHA1 | 5c0353be131e4d9904ec070ebb3b3ca89080cb7e |
| SHA256 | 15199a470a3b95f44104ac6b32c5612919f1bfa8d59de182f7941a300006666d |
| SHA512 | cac31fe6b5b5573e050673e80f7e111be28bf1a756c024aabb06825d5cbbb093c8381010541b322c9933d8d3256494b90f54fb6366c92906f498d2f6e904a143 |
/data/user/0/mark.via.gq/databases/via-journal
| MD5 | 000d40ad37e49370c684c38ee0cb0c71 |
| SHA1 | e12118bd5433c76b258d5c797783219b3f734825 |
| SHA256 | 856fba8ea4e8009a1dd5beb383c3a6948eb95b1fe1489e576bbdab2612408c36 |
| SHA512 | db5733662ff2ec6dd0c2a4593e690fb950fa46c17f02c706675e0830e1c199299ae615142db40a1458fe1480024e1fb6abc9d3f75a3b497c2be00c3e659569b1 |
/data/user/0/mark.via.gq/files/homepage.html
| MD5 | d48ccc02f532e4727897bd39d5b40ef2 |
| SHA1 | b507f56e90860728224f2f327ca8ba28d250911e |
| SHA256 | dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0 |
| SHA512 | 3f2e28e19284099a7011fcd2477b9bb48cd2f50846bfa1c23a9a28643381b45f3add4f4387b0d890fa706494df9cb400cf41f3d6495b677110a48f3da3a4e002 |
/data/user/0/mark.via.gq/files/about.html
| MD5 | f3ac5c210c5ee1b39ffc192f5ddee887 |
| SHA1 | fcdfc269f609b9434a83f473ad5eaa44a7faca12 |
| SHA256 | 1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf |
| SHA512 | e70053d6994f18e86721cdc8edd9107c7893365340872184b4663a885e20295dbbde2af6ba8a6fdbca2f3f54d86032cd360f4b972ede51f13f11f4b7d600521a |
/data/user/0/mark.via.gq/files/iflytek_cached_mark.via.gq
| MD5 | aaeddaca6aa5c639deb002b392cfa697 |
| SHA1 | eab4c739ae2e48d1cf4d918d2358df7bcc7eb3a9 |
| SHA256 | 57b434980b64978462efb2f69460ca0805587429a02a84c5653d5adcb4233744 |
| SHA512 | 929eda737440a9f78d4b3622d3de7cf81bb70ee52809a9f0ada1fa5679893cb718af321a3796a68275493a38bc322a87915565f03ffa85af1c37873e8382cbbb |