Malware Analysis Report

2025-01-19 06:59

Sample ID: 240522-mcaeaabf81
Target: 66ebd45845c6fd22fbe0dc7f224d06e4_JaffaCakes118
SHA256: e83844fabd0f98c30c98901f65dfb657fa8a3bd0e5f6b7eaaafadf29fad1546b
Tags: discovery evasion impact persistence collection credential_access
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: e83844fabd0f98c30c98901f65dfb657fa8a3bd0e5f6b7eaaafadf29fad1546b

Threat Level: Shows suspicious behavior

The file 66ebd45845c6fd22fbe0dc7f224d06e4_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery evasion impact persistence collection credential_access

Obtains sensitive information copied to the device clipboard

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported: 2024-05-22 10:18

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-22 10:18

Reported: 2024-05-22 10:22

Platform: android-x86-arm-20240514-en

Max time kernel: 19s

Max time network: 143s

Command Line

com.gameloft.android.ANMP.GloftFWHM

Signatures

Checks memory information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.gameloft.android.ANMP.GloftFWHM

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | eve.gameloft.com | udp
CA | 208.71.185.246:20001 | eve.gameloft.com | tcp
CA | 208.71.185.246:20001 | eve.gameloft.com | tcp
US | 1.1.1.1:53 | iap-eur.gameloft.com | udp
CA | 198.136.44.127:443 | iap-eur.gameloft.com | tcp
US | 1.1.1.1:53 | secure.gameloft.com | udp
CA | 208.71.186.74:443 | secure.gameloft.com | tcp
GB | 216.58.212.227:443 | | tcp
US | 1.1.1.1:53 | 201205igp.gameloft.com | udp
CA | 208.71.185.246:80 | 201205igp.gameloft.com | tcp
CA | 208.71.186.74:443 | secure.gameloft.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.gameloft.android.ANMP.GloftFWHM/files/gaClientId

MD5 a68d49933c3aaa839f0febfa85516ef6
SHA1 04a78a863c9d810e522cd9ca344f9f11a5fd3513
SHA256 827aebb70bd01891b6919181066a2ff5ef5be188a9c0c8713f47d3b18e3e45fe
SHA512 2081c283ec014ce98d954f0e6e95c5b763fb862cc9c67d4dbbc1f70fae1d3bd44c7d17d9c2d725dcf2eba447cef14289bbd349855f5ad8e325f042df0c012e77

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-journal

MD5 955177304aa9345da2fea3c0fd633523
SHA1 32cab1781236c0ed34dfb01abfab45ab4a0be339
SHA256 5e106436cd7c81c3326701d1e4fc14268ebf9de271c576b933c2beaeda023a71
SHA512 d278125e7f82ce09496887b2156a6fd96ded46af9e6932cc01eedd53877960424f99e44615a58936685846c1ee7e62e0441dd076905f946ba188045e3d47a915

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-wal

MD5 cf69cb819ce07afa4fc534adcc33b618
SHA1 7d8a5ec5c4fe125f8357f2975855b3d1ad0dc663
SHA256 58f0405b560ca45ec4caae6056300b4565b6470cde25da73c6926aba43ac54e4
SHA512 6e2caa350b3e817163b53e53011e5fb33589bfabf4372ce8491ed16eeb536dbd7b618fae84d252695e65df9c4e581d28571acf819156d044725bfd0e087afdb4

/data/data/com.gameloft.android.ANMP.GloftFWHM/files/gaClientIdData

MD5 265ffdbfe1e867b777b49549d685153c
SHA1 e2e81e739b6177cba969927b2d1d7de9947296bb
SHA256 0e4ff5819464c705ac03d74eaef91526d03aaf9b27bdac96c60ed2116bc03aaa
SHA512 5170ae9a084fdbc93116034429f8f563956417244e7e1f7ce9810ebe0cb69de03dc940bb8ecb3d055d53f1380f4918ad9279f2e88fdbac01e8f03219822c70ef

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-22 10:18

Reported: 2024-05-22 10:22

Platform: android-x64-20240514-en

Max time kernel: 51s

Max time network: 170s

Command Line

com.gameloft.android.ANMP.GloftFWHM

Signatures

Checks memory information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.gameloft.android.ANMP.GloftFWHM

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | eve.gameloft.com | udp
CA | 208.71.185.246:20001 | eve.gameloft.com | tcp
CA | 208.71.185.246:20001 | eve.gameloft.com | tcp
US | 1.1.1.1:53 | iap-eur.gameloft.com | udp
CA | 198.136.44.127:443 | iap-eur.gameloft.com | tcp
US | 1.1.1.1:53 | secure.gameloft.com | udp
CA | 208.71.186.74:443 | secure.gameloft.com | tcp
US | 1.1.1.1:53 | 201205igp.gameloft.com | udp
CA | 208.71.185.246:80 | 201205igp.gameloft.com | tcp
CA | 208.71.186.74:443 | secure.gameloft.com | tcp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/com.gameloft.android.ANMP.GloftFWHM/files/gaClientId

MD5 6e127aedab6c38479689b22ed5b57fbe
SHA1 d7912fa49fe19314f1683b2bfbb74d300c34d4bc
SHA256 ba889002562f58aefd4c9a1c41f8dbc1377b108d91c8ff3cc6fbddcc7977419f
SHA512 874971f555a2c968f29f07260b83eaca46522b513e1c0856a87a53ea8ed6e85f2cb0a7bc2afd0508666d2770897b68b29426e8abc5f734f7b3a839ec8c7403a1

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-journal

MD5 750d9917bffdb87e86aa3ef45a527783
SHA1 b23a0ac0a02249677abfc9886c1e8160fe1f6d00
SHA256 d38139365a4c51b97b2549348a206f545036392b216aa39f1aef793f65c32197
SHA512 e02a5d42e13c668f840342573b8c8992a55f1703aaacdec7a0243023bc7bf097ba81ba7d0466a6bb20375d2d64bf21217899be34ef8146f08234eac88e0ed6ab

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing

MD5 8dd59b526bc79a3d7bc97d6970579314
SHA1 6f14f7dea83cc2370be250310d5fa04e92f5d861
SHA256 16b5a9d1e18c80d0443eaa663c78b4468bbcc99486c46e6971fa67a48f53dbd4
SHA512 56b8781c1496bc74e802cb02d7a196ef7ecdedd43d5a54c1443cced80d6743cccdf2845fa01cbe9aaec585c0c432d31490b238cd4238baaa2f1c08c4ef092b4c

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-journal

MD5 5912b475b7c5fc4379670a4e8fc7fbb3
SHA1 a22f0fa2b3141f96376f37db9435a2493d16e47f
SHA256 bd0e81e6e68787df38065de11907034c24dd88a46f2aa31ec915892ca26bff7e
SHA512 aa5a2d6cbfc5e7c196c5b2715e113c27e2ae523e2a8b965545d0aa4076d1c2026b72c7b341552ef4f902ee995f474252d0f7abcc2a8b572885a449035e5e0944

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-journal

MD5 83679d52c4dc4ba273198e26bbe0bdc6
SHA1 c6056415458a1ad5adfb07e00136aafcf42fe0ac
SHA256 f329ea4aae48a0a222aec999cadca156750a77020e84715fda37f04a51948635
SHA512 46a32da4db5fe32c66577cebf3d38d1809a4ff26b30ac74bc4b8b30db20230de5369ec4972016e0ec6aee6f33e763789328bace3bb00f287591920d5cc3f1275

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-journal

MD5 edc835fb623c99975ad250d802754e49
SHA1 f1a81ec0cf0557e24696f06e930c030ea80695aa
SHA256 5d4039f13b547632bd690b442927c4161fbcc56c8164bcaf943735c52ea9ae26
SHA512 0c882b8c88ea7065e718e4761b9dfbaa359a392585f457e2ba0b14690d769ab0762f3bef6e10762d56c1b8ba22d821d36634302cf31d5abcb725e933ab745f94

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-journal

MD5 a71c99fec9ec55a723d38273de46e631
SHA1 bbbda2398dcba4da077181edd813f4591aa46587
SHA256 d2f8637c2fef3a40034745b7a9e6214b28e8caf97a8977c44fbf61527067782d
SHA512 1ab0a78efaea1f0cd33e5342bd6eceb36ce2a621b7c8d67fb6bd13c9a1a0ec2e3702a28987c37f1300b528f2fcd20db471303f9d90516d0feefae06ceb822008

/data/data/com.gameloft.android.ANMP.GloftFWHM/databases/gameloft_sharing-journal

MD5 dc2a92dfa4c567c7fb4fa95961c44774
SHA1 a8d3cca3682256d7897bd29a0501617d598ffe77
SHA256 4cb5c2fe80596b7b91651f0afe61bfa457d669585cebc19b4f8c3237544ad45d
SHA512 78e19122e231cd319e5acc000bd9ef61e37c1ef6d58ef994ea870f1560caab5999b7f0169ca744f890cf5f7cfd16378c340378d3f068d9b09343152efe880588

/data/data/com.gameloft.android.ANMP.GloftFWHM/files/gaClientIdData

MD5 3f992548b201d8c64dafd65461098446
SHA1 3a749af513904a918c46bace0ef71dcba4ff23c0
SHA256 084edeb8b90e8965136d23472136ac7d4711f65a3e535dbb2afa4025439ce5dd
SHA512 03d257234f7891bafa6e6f8a99d3d9bf1150d37966d8082759678de89484cb4e88c04d493b0dee7b69b74b0f4246147ab95db1b1e9dd4f0bc7ba11d9d072e20c