Malware Analysis Report

2025-01-19 06:57

Sample ID 240523-c6kr1abb78
Target 697a6472ed5f06d54b42064e5e6850f9_JaffaCakes118
SHA256 db0a1bc3fd2329470b9ba4df85badecd3cba7b5ac997f3c04e7f4a1dc1faaf73
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

db0a1bc3fd2329470b9ba4df85badecd3cba7b5ac997f3c04e7f4a1dc1faaf73

Threat Level: Shows suspicious behavior

The file 697a6472ed5f06d54b42064e5e6850f9_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Checks CPU information

Checks memory information

Queries the mobile country code (MCC)

Obtains sensitive information copied to the device clipboard

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Checks if the internet connection is available

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 02:41

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 02:41

Reported

2024-05-23 02:44

Platform

android-x86-arm-20240514-en

Max time kernel

153s

Max time network

161s

Command Line

com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

discovery
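
The /proc/cpuinfo and /proc/meminfo reads above are tagged evasion as well as discovery because those two files are the classic inputs to emulator fingerprinting: an emulator kernel reports a "goldfish" or "ranchu" board, an x86 image exposes an x86-style cpuinfo on a device that claims an ARM ABI (the platform names in this report, android-x86-arm and android-x64, suggest exactly that kind of host), and sandboxes are often provisioned with little RAM. The block below is an added illustration of what such a check looks like and what a sandbox has to mask; it is analyst code, not the sample's own logic, the /proc contents are constructed, and the 2 GiB RAM threshold is an assumption. The same reads appear in behavioral2 and behavioral3.

```python
"""Added example: heuristics an app can derive from /proc/cpuinfo and /proc/meminfo
to decide whether it is running in an emulator or sandbox. Illustrative analyst
code, not the sample's own logic; all /proc contents below are constructed."""
import re

# Constructed /proc/cpuinfo from an x86 emulator image (x86 layout, no 'Hardware' line).
X86_EMULATOR_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 6
model name\t: Android virtual processor
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat
"""

# Constructed /proc/cpuinfo from an arm64 emulator kernel ('ranchu' board).
ARM_EMULATOR_CPUINFO = """\
processor\t: 0
BogoMIPS\t: 125.00
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer\t: 0x41
Hardware\t: ranchu
"""

# Constructed /proc/cpuinfo from a physical arm64 handset.
PHONE_CPUINFO = """\
processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp
CPU implementer\t: 0x41
CPU architecture: 8
Hardware\t: Qualcomm Technologies, Inc SM8250
"""

SMALL_MEMINFO = "MemTotal:        1545056 kB\nMemFree:          891124 kB\n"
PHONE_MEMINFO = "MemTotal:        7826432 kB\nMemFree:         2311040 kB\n"


def parse_proc_kv(text):
    """Parse 'key : value' lines (the /proc/cpuinfo and /proc/meminfo layout) into a
    dict with lower-cased keys. Only the first occurrence of a key is kept, so a
    multi-core cpuinfo collapses to the first processor block."""
    kv = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        kv.setdefault(key.strip().lower(), value.strip())
    return kv


def emulator_signals(cpuinfo_text, meminfo_text, min_ram_kb=2 * 1024 * 1024):
    """Return the list of emulator indicators found; an empty list means nothing
    suspicious. The RAM threshold (2 GiB) is an assumption, not a documented limit."""
    cpu = parse_proc_kv(cpuinfo_text)
    mem = parse_proc_kv(meminfo_text)
    signals = []

    # Emulator kernels name their board 'goldfish' (classic) or 'ranchu' (QEMU2).
    hardware = cpu.get("hardware", "").lower()
    if any(board in hardware for board in ("goldfish", "ranchu")):
        signals.append("hardware:" + hardware)

    # Virtual CPUs usually advertise themselves in the model name.
    model = cpu.get("model name", "").lower()
    if any(tag in model for tag in ("virtual", "qemu")):
        signals.append("model_name:" + model)

    # x86 cpuinfo carries vendor_id/flags and no Hardware line; on a device that
    # claims an ARM ABI this points at emulation (physical x86 handsets are rare).
    if "vendor_id" in cpu and "hardware" not in cpu:
        signals.append("x86_cpuinfo:" + cpu["vendor_id"])

    # Sandboxes are often provisioned with little RAM; weak signal on its own.
    m = re.match(r"(\d+)\s*kB", mem.get("memtotal", ""))
    if m and int(m.group(1)) < min_ram_kb:
        signals.append("low_ram_kb:" + m.group(1))
    return signals
```

Each signal on its own is weak (a real x86 handset or a low-end phone trips one of them); the point for the sandbox operator is that all four inputs are visible in the two files this sample reads, so a detonation image should present a plausible board name, CPU model and memory size.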

Processes

com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ads.mopub.com | udp
US | 34.111.158.155:80 | ads.mopub.com | tcp
US | 1.1.1.1:53 | receive.client.c-launcher.com | udp
SG | 54.251.178.82:80 | receive.client.c-launcher.com | tcp
US | 1.1.1.1:53 | api.c-launcher.com | udp
SG | 18.139.175.233:80 | api.c-launcher.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
DE | 8.211.36.31:80 | alog.umeng.com | tcp
GB | 142.250.200.3:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | - | tcp
US | 34.111.158.155:80 | ads.mopub.com | tcp
GB | 216.58.212.202:443 | - | tcp
US | 34.111.158.155:80 | ads.mopub.com | tcp

Files

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-journal

MD5 38a11d4a461986f2bee45c9cedf0e1f8
SHA1 280d6ca0cf6d2413bc739167b97faa52904f832a
SHA256 c043b21e1f3bab7a2fbd542634f824741692f1229feb7b6861623aeaae4b3cd4
SHA512 d10ea36b379bdee9be766840ce0f4a7ae08f29b907c5c8b89adf47e82803c6d20c1f951a64059c2542e82d1ba7ccac8a11bccae32e0ae42d6f18e4433e21e109

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-wal

MD5 0d9333f4b472871c5593666f0a249742
SHA1 25dbcbbb7bf247612739f1caae5a17c3eacec384
SHA256 4aa530e6c4d88c9375fd4b71b38daa7b090ef2f2fe73baf08de43a888b0984b1
SHA512 faa60d7f2d2baccefc52ba6b39a1faa22bc2bfe99bcccb76a72a90bfede9c15ae44e4b074c40caab8eeae2f4c61800c88fdbb05ae0cac98a68bd7bb55cd5bef2

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/files/uuid.md

MD5 27f29cfabac9bfa4cdb682d4b5b30f62
SHA1 43dd812116731ffe8f7e6cb25b2e2ae198214912
SHA256 ff819c1c25b5a1ad8aae40594c4314f90ddfea6f185c4ad1522419b5aa8a9b5a
SHA512 b3dc3045b442ec612874300d794aea660b173c95bb218123bb1cec6ccad5fa06c267a723846edc6979b725d8f1b03ed42ad2144197da7a1af1a141212cfb491c

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/files/.imprint

MD5 bf5fdcce139b2cd662aaeeaa224b5b69
SHA1 306d486b4f394c74b37124470716ccb69ba03c7a
SHA256 ad9134c78134e0718c9e202ba43d54634f312b3b954877c06a50453f8fe2c4c7
SHA512 44432732c94e1af63dbdcb596532af499c07d0651b8833fc6443ac957eeb6245439765d11ed90b04d7c2836b52ae50cd0cb5f11a0e5857783f0fafcbd117fbb4

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 02:41

Reported

2024-05-23 02:44

Platform

android-x64-20240514-en

Max time kernel

155s

Max time network

164s

Command Line

com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Processes

com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ads.mopub.com | udp
US | 34.111.158.155:80 | ads.mopub.com | tcp
US | 1.1.1.1:53 | receive.client.c-launcher.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.251.36.8:443 | ssl.google-analytics.com | tcp
SG | 54.251.178.82:80 | receive.client.c-launcher.com | tcp
US | 1.1.1.1:53 | api.c-launcher.com | udp
SG | 18.139.175.233:80 | api.c-launcher.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
NL | 172.217.168.238:443 | android.apis.google.com | tcp
DE | 8.211.35.113:80 | alog.umeng.com | tcp
GB | 142.250.187.206:443 | - | tcp
GB | 172.217.16.238:443 | - | tcp
GB | 142.250.179.226:443 | - | tcp
GB | 142.250.178.4:443 | - | tcp
US | 1.1.1.1:53 | www.google.com | udp
NL | 142.250.179.164:443 | www.google.com | tcp
US | 34.111.158.155:80 | ads.mopub.com | tcp
US | 34.111.158.155:80 | ads.mopub.com | tcp

Files

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-journal

MD5 ea8e538ccf6765202020b687e5305a33
SHA1 18fd7e9fec0936639ac2c5b1a7d3ecf8d1462c54
SHA256 2b6e8c641f8a010d1ab2066c401661cf1f0a932603a26f05e432743291c64019
SHA512 d38a2ba8e35de4a9ff57ddbfc9d6d27f02cab29d2eae0be5d96d20e3df2ceeea16b8fc77bcf2ebc3b2be898f1e37171114ca90c8909b652de7f71836cfbd4204

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db

MD5 62a3561989ede658cd16cc1f14199c1d
SHA1 6320791cdfd16b26450bf711bd6776d80a396912
SHA256 9ae0206411304ee027e0cfe3b4e6732ced5b423f99c33340dafb68d2b5b215f6
SHA512 c4ef43e702e053ee39153149d1fb11311c57c6ad5393ea905df942df8bcd3625e2224563eb4c35bfc45e140aa09135c5123f48d220fe622d9dcf2a4cdaf5dfe4

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-journal

MD5 92424681cab2cb81fcaf183c3266f7ff
SHA1 d0572c0ccd9b5e3d198aa7af68e2efd2be644285
SHA256 60e9f6acde999d0961e7f20512cfc43b07436c09cb3ed214b1c45585b09ad75c
SHA512 f3ee04743f9c4111b383eddcf6d6d2b780fb860d4ec9c85df79bb55e5df1a6ee56ae6dd9087deb29d5e594f137332a9c89bd5d4dd3ce081041272299ee83d5e5

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-journal

MD5 b21d6b3423fa0c9ad14b191566c7b6b2
SHA1 a2659623ab3684d6a2a2810d177600bab9f453dc
SHA256 ae92b0da73f1b1143808d44d902d1c0ba0fccb00ee334e74ba2f8c2445862478
SHA512 0a28dc17f47d2d331a9734f067d172f2af30e8da5f9798d8622093daa2f6d3b761903ac9102d55e3c72b0cf91a88d45be9303aae5e5fd14c344f3b95e9eb0451

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/files/uuid.md

MD5 9cb7c9a62fb94a56351ab8859120b306
SHA1 9caccc22e13d10415d6b0ca3bb970820b1767afe
SHA256 0c4394cf6df22fe1ef0010c7c94ba7ce1c53a5716e312041b53b36c1e15305e8
SHA512 60e4e47ac553a3f1a6a1e473a27c0ab2bcb6c4876656aef0440e97844ab60116f79284cb602c37f54e9879dfa2e8456acc870ec25b211a0be71fde3a98f0b680

/data/data/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/files/.imprint

MD5 1897f315add50bdcf8bc93f2ef7dc817
SHA1 a6e2eb818b6d38ec6781d8a8c24e8896f2b54b2b
SHA256 11a2a4adcf2cbe4a50e6e6dcbe766ed2711ffbabb3995aa586fd843e003831c7
SHA512 32cafda98c4f98b98711a443b56c4ad4c4ebe24b2d037a496451de6356855b695cf52c12101463e604b708f32cfd00b2c3c0d1a97230bdf2b6f2fd7f4db6a5ae

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-23 02:41

Reported

2024-05-23 02:44

Platform

android-x64-arm64-20240514-en

Max time kernel

155s

Max time network

164s

Command Line

com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.169.14:443 | - | tcp
GB | 172.217.169.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 172.217.168.238:443 | android.apis.google.com | tcp
GB | 216.58.201.106:443 | - | tcp
GB | 216.58.201.106:443 | - | tcp
US | 1.1.1.1:53 | ads.mopub.com | udp
US | 34.111.158.155:80 | ads.mopub.com | tcp
US | 1.1.1.1:53 | receive.client.c-launcher.com | udp
SG | 54.251.178.82:80 | receive.client.c-launcher.com | tcp
US | 1.1.1.1:53 | api.c-launcher.com | udp
SG | 18.139.175.233:80 | api.c-launcher.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.250.179.200:443 | ssl.google-analytics.com | tcp
DE | 8.211.35.113:80 | alog.umeng.com | tcp
GB | 142.250.200.4:443 | - | tcp
GB | 142.250.200.4:443 | - | tcp
US | 34.111.158.155:80 | ads.mopub.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
NL | 142.250.179.164:443 | www.google.com | tcp
US | 34.111.158.155:80 | ads.mopub.com | tcp
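
Across the three network tables (behavioral1, behavioral2 and this run) the pattern is the same: the app's own backends (receive.client.c-launcher.com, api.c-launcher.com), the Umeng analytics collector (alog.umeng.com) and the MoPub ad endpoint are all reached over plain HTTP on port 80, while the Google endpoints use 443 and several 443 peers have no resolved name at all. The report shows no payloads, so the cleartext rows are where an analyst would look in the pcap for the IMEI, MCC and Wi-Fi details the signatures show being queried, and the unresolved 443 rows need the TLS SNI from the capture rather than a guess. The block below is an added example of that triage step, not part of the sandbox's output; the rows it parses are the behavioral1 rows copied as constructed input, with "-" marking an empty Domain column, and it accepts the raw whitespace export as well.

```python
"""Added example: turn the flattened 'Country Destination Domain Proto' rows of a
sandbox network table into buckets an analyst can act on. Not part of the report;
the rows below are the behavioral1 rows, copied here as constructed input."""
from collections import defaultdict
import ipaddress

BEHAVIORAL1_ROWS = """\
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ads.mopub.com | udp
US | 34.111.158.155:80 | ads.mopub.com | tcp
US | 1.1.1.1:53 | receive.client.c-launcher.com | udp
SG | 54.251.178.82:80 | receive.client.c-launcher.com | tcp
US | 1.1.1.1:53 | api.c-launcher.com | udp
SG | 18.139.175.233:80 | api.c-launcher.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
DE | 8.211.36.31:80 | alog.umeng.com | tcp
GB | 142.250.200.3:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | - | tcp
US | 34.111.158.155:80 | ads.mopub.com | tcp
GB | 216.58.212.202:443 | - | tcp
US | 34.111.158.155:80 | ads.mopub.com | tcp
"""


def parse_rows(text):
    """Accept '|'-delimited rows ('-' = no domain) or the raw whitespace export,
    where a three-field row simply has no Domain value. A header line is skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("country"):
            continue
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage(text):
    """Bucket the rows: DNS lookups, cleartext HTTP (tcp/80), TLS (tcp/443) and
    multicast chatter. TLS peers with no resolved name are grouped under
    '<unresolved>' so the analyst knows to pull the SNI from the pcap."""
    out = {
        "dns_lookups": set(),
        "cleartext_http": defaultdict(set),   # domain -> {ip}
        "tls": defaultdict(set),              # domain or '<unresolved>' -> {ip}
        "multicast": set(),
        "countries": set(),
    }
    for r in parse_rows(text):
        if ipaddress.ip_address(r["ip"]).is_multicast:
            out["multicast"].add(f'{r["ip"]}:{r["port"]}')   # mDNS, local noise
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:
                out["dns_lookups"].add(r["domain"])
            continue
        if r["country"] != "N/A":
            out["countries"].add(r["country"])
        key = r["domain"] or "<unresolved>"
        if r["proto"] == "tcp" and r["port"] == 80:
            out["cleartext_http"][key].add(r["ip"])
        elif r["proto"] == "tcp" and r["port"] == 443:
            out["tls"][key].add(r["ip"])
    return out


def cleartext_endpoints(text):
    """Sorted hosts contacted over plain HTTP: the connections to inspect for the
    device identifiers the sample queried, since nothing there is encrypted."""
    return sorted(triage(text)["cleartext_http"])
```

Run on the behavioral2 or behavioral3 rows the cleartext list is the same four hosts; the only additions are ssl.google-analytics.com and www.google.com over 443.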

Files

/data/user/0/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-journal

MD5 1f9aa5100e04d9628a341bb252d562d7
SHA1 1b088b8c253881d441a7ad9ae4539ba147bee908
SHA256 a774e52fe341fcaedcb295951f4aef070a5b2fd23764ecc16b4c67b97c8458bc
SHA512 5c17d11353480bb1b82e07b90cd5bafb957217419bd562584b4e21e18e37d4a76d9c92d5d8980d56b0615cb752dad55e29ed6e63f6b88e3d2ec71996ca97f5ba

/data/user/0/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db

MD5 ed710a8968441282a5939621c2771927
SHA1 b6ac28b3e32ea66790c52d6934608b5e71f3d5b8
SHA256 6e7b95a553c2528d6c564296a9e481a6d913074c35011a19f2da8e4807c53bb2
SHA512 547d7c530ad345edf6b880b7685d2ddf3770e595fe3a40041677cb0c296b15ec6d9e8ebf3f2db51624be41766a0af6764512f1c352d5fde22bdea81d7c08e364

/data/user/0/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-journal

MD5 cfb40c1dd0f9bb155bef9ade6c23b893
SHA1 62521ff2b343a5097855c3a73f3d31a56e449d50
SHA256 9e03b41a9a7447033cb2c9adf729d9862ac658fdec47830fb58a1c0b036879c3
SHA512 0eb8444fd71bb0a79cb45529075996eef09f692d9121d3f4e2cf0bd484f84b89f00a6893919e6427ecc5af3be742668cb997ce55409730efba9ae537413d9a1a

/data/user/0/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/databases/http_auth.db-journal

MD5 6fbc6d8adb41a1f84e117ca2ebb04f9c
SHA1 389b3b7b1286887468f7580dbdab3e55ea7af4aa
SHA256 86a64a1c2cea5a2c3e840a0edd56409764b8511ff2bc52003a90c06a565a95d7
SHA512 958571c39fabfe400ad630437fc636a433ecbd9fe074709648c2cf384e4410c1c28f46e06a14219ce6daedec7b83859b5309d36885aa14858d91ebfc5ef0d2f4

/data/user/0/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/files/uuid.md

MD5 999dd03227a2191cfce920d34649f141
SHA1 dec868e507532965fc1a64f3ef1741906a1cbbd8
SHA256 7d3b57a47c9128bab1db7ae463043182a5a2cdec7d9b1af0f9752eb455e87660
SHA512 5e8bb0455967d1b12497102a1409428ca1522013e5c1f9aaa1dbcfe09d58b6f88cb9d5cfbec429199435dbbc20a9fe6f01063552afea6c9b4ed972c5a374e0ab

/data/user/0/com.cyou.cma.clauncher.theme.v591975b04f1f6705f128bbca/files/.imprint

MD5 7a854cab6e972cd3946dfadd0da77c28
SHA1 4d66fd630c1a672c4148fc10e802eb941ac9c875
SHA256 3ac5b4ece0119c1683da7413a91c605301c32d3d705d2a9c4e71262465821e08
SHA512 00a9c32d7dcb9e3d8f028e4ae396e822e81a966d7919ff363eb047edf1156145c3bf6495ae17c5caced7fdd520123eb8c656216cd4ed30a4225563ca169b51ea
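
The Files sections of all three runs list http_auth.db together with its -journal, -shm and -wal side files. http_auth.db is the name Android's WebView uses for its store of saved HTTP authentication credentials, which is why the sandbox hashes every version it sees. The practical point for anyone collecting the sample's data directory is that a SQLite database in WAL mode keeps committed rows in the -wal until a checkpoint, so an image of the .db alone can be missing the most recent writes. The block below is an added demonstration of that, not code from the report or the sample; the table it creates is a constructed stand-in and not WebView's real schema.

```python
"""Added example: why the -wal next to http_auth.db must be collected with it.
In WAL mode committed rows sit in the -wal until a checkpoint, so a copy of the
.db alone can miss them. Constructed demo; the table is not WebView's schema."""
import os
import shutil
import sqlite3
import tempfile

TABLE = "httpauth_demo"   # hypothetical stand-in for the real credential table


def build_wal_database(path):
    """Create a database with one row in the main file and a second committed row
    that exists only in path + '-wal'. The connection is returned open on purpose:
    closing it would checkpoint the WAL into the main file and delete the -wal."""
    conn = sqlite3.connect(path)
    conn.execute(f"CREATE TABLE {TABLE} (host TEXT, realm TEXT, username TEXT, password TEXT)")
    conn.execute(f"INSERT INTO {TABLE} VALUES ('a.example', 'realm1', 'user1', 'pass1')")
    conn.commit()  # still rollback-journal mode: this row lands in the main file
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode != "wal":
        raise RuntimeError(f"could not switch to WAL mode, got {mode!r}")
    conn.execute(f"INSERT INTO {TABLE} VALUES ('b.example', 'realm2', 'user2', 'pass2')")
    conn.commit()  # committed, but only as frames in the -wal (no checkpoint yet)
    return conn


def rows_in_copy(src, dst, with_wal):
    """Image the database the way a naive collector might (plain file copy),
    optionally taking the -wal too, and count the rows readable from the image."""
    shutil.copyfile(src, dst)
    if with_wal:
        shutil.copyfile(src + "-wal", dst + "-wal")
    conn = sqlite3.connect(dst)
    try:
        return conn.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]
    finally:
        conn.close()


def demo():
    """Compare an image of the .db alone with an image of .db plus -wal."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "http_auth.db")
        live = build_wal_database(src)
        try:
            wal_present = os.path.exists(src + "-wal")
            db_only = rows_in_copy(src, os.path.join(workdir, "image_db_only.db"), with_wal=False)
            db_plus_wal = rows_in_copy(src, os.path.join(workdir, "image_db_wal.db"), with_wal=True)
        finally:
            live.close()
        return {"wal_present": wal_present, "db_only": db_only, "db_plus_wal": db_plus_wal}


if __name__ == "__main__":
    print(demo())
```

The same applies to the -journal: a rollback journal left behind by an interrupted write holds the pre-change page images, so it is evidence in its own right and should be hashed and kept alongside the database rather than discarded as a temporary file.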