Malware Analysis Report

2025-01-19 06:54

Sample ID 240523-rc4eksde9s
Target 6b2d3355e2b2d91ee90bdb41c4d9daba_JaffaCakes118
SHA256 59069daedf165cf0b2ae9fb8a379823350333457ed90e7919ce2c39107ad870e
Tags
banker discovery evasion impact persistence collection credential_access
score
8/10

Analysis Overview

score
8/10

SHA256

59069daedf165cf0b2ae9fb8a379823350333457ed90e7919ce2c39107ad870e

Threat Level: Likely malicious

The file 6b2d3355e2b2d91ee90bdb41c4d9daba_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Checks CPU information

Checks memory information

Queries information about running processes on the device

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-23 14:03

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 14:03

Reported

2024-05-23 14:08

Platform

android-x86-arm-20240514-en

Max time kernel

102s

Max time network

136s

Command Line

mmapps.mirror.free

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /system/xbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/mmapps.mirror.free/cache/1582435991586.jar N/A N/A
N/A /data/user/0/mmapps.mirror.free/cache/1582435991586.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

mmapps.mirror.free

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/mmapps.mirror.free/cache/1582435991586.jar --output-vdex-fd=88 --oat-fd=89 --oat-location=/data/user/0/mmapps.mirror.free/cache/oat/x86/1582435991586.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
GB 216.58.212.227:443 tcp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 www.startappexchange.com udp
US 1.1.1.1:53 init.startappexchange.com udp
DE 132.145.224.90:80 init.startappexchange.com tcp
DE 132.145.224.90:80 init.startappexchange.com tcp
DE 132.145.224.90:80 init.startappexchange.com tcp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
DE 132.145.224.90:80 init.startappexchange.com tcp
DE 132.145.224.90:80 init.startappexchange.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp

Files

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4D0E02F2-0001-10AB-A9BD5E2B5AC8BeginSession.cls_temp

MD5 95756c9d8e0ddf00e890f9470a19cefc
SHA1 1de4c07c9b4f86231b67049a15cc395215c29158
SHA256 c6700f9c9fb6ba1ce83c667141bb12c278f88c31d30d6715bbdfc362aaf3b00e
SHA512 7549441521f7f761d7f5d8c8cb6d834d18f64dcc1f0a448f87d53a0c504b75c856256877bd6b2fc028552937ea25db43e1a4be1da2f78845ffc4c0d1e467674c

/data/data/mmapps.mirror.free/files/gaClientId

MD5 70d0d2f189673e1e2151adf89d987e8d
SHA1 56267195601dd7f4e65231662d105023816edc86
SHA256 e81703148e1cf1e27a898da1c01878c7cc2e4742ce39952dbddad104f900e02c
SHA512 e00e5acf85a4ab4d8cd19718c390ff0f2a3f5394a0f66c07478f819f0ced06e563ae61590e31d167a553303cbb6ae8c12cd5d4455d6ef69d72ed02d5baa1df22

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4D0E02F2-0001-10AB-A9BD5E2B5AC8SessionApp.cls_temp

MD5 ebc68458825482e8a1d11674ccd84d67
SHA1 d549a8d368560c83b63c7da79816a632b0e00885
SHA256 2d73ef4fab14fbff7b14bdabc40706c0cd599c3e704d333a0bfefca35097f94e
SHA512 b1d1ee4f327a8dd6ed67303b0b24af42b3790eea2ab688e9a20382a519df0e92d7e08cbb785949346b531fc5eff2b1817ee334240387ff23cad2445d54b6dea0

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4D0E02F2-0001-10AB-A9BD5E2B5AC8SessionOS.cls_temp

MD5 9b3d4522944ce6396563812bfdb92fa9
SHA1 6d2a6133c8f01938a48ccc77ef86ad8ca335c020
SHA256 d32805d685a3f50caa7f1c0bd7c8804c4d937a866513289f60e3184f7a591ed9
SHA512 091d87643712530bf9006135db42a5a50742bb5ca3026bcc5f2c1c17bf4fd984a8938d29263b0abde3d15cac196d2230902534e200b0b79485e3a1bd97d95727

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4D0E02F2-0001-10AB-A9BD5E2B5AC8SessionDevice.cls_temp

MD5 516b5289372e371f8fa8528e699fe92f
SHA1 0a515aa451700405786787d486f2120f0e268a90
SHA256 0ef5399520c6d643d63ba9a954abd6d8ead845bad24b71be106dee321a77d3d2
SHA512 57885d5b69ddf1dff0f8fe8bf83ea0ae06671fabf13ebff4e7b2bd8806e40e055349ddce8e56b21f6f96c479837acc300aa9d6cb03a3aac8a05da8805bfc98b4

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap

MD5 68bbb45979fccee8b10ce00584d2a009
SHA1 63fd9cf8b5188cedb5d5226b10bdf9f4b5860620
SHA256 8438498b9c8dc7b9e8daf908c5ab8fe7b0b214305a636f11caf7109295cf922f
SHA512 08cd3340c5721d64b4dcb4bb237745cdfa6b90a808edc1296b4c0227470b483f34df6f304771ab40f39cc29456b2f5c166d635e2a9088f4a58e4b52b9b3de8d6

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics_to_send/sa_4ee562a6-d824-44c2-9d46-0ebc1710998d_1716473102875.tap

MD5 7f40d5debe7352ab2523d1458aaceb65
SHA1 2797eb51a3f94a718977fac75e77ad94822664f5
SHA256 02da8fbbc931fff84ff35c8413b57b1cbff3e2408dc2d5db59bb089249dd77df
SHA512 10b6b3687fe670e31207ad3a1e11a06f0f88a158e89548f36147ece1cc45fc5968cb393e9741e9f177d3c2967b23be7198fea5c85d702ddfd1142b0d385fb5aa

/data/data/mmapps.mirror.free/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/mmapps.mirror.free/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/user/0/mmapps.mirror.free/cache/1582435991586.jar

MD5 2048eb6124a452540ee51dae4145aadf
SHA1 d05005b2cd7fe4cd652b0d7fd1bdac2c19d51451
SHA256 105c54b6fe3f25350e92187467761598e4c21d62b1091b77d091f65f3bd98864
SHA512 bb6cb3853dd2a5d0701e20607d4e153ae201268dd2e5e2d06cc2df208b3b4dc50132a4ab428251b1644d2399fcc717662438d082ff14203387bab8794109d44d

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap

MD5 6192ff9ee3615c7250464ad797e33892
SHA1 3e87caf08cd150dbe4498390b4e7d1720d54cc71
SHA256 68bcadcacf8022734bffb2d40a59fc0fa6d4c1d8f1b4132bea9dc95053fcd451
SHA512 aa61fd2d7785c6e03553540a8d1765d7848859d92b3621ac176c2232557f281f5e034fa78c5c36f7efe4519dbb4afcc79c17c7f10c39e91aeddbcc9152b6fd42

/data/data/mmapps.mirror.free/files/gaClientIdData

MD5 8f251d30f7cc6a1766edf48a81e0d22e
SHA1 baa1f0b18c04a222adb9150af05f6275d300d4a5
SHA256 9e766f5624e75f080176df10a0eff2ec8b4110825afb9e19167caf17b1c16ca5
SHA512 42311bbe3847644d93c03297d9d81f7e276637f77c981f9b545a5fff61f6fc82769cfb4702cab7470f2f201b8a39887bbdf06bfc3c2b851bfa0f7b588ce0a819

/data/data/mmapps.mirror.free/cache/oat/1582435991586.jar.cur.prof

MD5 a3b78d197d786c13687c3f0f89703bd8
SHA1 9967f0726b6b1ed3f198904547b81920f8329621
SHA256 c5e6754556dbe01b055066f23c28ddaaf5fe67cee4baed00d59dc993335b3d97
SHA512 9a47c9bb977edec9d29d22f280e0078ca931a722eaecc2b085c6b5aaf6246d17a6ad07c9faca45070bb5b89a3ee6cf896f5e2c7e73fb033e3ac57471df70a8b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 14:03

Reported

2024-05-23 14:07

Platform

android-x64-20240514-en

Max time kernel

86s

Max time network

135s

Command Line

mmapps.mirror.free

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/mmapps.mirror.free/cache/1582435991586.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

mmapps.mirror.free

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 www.startappexchange.com udp
US 1.1.1.1:53 init.startappexchange.com udp
DE 132.145.224.90:80 init.startappexchange.com tcp
DE 132.145.224.90:80 init.startappexchange.com tcp
DE 152.70.183.52:80 init.startappexchange.com tcp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
DE 132.145.224.90:80 init.startappexchange.com tcp
DE 132.145.224.90:80 init.startappexchange.com tcp
GB 142.250.200.46:443 tcp
GB 172.217.16.226:443 tcp
GB 216.58.204.68:443 tcp
GB 216.58.204.68:443 tcp

Files

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/mmapps.mirror.free/files/gaClientId

MD5 10fd2cba1b9f186542ff605670bdaa73
SHA1 fc1b4c7a51375d9c035013bfe7cd0fad148f51a2
SHA256 355eebfea41cac95c2a1364c896dc90867313cb6252e929cd47c659a55975fcd
SHA512 1da0840e3f658e48b4b3fac0ec5d7adf10b2c186229874ee083992b7f72f431a918e59b7a9d24516c7bb843955abe4d45280ae174ce10c634281735ab5ba3e70

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4CDB0103-0001-13EE-2BF531436AAABeginSession.cls_temp

MD5 cc563a338b4f080d6f9600812e51e968
SHA1 cad6b5524fe2b08c1207c355856da7e57fa42fd5
SHA256 e709708b9ea048009fc1e1e3a13165245dbbd5e2db78e63b12124a9a0c13d03d
SHA512 78188d8124d64cc7daab9b95b5a28e2a056a0033659cb2f359d2795376f77d6b63565ff7632087a2035189173751abb581b9c807b8b8db458b3ebbcfaff5eeb3

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap

MD5 357a9a7864792ead535d2ffa03b7163a
SHA1 8ae74fe692d819adc5428990a107ac4a21b6dd73
SHA256 a60cf929509aaea85eca4ea38b1d88c5517ba5481864672101133a7734504742
SHA512 c7a879a7ac25953ad9b7c534dedecbfa370c792aecd0a0744f052128b2e0e5825cb68f2572613b795a744b1803a8de9b32aaa1a087b13271a626a959ec31060b

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4CDB0103-0001-13EE-2BF531436AAASessionApp.cls_temp

MD5 cc74b5f72e98c4e84096a034ee660fdf
SHA1 e68d3cf01314dd0bf3d2b12eb324b91f4285e011
SHA256 d348a0097a9f198b39571b8778736221b082187e53242490854083bb898740db
SHA512 6c1298c4fc6559ece06ca1f6e16bf88be86933845845969799ec4bbcc84d5c514ac1b688989c73ed0cd370960cc1e1ea8be82ac6dfb303dd5a3a0b6cc9bd6939

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4CDB0103-0001-13EE-2BF531436AAASessionOS.cls_temp

MD5 2566d27ce8c28d8961f082c375d7535e
SHA1 92fe585b1a2c9c523d2fa1f65ab5c1b6a1a6edaf
SHA256 5acdb54ddba2e264f6822fbdbc4e9b5158f57d43785c2f01d981956b18f7a90a
SHA512 1c70679bbd25a57f9ac02083d5af0fe72b1417cf3070a195497f03d6f492e87b1ed3f570de7ea7c814c995a1530e32610d9570f31a480648f4062e8d3287be8f

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4CDB0103-0001-13EE-2BF531436AAASessionDevice.cls_temp

MD5 f16077ce74679b6665cb21f0a84a04fb
SHA1 12e3217a254f921ab85bf3887d23019bfb1426a0
SHA256 f374052dbe3f9b8e9dfd7168ac4bd69b81c7d6a2114246e35a1e70c0836da77b
SHA512 e1ccd52961a94ce7b0e6e80fa34eb2ec5a85dcfd443f9514af1dc160d039ddb1e9c97b36a2d868ef8c5d091334f5d387e8576d819a6416f94a37a84c65302d11

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics_to_send/sa_93989be3-8833-4fe4-b2d7-227d1a6f74d6_1716473051865.tap

MD5 c9fdd2a0e2b5597c2fc2a4fd85e2b850
SHA1 df7f00dbfe2d11ff57728c97ae0f2a124d8a2585
SHA256 e98a58d7520d8810995b403269799d9224c5f79249f36b301cc908c97b1b35ed
SHA512 4be7b915e73f74901dd8d40c1db4eddd10fb2d90cad535f1a18f194f77045cee17d9c58250329a3258d89b1ba240cb8ad6a559a14f80ba86af1050482392af37

/data/data/mmapps.mirror.free/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/mmapps.mirror.free/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/data/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap

MD5 ce93ec8bc653afd4b9cb8ac50e8ffb18
SHA1 2013da1557cb85aea33541e8506fb9e703d968f9
SHA256 330545c3c12553495650726627a60051aa188ca577ec257b07221a4645ab1021
SHA512 1bebe58d49f5dd720a565a87f2502c0467e5c72c18e329b08172b2c570dfb073b88defd21c2f2bbc8c8b7d105768b7ee5567009e0188a19f2f429720a4c172ef

/data/data/mmapps.mirror.free/files/gaClientIdData

MD5 bd7257873a40e76cde8812486913e442
SHA1 29e89fac71a8d80ba597016d7388b026937fc351
SHA256 a5bf0bc0469f82b05516ebc6d99751d403ddb0a5ffbd6f30e6a7f990c73e49f5
SHA512 ddf01f89cc30b7fb3e3060cf262851eba16aac23d56d981ce54b4ffa7865ae4d5be84217a496348e385a50ee2af69299b72cccfdc1adbd578a0aea0e51f10e18

/data/data/mmapps.mirror.free/cache/oat/1582435991586.jar.cur.prof

MD5 0d54a4386313e9b5ab0c662b0b63185e
SHA1 dcc4b657094d0402aaea007dde418641bf286047
SHA256 211cf6da70f0de77c5ec0fffbe7d48633f4a6ea8823b6fdf8978f2938eade032
SHA512 d426226bfe32f3b8e0845e77e0a81d8eae25365d43befc8af74270b5076e95e9e0abc0f2d0326abf446e56e248a550030ff2282c5680997bdcb3fcdc7c456b05

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-23 14:03

Reported

2024-05-23 14:07

Platform

android-x64-arm64-20240514-en

Max time kernel

166s

Max time network

133s

Command Line

mmapps.mirror.free

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /system/xbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/mmapps.mirror.free/cache/1582435991586.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

mmapps.mirror.free

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 216.58.212.226:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 init.startappexchange.com udp
US 1.1.1.1:53 www.startappexchange.com udp
DE 132.145.224.90:80 www.startappexchange.com tcp
DE 132.145.224.90:80 www.startappexchange.com tcp
GB 216.58.212.226:443 googleads.g.doubleclick.net tcp
GB 216.58.212.226:443 googleads.g.doubleclick.net tcp
DE 132.145.224.90:80 www.startappexchange.com tcp
DE 132.145.224.90:80 www.startappexchange.com tcp
GB 216.58.212.226:443 googleads.g.doubleclick.net tcp
DE 132.145.224.90:80 www.startappexchange.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/user/0/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/user/0/mmapps.mirror.free/files/gaClientId

MD5 07688c577202a289529626b0fd520619
SHA1 1d2fc33292af84ab98263f4b7676f2f42780766f
SHA256 89afa5691cd4a4e75c19a733aad4a63653128164b43a4f6a26dccd5fe66c9735
SHA512 2e862a93b5353b2b22c8f2676e9fd8aff83d3037c7e7860b87cf5923c617aa05567cf65244048a9e10bf8b0c745ffd7dd08f29310a82b203e271c410a4b2119d

/data/user/0/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4CE003CC-0001-11FC-5AE675F35082BeginSession.cls_temp

MD5 0332f9f844e0f93117a21e82f75ab5f6
SHA1 7ed9aa6687b5a58d9a037e49e04349c038d25488
SHA256 5d50b3db4158f2d9fbdd8eaae5e4b3ec38ff503f5f6de23864f86ca24a134176
SHA512 7eb385e94b0e83e1e5ca5a5b7aaf49c1fada09010599082d1a2ef21acb7e1c5a67e3c0ed31c66762b252a8cf77e61569d3c206518723ceb476795b535826629f

/data/user/0/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4CE003CC-0001-11FC-5AE675F35082SessionApp.cls_temp

MD5 579a5bee2e24535529c0ec625edb5765
SHA1 ec4f0a0cc5d5faf90e2feff4ad7476e3185f87c8
SHA256 0315f5d633aa2967db08762ae98d646a9181b02c51e1e3cc546c0106ab2eec9a
SHA512 4f3ac969776fdc97df43112a595b51fd3c12a6328aa6bca7ff0dfb58ec57d0f5bcd4650679c02044f4c074abca3b8bac61f4371a981b33e2b2f516339328ac04

/data/user/0/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4CE003CC-0001-11FC-5AE675F35082SessionOS.cls_temp

MD5 b3d9541cc92a9153d14e5160f8d8c008
SHA1 2e1ac80eb381dd82a03795b682f92020348c0113
SHA256 1ead5b213c87f182ffce484c34f7d9f140ad3425c0f303f460492efe8a26c56d
SHA512 78074409135a210ba4e1407ad9b3f784f5683e83aac4ce3482d4e8135425cf2b30db1ff5dd0041901c490a551a477237c6d255671c7b1fad74090980dcf3334f

/data/user/0/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap

MD5 46149af3b517ae40fabb11f2ef1b7b6b
SHA1 bb990d1dad46fdc4b8788936bf91a2d20a387451
SHA256 d309923a045441f5efd0b89b6832fee912330ed32b4fed2fdb5f8f389857873b
SHA512 3ee664406ca290c0f925c408f7105a8c255a96fb8d2996a759f268da9e89a0487f7995bf6a761e81cbdfd11abf9755c7c6625b484bbcd6b3a0997f3ac3c717de

/data/user/0/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664F4CE003CC-0001-11FC-5AE675F35082SessionDevice.cls_temp

MD5 341847a33177dc68bb320adcd5da9646
SHA1 1f494262a1b2aa88d40fe1b5325ef78ec237363b
SHA256 196d0e5753999d6cd8c315b03a6736aead366c4ea0d82e6efc26e22cd77eac82
SHA512 f4c7f5a2498a8b1661739e3b319d9f430d2228f7f41e662fc3f23b1889b902f57286c9ed39a60ff15addb42f2dfb088c00ca86b186ca7743e2e982885c95b3a8

/data/user/0/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics_to_send/sa_a643a90e-03e8-4ccb-90cb-d0b8e8ee6874_1716473057212.tap

MD5 05815d9dd3c3bab8795558374253265d
SHA1 fb16faa77c595d37005f55d0895a6b16fee514bd
SHA256 cb86f31f04dd6ecd221d59d0008a743e8225b1c0bafdcce1b6d6a6c5882dd106
SHA512 d4d04a5d7680d5d6f3d88a7781cb28a5fe86a75d1abc1ff7df8ed83af6853f71563f8eb1801dd56d997ca100d7c729fb58ab6c8b18172b8d52a7795cda04e9c8

/data/user/0/mmapps.mirror.free/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/mmapps.mirror.free/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/user/0/mmapps.mirror.free/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap

MD5 08ec8d58264cffbf3ce19d7f34914f49
SHA1 28dfe7be2b0fe2ec8089496d36d938033f12b600
SHA256 df943a777ca64ed58255d0118fae400b97ad6d7882146e397966623f1024237f
SHA512 aef29a8922eb6236eb21131f1a30eddaef9843a3e38bacc505ae50eeded0665325a8a3cde3c565627e049a419ca541c20c59927d17e99b7f6ae56cb497579120

/data/user/0/mmapps.mirror.free/files/gaClientIdData

MD5 9d990a9d06ae609d8daaa6de80c1c099
SHA1 04b8e733d78c51ef885aea07f8b3c862269867a9
SHA256 27a792c94f565dff0e8fe9a0c71e3bc0d8542028d6987bbebef4c1182aeb2e83
SHA512 94682eb6dda027975adbd9ba2c06b183fb9c9577e18b0a4adb1747a960e2e3b22a47858249a2ec7f1c506e10d63b0b4b587fb3234a096fbd1d086f59b44f5f6a

/data/user/0/mmapps.mirror.free/cache/oat/1582435991586.jar.cur.prof

MD5 f9431a0cde5766b6a47fe517f0dbe91f
SHA1 41ebffb9e03db4e211961286e6c233726d1c704f
SHA256 48409024aacda3669e2112419ca8742dedca12f5310521730db60c8387710616
SHA512 3102a350b8cdbfe686564eb79892a609f3cccd74d4b420f831156b1c57b736853f1cba0988d4dea7bf728f341e3ed2b997274684726afa2d97d31115e5213382