Analysis Overview
SHA256
d6f8a80f7e5ef5656b672f0cd33a92a3f0a8535eb7ef44536624f9752d5fe3e7
Threat Level: Shows suspicious behavior
The file 6be5db63a57e72ad2e7e392515263028_JaffaCakes118 was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Queries the phone number (MSISDN for GSM devices)
Tries to add a device administrator.
Checks CPU information
Checks memory information
Obtains sensitive information copied to the device clipboard
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-05-23 18:39
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 18:39
Reported
2024-05-23 18:42
Platform
android-x64-20240514-en
Max time kernel
177s
Max time network
131s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Processes
pob.xyz
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | mpbcc.online | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
Files
/data/data/pob.xyz/databases/sms-journal
| MD5 | ffe4312f05a1e4245b1edb9ffae6ca07 |
| SHA1 | 1e03813086d97039d22a49d9b19e15cc5d93a968 |
| SHA256 | 03d232fc261b480456d56a78530392d520cd13b9fa2d77d2f1106fb366cc9e05 |
| SHA512 | 0cfc6928452b20518aa078a225f256a6e4b82c50142f0f5f4eb7cb9d6323852c3dd22a8ef0110bde3830fe18b6200a6f656c797587a45191d2c2593bd0322bb1 |
/data/data/pob.xyz/databases/sms
| MD5 | f75f1a2e4c5a2b0ea72dbdc73eb58bae |
| SHA1 | 10a6f42c6b3ed46ac52bf402e5c0b6ec2e770056 |
| SHA256 | 61b3667c16a7ef98b9f6921ee38a5c8164cea5da99bcf9752baf1cd7aae14338 |
| SHA512 | 12985e041f1ccae6d733d40c62eeec50a0a8138548ff17b20487ca226e2ffaf8f2689a0d1f401d6c4931c3cf00db3ad7c9c32347f5951110b4d99288d207e0c5 |
/data/data/pob.xyz/databases/sms-journal
| MD5 | 514640444bc7e940737f4dd453f7dc4c |
| SHA1 | ec55fd2d9828050aad852719a2c81dbe592f7ede |
| SHA256 | be7c3b8185309411a7fa88e898b685032a094fb08eb12a69c393617394290801 |
| SHA512 | da5d079e7879cd00a9caf2572df32f68147b3f8321cf721187bf088835b78f310edb8e96c0f77c44075c91d8804952617338a54ea91145d36167fe815f6b6604 |
/data/data/pob.xyz/databases/sms-journal
| MD5 | 067b4114b4b3b60654e9ef10e07b7455 |
| SHA1 | ac3b37debcb3b15043203316ce7b0145535fdaee |
| SHA256 | 6753818955dd488b65218e5b56310c233dc4b7073fd650a3d01a2772494ed23a |
| SHA512 | 2796b7d4dbca70f487b717d96efc6c91bfc0234f157522a5316ed8ef6d02eff0a953123d8da15ebecfc465cc8e123466a74286b16f1f1fc27e2297d998e893fe |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-23 18:39
Reported
2024-05-23 18:42
Platform
android-x64-arm64-20240514-en
Max time kernel
178s
Max time network
132s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Processes
pob.xyz
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | mpbcc.online | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/user/0/pob.xyz/databases/sms-journal
| MD5 | 6971afcd6c87122cfa6f4705e5a409c4 |
| SHA1 | 107841d95cddc8a4d7eb7ebaffbf4cfc3a829cc2 |
| SHA256 | 13ac76309d3f4dd7d9a5ee6eaf83eb81fc91a959f032d4bdbc78479ed4046fa3 |
| SHA512 | 75d9d5aa8d2fecbcbe857ee5beaacd6d98cbc4a9b960e123f62fccc3d6edafa1a8ac05179b1073c6b7a4e68b1e4e138e830eed81e370266d869f9222271166d0 |
/data/user/0/pob.xyz/databases/sms
| MD5 | 862c334a6fc3edade14ad9c3e87c6e98 |
| SHA1 | 6df4251e383583e05a5e1453753bb2478a3c8abb |
| SHA256 | 5fc6e53b7d51c7676b37ffa3b0334e649b83bac92a9177f3cfc85d69570ada09 |
| SHA512 | 7ff529f9b25197fb640bd9128abfaec489b1179485120ace6324758d0fc9eb2e2bbe05bfe32fd693715744367cdb6c0ba8646094e56e35c31c9593392f518d9f |
/data/user/0/pob.xyz/databases/sms-journal
| MD5 | 04b1bab721dc5ac7fd53fd5915d1d08b |
| SHA1 | ca6fcb5ab59c7a9631e14fbad8c1a1c64215fdef |
| SHA256 | f51ad9ab083f33d8ba9a42de0182a9015a211c80a5e4ea548c08e85f3ad9932e |
| SHA512 | b9373d9e59914084a502e079dc49f4f0063839b660efb2c6f3ef1366cf0024cbae34242b3978b31a2794ac436c55d55beace6675f5236204d8a0317ec327d001 |
/data/user/0/pob.xyz/databases/sms-journal
| MD5 | f93ebd3814812ca324b5d4a511cfdc5b |
| SHA1 | a6a98ff63127c0c50ca265529164e21ae199c07b |
| SHA256 | ef0ebf4fb757cec12a7430ad90c638636c2081ef9ce5695abd6ec8f321d0d9d3 |
| SHA512 | 38c2c5b3e305488a520fff288ec4a25066c9a72c50695ed71c58715b515dc91e68d75a8f4aa31823b3c5979ad15874d817a256a7ee85eb54c2e6ef24e89b1c4b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 18:39
Reported
2024-05-23 18:42
Platform
android-x86-arm-20240514-en
Max time kernel
175s
Max time network
131s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Processes
pob.xyz
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | mpbcc.online | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
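The three network tables in this report (behavioral1, behavioral2 and behavioral3) mix three kinds of rows: DNS lookups sent to the sandbox's resolver at 1.1.1.1, the link-local mDNS multicast to 224.0.0.251:5353, and outbound TCP connections, some of which carry no domain name and in some extracted rows the protocol has slid into the empty domain column. The script below is an added example, not code from the sandbox or from this report, that parses rows in this table layout into indicators an analyst can act on. Its input is the behavioral2 table copied as extracted (constructed input for the example), and the list of domain suffixes treated as platform noise is the analyst's own assumption, not something the report states.

```python
# Added example: turn a sandbox network table into reviewable indicators.
# Input rows are copied from the behavioral2 section of this report; the
# suffix allowlist below is an analyst assumption, not part of the report.

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | mpbcc.online | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | tcp | |
| GB | 172.217.16.238:443 | tcp | |
| GB | 142.250.179.226:443 | tcp | |
| GB | 142.250.178.4:443 | tcp | |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
"""

# Assumption: domains the analyst treats as Android/Google platform traffic.
BENIGN_DOMAIN_SUFFIXES = (".google.com", ".google-analytics.com")
RESOLVER_IP = "1.1.1.1"        # the sandbox's DNS resolver, not sample infrastructure
MDNS_ENDPOINT = "224.0.0.251:5353"  # link-local multicast DNS, not a remote peer


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row; None for non-data lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) == 3:            # row extracted with its trailing empty cell dropped
        cells.append("")
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain in ("tcp", "udp"):  # protocol slid into the empty domain column
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():         # header row or anything without host:port
        return None
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(table):
    """Split the table into DNS lookups and connections, then flag what is not platform noise."""
    dns_queries, connections = set(), set()
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row["proto"] == "udp" and row["port"] == 53 and row["ip"] == RESOLVER_IP:
            dns_queries.add(row["domain"])          # the name matters, not the resolver
        elif f'{row["ip"]}:{row["port"]}' == MDNS_ENDPOINT:
            continue                                # local multicast, nothing to pivot on
        else:
            connections.add((row["ip"], row["port"], row["domain"]))

    suspicious = sorted(d for d in dns_queries if d and not d.endswith(BENIGN_DOMAIN_SUFFIXES))
    connected_domains = {c[2] for c in connections}
    return {
        "dns_queries": sorted(dns_queries),
        "suspicious_domains": suspicious,
        # queried but never connected to: resolution may have failed or been sinkholed
        "queried_but_no_connection": [d for d in suspicious if d not in connected_domains],
        "connections": sorted(connections),
        # TCP peers the table does not tie to a name; check them against the DNS answers
        "unattributed_connections": sorted(c for c in connections if c[2] == ""),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

On this report's data the only name outside the assumed allowlist is mpbcc.online, and it appears solely as a lookup: no TCP row connects to it, so the report alone does not show whether the name resolved or what the sample would have done with the answer. The four unattributed 443 connections in behavioral2 are also worth checking against the resolver's answers before treating the 1.1.1.1 rows, which are the sandbox's resolver, as indicators.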
Files
/data/data/pob.xyz/databases/sms-journal
| MD5 | 42ff3134315596dfd6be82d5fb9d7aed |
| SHA1 | bd565eef9bb1d7174e4aaeb919e878a70819672b |
| SHA256 | f51f60ba43a564ad9d78328e2a94f80ede5c0044a2bce7dd9d789f928deefa7e |
| SHA512 | 529cb58696c86a1f585ca7e1d70ba8b4a3fd27ec95f3a3566b28b8f9d72aa9a4c61d703f299f8cc4ed7234e86feafc57c047cabebf293ac6931c948e06cbef69 |
/data/data/pob.xyz/databases/sms
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/pob.xyz/databases/sms-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/pob.xyz/databases/sms-wal
| MD5 | a87c409b5c30a4d28a68ec2984a1e8f0 |
| SHA1 | 94a0af12979efd21652eae376c8a1067cefc4189 |
| SHA256 | 3dbcb2d67565562b4ed755e442612a99dbf71d79ba5727192993047f72529c6b |
| SHA512 | d9ee0b7b00218c30fd91232d5b286000ba7e3764773098d05c78fe167963450dd9fb34cb9ab81d3edd313e8b2ab7ba4ec65fe9d6afd5e2d978d065e3606803a4 |
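The sms, sms-journal, sms-wal and sms-shm entries in the Files sections are one SQLite database plus its journal files, written under the sample's own data directory (the report does not show what the database holds). The behavioral2 and behavioral3 runs show a rollback journal (sms-journal, which holds pre-change page images), while behavioral1 shows the database in WAL mode (sms-wal and sms-shm). The practical caveat for WAL mode is that committed rows can live only in the -wal file until a checkpoint, so pulling the main database file by itself can yield an empty table. The script below is an added example, not code from the sandbox or this report, that builds a constructed database in a temporary directory to show the effect; the table name, row and marker string are made up.

```python
# Added example: why the -wal file must be collected with a WAL-mode SQLite database.
# Everything here is constructed; no file from the analysed sample is used.
import os
import shutil
import sqlite3
import tempfile

PROBE = "probe-text-0001"  # constructed marker, chosen so it is easy to find in raw bytes


def _row_count(db_path):
    """Rows visible in the constructed 'sms' table, or 0 if the table cannot be seen."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT count(*) FROM sms").fetchone()[0]
    except sqlite3.OperationalError:
        # 'no such table': the schema page itself is still in the WAL, not the main file
        return 0
    finally:
        conn.close()


def wal_demo():
    """Create a WAL-mode database, copy it with and without its -wal file, compare."""
    work = tempfile.mkdtemp()
    try:
        main = os.path.join(work, "sms")
        src = sqlite3.connect(main)
        assert src.execute("PRAGMA journal_mode=WAL").fetchone()[0] == "wal"
        src.execute("CREATE TABLE sms (address TEXT, body TEXT)")
        src.execute("INSERT INTO sms VALUES (?, ?)", ("+15550100", PROBE))
        src.commit()
        # Keep src open: closing the last connection checkpoints and deletes the -wal,
        # which is the state a live device is usually NOT in when files are pulled.
        with open(main, "rb") as f:
            main_bytes = f.read()
        with open(main + "-wal", "rb") as f:
            wal_bytes = f.read()

        only_main = os.path.join(work, "copy_main_only")   # what a naive pull collects
        os.mkdir(only_main)
        shutil.copyfile(main, os.path.join(only_main, "sms"))

        full = os.path.join(work, "copy_with_wal")         # main file plus its -wal
        os.mkdir(full)
        for suffix in ("", "-wal"):
            shutil.copyfile(main + suffix, os.path.join(full, "sms" + suffix))

        result = {
            "main_has_text": PROBE.encode() in main_bytes,
            "wal_has_text": PROBE.encode() in wal_bytes,
            "rows_main_only": _row_count(os.path.join(only_main, "sms")),
            "rows_with_wal": _row_count(os.path.join(full, "sms")),
        }
        src.close()
        return result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in wal_demo().items():
        print(f"{key}: {value}")
```

The -shm file is the shared-memory index over the -wal and is rebuilt on open, so the pair that must travel together is the main file and the -wal; SQLite replays the WAL frames when the copy is opened. For the rollback-journal case in behavioral2 and behavioral3 the situation is the reverse: a hot -journal holds the pages as they were before an uncommitted change, which is why the report lists several sms-journal snapshots with different hashes over one run.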