Analysis Overview
SHA256
f24cdbb1e8b40771f2798543664e39a08ec02c3aa9c6c552ff7008a9d6a75478
Threat Level: Shows suspicious behavior
The file 8da7dc1501f70fecf9fedef7e9b84156_JaffaCakes118 was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Checks memory information
Obtains sensitive information copied to the device clipboard
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Queries information about running processes on the device
Queries information about the current Wi-Fi connection
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator
Checks if the internet connection is available
Requests dangerous framework permissions
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 09:46
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 09:46
Reported
2024-06-02 09:49
Platform
android-x64-20240514-en
Max time kernel
128s
Max time network
152s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.damaiapp.yyl
com.damaiapp.yyl:push
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | log.umsns.com | udp |
| CN | 59.82.29.162:80 | log.umsns.com | tcp |
| US | 1.1.1.1:53 | api.m.taobao.com | udp |
| CN | 140.205.160.4:80 | api.m.taobao.com | tcp |
| US | 1.1.1.1:53 | yyl.uxi.me | udp |
| CN | 59.82.29.163:80 | log.umsns.com | tcp |
| GB | 216.58.212.226:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| CN | 59.82.29.248:80 | log.umsns.com | tcp |
| CN | 59.82.29.249:80 | log.umsns.com | tcp |
| GB | 142.250.200.36:443 | | tcp |
| CN | 59.82.31.154:80 | log.umsns.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| CN | 59.82.31.160:80 | log.umsns.com | tcp |
| CN | 59.82.31.210:80 | log.umsns.com | tcp |
| CN | 59.82.31.92:80 | log.umsns.com | tcp |
| CN | 59.82.31.95:80 | log.umsns.com | tcp |
| CN | 59.82.60.43:80 | log.umsns.com | tcp |
| CN | 59.82.60.44:80 | log.umsns.com | tcp |
| CN | 59.82.112.112:80 | log.umsns.com | tcp |
Files
/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-journal
/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.DataStorage/ContextData.xml
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 09:46
Reported
2024-06-02 09:49
Platform
android-x86-arm-20240514-en
Max time kernel
126s
Max time network
131s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.damaiapp.yyl
com.damaiapp.yyl:push
cat /sys/class/net/wlan0/address
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.195:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | log.umsns.com | udp |
| CN | 59.82.29.162:80 | log.umsns.com | tcp |
| US | 1.1.1.1:53 | api.m.taobao.com | udp |
| CN | 140.205.160.4:80 | api.m.taobao.com | tcp |
| US | 1.1.1.1:53 | yyl.uxi.me | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| CN | 59.82.29.163:80 | log.umsns.com | tcp |
| CN | 59.82.29.248:80 | log.umsns.com | tcp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 216.58.201.98:443 | | tcp |
| CN | 59.82.29.249:80 | log.umsns.com | tcp |
| CN | 59.82.31.154:80 | log.umsns.com | tcp |
| CN | 59.82.112.112:80 | log.umsns.com | tcp |
| CN | 59.82.60.44:80 | log.umsns.com | tcp |
| CN | 59.82.31.92:80 | log.umsns.com | tcp |
| CN | 59.82.31.95:80 | log.umsns.com | tcp |
| CN | 59.82.60.43:80 | log.umsns.com | tcp |
| CN | 59.82.31.210:80 | log.umsns.com | tcp |
| CN | 59.82.31.160:80 | log.umsns.com | tcp |
Files
/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-journal
/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db
/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-shm
/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-wal
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
/storage/emulated/0/.DataStorage/ContextData.xml