Analysis Overview
SHA256
447819e3551724706ec7010b5501fd6cec02c1ad1d951ea7b3ab71d27ffdc4c8
Threat Level: Likely malicious
The file 8dcb6b127c917194b4d676624a4e58b7_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Checks CPU information
Obtains sensitive information copied to the device clipboard
Queries information about running processes on the device
Checks memory information
Loads dropped Dex/Jar
Registers a broadcast receiver at runtime (usually for listening for system events)
Queries the mobile country code (MCC)
Requests dangerous framework permissions
Queries the unique device ID (IMEI, MEID, IMSI)
Checks if the internet connection is available
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 10:41
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 10:41
Reported
2024-06-02 10:45
Platform
android-x86-arm-20240514-en
Max time kernel
6s
Max time network
131s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks the presence of a debugger
Processes
com.pregnancy.infopm
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.213.3:443 | tcp | |
| GB | 142.250.200.14:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 172.217.169.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar
| MD5 | af170c3ab4aacd227ae3b70a955bdf18 |
| SHA1 | 34287521763a244c2d37d082e614175198b19d10 |
| SHA256 | d6e411da16142f7e75bcea4e6c7da49a06554703b77c5dce67b39b2c36a39a60 |
| SHA512 | e739fc73307e17a5d38edee078f4d637a2de5d6594ab14dff27ef018cd465d0a0718a3fa981de7ce4ae78fdb030cddb6c4aef7fc277b435093b0fd2e60f0e27e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 10:41
Reported
2024-06-02 10:45
Platform
android-x64-20240514-en
Max time kernel
68s
Max time network
145s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar | N/A | N/A |
| N/A | /data/user/0/com.pregnancy.infopm/cache/1582435991586.jar | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.pregnancy.infopm
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | adlic.rjfun.com | udp |
| US | 54.186.225.149:80 | adlic.rjfun.com | tcp |
| US | 1.1.1.1:53 | www.woowo.org | udp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.194:443 | googleads.g.doubleclick.net | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| GB | 142.250.187.194:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.187.194:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.201.98:80 | pagead2.googlesyndication.com | tcp |
| US | 1.1.1.1:53 | stats.g.doubleclick.net | udp |
| US | 1.1.1.1:53 | analytics.google.com | udp |
| GB | 142.250.179.238:443 | analytics.google.com | tcp |
| BE | 173.194.76.156:443 | stats.g.doubleclick.net | tcp |
| US | 1.1.1.1:53 | m.addthisedge.com | udp |
| US | 1.1.1.1:53 | m.addthis.com | udp |
| US | 1.1.1.1:53 | s7.addthis.com | udp |
| US | 1.1.1.1:53 | connect.facebook.net | udp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 157.240.221.16:80 | connect.facebook.net | tcp |
| GB | 157.240.221.16:443 | connect.facebook.net | tcp |
| GB | 23.218.76.2:443 | s7.addthis.com | tcp |
| GB | 23.218.76.2:443 | s7.addthis.com | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 157.240.221.16:443 | connect.facebook.net | tcp |
| US | 1.1.1.1:53 | www.facebook.com | udp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 172.217.16.238:443 | tcp | |
| GB | 142.250.179.226:443 | tcp | |
| GB | 142.250.178.4:443 | tcp | |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.200.36:443 | www.google.com | tcp |
Files
/data/data/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar
| MD5 | af170c3ab4aacd227ae3b70a955bdf18 |
| SHA1 | 34287521763a244c2d37d082e614175198b19d10 |
| SHA256 | d6e411da16142f7e75bcea4e6c7da49a06554703b77c5dce67b39b2c36a39a60 |
| SHA512 | e739fc73307e17a5d38edee078f4d637a2de5d6594ab14dff27ef018cd465d0a0718a3fa981de7ce4ae78fdb030cddb6c4aef7fc277b435093b0fd2e60f0e27e |
/data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar
| MD5 | 83256ba2df6312b81d1a644fb9789b60 |
| SHA1 | 4f637acada64e7954600e5e2cfefc2d5cd6d70eb |
| SHA256 | c02138bc1fbb689e2b0204899b3339e3a689d14b35b601b6d71437ebe6b0b960 |
| SHA512 | c558fbde79b8c586390c32ac02a428090167fbd22041ba6bf25ca36da74966b9cf370c5d549c3356aa630fcdff26e720dc1de97aa9ea9d7520521f31f4c8abf0 |
/data/data/com.pregnancy.infopm/cache/1582435991586.jar
| MD5 | e8e0527a01aefdb89afd2c508f131da1 |
| SHA1 | f1103e6b260c657ceb3d95f1b023af3fda8b133a |
| SHA256 | f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce |
| SHA512 | fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34 |
/data/user/0/com.pregnancy.infopm/cache/1582435991586.jar
| MD5 | fde2ee00cbd121cfab5290b078aa3ceb |
| SHA1 | e2b77d5320e155e413d040a8c20020962065b2f8 |
| SHA256 | 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685 |
| SHA512 | a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56 |
/data/data/com.pregnancy.infopm/cache/oat/1582435991586.jar.cur.prof
| MD5 | 31ade1f8d59483bc2902ad41992b0226 |
| SHA1 | 0d2bfcf084e5a5251b0e1e4d5961ca56ff57c629 |
| SHA256 | 82b18a80df2c61864c3b4c7fc049b6ad6efc3bf1cafe5116a9150b63e717a645 |
| SHA512 | eb70556c99e4c8608b700178290ccdeb4e62e52d9fb7af5173f1ef9c9ab1325db417eb2191edf1080a9ba98d74238151d7c74d52f623e49ce25bd0a4c14fee63 |
/data/data/com.pregnancy.infopm/files/oat/ewqeqewqeqewqewqavpcc.jar.cur.prof
| MD5 | 14223abdef89bac4b829bbc1f3f56d9a |
| SHA1 | 4ee0f082f57eb727ef3f7f9e2d9d6e6792783503 |
| SHA256 | becc742f16181bef97525f96911fe70651e1967220a818b1fe85af6c1cc3c1b2 |
| SHA512 | 6f93331363c47adf8ac16f1ebe0f2a9179f072bdc614ef88e04eff3df528212176c005e6bbe7695434cd6b449f9c571b9d7ebb7ed45c6d4a2788c19fd5086f89 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-02 10:41
Reported
2024-06-02 10:45
Platform
android-x64-arm64-20240514-en
Max time kernel
139s
Max time network
145s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar | N/A | N/A |
| N/A | /data/user/0/com.pregnancy.infopm/cache/1582435991586.jar | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Checks the presence of a debugger
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.pregnancy.infopm
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.178.14:443 | tcp | |
| GB | 142.250.178.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | adlic.rjfun.com | udp |
| US | 52.26.223.62:80 | adlic.rjfun.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | www.woowo.org | udp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| HK | 203.218.238.42:80 | www.woowo.org | tcp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.180.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.187.226:80 | pagead2.googlesyndication.com | tcp |
| US | 1.1.1.1:53 | stats.g.doubleclick.net | udp |
| US | 1.1.1.1:53 | analytics.google.com | udp |
| BE | 64.233.166.157:443 | stats.g.doubleclick.net | tcp |
| US | 216.239.36.181:443 | analytics.google.com | tcp |
| US | 1.1.1.1:53 | m.addthisedge.com | udp |
| US | 1.1.1.1:53 | m.addthis.com | udp |
| US | 1.1.1.1:53 | s7.addthis.com | udp |
| US | 1.1.1.1:53 | connect.facebook.net | udp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 157.240.214.11:80 | connect.facebook.net | tcp |
| GB | 157.240.214.11:443 | connect.facebook.net | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 23.218.76.2:80 | s7.addthis.com | tcp |
| GB | 157.240.214.11:443 | connect.facebook.net | tcp |
| GB | 23.218.76.2:443 | s7.addthis.com | tcp |
| GB | 23.218.76.2:443 | s7.addthis.com | tcp |
| GB | 23.218.76.2:443 | s7.addthis.com | tcp |
| US | 1.1.1.1:53 | www.facebook.com | udp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp |
Files
/data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar
| MD5 | af170c3ab4aacd227ae3b70a955bdf18 |
| SHA1 | 34287521763a244c2d37d082e614175198b19d10 |
| SHA256 | d6e411da16142f7e75bcea4e6c7da49a06554703b77c5dce67b39b2c36a39a60 |
| SHA512 | e739fc73307e17a5d38edee078f4d637a2de5d6594ab14dff27ef018cd465d0a0718a3fa981de7ce4ae78fdb030cddb6c4aef7fc277b435093b0fd2e60f0e27e |
/data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar
| MD5 | 83256ba2df6312b81d1a644fb9789b60 |
| SHA1 | 4f637acada64e7954600e5e2cfefc2d5cd6d70eb |
| SHA256 | c02138bc1fbb689e2b0204899b3339e3a689d14b35b601b6d71437ebe6b0b960 |
| SHA512 | c558fbde79b8c586390c32ac02a428090167fbd22041ba6bf25ca36da74966b9cf370c5d549c3356aa630fcdff26e720dc1de97aa9ea9d7520521f31f4c8abf0 |
/data/user/0/com.pregnancy.infopm/cache/1582435991586.jar
| MD5 | e8e0527a01aefdb89afd2c508f131da1 |
| SHA1 | f1103e6b260c657ceb3d95f1b023af3fda8b133a |
| SHA256 | f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce |
| SHA512 | fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34 |
/data/user/0/com.pregnancy.infopm/cache/1582435991586.jar
| MD5 | fde2ee00cbd121cfab5290b078aa3ceb |
| SHA1 | e2b77d5320e155e413d040a8c20020962065b2f8 |
| SHA256 | 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685 |
| SHA512 | a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56 |
/data/user/0/com.pregnancy.infopm/cache/oat/1582435991586.jar.cur.prof
| MD5 | f9431a0cde5766b6a47fe517f0dbe91f |
| SHA1 | 41ebffb9e03db4e211961286e6c233726d1c704f |
| SHA256 | 48409024aacda3669e2112419ca8742dedca12f5310521730db60c8387710616 |
| SHA512 | 3102a350b8cdbfe686564eb79892a609f3cccd74d4b420f831156b1c57b736853f1cba0988d4dea7bf728f341e3ed2b997274684726afa2d97d31115e5213382 |
/data/user/0/com.pregnancy.infopm/files/oat/ewqeqewqeqewqewqavpcc.jar.cur.prof
| MD5 | 0c66c78f71a8a69fde03a257cdf6e5c5 |
| SHA1 | fd1d079ad91c3fe6f71f50b459a70b1c9fd88788 |
| SHA256 | dab8564fed624d7652367793d78798d93183cfe0a586c747b7c38aa86732a569 |
| SHA512 | 646e2b260fbc5be7ef900ab385698468f63aa888e206fc2327751d16227575ac15acd8aed56ec1c13938d76b61ddaa44b1b64cab7558523bec8782f91760cb78 |