Analysis Overview
SHA256
6a14393721d173d8b87d7d00c2b28a6e9f7e3542852282aa9148be324fea4cbc
Threat Level: Likely malicious
The file 90322951bfd2bb251279a4e31585d59b_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Checks CPU information
Checks memory information
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Obtains sensitive information copied to the device clipboard
Schedules tasks to execute at a specified time
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-03 01:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 01:59
Reported
2024-06-03 02:02
Platform
android-x86-arm-20240514-en
Max time kernel
23s
Max time network
130s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Processes
com.tocaboca.tocaboo.hack
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 172.67.165.196:443 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
Files
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | 240378b18db27dc3322a54cfd545b404 |
| SHA1 | 5b012694d3a6f7b1d074fdb23002004537d85a5b |
| SHA256 | ec2f83e322db33749f20100dea8e4a6ab300b2b5c74934b6fbaebb577350dbb1 |
| SHA512 | 61b7df60c57d8bdede996213d3ca9063f92dd032e8692d8a44285b2c4c4541f0abad4c0fabe01e27df87fa0f0edf74f01bd38e25cfdd897db204e4377444b835 |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db
| MD5 | 5d85664f8e614fcaef42be2e6f649027 |
| SHA1 | 09c6288922102f6114a823f4992415fd3373d61e |
| SHA256 | 55f8907e91226ef43a05583c7b4623b4e26994b62d20c8603975ccc1fa3b9409 |
| SHA512 | 3d6006a3e82d00fe9bc443e940acc5df12ec84114fcbcf8fbc8099c085cb1229b21a217b7445129b50558bfef5100894686d7359eb80b7ef087b65c7be3bc6e9 |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-wal
| MD5 | 0683e44a880a40b9232a28497fb8b748 |
| SHA1 | 416fc3ed2980174fc2dbbcdfa06339dbced97df3 |
| SHA256 | 875dbdb044611e9cdd732089b7b0668a18db985771c56d79af2b2d59fd9e50b1 |
| SHA512 | c9a2e259012a004923b50f913c1001e3d23cea5d7434c7a61dd32a9d6ebc8d47d53679e6b6dc8bd80fd9d9df73e0e28ef56a9b00d858f02a41d8ac9d6e84e5f7 |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-wal
| MD5 | cb2c25c8bf007326abc0a56dba509dee |
| SHA1 | b60219627eaf18fe9bbc317d9f957a7897bb56d8 |
| SHA256 | 89eda6e0eeaef84e334a77678d3eaedf259857e9bdbc605e48f8907dff34aa7c |
| SHA512 | 23c6dd18a6b83790b5a525506ab05454b9c9c7fe2cddd9804a017f3c034e0d0e253ea09653da5658cb818bce3e9f1479ea98e1efb31aa2fd870e1571b3046bf6 |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db
| MD5 | 4dbe7c13ace5aba5034ac824ed61586e |
| SHA1 | e1a2ce2e6dc45f01afe2e3b5957bb7c7fbd4929e |
| SHA256 | 790795cbde73b7d08e5ccbfe13b0227f0d4399a02162e0d80aa4f9dd6d4fbad4 |
| SHA512 | 6fdb5313c7ddaf26a6acb2a2c5a7240ca06265da1e23d07f8b388b60c234e0079f038ca14470a7d1a6d7023c08dbed5188d945594ceb4ac77f811ae86b88c1cc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 01:59
Reported
2024-06-03 02:02
Platform
android-x64-20240514-en
Max time kernel
49s
Max time network
152s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Processes
com.tocaboca.tocaboo.hack
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 172.67.165.196:443 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
Files
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | ba7305579fd8df73dd7b98e6d6c2436f |
| SHA1 | a74cba9b62449537b4cf1808f9a10cd93b117116 |
| SHA256 | c43855a204b29e3a3f2f948756c177272806db9f20f46608af22aaf33b817575 |
| SHA512 | a6384005fea78bf2d6890d15de9221503beb5d29efcbe92bc881abd479cfa7dee9b4ceb6b6ea8912a5d24ed72645206bb7c89766c3282aeef127ae0d50bff5ec |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db
| MD5 | 12627a2ec645c4a4bc50dba5903afd59 |
| SHA1 | 504005c938517e61bcf68b65a055c2faba635c2e |
| SHA256 | f177ffae9650eb4f407c2d9a510bb5a5abe1ece2fdfe24effc62478a1bfa5903 |
| SHA512 | 7ff69589296e02383a217373399e75d8a82fa17146e4273f4c0eb630f096dd9f394a3324d60858b02f7e5cf177c82c6d966f5cbedb68ae6a98df7cc851b79cfd |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | 43ed2b84b404c98701eae89f47e06332 |
| SHA1 | cb8589359dd9f72df913aaa21115259a2bd34e9e |
| SHA256 | 9138aa3e4cfe7813314a35f893eed49fe03f06988cdd69b737566c566852ec36 |
| SHA512 | ce61aee1e091fa6c7dbfdf5b9915daabaca9c3ada0622744a9a8ca565e7755ec7178a6a79886969893dd301375f5ac28a51ee9020f15134c21749701829fc8f9 |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | 78c37deb9e070c0dd04c18868e7eb180 |
| SHA1 | 4e8439f4877f6e5608382e8851ab38a3d22e7ef0 |
| SHA256 | aa24d25da192efadc3b8332f941a85cef6566af11e40fd80ff58272581eaedd6 |
| SHA512 | fba0a434a9695889ee3c2e0b94cb7e56951bff43c324062fec4e90ab3fb8a862f9be1a040df67c74e3abdb758c00f66c9673b27f2629322ff2a046b3b0322b4d |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | 3049ad0c6e16454a6565c061d28132c7 |
| SHA1 | bd8c0aa15bdc087b4a8769b8538b95a6db9c910a |
| SHA256 | 3cee5c2bf0f517190e047b8a8e8601694182089c331d27294771e2dcd1f1b3ec |
| SHA512 | 75f89a3e2dbdd6720564bbbfe52ab261a2f3abd5ba9f31e25990a80b34a781ea712680547c627d66327b195c51629a2ea36664fd861a3479884c29885a10dad8 |
/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db
| MD5 | 16b4741d88b5ee7ee8f932d7683225f5 |
| SHA1 | 053c809a592da360004f6dd0dc7c73e8c8f4d568 |
| SHA256 | bbda11d595d576c6b012f9ee0a98754af41849736c52ae29b5d260eabaf88021 |
| SHA512 | 81ca9ebeb82a285ddfba7d9e49f5e8baf4172d4dd6c309a241a8538d9dd0bc2aa3b467c0816e0ec3984acc04efdd043f4187f37131430b9fdd6cd6e6e28ee153 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-03 01:59
Reported
2024-06-03 02:03
Platform
android-x64-arm64-20240514-en
Max time kernel
25s
Max time network
131s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Processes
com.tocaboca.tocaboo.hack
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.14:443 | | tcp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 172.67.165.196:443 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| GB | 142.250.200.4:443 | | tcp |
| GB | 142.250.200.4:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
Files
/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | 8e5b695d2bd79088416703fafbe0ea48 |
| SHA1 | 460bc77cfd217443c8c213cdc7b622f8a5f160a6 |
| SHA256 | e5e3cdaee908e70154cd54ca25ad78ae6aaeca44e7f7694313a7077916f4d538 |
| SHA512 | 502ff51535baab2625b44213ac0813e2a1b00df8bdbc4e586cb97635cae12e95799628906464b44b242e8cc7be6c04962b7670c6efc6e6795419455cea0ccb13 |
/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db
| MD5 | 58c0b6e45328752b20ac6e719ac034f8 |
| SHA1 | 372b2638afd00bbbc4034657b3df3d2e428fb367 |
| SHA256 | 9d74f93afa5a179b1ba2f19f154b2880aa8b99c88209802099045a0874d2426a |
| SHA512 | 2d347d5824b9ab701e341c89e8327a95fd6bab8e92ee15ce9550da368d773e22bff304072a4854df5ab763750a7401f7aa61a49e3292d62c27fa9f20536eb3ab |
/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | 943ce76658156a58ad4418675586accc |
| SHA1 | d80e1ea747d48ccfb11b25239e3d4d9bfd5a7551 |
| SHA256 | d9f43fde5170e13b8c28f4163f3ff28b1405fa2086ca15dd2cb0de22562b8238 |
| SHA512 | 05032f3c145dbf0cc5beed4429be036108363aede4b1c59b80e853f305dec34f8fae4f355ea12e4e32c199b0fd59d23f518158826b3d498e21060b3e2a94bff5 |
/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | 2e0987075a781de1bcd7b6a1201185b3 |
| SHA1 | 368382bd3a3ff4db3836812dc8a934776835e0cd |
| SHA256 | 5b85864f1e1eda3118d2e833137170f891d0c471165ff366a467a3a33d16b012 |
| SHA512 | 4c22ea1a19ced1a6091177a28addf8e5e5b9fe06aa81c5f0d36f70640d66aebd91a01e04f5ffb377954fb05c7ba4312abebcf96f4fcf4459064e722a5066dbe5 |
/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal
| MD5 | b9f40da9466818d4e005ca227bac206f |
| SHA1 | 9b47455688cca026a45e30a7d88d68ffbb6aa42b |
| SHA256 | 3f4f97220488de33e7f8550ff83ebe9e2a54cf224bdf105bcf8ca6ba267d9fd6 |
| SHA512 | c183d1cc12fef6a847e5fb7cb909df9551c6365ed7e20489a5fa38aabce54ae86dad8fdd8deab74527d5c7c144d5f2216e803f39741830ac03270a4991a98d2b |
/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db
| MD5 | 5703bc52fe64684bff0f0a869b448978 |
| SHA1 | 9e1e9a0f7d384591bc72576294c490b53318ccaa |
| SHA256 | 4e29eab3886d59e7172a73123ab7f7fafc4f695812960d4e2d95a04a0033701a |
| SHA512 | 6d9e1e23fbe1724855911531127c9c94b8fcbe7049d6883f2a75f37ca555dfe5dfe5c95044d6bda4d98b0e6ef2a98f87db83b298fb289f4d6983fc26e028b2ad |