Analysis Overview
SHA256
d5dfc58f8c06ad8d2b3de4a3b1ad6ecb3c6403ef7ad9c40ce3479e39328ed815
Threat Level: Likely malicious
The file 9095861656c4e22ccdcf6e586c16f4f1_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Checks CPU information
Queries information about running processes on the device
Queries information about the current Wi-Fi connection
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks if the internet connection is available
Declares services with permission to bind to the system
Requests dangerous framework permissions
Queries the unique device ID (IMEI, MEID, IMSI)
Listens for changes in the sensor environment (might be used to detect emulation)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 04:50
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A |
| Required by dream services to bind with the system. Allows apps to provide interactive screensavers (dreams). | android.permission.BIND_DREAM_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 04:50
Reported
2024-06-03 04:53
Platform
android-x86-arm-20240514-en
Max time kernel
4s
Max time network
170s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.suda.datetimewallpaper
ls /sys/class/thermal
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.195:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.180.14:443 | tcp | |
| GB | 142.250.180.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 04:50
Reported
2024-06-03 04:53
Platform
android-x64-20240514-en
Max time kernel
153s
Max time network
152s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.suda.datetimewallpaper
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.14:443 | tcp | |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.75:443 | plbslog.umeng.com | tcp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.2:443 | tcp | |
| GB | 172.217.16.228:443 | tcp | |
| GB | 172.217.16.228:443 | tcp |
Files
/data/data/com.suda.datetimewallpaper/files/umeng_it.cache
| MD5 | ad5c38f02dd4e3718df1dd901b545201 |
| SHA1 | f86273e1cd8e8524e8f6536e736a1e5bd4aa14af |
| SHA256 | 24160597a425c61393cf6a02fb6129b7ed348dcb6daea1d11111d829138ccba5 |
| SHA512 | 06bf62d3d15bdd843ccf7cada6e746d791d02fa46ad0e58327f42caa939960c2400b99f82f36b4fc3014868d29303263d0ffd92edf4501f10a46e7ef99db4081 |
/data/data/com.suda.datetimewallpaper/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE3MzkwMjIxNTg3
| MD5 | 779e5271fb2496ab35a9930b0025c0a4 |
| SHA1 | ca93ce13dd50ef30e26cea6a298c7dcf79ac0a6d |
| SHA256 | 36dd7d7063070afa22d703ae4fa3acda9b326d6e96e0d43b2047991b9cf919a4 |
| SHA512 | ddf88a3731c80fdb0f7b5d01b14dbd6d71ff40a054fe5ba2ca90cef33b3fa5efe7b496d478141286b51719da6a754c044eaa08e29750659b3a9034930c94f78e |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-03 04:50
Reported
2024-06-03 04:53
Platform
android-x64-arm64-20240514-en
Max time kernel
153s
Max time network
132s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.suda.datetimewallpaper
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 172.217.169.14:443 | tcp | |
| GB | 172.217.169.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.75:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.4:443 | tcp | |
| GB | 142.250.200.4:443 | tcp | |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
Files
/data/user/0/com.suda.datetimewallpaper/files/umeng_it.cache
| MD5 | 768700d99c0ac297e3f1890a95d76e64 |
| SHA1 | c861baf6af79098d2e63addf4f8ff851640fdce7 |
| SHA256 | c50f7dec5e6bf29c470782dd52ee964b44590196e3923c0c8b1bde40ae5a1e97 |
| SHA512 | 42e330bb7de89f57f95c8d570cb856b3762951ebfec2c8eeb268bd23df6043d6308b4a6a4c7468cc5228f1bc17f2d20e64a8cbc962cf6aeb50e64145444a04ce |
/data/user/0/com.suda.datetimewallpaper/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE3MzkwMjIxMjMz
| MD5 | 4b1b33cb5226d308fe0223adb5d5cd5b |
| SHA1 | 8a784b2b8e66c0636ab7ceeb53c51daf0ea65578 |
| SHA256 | 55b4d151b5fd99d5c22aa7420a0e995cc679a2bab8cd9ab1f6bf08b297aee5f2 |
| SHA512 | 1aa3e0cdfffba1d14dca9915c1a1de809f369e4d0f5c282d92b253d66e2ac70f403e15cc4dda4da251583fe0379035ba228b8550bc1f49a548e2f99093f18c01 |