Malware Analysis Report

2025-01-06 11:00

Sample ID 240603-fgasaadc65
Target 9095861656c4e22ccdcf6e586c16f4f1_JaffaCakes118
SHA256 d5dfc58f8c06ad8d2b3de4a3b1ad6ecb3c6403ef7ad9c40ce3479e39328ed815
Tags: discovery, evasion, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256: d5dfc58f8c06ad8d2b3de4a3b1ad6ecb3c6403ef7ad9c40ce3479e39328ed815

Threat Level: Likely malicious

The file 9095861656c4e22ccdcf6e586c16f4f1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence

Checks if the Android device is rooted.

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Listens for changes in the sensor environment (might be used to detect emulation)

These summary items are heuristic signatures on API use, not confirmed malicious behaviour. The two BIND_* permissions are the ones a live-wallpaper and daydream provider must declare, and the artefacts in the behavioral runs (files named umeng_it.cache, traffic to plbslog.umeng.com) point to a bundled Umeng analytics SDK; the sandbox does not attribute API calls to a library versus the app's own code, so the device-identifier, Wi-Fi and running-process lookups may come from either. Treat the 8/10 score as a reason to read the APK's code rather than as a verdict.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 04:50

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A
Required by dream services to bind with the system. Allows apps to provide interactive screensavers (dreams). | android.permission.BIND_DREAM_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
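The two static1 signatures above are both read straight out of the manifest: "declares services with permission to bind to the system" means a `<service>` element whose android:permission is a signature-level BIND_* permission, and "requests dangerous framework permissions" means `<uses-permission>` entries with protectionLevel dangerous. The script below, an added example for this report and not the sample's own code, reproduces both checks on a constructed manifest that mirrors what was flagged (the component class names are placeholders, and the real manifest inside an APK is binary XML that must be decoded with apktool or androguard before ElementTree can read it). For a live wallpaper the BIND_WALLPAPER declaration is mandatory, which is why the check on its own is a weak signal.

```python
"""List the dangerous permissions and system-bound services an AndroidManifest.xml declares.

Added example for this report, not the sample's own code. The manifest text below is
constructed to mirror the static1 signatures; decode a real APK's binary manifest first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Subset of the framework's protectionLevel="dangerous" permissions, i.e. the ones
# the user must grant at runtime on API 23+.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Signature-level BIND_* permissions held only by the system. A service guarded by
# one of these can be bound by the framework and nobody else; a live-wallpaper or
# daydream provider has to declare it, so the declaration alone is not suspicious.
SYSTEM_BIND = {
    "android.permission.BIND_WALLPAPER",
    "android.permission.BIND_DREAM_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

# Constructed manifest (not the sample's); component class names are placeholders.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.suda.datetimewallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".WallpaperService"
        android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter>
        <action android:name="android.service.wallpaper.WallpaperService"/>
      </intent-filter>
    </service>
    <service android:name=".DreamService"
        android:permission="android.permission.BIND_DREAM_SERVICE"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def analyse_manifest(xml_text):
    """Return the package name, every requested permission, the dangerous subset,
    and the services whose binding is restricted to the system."""
    root = ET.fromstring(xml_text)
    requested = [e.get(NAME) for e in root.iter("uses-permission")]
    bound = {}
    for svc in root.iter("service"):
        perm = svc.get(PERMISSION)
        if perm in SYSTEM_BIND:
            bound[svc.get(NAME)] = perm
    return {
        "package": root.get("package"),
        "requested": requested,
        "dangerous": sorted(p for p in requested if p in DANGEROUS),
        "system_bound_services": bound,
    }


if __name__ == "__main__":
    result = analyse_manifest(CONSTRUCTED_MANIFEST)
    print("package:", result["package"])
    for perm in result["dangerous"]:
        print("dangerous permission:", perm)
    for svc, perm in result["system_bound_services"].items():
        print("system-bound service:", svc, "requires", perm)
```

On the constructed manifest the script reports the three dangerous permissions and the two BIND_* services the report lists, and ignores `.SyncService`, which declares no permission and is therefore bindable by any app that can see it; that unguarded exported service is the case worth a second look, not the wallpaper one.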

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 04:50
Reported: 2024-06-03 04:53
Platform: android-x86-arm-20240514-en
Max time kernel: 4s
Max time network: 170s

Command Line

com.suda.datetimewallpaper

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.suda.datetimewallpaper

ls /sys/class/thermal

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 04:50
Reported: 2024-06-03 04:53
Platform: android-x64-20240514-en
Max time kernel: 153s
Max time network: 152s

Command Line

com.suda.datetimewallpaper

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.suda.datetimewallpaper

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.75:443 | plbslog.umeng.com | tcp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.2:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp

Files

/data/data/com.suda.datetimewallpaper/files/umeng_it.cache

MD5 ad5c38f02dd4e3718df1dd901b545201
SHA1 f86273e1cd8e8524e8f6536e736a1e5bd4aa14af
SHA256 24160597a425c61393cf6a02fb6129b7ed348dcb6daea1d11111d829138ccba5
SHA512 06bf62d3d15bdd843ccf7cada6e746d791d02fa46ad0e58327f42caa939960c2400b99f82f36b4fc3014868d29303263d0ffd92edf4501f10a46e7ef99db4081

/data/data/com.suda.datetimewallpaper/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE3MzkwMjIxNTg3

MD5 779e5271fb2496ab35a9930b0025c0a4
SHA1 ca93ce13dd50ef30e26cea6a298c7dcf79ac0a6d
SHA256 36dd7d7063070afa22d703ae4fa3acda9b326d6e96e0d43b2047991b9cf919a4
SHA512 ddf88a3731c80fdb0f7b5d01b14dbd6d71ff40a054fe5ba2ca90cef33b3fa5efe7b496d478141286b51719da6a754c044eaa08e29750659b3a9034930c94f78e

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-03 04:50
Reported: 2024-06-03 04:53
Platform: android-x64-arm64-20240514-en
Max time kernel: 153s
Max time network: 132s

Command Line

com.suda.datetimewallpaper

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.suda.datetimewallpaper

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.14:443 | N/A | tcp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.75:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.4:443 | N/A | tcp
GB | 142.250.200.4:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
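The Network tables in behavioral1, behavioral2 and behavioral3 mix three kinds of rows: lookups sent to the sandbox's resolver at 1.1.1.1:53, local link traffic such as mDNS to 224.0.0.251:5353, and the TLS flows the app actually made, some of which carry the domain the run resolved and some of which do not. The script below is an added triage helper for this report, not the sandbox's own code: it parses the rows (copied here from the behavioral3 table, one flow per line with columns separated by |), attaches each flow to its bucket, and leaves for review anything that is neither sandbox plumbing nor a domain under a platform suffix. The platform-suffix list is an assumption chosen for an app that bundles Google services and must be adjusted for other targets.

```python
"""Triage a sandbox Network table: drop sandbox plumbing, group flows by resolved domain,
and list what is left for an analyst to look at.

Added example for this report, not the sandbox's own code. NETWORK_ROWS copies the
behavioral3 table; the PLATFORM_SUFFIXES choice is an assumption for this target.
"""
import ipaddress
from collections import defaultdict

NETWORK_ROWS = """\
Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.14:443 | N/A | tcp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.75:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.4:443 | N/A | tcp
GB | 142.250.200.4:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
"""

RESOLVER = "1.1.1.1:53"   # the sandbox's DNS forwarder; rows to it are lookups, not app traffic
# Assumption: Google-owned domains are platform noise for an app bundling Google services.
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com", ".gstatic.com")


def parse_rows(text):
    """Parse '|'-separated rows; the header row and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 4 or cols[0] == "Country":
            continue
        country, dest, domain, proto = cols
        flows.append({"country": country, "dest": dest,
                      "domain": None if domain == "N/A" else domain, "proto": proto})
    return flows


def classify(flow):
    """Bucket one flow as dns-lookup, local, unresolved, platform or review."""
    if flow["dest"] == RESOLVER:
        return "dns-lookup"
    host, _, _ = flow["dest"].rpartition(":")
    ip = ipaddress.ip_address(host)
    if ip.is_multicast or ip.is_private or ip.is_link_local:
        return "local"            # e.g. mDNS to 224.0.0.251:5353, never leaves the segment
    if flow["domain"] is None:
        return "unresolved"       # no lookup seen in the capture; check the TLS SNI in the pcap
    if flow["domain"].endswith(PLATFORM_SUFFIXES):
        return "platform"
    return "review"


def triage(text):
    """Return {bucket: sorted unique (name, country, proto)} for a whole table."""
    buckets = defaultdict(set)
    for flow in parse_rows(text):
        name = flow["domain"] or flow["dest"]
        buckets[classify(flow)].add((name, flow["country"], flow["proto"]))
    return {bucket: sorted(members) for bucket, members in buckets.items()}


if __name__ == "__main__":
    for bucket, members in triage(NETWORK_ROWS).items():
        print(bucket)
        for name, country, proto in members:
            print("   %-28s %-3s %s" % (name, country, proto))
```

Run on the behavioral3 table the review bucket contains exactly one entry, plbslog.umeng.com (36.156.202.75, CN), the same SDK that the umeng_it.cache file in the Files section belongs to; the two destinations without a domain are left as unresolved rather than guessed from their address range, because the report records no lookup for them in the capture window.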

Files

/data/user/0/com.suda.datetimewallpaper/files/umeng_it.cache

MD5 768700d99c0ac297e3f1890a95d76e64
SHA1 c861baf6af79098d2e63addf4f8ff851640fdce7
SHA256 c50f7dec5e6bf29c470782dd52ee964b44590196e3923c0c8b1bde40ae5a1e97
SHA512 42e330bb7de89f57f95c8d570cb856b3762951ebfec2c8eeb268bd23df6043d6308b4a6a4c7468cc5228f1bc17f2d20e64a8cbc962cf6aeb50e64145444a04ce

/data/user/0/com.suda.datetimewallpaper/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE3MzkwMjIxMjMz

MD5 4b1b33cb5226d308fe0223adb5d5cd5b
SHA1 8a784b2b8e66c0636ab7ceeb53c51daf0ea65578
SHA256 55b4d151b5fd99d5c22aa7420a0e995cc679a2bab8cd9ab1f6bf08b297aee5f2
SHA512 1aa3e0cdfffba1d14dca9915c1a1de809f369e4d0f5c282d92b253d66e2ac70f403e15cc4dda4da251583fe0379035ba228b8550bc1f49a548e2f99093f18c01
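The Files sections of behavioral2 and behavioral3 list the same two artefacts under the app's private directory (/data/data/<pkg> and /data/user/0/<pkg> are the same location), with different hashes in each run: umeng_it.cache and a file under files/stateless/ whose directory and file names are base64. The script below is an added example for this report, not the sample's or the SDK's own code: it decodes those names, reads the 13-digit suffix as a Unix epoch in milliseconds (an assumption, supported by the fact that both values land within the submission minute, 2024-06-03 04:50 UTC), and checks across the two runs whether each artefact's content was stable. The paths and SHA-256 values are copied from the report; the stateless path is written without the line break the report shows inside it.

```python
"""Decode the base64 'stateless' cache names from the Files sections and check whether
the per-run artefacts have stable content across detonations.

Added example for this report, not the sample's own code. FILES copies the paths and
SHA-256 values from the behavioral2 and behavioral3 Files sections. Reading the 13-digit
suffix as epoch milliseconds is an assumption.
"""
import base64
import binascii
from datetime import datetime, timezone

FILES = [
    ("behavioral2", "/data/data/com.suda.datetimewallpaper/files/umeng_it.cache",
     "24160597a425c61393cf6a02fb6129b7ed348dcb6daea1d11111d829138ccba5"),
    ("behavioral2", "/data/data/com.suda.datetimewallpaper/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE3MzkwMjIxNTg3",
     "36dd7d7063070afa22d703ae4fa3acda9b326d6e96e0d43b2047991b9cf919a4"),
    ("behavioral3", "/data/user/0/com.suda.datetimewallpaper/files/umeng_it.cache",
     "c50f7dec5e6bf29c470782dd52ee964b44590196e3923c0c8b1bde40ae5a1e97"),
    ("behavioral3", "/data/user/0/com.suda.datetimewallpaper/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE3MzkwMjIxMjMz",
     "55b4d151b5fd99d5c22aa7420a0e995cc679a2bab8cd9ab1f6bf08b297aee5f2"),
]


def b64_decode_lenient(token):
    """Decode a base64 token whose '=' padding may have been dropped; None if invalid."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_stateless(path):
    """For .../stateless/<b64 dir>/<b64 file> return the decoded names and the timestamp
    embedded in the file name; None for any other path."""
    parts = path.split("/")
    if "stateless" not in parts or parts.index("stateless") + 2 >= len(parts):
        return None
    i = parts.index("stateless")
    dirname = b64_decode_lenient(parts[i + 1])
    filename = b64_decode_lenient(parts[i + 2])
    if dirname is None or filename is None:
        return None
    label, _, suffix = filename.rpartition("_")
    ts = None
    if suffix.isdigit() and len(suffix) == 13:          # assumption: epoch milliseconds
        ms = int(suffix)
        ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000)
    return {"dir": dirname, "label": label, "timestamp": ts}


def normalise(path):
    """/data/user/0/<pkg> is the same app-private directory as /data/data/<pkg>."""
    return path.replace("/data/user/0/", "/data/data/", 1)


def compare_runs(files):
    """Group the files by logical path (a timestamped leaf collapsed to <label>_<ts>) and
    report which runs wrote it, how many distinct hashes it had, and the decoded times."""
    groups = {}
    for run, path, sha256 in files:
        info = decode_stateless(path)
        key = normalise(path)
        if info is not None:
            key = key.rsplit("/", 1)[0] + "/" + info["label"] + "_<ts>"
        groups.setdefault(key, []).append((run, sha256, info["timestamp"] if info else None))
    return {
        key: {
            "runs": [run for run, _, _ in entries],
            "distinct_hashes": len({sha for _, sha, _ in entries}),
            "timestamps": [ts.isoformat() if ts else None for _, _, ts in entries],
        }
        for key, entries in groups.items()
    }


if __name__ == "__main__":
    for key, summary in compare_runs(FILES).items():
        print(key)
        print("  runs:", summary["runs"], " distinct hashes:", summary["distinct_hashes"])
        print("  timestamps:", summary["timestamps"])
```

Both names decode to umpx_internal, and the leaf timestamps (04:50:21.587 and 04:50:21.233 UTC) coincide with first launch in each run. Both artefacts hash differently in the two runs, which is what one expects of per-install state written at start-up rather than of content shipped in the APK; it also means these hashes are not useful as indicators for this sample.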