Malware Analysis Report

2024-11-16 10:44

Sample ID 240603-mama3acc54
Target 916a78420a65fb7997e30f812346d2e1_JaffaCakes118
SHA256 b49007b1b031082dad9aef361200cb3f882495fc9edcdc6566d5fba781e02b86
Tags
discovery evasion impact persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 916a78420a65fb7997e30f812346d2e1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:15

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:15

Reported

2024-06-03 10:19

Platform

android-x86-arm-20240514-en

Max time kernel

153s

Max time network

154s

Command Line

com.com2us.deadcity.normal.freefull.google.global.android.common

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.com2us.deadcity.normal.freefull.google.global.android.common

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | s.com2us.net | udp
GB | 184.87.190.129:443 | s.com2us.net | tcp
GB | 184.87.190.129:80 | s.com2us.net | tcp
US | 1.1.1.1:53 | com2ushub.com2us.net | udp
US | 1.1.1.1:53 | ws.tapjoyads.com | udp
GB | 184.87.190.129:80 | com2ushub.com2us.net | tcp
GB | 18.244.155.55:443 | ws.tapjoyads.com | tcp
GB | 18.244.155.55:443 | ws.tapjoyads.com | tcp
US | 1.1.1.1:53 | www.chartboost.com | udp
GB | 18.245.187.47:443 | www.chartboost.com | tcp
GB | 184.87.190.129:443 | com2ushub.com2us.net | tcp
US | 1.1.1.1:53 | s3.amazonaws.com | udp
US | 52.217.231.224:443 | s3.amazonaws.com | tcp
US | 52.217.231.224:443 | s3.amazonaws.com | tcp
GB | 142.250.200.3:443 |  | tcp
GB | 18.245.187.47:443 | www.chartboost.com | tcp
GB | 142.250.180.14:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 |  | tcp

Files

/data/data/com.com2us.deadcity.normal.freefull.google.global.android.common/1133164158

/data/data/com.com2us.deadcity.normal.freefull.google.global.android.common/files/GameOption

/data/data/com.com2us.deadcity.normal.freefull.google.global.android.common/files/Award.dat

/data/data/com.com2us.deadcity.normal.freefull.google.global.android.common/files/PushConfig.properties

/data/data/com.com2us.deadcity.normal.freefull.google.global.android.common/files/PushConfig.properties

/data/data/com.com2us.deadcity.normal.freefull.google.global.android.common/files/push.dat

/data/data/com.com2us.deadcity.normal.freefull.google.global.android.common/files/activeuser.props
