Analysis Overview
SHA256
2606e9e7d3cb402b2fad8512a65ef3620c3e54fea44a2e5af5d2be2bc4c572e2
Threat Level: Shows suspicious behavior
The file 988e2ce3e14ce47c08b143d4fd47e3c6_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Requests cell location
Requests dangerous framework permissions
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Queries information about active data network
Queries information about the current Wi-Fi connection
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 15:59
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:03
Platform
android-x86-arm-20240603-en
Max time kernel
175s
Max time network
140s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar | N/A | N/A |
| N/A | /data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.gamed9.g360.pet
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/oat/x86/pro.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | openapi.360.cn | udp |
| US | 1.1.1.1:53 | oc.umeng.com | udp |
| CN | 59.82.23.79:80 | oc.umeng.com | tcp |
| HK | 101.198.192.35:443 | openapi.360.cn | tcp |
| US | 1.1.1.1:53 | au.umeng.com | udp |
| US | 1.1.1.1:53 | au.umeng.co | udp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | oc.umeng.co | udp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| CN | 59.82.23.79:80 | oc.umeng.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
Files
/data/data/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar
| MD5 | 15bba7ef94733357290f9fa497b0d9b0 |
| SHA1 | 711c49a3f95ad820831121dca8457353c78053ac |
| SHA256 | 8c5bc659bfc15882f27b3c8b661a14822161f23ecc4660ac5df7a5fc50edc77e |
| SHA512 | 776b67f1cc3dbe7909257b3ab515266343d20e25827604564e73fb0251b8dedbc6f9dd4b80c852dcdc135729ee38336e225041ed48db26e45f13266df34de841 |
/data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar
| MD5 | 463cc82334cd91474e6b40a6597f5796 |
| SHA1 | dd0345f766de775c3bbf2345493f3493e69f32a7 |
| SHA256 | 22ab17f12d0da010a9dd0bb729a9e42ac060e636feb97f2f01ef45343ce634ee |
| SHA512 | 93ca318249bb60df2aaf67a9eed107bae1d582143d41b7e430af47265709af19fe2c7fa7a8b7e904543ff9cf2ae4478770bfd1f3aa1bdd15408265d4e01e2b09 |
/data/user/0/com.gamed9.g360.pet/files/qhopensdk/pro/190/pro.jar
| MD5 | ac8af37fd04483d85300c62e63f7712f |
| SHA1 | d639fb2004c4aab3b31937bc131ae974939b8e61 |
| SHA256 | 80eb44132a098f0ecdabd2e28f4e4b778ff3db5c6aad2c2e79a74c77f830d04a |
| SHA512 | b0b92d2f0d8fb9d0c843bf17f6cdc971d6abb2dd6e142e44877ebbc34a8022506f535e802d7f5c997b9a456f4656335c18b1246044a8448cbc00014401b2bdba |
/data/data/com.gamed9.g360.pet/UserDefault.xml
| MD5 | 4a8226e4211ccb4cb79f54d4ee35a55a |
| SHA1 | 7144e993ff784e4458c4d53d6f9f29930cf13fb8 |
| SHA256 | 8d5bfd20db452314b315192d7160e28bce53c777c98a31aa6df7c93345a692eb |
| SHA512 | 7d7480da93b3363306438c7cc08fb913e29098eb19c4f6ac40ac5282329ecd8eae77fed695822955183a4b7084d18da89c2c937af5fcdf43b3f1bd7854cc7041 |
/data/data/com.gamed9.g360.pet/UserDefault.xml
| MD5 | fe3364ffbb92104e365f306b7c3f4a71 |
| SHA1 | a9e112177a6b432d79bb0953695a6ef4a7ecd086 |
| SHA256 | 161750f868f2e9ec20382bfc3a7838793a847e7373602cb0418afe0e1ee9da9b |
| SHA512 | a16a9bb689dbd4147217066d578059f0318b81505a6a390153ba1a463e887901820704fd7bffc83e6fd17faac4f45210d9f6116c7e785773c829ce7781296841 |
/data/data/com.gamed9.g360.pet/UserDefault.xml
| MD5 | f824772e85c59aa9284beb1afb5bd708 |
| SHA1 | 09a2ba5896857dc95d2beec0869fc1084f61138d |
| SHA256 | b62dc7b20def4941f4c1aa047ec1037d971c18abb4c8580cc0a13f79fa70090d |
| SHA512 | 9f1bb28c34c1033cf4ec843b998c98d878cc2b081cfee668642b4b4ea680066f9b230f7b8584101376cb965db339c2efb0d9f64674f18203a12db9a83034241d |
/data/data/com.gamed9.g360.pet/UserDefault.xml
| MD5 | edbf72e9b2b7172144c07ff99e82b2d8 |
| SHA1 | 6fbcc848ab8a804349ce238fef02f34623e84f80 |
| SHA256 | 6651f918ebf70b4a4c7b94f8bc2cbae0a597832614ad7a341accf09c132cea64 |
| SHA512 | 197bb88efa8b620a038109d9f1d16446b91f01961482610f6ed15474281a470440e7e1813f8963c625dc28125c23282db93898a13613432e029ec459c54e5066 |
/data/data/com.gamed9.g360.pet/UserDefault.xml
| MD5 | 8a7ef9a04a7583ebf3d5f7d338dbd3fe |
| SHA1 | 008ede01f584eb1e7edb05f8182fb44d283f3b0e |
| SHA256 | fb963eafd075d6d6ca285324df454ffab20422f2bd24e7b42f333cf4c0e27220 |
| SHA512 | 448083c6a45ad02a78d23107b6b44aced2198f275f77adfb7cb08243dddf19b69f6df2aff1eb69593ad58f45baddbf20fa6c485065bf8db4f8c8e4073f56af49 |
/data/data/com.gamed9.g360.pet/files/qhopensdk/pro/190/oat/pro.jar.cur.prof
| MD5 | ac1786848861adc75e846f576948880e |
| SHA1 | 2fca5d669a7ff0d716622dbfcdc2ddf7e704589f |
| SHA256 | 80fc61b1a59193fff03c984043a8148f77b31608be74668b5e7582ebbcc37c84 |
| SHA512 | d4b46d55fec7c913a8db8e8d21db3903760fe9ee13f0e0bded513bb8cc7ce857454ba68a04b238f3f0e86da11dd7b87e31067c14eb9c3e32a96914e24071efcd |
/data/data/com.gamed9.g360.pet/files/mobclick_agent_cached_com.gamed9.g360.pet
| MD5 | 3e1e4eb41a839536febe99d9aa1c3e67 |
| SHA1 | cfc42cbb9e9cd2945ce138d75b95dbbf47b7a32b |
| SHA256 | 4c6c896fcdce62b09c3c572e8a90bbbdc117b7d47df0903c531adf61a9807825 |
| SHA512 | 901a91d29d2b27d50310a295e6abc64d05fac0796af3de72f0a70a78154682e02ccbba9722b38ea45a609e427d8df79ec3645ef32f858f5b4867980c0f62498a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:03
Platform
android-x86-arm-20240603-en
Max time network
135s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:03
Platform
android-x64-arm64-20240603-en
Max time network
134s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.200.10:443 | | tcp |
| GB | 142.250.200.10:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:03
Platform
android-x86-arm-20240603-en
Max time kernel
2s
Max time network
134s
Command Line
Signatures
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Processes
com.alipay.android.app
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:03
Platform
android-x64-20240603-en
Max time network
148s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 172.217.169.46:443 | | tcp |
| GB | 172.217.169.14:443 | | tcp |
| GB | 142.250.200.34:443 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:03
Platform
android-x86-arm-20240603-en
Max time kernel
3s
Max time network
153s
Command Line
Signatures
Processes
com.unionpay.uppay
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:00
Platform
android-x86-arm-20240603-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:00
Platform
android-x64-20240603-en
Max time network
9s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-05 15:57
Reported
2024-06-05 16:00
Platform
android-x64-arm64-20240603-en
Max time network
12s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |