Analysis Overview
SHA256
084a667ffce643e4755a6283bb67acf3b1b245aac3ba0b065a60e9a997f533b9
Threat Level: Likely malicious
The file 99baa663ea60375fdf5a4b733296e7fc_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 01:40
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 01:40
Reported
2024-06-06 01:43
Platform
android-x86-arm-20240603-en
Max time kernel
17s
Max time network
130s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.lxianj.simple_video_edit
/system/bin/sh -c getprop ro.board.platform
chmod 700 /data/user/0/com.lxianj.simple_video_edit/tx_shell/libshellx-2.9.0.2.so
getprop ro.board.platform
/system/bin/sh -c type su
logcat -d -v threadtime
logcat -d -v threadtime
/system/bin/sh -c getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | tcp |
Files
/data/data/com.lxianj.simple_video_edit/databases/bugly_db_legu-journal
| MD5 | 835195c48e17fbf0194e9fac9602999a |
| SHA1 | 3aaa858f643ea81f689fd724758aa66eef06cefa |
| SHA256 | 2710f728a1aa7a573f6938363e607ea16f8d4ae45d873a350d3bcce8e01777f7 |
| SHA512 | c40ec0c3530d3e36d0abe033b8dfebd968653ba6e3a8640f1a0f615b93435123b41ef62c3afb844ffb265b8c16150fd9ea55b2cd6cb853477444f41df3c3c7f3 |
/data/data/com.lxianj.simple_video_edit/databases/bugly_db_legu
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.lxianj.simple_video_edit/databases/bugly_db_legu-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.lxianj.simple_video_edit/databases/bugly_db_legu-wal
| MD5 | 282218b81bc4e09bedd8b6753f631b40 |
| SHA1 | db8f89bcceee8dd125971f906da251eab76f9e2e |
| SHA256 | f07b181435fca9fcc40444da6d984eb6a8d18ce1fd3571943195cbd9970ae683 |
| SHA512 | 316c00db6d076cd82ccbc5f618b91a39c6816d168fc34696f16b8160b7357421036d5cd4f47d48f1e4d7a0088676abe4595098bee34fabfbe69e406dc9d34594 |
/data/data/com.lxianj.simple_video_edit/tx_shell/libshellx-2.9.0.2.so
| MD5 | 4499e8eb481dde2716df92aa0225ced5 |
| SHA1 | 0a6d5bfa0d42c2638cc3081f4cd6c06272e92a94 |
| SHA256 | d1ae2559b2cfe48d3fb199cfda3eee3e2237d7eeec0d88a7bba0692f7ce5a8b5 |
| SHA512 | 4ea90e517b73214234b2b6c97a1e99b0204c44a3c31d891e244cde892eed4d00a33b86128df073d86a787070ed7b79008a312e647973d3599728a6dc4ee590c9 |