Malware Analysis Report

2025-01-19 07:57

Sample ID 240610-n7ccssaf57
Target 9a986546b3b0dba2040ff87f5590f8de_JaffaCakes118
SHA256 c4afd359f850b9f84aa156a0bed39f2c1ca04a606ec0cd3f533a68c581e9a8dd
Tags
discovery evasion persistence
score
7/10

Analysis Overview

score
7/10

SHA256

c4afd359f850b9f84aa156a0bed39f2c1ca04a606ec0cd3f533a68c581e9a8dd

Threat Level: Shows suspicious behavior

The file 9a986546b3b0dba2040ff87f5590f8de_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Loads dropped Dex/Jar

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 12:01

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 12:01

Reported

2024-06-10 12:05

Platform

android-x86-arm-20240603-en

Max time network

148s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 216.58.213.2:443 | | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 12:01

Reported

2024-06-10 12:05

Platform

android-x64-20240603-en

Max time network

180s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | | tcp
BE | 64.233.167.188:5228 | | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.187.226:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.195:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.46:443 | www.youtube.com | udp
GB | 142.250.200.46:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 216.58.212.234:443 | mdh-pa.googleapis.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.206.84:443 | accounts.google.com | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-10 12:01

Reported

2024-06-10 12:05

Platform

android-x64-arm64-20240603-en

Max time network

146s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-10 12:01

Reported

2024-06-10 12:02

Platform

android-x86-arm-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-10 12:01

Reported

2024-06-10 12:02

Platform

android-x64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-10 12:01

Reported

2024-06-10 12:02

Platform

android-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 12:01

Reported

2024-06-10 12:05

Platform

android-x86-arm-20240603-en

Max time kernel

133s

Max time network

184s

Command Line

com.mandi.dota2

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.mandi.dota2/app_plugin/PlayerUIApk.apk | N/A | N/A
N/A | /data/user/0/com.mandi.dota2/app_plugin/PlayerUIApk.apk | N/A | N/A
N/A | /data/user/0/com.mandi.dota2/app_plugin/PlayerUIApk.apk | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.mandi.dota2

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mandi.dota2/app_plugin/PlayerUIApk.apk --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.mandi.dota2/app_plugin/oat/x86/PlayerUIApk.odex --compiler-filter=quicken --class-loader-context=&

com.mandi.dota2:download

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | api.youku.com | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
US | 1.1.1.1:53 | dota2.replays.net | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
HK | 47.246.99.254:443 | api.youku.com | tcp
CN | 106.75.90.87:80 | dota2.replays.net | tcp
HK | 47.246.99.254:443 | api.youku.com | tcp
US | 1.1.1.1:53 | oc.umeng.co | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | feedback.umeng.com | udp
US | 1.1.1.1:53 | au.umeng.com | udp
US | 1.1.1.1:53 | au.umeng.co | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp

Files

/data/data/com.mandi.dota2/app_plugin/PlayerUIApk.apk

MD5 453960899faf2f8710b4a89f40ff3070
SHA1 83b43b3fa9be3074300a336772d5360a5b5e4b95
SHA256 fb48fe020d71a13ce48fee53e54cb6e0120dd3fb94519ea376f170b18fb60a4a
SHA512 1824db0130b002f908f63703f247a4fce985a92b4389b6de66c991fd19ef47f724b3c71d045bb13f71c22fe2965a61b023249f1758236b69bcbef3ac522742fb

/data/user/0/com.mandi.dota2/app_plugin/PlayerUIApk.apk

MD5 ac0c01be752771d01bec41ace38a337a
SHA1 341f50c23a97d311bcb6971ff4732b20fa32d4fe
SHA256 4b89f24a04562e927cf38149227f05f9049b2507adec6bdb67b808d68ad4a316
SHA512 0d326ebff770f6a20b8db1e5de8df12d6a36799e03622fe89ca08bb51e799950590bd19d027342f0031256d54676c1244900d46ed02e79fd543e36671ed9208b

/data/user/0/com.mandi.dota2/app_plugin/PlayerUIApk.apk

MD5 20d786fc8d2acec4bfad1e7dd982f666
SHA1 253da61dac2afff4677deb36b06bcd1aba267730
SHA256 dca695a3f0ead3ed137af6fe053520aeb47fede7f1d780b3b204cf99eee0dca4
SHA512 05b3985cc5fa8fb02415c95a4f186efb7d3de2f7f50fa69f191354442bd19a3e43f124e84c834d3fd1ecc4ace139bb94e48e81b9bfbb276a2c522a85c8c9104d

/data/data/com.mandi.dota2/app_plugin/oat/PlayerUIApk.apk.cur.prof

MD5 d58b49d836c3a708f8291d8d5198b0d0
SHA1 fb5d4f795ffd2e21d70e4c7a5a264bae7d0747fd
SHA256 cb2d259ab81ccbd0cb9a3daf69abdfe745b48729f1d46c144cbba5c58357001b
SHA512 7d0e4647750a52943d48ac1eae366dd55220ce41fdcb7ecfe4b497e10fdbb32a7cc00547842464b57505ec39d45ab073e81c95f72939674ace5188c7269fef3f