Analysis Overview
SHA256
ede0f85cee4a2e3fb6b23de922055a758de78a12ba22a3e8ad1087703fd6af78
Threat Level: Likely malicious
The file 9ae837da8ace09359db1c22803e159ee_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Queries information about running processes on the device
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 14:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 14:00
Reported
2024-06-10 14:03
Platform
android-x86-arm-20240603-en
Max time kernel
71s
Max time network
131s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.nlm.nlmmaster/mix.dex | N/A | N/A |
| N/A | /data/data/com.nlm.nlmmaster/mix.dex | N/A | N/A |
| N/A | /data/data/com.nlm.nlmmaster/mix.dex | N/A | N/A |
| N/A | /data/data/com.nlm.nlmmaster/mix.dex | N/A | N/A |
| N/A | /data/data/com.nlm.nlmmaster/mix.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.nlm.nlmmaster
sh -c getprop ro.yunos.version
getprop ro.yunos.version
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.nlm.nlmmaster/mix.dex --output-vdex-fd=49 --oat-fd=58 --oat-location=/data/data/com.nlm.nlmmaster/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
com.nlm.nlmmaster:pushcore
/system/bin/sh -c getprop ro.board.platform
sh -c getprop ro.yunos.version
getprop ro.board.platform
getprop ro.yunos.version
/system/bin/sh -c getprop ro.build.version.emui
getprop ro.build.version.emui
/system/bin/sh -c getprop ro.lenovo.series
getprop ro.lenovo.series
/system/bin/sh -c getprop ro.build.nubia.rom.name
getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.meizu.product.model
getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.build.version.opporom
getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.vivo.os.build.display.id
getprop ro.vivo.os.build.display.id
/system/bin/sh -c getprop ro.aa.romver
getprop ro.aa.romver
/system/bin/sh -c getprop ro.lewa.version
getprop ro.lewa.version
/system/bin/sh -c getprop ro.gn.gnromvernumber
getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.fingerprint
getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.rom.id
getprop ro.build.rom.id
com.nlm.nlmmaster:pushcore
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | N/A | tcp |
Files
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-shm
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-wal
/data/data/com.nlm.nlmmaster/mix.dex
/data/data/com.nlm.nlmmaster/mix.dex
/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload
/storage/emulated/0/Android/data/com.nlm.nlmmaster/files/tbslog/tbslog.txt
/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload
/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload
/storage/emulated/0/Android/data/com.nlm.nlmmaster/files/tbslog/tbslog.txt
/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload
/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 14:00
Reported
2024-06-10 14:04
Platform
android-x64-20240603-en
Max time kernel
9s
Max time network
147s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.nlm.nlmmaster/mix.dex | N/A | N/A |
| N/A | /data/data/com.nlm.nlmmaster/mix.dex | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.nlm.nlmmaster
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 216.58.201.106:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.14:443 | N/A | tcp |
| GB | 142.250.200.34:443 | N/A | tcp |
| GB | 142.250.178.4:443 | N/A | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 172.217.169.46:443 | N/A | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
Files
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal
/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal
/data/data/com.nlm.nlmmaster/mix.dex
/data/data/com.nlm.nlmmaster/app_bugly/tomb_1718028059990.txt
/data/data/com.nlm.nlmmaster/app_bugly/rqd_record.eup
/data/data/com.nlm.nlmmaster/app_bugly/rqd_record.eup