Analysis Overview
SHA256
955be5bb9d093e6750782f95ed25f390e168c5f3118fec45ae65ceb4424614b7
Threat Level: Likely malicious
The file 9b5741dd8c9e803a3650ac461ec99117_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Obtains sensitive information copied to the device clipboard
Loads dropped Dex/Jar
Queries information about running processes on the device
Declares services with permission to bind to the system
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 16:40
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 16:40
Reported
2024-06-10 16:44
Platform
android-x86-arm-20240603-en
Max time kernel
179s
Max time network
170s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
jp.harucolor3.kanmusububblewallpaper
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | androidquery.appspot.com | udp |
| GB | 216.58.204.84:443 | androidquery.appspot.com | tcp |
| US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| US | 1.1.1.1:53 | tpc.googlesyndication.com | udp |
| US | 1.1.1.1:53 | www.googletagservices.com | udp |
| GB | 172.217.169.65:443 | tpc.googlesyndication.com | tcp |
| GB | 172.217.169.65:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.178.2:443 | www.googletagservices.com | tcp |
| US | 1.1.1.1:53 | s0.2mdn.net | udp |
| GB | 142.250.200.38:443 | s0.2mdn.net | tcp |
| US | 1.1.1.1:53 | googleads4.g.doubleclick.net | udp |
| GB | 142.250.200.2:443 | googleads4.g.doubleclick.net | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 216.58.201.110:443 | tcp | |
| GB | 142.250.187.194:443 | tcp |
Files
/data/data/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar
| MD5 | e8e0527a01aefdb89afd2c508f131da1 |
| SHA1 | f1103e6b260c657ceb3d95f1b023af3fda8b133a |
| SHA256 | f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce |
| SHA512 | fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34 |
/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar
| MD5 | fde2ee00cbd121cfab5290b078aa3ceb |
| SHA1 | e2b77d5320e155e413d040a8c20020962065b2f8 |
| SHA256 | 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685 |
| SHA512 | a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56 |
/data/data/jp.harucolor3.kanmusububblewallpaper/cache/oat/1582435991586.jar.cur.prof
| MD5 | a3b78d197d786c13687c3f0f89703bd8 |
| SHA1 | 9967f0726b6b1ed3f198904547b81920f8329621 |
| SHA256 | c5e6754556dbe01b055066f23c28ddaaf5fe67cee4baed00d59dc993335b3d97 |
| SHA512 | 9a47c9bb977edec9d29d22f280e0078ca931a722eaecc2b085c6b5aaf6246d17a6ad07c9faca45070bb5b89a3ee6cf896f5e2c7e73fb033e3ac57471df70a8b1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 16:40
Reported
2024-06-10 16:44
Platform
android-x64-20240603-en
Max time kernel
179s
Max time network
153s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
jp.harucolor3.kanmusububblewallpaper
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.201.106:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | androidquery.appspot.com | udp |
| GB | 216.58.212.212:443 | androidquery.appspot.com | tcp |
| US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp |
| US | 1.1.1.1:53 | tpc.googlesyndication.com | udp |
| GB | 142.250.200.1:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.200.1:443 | tpc.googlesyndication.com | tcp |
| US | 1.1.1.1:53 | www.googletagservices.com | udp |
| GB | 216.58.212.194:443 | www.googletagservices.com | tcp |
| US | 1.1.1.1:53 | googleads4.g.doubleclick.net | udp |
| US | 1.1.1.1:53 | s0.2mdn.net | udp |
| GB | 216.58.204.66:443 | googleads4.g.doubleclick.net | tcp |
| GB | 172.217.16.230:443 | s0.2mdn.net | tcp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.179.238:443 | tcp | |
| GB | 142.250.187.226:443 | tcp | |
| GB | 142.250.200.36:443 | tcp | |
| GB | 142.250.200.36:443 | tcp | |
| GB | 216.58.212.206:443 | tcp | |
| US | 1.1.1.1:53 | widgets.outbrain.com | udp |
| GB | 23.219.197.58:443 | widgets.outbrain.com | tcp |
| US | 1.1.1.1:53 | zem.outbrainimg.com | udp |
| US | 1.1.1.1:53 | b1t-eudc1.zemanta.com | udp |
| GB | 146.75.74.132:443 | zem.outbrainimg.com | tcp |
| NL | 213.227.153.230:443 | b1t-eudc1.zemanta.com | tcp |
| US | 1.1.1.1:53 | b1-eudc1.zemanta.com | udp |
| NL | 213.227.153.228:443 | b1-eudc1.zemanta.com | tcp |
| NL | 213.227.153.230:443 | b1-eudc1.zemanta.com | tcp |
Files
/data/data/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar
| MD5 | e8e0527a01aefdb89afd2c508f131da1 |
| SHA1 | f1103e6b260c657ceb3d95f1b023af3fda8b133a |
| SHA256 | f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce |
| SHA512 | fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34 |
/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar
| MD5 | fde2ee00cbd121cfab5290b078aa3ceb |
| SHA1 | e2b77d5320e155e413d040a8c20020962065b2f8 |
| SHA256 | 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685 |
| SHA512 | a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56 |
/data/data/jp.harucolor3.kanmusububblewallpaper/cache/oat/1582435991586.jar.cur.prof
| MD5 | a3b78d197d786c13687c3f0f89703bd8 |
| SHA1 | 9967f0726b6b1ed3f198904547b81920f8329621 |
| SHA256 | c5e6754556dbe01b055066f23c28ddaaf5fe67cee4baed00d59dc993335b3d97 |
| SHA512 | 9a47c9bb977edec9d29d22f280e0078ca931a722eaecc2b085c6b5aaf6246d17a6ad07c9faca45070bb5b89a3ee6cf896f5e2c7e73fb033e3ac57471df70a8b1 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-10 16:40
Reported
2024-06-10 16:44
Platform
android-x64-arm64-20240603-en
Max time kernel
134s
Max time network
163s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
jp.harucolor3.kanmusububblewallpaper
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | androidquery.appspot.com | udp |
| GB | 142.250.200.20:443 | androidquery.appspot.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp |
| GB | 216.58.212.194:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.212.194:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.212.194:443 | googleads.g.doubleclick.net | tcp |
| US | 1.1.1.1:53 | widgets.outbrain.com | udp |
| US | 1.1.1.1:53 | tpc.googlesyndication.com | udp |
| GB | 23.219.197.58:443 | widgets.outbrain.com | tcp |
| GB | 142.250.178.1:443 | tpc.googlesyndication.com | tcp |
| US | 1.1.1.1:53 | www.googletagservices.com | udp |
| GB | 142.250.180.2:443 | www.googletagservices.com | tcp |
| US | 1.1.1.1:53 | zem.outbrainimg.com | udp |
| US | 1.1.1.1:53 | b1t-eudc1.zemanta.com | udp |
| GB | 146.75.74.132:443 | zem.outbrainimg.com | tcp |
| NL | 213.227.153.229:443 | b1t-eudc1.zemanta.com | tcp |
| US | 1.1.1.1:53 | b1-eudc1.zemanta.com | udp |
| GB | 216.58.212.194:443 | googleads.g.doubleclick.net | tcp |
| NL | 213.227.153.230:443 | b1-eudc1.zemanta.com | tcp |
| NL | 213.227.153.229:443 | b1-eudc1.zemanta.com | tcp |
| GB | 172.217.169.68:443 | tcp | |
| GB | 172.217.169.68:443 | tcp | |
| US | 1.1.1.1:53 | s0.2mdn.net | udp |
| GB | 172.217.169.6:443 | s0.2mdn.net | tcp |
| US | 1.1.1.1:53 | googleads4.g.doubleclick.net | udp |
| GB | 142.250.200.2:443 | googleads4.g.doubleclick.net | tcp |
Files
/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar
| MD5 | e8e0527a01aefdb89afd2c508f131da1 |
| SHA1 | f1103e6b260c657ceb3d95f1b023af3fda8b133a |
| SHA256 | f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce |
| SHA512 | fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34 |
/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar
| MD5 | fde2ee00cbd121cfab5290b078aa3ceb |
| SHA1 | e2b77d5320e155e413d040a8c20020962065b2f8 |
| SHA256 | 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685 |
| SHA512 | a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56 |
/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/oat/1582435991586.jar.cur.prof
| MD5 | f9431a0cde5766b6a47fe517f0dbe91f |
| SHA1 | 41ebffb9e03db4e211961286e6c233726d1c704f |
| SHA256 | 48409024aacda3669e2112419ca8742dedca12f5310521730db60c8387710616 |
| SHA512 | 3102a350b8cdbfe686564eb79892a609f3cccd74d4b420f831156b1c57b736853f1cba0988d4dea7bf728f341e3ed2b997274684726afa2d97d31115e5213382 |