Analysis Overview
SHA256
5d2cf9397fdeedc424c390e1369edb2244859042b5c8e31785de9ce5e8b88288
Threat Level: Shows suspicious behavior
The file 9d6b0aac78228fdc7f4727ff497c5791_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Obtains sensitive information copied to the device clipboard
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 07:26
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 07:26
Reported
2024-06-11 07:29
Platform
android-x64-arm64-20240603-en
Max time kernel
154s
Max time network
133s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.sku/app_push_lib/plugin-deploy.jar | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.sku
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 172.217.16.238:443 | tcp | |
| GB | 172.217.16.238:443 | tcp | |
| US | 1.1.1.1:53 | wxmp.99114.com | udp |
| CN | 58.83.155.120:80 | wxmp.99114.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| CN | 58.83.155.120:80 | wxmp.99114.com | tcp |
| GB | 172.217.169.68:443 | tcp | |
| GB | 172.217.169.68:443 | tcp |
Files
/data/user/0/com.sku/app_push_lib/plugin-deploy.jar
| MD5 | 610ae20fa40cb991ef4670582bc3996a |
| SHA1 | bad8dbc9b7226fbd4f1b97dabe777c36605ccc9b |
| SHA256 | 010690c6a9fe3d6e21c33940453cb2a5c41e26ac24ea42e3732111613701eede |
| SHA512 | 8584fa3850e97276d6afef61dff9401531cd7830a3a7660fcc3b75c21c55196a59efad46ad763f1695f59c99874e29aa285ba9d9f43a5989d004a0e115d76b1b |
/data/user/0/com.sku/app_push_lib/plugin-deploy.key
| MD5 | 86896cfc29159ebebbdc72a7fea66d3c |
| SHA1 | 76f71e17f279e9010cd1f16d9c979f75bb9cbdb6 |
| SHA256 | 4040246e2cd23768965dd2720eed8ab30b0891eb7324201ac1592e8e39eb7697 |
| SHA512 | 89d4d3e88c41bf4c9cd527ed6c7af45e14545019b1d86414fd7965fb6dac79a6a8f1e8c4b4de4503e6bef2b98ad32f37d319c7e29e807b2b83d56cd867ab9ca6 |
/data/user/0/com.sku/app_push_lib/plugin-deploy.jar
| MD5 | 058c9e49195a1ab48863deb84a028f63 |
| SHA1 | a35b0dc7822174cff3683e1aa2b5cf85833733df |
| SHA256 | ce04c452c6c3dc56dee78205f036a779c7144eb607dede07aa054f93f77ad049 |
| SHA512 | 081643598f3bbda4d2f560975f6e6fec8da94c8a578d80c05cf6f035ed3766db65de21cbe3ec92a16060e5ea1c1aebe37bd339de76365daf67648fd5967e5c47 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-11 07:26
Reported
2024-06-11 07:26
Platform
android-x86-arm-20240603-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-11 07:26
Reported
2024-06-11 07:26
Platform
android-x64-20240603-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-11 07:26
Reported
2024-06-11 07:26
Platform
android-x64-arm64-20240603-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 07:26
Reported
2024-06-11 07:29
Platform
android-x86-arm-20240603-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.sku/app_push_lib/plugin-deploy.jar | N/A | N/A |
| N/A | /data/user/0/com.sku/app_push_lib/plugin-deploy.jar | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.sku
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sku/app_push_lib/plugin-deploy.jar --output-vdex-fd=40 --oat-fd=42 --oat-location=/data/user/0/com.sku/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.10:443 | tcp | |
| GB | 172.217.169.10:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | wxmp.99114.com | udp |
| CN | 58.83.155.120:80 | wxmp.99114.com | tcp |
| CN | 58.83.155.120:80 | wxmp.99114.com | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | tcp | |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 216.58.213.2:443 | tcp |
Files
/data/data/com.sku/app_push_lib/plugin-deploy.jar
| MD5 | 610ae20fa40cb991ef4670582bc3996a |
| SHA1 | bad8dbc9b7226fbd4f1b97dabe777c36605ccc9b |
| SHA256 | 010690c6a9fe3d6e21c33940453cb2a5c41e26ac24ea42e3732111613701eede |
| SHA512 | 8584fa3850e97276d6afef61dff9401531cd7830a3a7660fcc3b75c21c55196a59efad46ad763f1695f59c99874e29aa285ba9d9f43a5989d004a0e115d76b1b |
/data/data/com.sku/app_push_lib/plugin-deploy.key
| MD5 | 86896cfc29159ebebbdc72a7fea66d3c |
| SHA1 | 76f71e17f279e9010cd1f16d9c979f75bb9cbdb6 |
| SHA256 | 4040246e2cd23768965dd2720eed8ab30b0891eb7324201ac1592e8e39eb7697 |
| SHA512 | 89d4d3e88c41bf4c9cd527ed6c7af45e14545019b1d86414fd7965fb6dac79a6a8f1e8c4b4de4503e6bef2b98ad32f37d319c7e29e807b2b83d56cd867ab9ca6 |
/data/user/0/com.sku/app_push_lib/plugin-deploy.jar
| MD5 | 058c9e49195a1ab48863deb84a028f63 |
| SHA1 | a35b0dc7822174cff3683e1aa2b5cf85833733df |
| SHA256 | ce04c452c6c3dc56dee78205f036a779c7144eb607dede07aa054f93f77ad049 |
| SHA512 | 081643598f3bbda4d2f560975f6e6fec8da94c8a578d80c05cf6f035ed3766db65de21cbe3ec92a16060e5ea1c1aebe37bd339de76365daf67648fd5967e5c47 |
/data/user/0/com.sku/app_push_lib/plugin-deploy.jar
| MD5 | 0f01de9b83dd8195bc640c07b7e45dd3 |
| SHA1 | a427c07efaed492839e89ab490db691534da8c21 |
| SHA256 | 738447a77b1796c32da78df26302a5bef6369f761af0c4622466338806f8c061 |
| SHA512 | 510c3b4ff8ec84345b45d8cb7ded5fc93dab20f154c8f90f23afb3d9713f27d44b96858e52684dd5cb333134e231a6096f7cef18ea2cccd5c81ee7e98ba61459 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 07:26
Reported
2024-06-11 07:30
Platform
android-x64-20240603-en
Max time kernel
156s
Max time network
131s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.sku/app_push_lib/plugin-deploy.jar | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.sku
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | wxmp.99114.com | udp |
| CN | 58.83.155.120:80 | wxmp.99114.com | tcp |
| CN | 58.83.155.120:80 | wxmp.99114.com | tcp |
| GB | 142.250.187.234:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.14:443 | tcp | |
| GB | 142.250.187.226:443 | tcp | |
| GB | 142.250.187.228:443 | tcp | |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 142.250.200.14:443 | tcp |
Files
/data/data/com.sku/app_push_lib/plugin-deploy.jar
| MD5 | 610ae20fa40cb991ef4670582bc3996a |
| SHA1 | bad8dbc9b7226fbd4f1b97dabe777c36605ccc9b |
| SHA256 | 010690c6a9fe3d6e21c33940453cb2a5c41e26ac24ea42e3732111613701eede |
| SHA512 | 8584fa3850e97276d6afef61dff9401531cd7830a3a7660fcc3b75c21c55196a59efad46ad763f1695f59c99874e29aa285ba9d9f43a5989d004a0e115d76b1b |
/data/data/com.sku/app_push_lib/plugin-deploy.key
| MD5 | 86896cfc29159ebebbdc72a7fea66d3c |
| SHA1 | 76f71e17f279e9010cd1f16d9c979f75bb9cbdb6 |
| SHA256 | 4040246e2cd23768965dd2720eed8ab30b0891eb7324201ac1592e8e39eb7697 |
| SHA512 | 89d4d3e88c41bf4c9cd527ed6c7af45e14545019b1d86414fd7965fb6dac79a6a8f1e8c4b4de4503e6bef2b98ad32f37d319c7e29e807b2b83d56cd867ab9ca6 |
/data/user/0/com.sku/app_push_lib/plugin-deploy.jar
| MD5 | 058c9e49195a1ab48863deb84a028f63 |
| SHA1 | a35b0dc7822174cff3683e1aa2b5cf85833733df |
| SHA256 | ce04c452c6c3dc56dee78205f036a779c7144eb607dede07aa054f93f77ad049 |
| SHA512 | 081643598f3bbda4d2f560975f6e6fec8da94c8a578d80c05cf6f035ed3766db65de21cbe3ec92a16060e5ea1c1aebe37bd339de76365daf67648fd5967e5c47 |