Analysis Overview
SHA256
e5e8e91ffc0499e8e7b01ba8f8305fb1c98e49778c9278d862334d23ec3e821e
Threat Level: Likely malicious
The file 9e867bd7e7c41f6aa2a48fe1c9856019_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries information about the current nearby Wi-Fi networks
Obtains sensitive information copied to the device clipboard
Queries information about running processes on the device
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 14:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 14:34
Reported
2024-06-11 14:37
Platform
android-x86-arm-20240611-en
Max time kernel
64s
Max time network
131s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid25697
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.10:443 | | tcp |
| GB | 172.217.169.10:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.78:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | wendsldj.com | udp |
| NL | 78.41.204.34:80 | wendsldj.com | tcp |
| NL | 78.41.204.34:80 | wendsldj.com | tcp |
| NL | 78.41.204.34:80 | wendsldj.com | tcp |
| US | 1.1.1.1:53 | ww1.wendsldj.com | udp |
| US | 199.59.243.225:80 | ww1.wendsldj.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | partner.googleadservices.com | udp |
| US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp |
| GB | 172.217.16.226:443 | partner.googleadservices.com | tcp |
| GB | 142.250.187.238:443 | www.adsensecustomsearchads.com | tcp |
| US | 1.1.1.1:53 | afs.googleusercontent.com | udp |
| GB | 142.250.187.193:443 | afs.googleusercontent.com | tcp |
| GB | 142.250.187.193:443 | afs.googleusercontent.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
Files
/data/data/com.yxxinglin.xzid25697/files/umeng_it.cache
| MD5 | bd647ad4aaa9b57501f289a84eed5ee4 |
| SHA1 | 9f9364c791c9c221578634f78bf0575ceeed41db |
| SHA256 | b8b296f16fe2371c06ed20b0f6f4e4302c0403f3ed356b0c70363b1c84cf3a0a |
| SHA512 | ccb9a524900693e7cd6a5063e0045380e007fe01e1190f2f36c312ec687e3498ac32dd9192224c25787b78fd730325dfa3b84839a00c08e56d8a0aa71215f10e |
/data/data/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDY4Mjk4
| MD5 | 8b62526f7f6bbc2e1e850b9a0c428cc2 |
| SHA1 | 52e8bced520fa8e2b4c72abb93d7b89940aafb77 |
| SHA256 | 6bcdcd7bc7a15ea479364d1967c64ab21a25fc379ce37ce8aa8d4ceff704f3cb |
| SHA512 | 0402f230a98b457f0ba022f43c9d4cd41cefaa9d4358cc133b77915e8ddf0b468c8b2bef39eda812a4bba3071b74a8c1b3f8e574e85fe10a2623f2b7e2636026 |
/data/data/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDk4OTcz
| MD5 | d1f531dbd53bd10069716c33e2374ced |
| SHA1 | 6205e846e8e0e078a8d615cfd8690fc757ef340d |
| SHA256 | 8957f46c37daaaddb705e82659a93412c74e013e8b3f75cd142cca35b11a1a91 |
| SHA512 | 65b7745d7421c2a6a0f4027d06c05b54b77742e4472a57d4513a202ea7f017b11e31fdda83f8013ed99a75b5d9fa54770a6a570e9cc1bca1167b313a1a001898 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 14:34
Reported
2024-06-11 14:37
Platform
android-x64-20240611-en
Max time kernel
64s
Max time network
155s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid25697
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | wendsldj.com | udp |
| NL | 78.41.204.34:80 | wendsldj.com | tcp |
| NL | 78.41.204.34:80 | wendsldj.com | tcp |
| NL | 78.41.204.34:80 | wendsldj.com | tcp |
| US | 1.1.1.1:53 | ww1.wendsldj.com | udp |
| US | 199.59.243.225:80 | ww1.wendsldj.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 172.217.169.68:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | partner.googleadservices.com | udp |
| GB | 172.217.16.226:443 | partner.googleadservices.com | tcp |
| US | 1.1.1.1:53 | syndicatedsearch.goog | udp |
| GB | 142.250.178.14:443 | syndicatedsearch.goog | tcp |
| US | 1.1.1.1:53 | afs.googleusercontent.com | udp |
| GB | 172.217.169.65:443 | afs.googleusercontent.com | tcp |
| GB | 172.217.169.65:443 | afs.googleusercontent.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
Files
/data/data/com.yxxinglin.xzid25697/files/umeng_it.cache
| MD5 | 9dd9f5b7f1d6ee4e092e3ed40c466787 |
| SHA1 | e68b10bfd75b6f25ce2748663466a07c0c318a07 |
| SHA256 | e4882d0b0a790ca2ce9d2a209791fd1db60a7cd00469b77f34607b673ade7e27 |
| SHA512 | c483341cad9525b0c4b8005ab71417d7c8a3a351bcfba0748d354868302f02c435ce73f865e954d1f549d2f1f18f8568ddcf6daa9720ee417805fa5f3a662ea6 |
/data/data/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDY4Mjk0
| MD5 | 12d1326cff81f7b87b221f2e6cdf0540 |
| SHA1 | fc1bf909d3d1b6da8cf896ea7f1741a4cd1882f8 |
| SHA256 | e6bfa02da05c98017e8b3f895b1d71bea952d972a6a6bfa5b7b1861a801590c7 |
| SHA512 | ff6f59a7c7d0b7ee5033eaa11410080dc37e4255c74913dd4d28dbae162598857a78d4af104b471039c2f3763c214a3332c1153d3419ca2f039b1dbca18e97a7 |
/data/data/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDk4NDg2
| MD5 | 612eecf004c25b4cc052aa14c1895f70 |
| SHA1 | 295251bf631b4309ae7556d7ca7a08cfac8aa979 |
| SHA256 | 23392ea7832b37b4a21d7a8effcd5b7f36ce93bc4776cf93de002ddfc6d3d612 |
| SHA512 | 18bf8897d7fe1763665bee94ba52cfee7f6d7e8f0b8ff3235b161458e3d406fb64624ff50597f23ea77ae1936ea94ba9a6d074b9cb8a74f327e487b5f28ea795 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 14:34
Reported
2024-06-11 14:37
Platform
android-x64-arm64-20240611-en
Max time kernel
87s
Max time network
163s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid25697
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.78:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | wendsldj.com | udp |
| NL | 78.41.204.34:80 | wendsldj.com | tcp |
| NL | 78.41.204.34:80 | wendsldj.com | tcp |
| US | 1.1.1.1:53 | ww1.wendsldj.com | udp |
| US | 199.59.243.225:80 | ww1.wendsldj.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.200.36:443 | www.google.com | tcp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | partner.googleadservices.com | udp |
| US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp |
| GB | 172.217.16.226:443 | partner.googleadservices.com | tcp |
| GB | 142.250.178.14:443 | www.adsensecustomsearchads.com | tcp |
| US | 1.1.1.1:53 | afs.googleusercontent.com | udp |
| GB | 172.217.169.1:443 | afs.googleusercontent.com | tcp |
| GB | 172.217.169.1:443 | afs.googleusercontent.com | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 216.58.201.99:443 | | tcp |
Files
/data/user/0/com.yxxinglin.xzid25697/files/umeng_it.cache
| MD5 | c5c3442ce38db9bd53a30a6878396637 |
| SHA1 | 2e6627acc214f2eab4153aa767a77673c16a852b |
| SHA256 | 6eb0edfd7af7ae562320f45e92259c99b26cfa192815f716338494b14edafe6e |
| SHA512 | a11f72a9c81435a220fdb1d3dd8584ab0ee679834ebee32d41fc9f5cd8b6f206f10c7da93fb8a3d55b204354d33b537fc2d1b50ad49147f64f609541f3b86cbd |
/data/user/0/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NDcwNDE1
| MD5 | 1f9d3d467d7fb8951ffefa18471f255c |
| SHA1 | cf18fab7593acbc3b9cba841279aa1aa842e840b |
| SHA256 | 7fefc4026e4e5e1a7fcc40c8f1b1d22b720d62ca58c66fece7bb410d3ed09188 |
| SHA512 | ebcdab6758e203ecd0621ca2467ba5f41122e845b5345aad5de94f1332c1c4794b2e8a1b45fed10a55db20875176198e35064412cb6446e875698e47aba394a1 |
/data/user/0/com.yxxinglin.xzid25697/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MTE2NTAwNTY2
| MD5 | e050e18278ecc60db5f96c9c4bb75a16 |
| SHA1 | 6ede5ee4533fc56536314bbf94315178c465d157 |
| SHA256 | eacf874748f57f0d5174916b2fdf100d45dffc9a4d2e806d0ffced331b741082 |
| SHA512 | 915bffc24134974e52384d670461cca6dcc22d94867512754ba7043111ac14cbac38e1fa0179c43abd56ef799c5687eac12a2b52666a2986d5cfa7109af029be |