Malware Analysis Report

2024-10-19 11:54

Sample ID 240612-m8dftawclr
Target a07061faa8213d27754c0f8c50da7d85_JaffaCakes118
SHA256 171b0d607eb19ff1816012769e9a1c0671b16d238ec2b0a6295f9316345af4ed
Tags
collection discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

171b0d607eb19ff1816012769e9a1c0671b16d238ec2b0a6295f9316345af4ed

Threat Level: Shows suspicious behavior

The file a07061faa8213d27754c0f8c50da7d85_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-12 11:07

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-12 11:07
Reported: 2024-06-12 11:11
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 2s
Max time network: 137s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 172.217.169.3:443 | N/A | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 11:07
Reported: 2024-06-12 11:11
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 130s

Command Line

com.cdjm.app.gdmahjong.core

Signatures

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Requests cell location
Tags: collection, discovery, evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cdjm.app.gdmahjong.core

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | update.jiemai-tech.com | udp
US | 1.1.1.1:53 | ad.jiemai-tech.com | udp
US | 1.1.1.1:53 | gm.jiemai-tech.com | udp
US | 1.1.1.1:53 | cn.api.vpon.com | udp
GB | 216.58.212.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

/data/data/com.cdjm.app.gdmahjong.core/databases/gamedb_new-journal

MD5 c31bc4083347695263eb9075d3719d37
SHA1 a00569b46e6d7a97aee30ec4681d4a6782d725b9
SHA256 61a04457f37cdb6f4c63c0e0cb6b6cfa0b680fef581bfbe59e0a034b02f1d53d
SHA512 d59c98d46873d7dbb78f8e51d86c2b71773bf96cda4aaa368c88a08719e4618a29db537045a4c07dfc26b4627aab00765fc41f713f56a6f8165a408893b2cbe7

/data/data/com.cdjm.app.gdmahjong.core/databases/gamedb_new

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cdjm.app.gdmahjong.core/databases/gamedb_new-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cdjm.app.gdmahjong.core/databases/gamedb_new-wal

MD5 d6c37a943891612312e6e9653d4e9d23
SHA1 ffe3d0e76ddcfb0ecc69993764edbe05e746ddb3
SHA256 dfadb33809490837528d5e3efb5621405e651c7b905e0bd2160ded82ecd63d17
SHA512 ac4af6e5c5f13e7f187cae93f2fcaa2cdcd347d8f231e105fe8d35ebe93e2e8522d7d18fe9a6222becf19dad8d9f47cb1775b200e57a8aab8f712ac76c39583e

/data/data/com.cdjm.app.gdmahjong.core/databases/jutaskdb-journal

MD5 1b78367fdf28b6af15e5769f60d5b633
SHA1 5e8ea1b7fa0132391a2c7a054407d2dc997f146a
SHA256 fc006d8b66ce7bd4d97cee684db17472af5596f3e948f8677bcb716314984d36
SHA512 8080fda004363e4547a6b9ed34cda4ff7ce850ee4ea87ecbb6fc5803ce74a9891d4db3883ef9c033c4cddf2b1a695a66787bbfd8cad232d7630821e7bf344426

/data/data/com.cdjm.app.gdmahjong.core/databases/jutaskdb-wal

MD5 5928bad6414775206a7c7f25a0627ee8
SHA1 8a0d0383e6f9c3fd084596063ddafe036e79160f
SHA256 cf9cc930c10b144bbb5cf90511a5e229cf310d5a958d7a9e165a538606da2b15
SHA512 77f26f3857262fb6e65db896da80d2f424c6c67ac4e593420e5dcb061506f45348b28878354664d0da0096b0aa1c38fd8f5543e4a3fd54d6187474939997a60c

/data/data/com.cdjm.app.gdmahjong.core/databases/jmgdmj-journal

MD5 cc222296e9a7a7ae638d186f00437fa7
SHA1 3009318002d7a8843d4823b0925692c2bd9e473e
SHA256 be5204648a6f9413dd40a4700afe908d78de31808a55b2b6c4eead762e08d677
SHA512 85c9c992a3f4887951fc37e2be4fb6e3f025d98945c13e820645918a8134c51af695ecd887c353bd9fa2c370366021b1152ebc7da466abc78887a02ad43bd2a0

/data/data/com.cdjm.app.gdmahjong.core/databases/jmgdmj-wal

MD5 c174bbc39c99858338ca9ee9086b2eec
SHA1 0b29416c6ae9436e952e47f5d4b1e1f6cdcdabb6
SHA256 5d04372aec3196bf98b09c2462caaf2697191f3aca21b9280435a5e6205bb365
SHA512 c3f967f6fff52f3860e60b6b606a6b3fbb283c8ffcd96aec052a1313bca9725c7b9d2784505603a3819c71fc8b583b3f38dc03540cb5133f09c8a3ccacd43049

/data/data/com.cdjm.app.gdmahjong.core/files/temp

MD5 907809c7a0beb0272cfb3c0ea089b19f
SHA1 99e2f552fb9d3d618a48236eddfd108188aef9cb
SHA256 6bd2dc0b7ab7bf46f4119bbb09fddce969c83aa896312a4874df89451d58cf53
SHA512 1a53e006b98b802f3addbd8ef9d85b6962f570e76c0dfca93abd295e41203025637a801ddcd41d5ff8cefc75e5f49ec040d167a8b69048245f09e5eabcf6bc63

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 11:07
Reported: 2024-06-12 11:10
Platform: android-x86-arm-20240611.1-en
Max time kernel: 2s
Max time network: 157s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-12 11:07
Reported: 2024-06-12 11:11
Platform: android-x64-20240611.1-en
Max time kernel: 4s
Max time network: 187s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.42:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
GB | 142.250.187.194:443 | N/A | tcp
GB | 172.217.169.42:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 142.250.179.238:443 | N/A | tcp

Files

N/A