Analysis Overview
SHA256
1bf557b100da1527bc8219a0a6ee4964de96d7df179fca39917d76b5d068a9f5
Threat Level: Shows suspicious behavior
The file a6c3785b12d36cfef8a0fd47f9002de3_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads the contacts stored on the device.
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 21:57
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 21:57
Reported
2024-06-13 22:00
Platform
android-x86-arm-20240611.1-en
Max time kernel
12s
Max time network
131s
Command Line
Signatures
Reads the contacts stored on the device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://com.android.contacts/contacts | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.wondertek.paper
cat /proc/cpuinfo
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | | tcp |
Files
/data/data/com.wondertek.paper/fontConfig.xml
| MD5 | 621650ac5bec3c7d39e1e9cf6d914ec4 |
| SHA1 | c1b0e892e4d539f782428fba71450a77fd6ae61f |
| SHA256 | c68552424ef07f48ffb778280a1c1b4017b691d5ef22ccca75feb4fe3910afff |
| SHA512 | ac41074bf51cd6ee95f1bd38ebf85fb35ff462aead0d789299b39d31553b82c821efa6cd29f47b4e69a6beab56a2a4275594a8ee2bd01dd5177af1f03799d2bb |
/data/data/com.wondertek.paper/fonts/FZBIAOYSK.TTF
| MD5 | ef089c84c9b22262eaa4f9706733fec8 |
| SHA1 | 153b7f7080b0c3672ad9bf22cd185319bd22c7c2 |
| SHA256 | 2cc419807bb89dbeecc4cc76b6a2ebe7b6e5a51398d6ba75e9229d681a03ee7f |
| SHA512 | fd08926e729ebcd613c5de6c43f0010a8a1cdf61ee2b0883b05783216f0484701518af82285294fcf5315f06df1a3f708ba7a1c09f0b6065e18fe96ed55ed1c7 |
/data/data/com.wondertek.paper/framework.dat
| MD5 | acfbf1a9d071c0b6d67f393ee8f6633e |
| SHA1 | 1c6b88b0bae104f3a0fc84276edb3242700a28fd |
| SHA256 | ddd7f503b156c3f93dc579248a940d1b37f629be1522cefdcac1fd469fb5a4db |
| SHA512 | ec73fbd353f017b7dfc1800cb836fd080a8a7c1d110f760a83bbfaf2ce9051c82e8132aa86741c717bd068c0eb51e1ded86313324a3e5f09f7f54a071ffe389c |
/data/data/com.wondertek.paper/lib2/libapi.so
| MD5 | 1a26135ad59a2eac84c87e9b4417c3ec |
| SHA1 | 4594a5b849141ebfe20d20819cf8872301cbfe26 |
| SHA256 | e761d75451902c6022f6d16ed49149b6043b6e6a424459fb131326fd3559433c |
| SHA512 | 3ff957fb94bc00438b6c2d87ee311175c357f3c23a54a73b8bdcf151f26bb06c41a00b225e977c9f2f88dee0d7bd8e7c359edeeb15cf2c5a51e20673119f675c |
/data/data/com.wondertek.paper/module/comrepository.xml
| MD5 | d3a437176a08a18ed80d4eae5a8d3324 |
| SHA1 | 19f908256b2d65e58f5c19ceff64163d67a887b2 |
| SHA256 | 19181fb0a2599d940076c39a7e0df1130d62e5ae21797a9fb9a9a0231f99f8ce |
| SHA512 | 730135a1e22042dc555cdc7544d37833dc64ac4ce84d7f9bf28a8049ace35f7e020bcc2e01ab04888e837864c6941268e8ae6fc0bbcaa5fec8b6c4db505af8cd |
/data/data/com.wondertek.paper/module/com_wondertek_paper.zip
| MD5 | 0ddec2a461d6eec693c7ed8acaf85f1e |
| SHA1 | 26d2e8c3d84d5412437ac595cc2c60254c71cacc |
| SHA256 | 12ba8dbf69359d008f0d4dfdff48e95013c4697425efc76cb72e5bf1e2ac6207 |
| SHA512 | 4e1651d8a225f552e39b6afd6269620d0aa323c3f19e51ad28d3b0fe5b35ef000089f5544be862217f727e69870c3eb52e9a0cb91925358ff19cb216b74eb86e |
/data/data/com.wondertek.paper/module/icon.png
| MD5 | 2045246c78360bbe4cc69aaa7d4c7bcc |
| SHA1 | 80ee7b42d694016ffd494c2273540df1c1767422 |
| SHA256 | 92989a926a3161b835c5fd7379fb3c40a264258bff8a46189c6698c42cc31af7 |
| SHA512 | a62f75e220fdb843d22c3e9d71443bebe5703af61dee08b143bfa92f847351df1a55bbb6ab5cd77cbfd3875a4479fcfdceee30e3d135ba7b67644834cf662232 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 21:57
Reported
2024-06-13 22:00
Platform
android-x64-arm64-20240611.1-en
Max time kernel
13s
Max time network
132s
Command Line
Signatures
Reads the contacts stored on the device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://com.android.contacts/contacts | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.wondertek.paper
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.234:443 | | tcp |
| GB | 216.58.212.234:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.212.196:443 | | tcp |
| GB | 216.58.212.196:443 | | tcp |
Files
/data/data/com.wondertek.paper/fontConfig.xml
| MD5 | 621650ac5bec3c7d39e1e9cf6d914ec4 |
| SHA1 | c1b0e892e4d539f782428fba71450a77fd6ae61f |
| SHA256 | c68552424ef07f48ffb778280a1c1b4017b691d5ef22ccca75feb4fe3910afff |
| SHA512 | ac41074bf51cd6ee95f1bd38ebf85fb35ff462aead0d789299b39d31553b82c821efa6cd29f47b4e69a6beab56a2a4275594a8ee2bd01dd5177af1f03799d2bb |
/data/data/com.wondertek.paper/fonts/FZBIAOYSK.TTF
| MD5 | ef089c84c9b22262eaa4f9706733fec8 |
| SHA1 | 153b7f7080b0c3672ad9bf22cd185319bd22c7c2 |
| SHA256 | 2cc419807bb89dbeecc4cc76b6a2ebe7b6e5a51398d6ba75e9229d681a03ee7f |
| SHA512 | fd08926e729ebcd613c5de6c43f0010a8a1cdf61ee2b0883b05783216f0484701518af82285294fcf5315f06df1a3f708ba7a1c09f0b6065e18fe96ed55ed1c7 |
/data/data/com.wondertek.paper/framework.dat
| MD5 | acfbf1a9d071c0b6d67f393ee8f6633e |
| SHA1 | 1c6b88b0bae104f3a0fc84276edb3242700a28fd |
| SHA256 | ddd7f503b156c3f93dc579248a940d1b37f629be1522cefdcac1fd469fb5a4db |
| SHA512 | ec73fbd353f017b7dfc1800cb836fd080a8a7c1d110f760a83bbfaf2ce9051c82e8132aa86741c717bd068c0eb51e1ded86313324a3e5f09f7f54a071ffe389c |
/data/data/com.wondertek.paper/lib2/libapi.so
| MD5 | 1a26135ad59a2eac84c87e9b4417c3ec |
| SHA1 | 4594a5b849141ebfe20d20819cf8872301cbfe26 |
| SHA256 | e761d75451902c6022f6d16ed49149b6043b6e6a424459fb131326fd3559433c |
| SHA512 | 3ff957fb94bc00438b6c2d87ee311175c357f3c23a54a73b8bdcf151f26bb06c41a00b225e977c9f2f88dee0d7bd8e7c359edeeb15cf2c5a51e20673119f675c |
/data/data/com.wondertek.paper/module/comrepository.xml
| MD5 | d3a437176a08a18ed80d4eae5a8d3324 |
| SHA1 | 19f908256b2d65e58f5c19ceff64163d67a887b2 |
| SHA256 | 19181fb0a2599d940076c39a7e0df1130d62e5ae21797a9fb9a9a0231f99f8ce |
| SHA512 | 730135a1e22042dc555cdc7544d37833dc64ac4ce84d7f9bf28a8049ace35f7e020bcc2e01ab04888e837864c6941268e8ae6fc0bbcaa5fec8b6c4db505af8cd |
/data/data/com.wondertek.paper/module/com_wondertek_paper.zip
| MD5 | 0ddec2a461d6eec693c7ed8acaf85f1e |
| SHA1 | 26d2e8c3d84d5412437ac595cc2c60254c71cacc |
| SHA256 | 12ba8dbf69359d008f0d4dfdff48e95013c4697425efc76cb72e5bf1e2ac6207 |
| SHA512 | 4e1651d8a225f552e39b6afd6269620d0aa323c3f19e51ad28d3b0fe5b35ef000089f5544be862217f727e69870c3eb52e9a0cb91925358ff19cb216b74eb86e |
/data/data/com.wondertek.paper/module/icon.png
| MD5 | 2045246c78360bbe4cc69aaa7d4c7bcc |
| SHA1 | 80ee7b42d694016ffd494c2273540df1c1767422 |
| SHA256 | 92989a926a3161b835c5fd7379fb3c40a264258bff8a46189c6698c42cc31af7 |
| SHA512 | a62f75e220fdb843d22c3e9d71443bebe5703af61dee08b143bfa92f847351df1a55bbb6ab5cd77cbfd3875a4479fcfdceee30e3d135ba7b67644834cf662232 |