Analysis Overview
SHA256
e290d1f43acd117b4d015d037fb080680b2653dd91ef698470cc99df08632f81
Threat Level: Likely malicious
The file a4436a777cd222803316ce6c71619302_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Requests cell location
Makes use of the framework's foreground persistence service
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Queries information about active data network
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 06:44
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 06:44
Reported
2024-06-13 06:47
Platform
android-x86-arm-20240611.1-en
Max time kernel
67s
Max time network
159s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
tv.pps.tpad
df
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | dy.ugc.pps.tv | udp |
| US | 1.1.1.1:53 | www.baidu.com | udp |
| CN | 183.240.99.202:80 | www.baidu.com | tcp |
| CN | 183.240.99.24:80 | www.baidu.com | tcp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.baidu.com | udp |
| CN | 183.240.99.24:80 | www.baidu.com | tcp |
| CN | 183.240.99.202:80 | www.baidu.com | tcp |
| CN | 183.240.99.24:80 | www.baidu.com | tcp |
| CN | 183.240.99.202:80 | www.baidu.com | tcp |
| CN | 183.240.99.24:80 | www.baidu.com | tcp |
| CN | 183.240.99.202:80 | www.baidu.com | tcp |
| US | 1.1.1.1:53 | www.baidu.com | udp |
| CN | 183.240.99.24:80 | www.baidu.com | tcp |
| CN | 183.240.99.202:80 | www.baidu.com | tcp |
| US | 1.1.1.1:53 | www.baidu.com | udp |
| CN | 183.240.99.24:80 | www.baidu.com | tcp |
| CN | 183.240.99.202:80 | www.baidu.com | tcp |
| CN | 183.240.99.24:80 | www.baidu.com | tcp |
| CN | 183.240.99.202:80 | www.baidu.com | tcp |
Files
/storage/emulated/0/.pps/uuid.data
| Hash | Value |
| --- | --- |
| MD5 | 61c90f4a35b254a11225d499a9e70cfd |
| SHA1 | a215eb0bd645e8a85019d1de2eb37285bed25b15 |
| SHA256 | 250db5e501fa9e84764206fdcab8ac1792df0c62f1675733e89d5eea5978653d |
| SHA512 | ced4986a7ddf3d22dec07f56b8c30da52ff9635ea7b9b54f4b0ae293054a849f13a045d0a935fbbd0764f9fea7f2a72a1720f5613308825b40026e20ab4896f2 |
/storage/emulated/0/.pps/parnter.data
| Hash | Value |
| --- | --- |
| MD5 | 125d74905933bf990b1225d6b834d224 |
| SHA1 | 5cbd34d3d2204fd53faed1c50a6bd1f59d917ce6 |
| SHA256 | 339fdb2ea2a116ae902e65c4311fccadba527b25351ecb5743f6f9f3c71002ea |
| SHA512 | faad29f0f392ee31aa5b00b4190fb0ee9ca0dcf037599d8f8009e81c760bb854a74564d82c0b0efae8ef1edbe96352756eb1691b5c5604917b9b982f7abef16d |
/data/data/tv.pps.tpad/databases/pps_user_data.db-journal
| Hash | Value |
| --- | --- |
| MD5 | c11aee09f0ace08a9194215aaff07f7e |
| SHA1 | c2285535aeaebe9d6ae34d64d09f72dd7f405fb3 |
| SHA256 | 2820ff5731d8c99ef871c4403dd9c6d1bc01609b0e1488632aa15a0c66fa4a58 |
| SHA512 | 5c82981b3d6120b8015ddd8f3b49e5f2f720b1ab0cb0402cae9a3a2b683d8164d08c354a45ca398d5798e0c6208dd26b289cae239f41cbcedb6371a3f0d9c3a9 |
/data/data/tv.pps.tpad/databases/pps_user_data.db
| Hash | Value |
| --- | --- |
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/tv.pps.tpad/databases/pps_user_data.db-shm
| Hash | Value |
| --- | --- |
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/tv.pps.tpad/databases/pps_user_data.db-wal
| Hash | Value |
| --- | --- |
| MD5 | 6f7dfe6c37d31d231cd6b3e8930c4a52 |
| SHA1 | 4f716dc8e38507750549671bab8b42cf271d8fcf |
| SHA256 | 9f7b3c06d8d6e69926cec5efd31db1ffd10b6b770a7defe02ad92a0de5a8d09f |
| SHA512 | aa3eb41599fcf0af0b51770430191b71d034ef93a7886262816f10e7d525db485d9bbed137a25a872fd7a645973caa11af67d6710fda04498188493cad7accca |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 06:44
Reported
2024-06-13 06:47
Platform
android-x86-arm-20240611.1-en
Max time kernel
3s
Max time network
148s
Command Line
Signatures
Requests cell location
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Processes
com.alipay.android.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |