Malware Analysis Report

2024-09-09 17:48

Sample ID 240613-jdmjfszamh
Target a4718a0fecad0e9d6b11ed4084d42390_JaffaCakes118
SHA256 0eac53e4877d6376162315513eb3cae62e33e15603358c3bb4106bdb9a48589f
Tags
discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a4718a0fecad0e9d6b11ed4084d42390_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:33

Signatures

Requests dangerous framework permissions

Description: Allows an application to write to external storage.
Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Description: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.READ_PHONE_STATE
Process: N/A
Target: N/A

Description: Allows an app to access precise location.
Indicator: android.permission.ACCESS_FINE_LOCATION
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:33

Reported

2024-06-13 07:36

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

158s

Command Line

com.squareenix.tombraider1classic

Signatures

Loads dropped Dex/Jar

evasion
Description: N/A
Indicator: /data/user/0/com.squareenix.tombraider1classic/app_app_apk/tombraider1classic.dat.jar
Process: N/A
Target: N/A

Queries information about running processes on the device

discovery
Description: Framework service call
Indicator: android.app.IActivityManager.getRunningAppProcesses
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description: Framework API call
Indicator: javax.crypto.Cipher.doFinal
Process: N/A
Target: N/A

Processes

com.squareenix.tombraider1classic

Network

Country  Destination            Domain                      Proto
N/A      224.0.0.251:5353       N/A                         udp
US       1.1.1.1:53             data.flurry.com             udp
US       74.6.138.66:443        data.flurry.com             tcp
US       1.1.1.1:53             ssl.google-analytics.com    udp
GB       142.250.200.40:443     ssl.google-analytics.com    tcp
GB       216.58.212.238:443     N/A                         tcp
US       1.1.1.1:53             android.apis.google.com     udp
GB       142.250.187.238:443    android.apis.google.com     tcp

Files

/data/data/com.squareenix.tombraider1classic/files/libsplash.png.so (written four times, each with a different hash)
/data/user/0/com.squareenix.tombraider1classic/app_app_apk/tombraider1classic.dat.jar
/data/data/com.squareenix.tombraider1classic/databases/google_analytics_v4.db-journal
/data/data/com.squareenix.tombraider1classic/databases/google_analytics_v4.db
/data/data/com.squareenix.tombraider1classic/databases/google_analytics_v4.db-shm
/data/data/com.squareenix.tombraider1classic/databases/google_analytics_v4.db-wal
/data/data/com.squareenix.tombraider1classic/databases/DownloadsDB-journal
/data/data/com.squareenix.tombraider1classic/databases/DownloadsDB-wal
/data/data/com.squareenix.tombraider1classic/files/gaClientId
/data/data/com.squareenix.tombraider1classic/files/.flurryagent.-38313e77
/data/data/com.squareenix.tombraider1classic/files/.yflurrydatasenderblock.c32a5538-17bb-4d78-b793-f45576947fab
/data/data/com.squareenix.tombraider1classic/files/.YFlurrySenderIndex.info.AnalyticsData_K56V5RX7GPV57DZT6SZQ_184
/data/data/com.squareenix.tombraider1classic/files/.YFlurrySenderIndex.info.AnalyticsMain