Analysis Overview
SHA256: 4dfe8eaa00d00e6edf6f3c582aed17fa68d3ef8c2a679fc6a1e19dfcac1be4af
Threat Level: Shows suspicious behavior
The file a4b0a47a0b97ecc67ddd0f98f31482ba_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Requests cell location
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported: 2024-06-13 08:45
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-13 08:45
Reported: 2024-06-13 08:45
Platform: android-33-x64-arm64-20240611.1-en
Max time network: 8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 172.217.16.228:443 | | udp |
| GB | 172.217.16.228:443 | | udp |
| GB | 216.58.212.196:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted: 2024-06-13 08:45
Reported: 2024-06-13 08:48
Platform: android-x86-arm-20240611.1-en
Max time kernel: 3s
Max time network: 171s
Command Line
Signatures
Requests cell location
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Processes
com.alipay.android.app
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted: 2024-06-13 08:45
Reported: 2024-06-13 08:45
Platform: android-x86-arm-20240611.1-en
Max time network: 4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted: 2024-06-13 08:45
Reported: 2024-06-13 08:45
Platform: android-x64-20240611.1-en
Max time network: 5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted: 2024-06-13 08:45
Reported: 2024-06-13 08:45
Platform: android-x64-arm64-20240611.1-en
Max time network: 6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-13 08:45
Reported: 2024-06-13 08:48
Platform: android-x86-arm-20240611.1-en
Max time kernel: 5s
Max time network: 160s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.upbaa.android/app_push_lib/plugin-deploy.jar | N/A | N/A |
| N/A | /data/user/0/com.upbaa.android/app_push_lib/plugin-deploy.jar | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.upbaa.android
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.upbaa.android/app_push_lib/plugin-deploy.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.upbaa.android/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | www.upbaa.com | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
Files
/data/data/com.upbaa.android/databases/upbaa2-journal
| Algorithm | Value |
|---|---|
| MD5 | 56265be18c6e440a36ad5ceb958ac245 |
| SHA1 | 2ec38a2401e7d6a7d787185386a43576bdd9ffb1 |
| SHA256 | bc3104ec7275516495b06add6985eafd7263d988ead0fee084027581d7568eb4 |
| SHA512 | 705376bb87219d2199099f67a2fdaac0c4252359257adaa340507e6b2334555429ec87885166bd802d8cbe4f28a6082acf26b72f15f1d1df49768c180743c48a |
/data/data/com.upbaa.android/databases/upbaa2
| Algorithm | Value |
|---|---|
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.upbaa.android/databases/upbaa2-shm
| Algorithm | Value |
|---|---|
| MD5 | cf845a781c107ec1346e849c9dd1b7e8 |
| SHA1 | b44ccc7f7d519352422e59ee8b0bdbac881768a7 |
| SHA256 | 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7 |
| SHA512 | 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612 |
/data/data/com.upbaa.android/databases/upbaa2-wal
| Algorithm | Value |
|---|---|
| MD5 | 5d15b3a4c929095c708e77074b2924a1 |
| SHA1 | d5734bce727e7c85f83edfff7331ffd1f1f8277d |
| SHA256 | 9e913e5e49b26c373d66156803471396ff8fea8a1bc967fddb6099a84666499b |
| SHA512 | 45cbd2c33512d910b7324e459bdcdcb09eedb3e1dc42aee2fab5bc7c2793fb641f6622250c04d0ad84f23d4471ea7afa41a830b45b6ec24a47bc3018f7005766 |
/data/data/com.upbaa.android/app_push_lib/plugin-deploy.jar
| Algorithm | Value |
|---|---|
| MD5 | 68c5fb6ae4cb9e584f674aaaef50cbcd |
| SHA1 | 349b8ba3605e08a2733dcc048941a73967144521 |
| SHA256 | 5f13a0370e09ab461c49e9c4b7c4e74f5a2de48c8c02d16f1eeda5fd192a41b7 |
| SHA512 | bf597b2ff97fbc64f390efc6189188ceadd1959e6ce9ea0daa7be609a013440ea4be569bdc2d0e592e5cf63042e8fdbffa5e9f34507d207331667eab9af415e2 |
/data/data/com.upbaa.android/app_push_lib/plugin-deploy.key
| Algorithm | Value |
|---|---|
| MD5 | 18d5c436057a6aaa0a8e91f18fbdbf2b |
| SHA1 | 9decdb589ba380e7e99dd333470c026029fba09e |
| SHA256 | f449de0653609605253eb4de5ab53f8a65edcdb2b6e4b081132e54d87b6d2894 |
| SHA512 | 6441e96fb09d544716d6a2f7541676b6a1b8e071e07ad654fe473764bafd826fe90cd379505e9ab722d028af97f8e0e6ca98db32b90c66be593fac131286258c |
/data/user/0/com.upbaa.android/app_push_lib/plugin-deploy.jar
| Algorithm | Value |
|---|---|
| MD5 | 04157447d237be80c2218b4aaa4a0419 |
| SHA1 | 5145be92981ed052d7cba76a01eff0c0f812be2b |
| SHA256 | 28d8230be2cd583697af4c0857c6e14e29bfa7803fa98fd9f0932324f8158dff |
| SHA512 | aebd5643d1675291d8357f5566530c4c723deee508347f72554b5aae7f7b450985821a86270932612e5319c0f82da6f211bfc6dddedca3bfc3b3455a4741724d |
/data/user/0/com.upbaa.android/app_push_lib/plugin-deploy.jar
| Algorithm | Value |
|---|---|
| MD5 | 86766c678bbc1ff8cb977da6d0cb5342 |
| SHA1 | df261ac52344bbbdcb8e5e4d3542d75c9d63bfca |
| SHA256 | a11d32fbb954878f01dcec0c345cd6567b71b20b7423253dc6cf8955159367fa |
| SHA512 | f7278941845625857af318f5ec6d91bea5da36f182a1d758efe99dde754fe6102198c488d7bc395e73a400fd47813f34db92bab7fc8b99669a40ae2960fd975a |