Analysis Overview
SHA256
eeffdcac273d84c73d9b64f410119a0f0cd084a5bd194b2395bab4386a8a661f
Threat Level: Likely malicious
The file a4fffb1ee16a7ed71309cd41a7d281f8_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 10:06
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 10:06
Reported
2024-06-13 10:09
Platform
android-x86-arm-20240611.1-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.ggffghhj.kjhhuki.jytfgh/files/3182611z.jar | N/A | N/A |
| N/A | /data/user/0/com.ggffghhj.kjhhuki.jytfgh/files/3182611z.jar | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.ggffghhj.kjhhuki.jytfgh
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ggffghhj.kjhhuki.jytfgh/files/3182611z.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.ggffghhj.kjhhuki.jytfgh/files/oat/x86/3182611z.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | live.chartboost.com | udp |
| US | 34.107.157.36:443 | live.chartboost.com | tcp |
| US | 34.107.157.36:443 | live.chartboost.com | tcp |
| US | 1.1.1.1:53 | ci.hi.chabh.com.cn | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.ggffghhj.kjhhuki.jytfgh/files/3182611z.jar
| MD5 | 464565b36939a4b7c95dee8001d8a4f4 |
| SHA1 | 02a04a9695c47f288b9c6cb13696aafd015bc012 |
| SHA256 | 5e98a787582cd27088307c82b2ddfd826af30622ffc99c7fa20d8862dfb8c77d |
| SHA512 | ae77d3c6d9ca7d9abda402a198b8e519858d3b2d63f6d6b6f20c30b3fe69e2356624e4a4761dcc50746861f545c8c9ec54a8181559fb021ba70b881f0dd3ef96 |
/data/user/0/com.ggffghhj.kjhhuki.jytfgh/files/3182611z.jar
| MD5 | 4073533fa19df758c0d24e16ccbbd9a8 |
| SHA1 | d4ceb3eaa23d35f1b8e3296659286cd83f3d72f0 |
| SHA256 | 22fd6785ced056786a41e9e9e920487e536d38deef9b3a3cafc29c2dd4aefc6c |
| SHA512 | 7f07a4dfa29c8fa7d9d8f12d47638968427166c6e48ba022596b6190ffd9c64e0e4efb3628a86a20ceacfb488d35c6c1aec6ab45ee036e8ff8394b0d487a85ef |
/data/user/0/com.ggffghhj.kjhhuki.jytfgh/files/3182611z.jar
| MD5 | b38fe5c46741d26c9f108f90c05fc882 |
| SHA1 | 1b26e02205b972606bd52a5476c3a451cba9fa96 |
| SHA256 | 66a71893c43be7e502b1d526de213299e7675781287fdbefe43f7e2688b868a6 |
| SHA512 | 827eac3fef1f4015d56612738f97a98d88cbce976cd098fc7f0397c0fce3d62da711a75bbc4cc61df9ad43465b1114366484c4e66a715df1f3d6920eb522aa10 |
/data/data/com.ggffghhj.kjhhuki.jytfgh/cache/__chartboost/CBSessionDirectory/cb_previous_session_info
| MD5 | 762c38c62cc6c9752db108e1b5a88d8b |
| SHA1 | a98081fa017b8f5eab4a2b74682020a516db4800 |
| SHA256 | 66916d50fbb887c05a24acaad98e4db6af6c8fd09418630f235a0ce299285525 |
| SHA512 | 9a1bc4b037b4b2ae88152ccea6bcb09f9aaabf98d06febcb2d51275c39ce6434927bd2db2b8744a7f129aca122093464fe26cd1404cf41fe30765c943230002d |
/data/data/com.ggffghhj.kjhhuki.jytfgh/cache/__chartboost/CBRequestManager/57831622300
| MD5 | 50b6c4fe65dbe4b0135640f9e9a40e3d |
| SHA1 | 7661ab5fcd6ac44846d8febd53ed00999de247fa |
| SHA256 | 343dcfb32b1fa8529b1e29bf23093e69567c904d4ba07d20a732968c2866922e |
| SHA512 | 7711372790e145625abede333b642b8826a58328f09da66039fdaa865a596384ab3b9a134b78834846b54bd71435cf232379414f08479180f59eb53f6c7cc6cc |