Analysis Overview
SHA256
e408dcf2ef3f8b9f2c2b4dea7fcf8c59f491011ab4082262cbbd13f62acbceaf
Threat Level: Shows suspicious behavior
The file a4e5a86adc222f7b94cd4c651d5e8710_JaffaCakes118 was classified as showing suspicious behavior.
Malicious Activity Summary
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Uses Crypto APIs (Might try to encrypt user data)
Analysis: static1
Detonation Overview
Reported
2024-06-13 09:41
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 09:41
Reported
2024-06-13 09:44
Platform
android-x86-arm-20240611.1-en
Max time kernel
7s
Max time network
131s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
org.silentchen.www.agilebuddy
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | img.ninebox.cn | udp |
| US | 1.1.1.1:53 | s.ninebox.cn | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp |
Files
/storage/emulated/0/Android/data/code/MID.DAT
| MD5 | c679783f144b5b77cbcc89952b9590de |
| SHA1 | 339c29f74856fbb0a27070d1d90c1acde4d49142 |
| SHA256 | 03e9e03b09bb456d2e730f787e5b232d119d59547959fd73617cbf44dcf56de3 |
| SHA512 | 5ac8cdf1e7950029ccd418c6df2991e9763083cc631f549ab2302758b0cd634817c1f712db7310927ba39aa9612e7be746532142434d314fb7231e2f97d4aa2f |
/storage/emulated/0/Download/9j/1.dat
| MD5 | 927480efb7cbb7e260eb70a77c9dd19c |
| SHA1 | a99b69e337352448652f3b47cf4b603806ca97b9 |
| SHA256 | f6d40c4149c098ca475bd6fb9d5c84460a0899af5c1cac2b93b9ee4c00931dd0 |
| SHA512 | 70edddd7ec081baa286a8713cf5402d7f820eea6650fcaf22ec5f45dc3fd2c73d06001731ee71a0819520f5fbd84d6b3a973fe32e9f79c221cb282dab3903c19 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 09:41
Reported
2024-06-13 09:44
Platform
android-x64-20240611.1-en
Max time kernel
7s
Max time network
150s
Command Line
Signatures
Queries the unique device ID (IMEI, MEID, IMSI)
Note: no indicator row was recorded for this signature. On Android 10 and later the IMEI, MEID and IMSI getters require the privileged READ_PRIVILEGED_PHONE_STATE permission (or carrier or device-owner privilege), so an app holding only READ_PHONE_STATE, the permission requested here, receives null or a SecurityException from them.
Processes
org.silentchen.www.agilebuddy
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | img.ninebox.cn | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.234:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
Files
/storage/emulated/0/Download/9j/1.dat
| MD5 | 780acff759a26a5665e1325f1877f875 |
| SHA1 | f72ad8a92cd08f34d1776781afb73184d3c6a40f |
| SHA256 | b4bf6760e0524c72997d32a1fa16b92d280161ece3e2b816a7328cab0c30e1d4 |
| SHA512 | 8a939748f562b6f8418bcac25d75f979cf544b1f72714e1f21f131ac11f81c6a26442ff48b7548492347c4eff672442a768f058deb46cdfeb4da348fde4d2b90 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 09:41
Reported
2024-06-13 09:44
Platform
android-x64-arm64-20240611.1-en
Max time kernel
7s
Max time network
167s
Command Line
Signatures
Processes
org.silentchen.www.agilebuddy
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | img.ninebox.cn | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
Files
/storage/emulated/0/download/9j/1.dat
| MD5 | cbfaba32687f8e7906777d1bf0b63cc5 |
| SHA1 | 270d56db95e65b7d433171ce919ee4eaa63cb556 |
| SHA256 | 0e115551d048a5bbdc08948637064faeab349f4babb4521a5676989c7dc5d0a2 |
| SHA512 | b519d6c2b18cd4d094bfeff487daf47fa3f88e3f40658771d13b6892485ed123219636e3dadc88afc802b9531662a9de3648d6e4eb8e01c82192662f2653c548 |
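Added triage helper for the Network and Files sections of the three behavioral runs above (example code written for this page, not the sandbox vendor's). It parses the report's pipe-delimited rows, including rows in which an empty Domain cell shifts Proto one column left or is dropped during extraction, separates mDNS, resolver and Google platform traffic from the app's own destinations, and compares the SHA256 of /storage/emulated/0/Download/9j/1.dat across runs, folding the path to lower case on the assumption that the emulated external storage volume is case-insensitive. The platform suffix list and the run labels are this example's assumptions; the table rows are copied from the report.

```python
import ipaddress

# Suffixes treated as Android/Google platform background traffic. The list is an
# assumption of this example; the report itself does not classify hosts.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")

# Network tables as extracted from the report. Where the Domain cell was empty,
# extraction shifted Proto one column left or dropped the trailing cell entirely.
NETWORK_TABLES = {
    "behavioral1": """\
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | img.ninebox.cn | udp |
| US | 1.1.1.1:53 | s.ninebox.cn | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp |
""",
    "behavioral3": """\
| Country | Destination | Domain | Proto |
| GB | 142.250.187.206:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | img.ninebox.cn | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.110:443 | tcp | |
| GB | 142.250.179.226:443 | tcp |
""",
}

# Files sections of the three runs, reduced to the dropped path and its SHA256 row.
FILE_TABLES = {
    "behavioral1": "/storage/emulated/0/Download/9j/1.dat\n"
                   "| SHA256 | f6d40c4149c098ca475bd6fb9d5c84460a0899af5c1cac2b93b9ee4c00931dd0 |\n",
    "behavioral2": "/storage/emulated/0/Download/9j/1.dat\n"
                   "| SHA256 | b4bf6760e0524c72997d32a1fa16b92d280161ece3e2b816a7328cab0c30e1d4 |\n",
    "behavioral3": "/storage/emulated/0/download/9j/1.dat\n"
                   "| SHA256 | 0e115551d048a5bbdc08948637064faeab349f4babb4521a5676989c7dc5d0a2 |\n",
}

def cells(line):
    """Split one pipe-table row into stripped cells without the outer pipes."""
    return [c.strip() for c in line.strip().strip("|").split("|")]

def parse_network(text):
    """Yield (country, ip, port, domain, proto) tuples, repairing shifted rows."""
    for line in text.splitlines()[1:]:            # skip the header row
        c = cells(line) + [""]                    # pad a dropped trailing cell
        if c[3] == "" and c[2] in ("tcp", "udp"):
            c[2], c[3] = "", c[2]                 # Domain was empty, Proto moved left
        country, dest, domain, proto = c[:4]
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto

def classify(row):
    """Bucket a row: local mDNS, resolver lookup, platform host, app host, or unresolved."""
    _country, ip, port, domain, _proto = row
    if ipaddress.ip_address(ip).is_multicast:
        return "mdns"                              # 224.0.0.251:5353 service discovery
    if port == 53:
        return "dns"                               # the looked-up name is in Domain
    if domain.endswith(PLATFORM_SUFFIXES):
        return "platform"
    return "app" if domain else "unresolved"

def app_specific_names(tables=NETWORK_TABLES):
    """Names looked up or contacted that are not platform background traffic."""
    return sorted({r[3] for t in tables.values() for r in parse_network(t)
                   if r[3] and not r[3].endswith(PLATFORM_SUFFIXES)})

def unresolved_endpoints(tables=NETWORK_TABLES):
    """TLS endpoints the report could not tie to a DNS answer, deduplicated."""
    return sorted({f"{r[1]}:{r[2]}" for t in tables.values()
                   for r in parse_network(t) if classify(r) == "unresolved"})

def parse_files(text):
    """Map each dropped path (lower-cased, see lead-in) to its SHA256."""
    hashes, path = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            path = line.strip().lower()
        elif line.startswith("|") and path:
            alg, value = cells(line)
            if alg == "SHA256":
                hashes[path] = value
    return hashes

def artifact_differs_across_runs(path, tables=FILE_TABLES):
    """True if the same dropped path has different SHA256 values between runs."""
    seen = {parse_files(t).get(path.lower()) for t in tables.values()} - {None}
    return len(seen) > 1

if __name__ == "__main__":
    print("app-specific names:", app_specific_names())
    print("unresolved TLS endpoints:", unresolved_endpoints())
    print("1.dat differs per run:",
          artifact_differs_across_runs("/storage/emulated/0/Download/9j/1.dat"))
```

Running it lists the two ninebox.cn names as the only app-specific destinations (everything else is the 1.1.1.1 resolver, mDNS, or Google platform traffic), the Google IPs the report could not associate with a name, and confirms that 1.dat has a different hash in every run, which is worth knowing before treating any of its hashes as an indicator.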