Malware Analysis Report

2024-09-09 17:33

Sample ID 240613-mwqwdavhng
Target a527e3067a0c86696ff75a60328f8c74_JaffaCakes118
SHA256 c3e1f72f1b44d27c824aed2453bca4c239fc6939138718b7cea8d21b01092bd2
Tags
discovery
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

c3e1f72f1b44d27c824aed2453bca4c239fc6939138718b7cea8d21b01092bd2

Threat Level: Shows suspicious behavior

The file a527e3067a0c86696ff75a60328f8c74_JaffaCakes118 was classified as showing suspicious behavior (score 6/10): it declares dangerous permissions, fingerprints the device and its network connections, and contacts a domain present on a stalkerware indicator list. Weigh that last signature with care: alog.umeng.com is the upload endpoint of the Umeng analytics SDK (the dropped mobclick_agent_cached_* file is that SDK's local event cache), which is bundled by many ordinary Chinese-market apps as well as by stalkerware, so on its own it is a weak indicator that needs corroboration from the rest of the report.

Malicious Activity Summary

discovery

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 10:49

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
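The static signature above is a manifest check: the APK requests permissions whose protectionLevel Android marks as dangerous, which on targetSdk 23 and later are granted only after a runtime prompt. The following is an added example written for this page (not sandbox tooling and not the app's code) that pulls the requested permissions out of a decoded AndroidManifest.xml, including the easily missed uses-permission-sdk-23 form, and maps them to their dangerous permission groups. The manifest is constructed for the example (the sample's real manifest is not on this page; in an APK the manifest is binary XML and must first be decoded with apktool or androguard), and the DANGEROUS table is a labelled subset of Android's list, not the complete set.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of the permissions Android declares with protectionLevel "dangerous"
# (runtime prompt on targetSdk >= 23), mapped to their permission group.
# This is an illustrative subset for the example, not the complete list.
DANGEROUS = {
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
}

# Constructed manifest for this example: the three permissions the report
# flags plus three "normal" ones (INTERNET, ACCESS_NETWORK_STATE,
# ACCESS_WIFI_STATE) that the check must not flag. Only the package name is
# taken from the report; the sample's real manifest was not available.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="oms.mmc.app.almanac_inland">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission-sdk-23 android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Every permission name the manifest requests, in document order, from
    both <uses-permission> and <uses-permission-sdk-23> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")   # attribute lives in the android namespace
            if name and name not in names:
                names.append(name)
    return names


def dangerous_permissions(manifest_xml):
    """Requested permissions that fall in the dangerous set, mapped to group."""
    return {p: DANGEROUS[p] for p in requested_permissions(manifest_xml) if p in DANGEROUS}


def permission_groups(manifest_xml):
    """Distinct dangerous groups requested: the level at which a report summarises them."""
    return sorted(set(dangerous_permissions(manifest_xml).values()))


if __name__ == "__main__":
    for perm, group in dangerous_permissions(SAMPLE_MANIFEST).items():
        print(f"{group:10} {perm}")
```

A manifest check tells you what the app is able to ask for, not what it used; the behavioral signatures in the next section (the IConnectivityManager and IWifiManager calls, the /proc reads) are the evidence that capabilities were exercised during the run.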

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 10:49

Reported

2024-06-13 10:52

Platform

android-x86-arm-20240611.1-en

Max time kernel

63s

Max time network

140s

Command Line

oms.mmc.app.almanac_inland

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

oms.mmc.app.almanac_inland

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | wap.ggwan.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 118.31.134.91:80 | wap.ggwan.com | tcp
US | 1.1.1.1:53 | dazhaxie.ggwan.com | udp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
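The Network table above mixes four kinds of rows: queries to the sandbox resolver (1.1.1.1:53), local noise (mDNS to 224.0.0.251), Android platform traffic (android.apis.google.com, plus the 142.250.x.x connections the table leaves without a domain) and the sample's own contacts. Before lifting indicators from such a table, separate those classes and match names on label boundaries; alog.umeng.co in the last row is a different name from alog.umeng.com and must not match it. The following is an added example written for this page, not sandbox code: it parses the rows exactly as printed in the original flattened form, classifies them, matches queried and contacted hosts against a constructed one-entry indicator list standing in for the echap.eu.org feed (its only entry is the domain the report names), and lists names that were resolved but never connected to. Connections without a domain are kept aside for reverse-DNS or ASN lookup rather than guessed at.

```python
import ipaddress
import re
from collections import defaultdict

# Rows copied from the Network table of this report; the Domain column is
# empty for some rows, so the regex below makes that field optional.
NETWORK_ROWS = """\
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 wap.ggwan.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 118.31.134.91:80 wap.ggwan.com tcp
US 1.1.1.1:53 dazhaxie.ggwan.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

# Hypothetical one-entry list standing in for the echap.eu.org indicator feed
# the sandbox matched against (constructed for this example).
INDICATOR_DOMAINS = {"alog.umeng.com"}
# Suffixes treated as Android platform background traffic, not sample behaviour.
PLATFORM_SUFFIXES = ("google.com",)

ROW_RE = re.compile(r"^(?P<country>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+"
                    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")


def parse_rows(text):
    """Turn the flattened 'Country Destination Domain Proto' rows into dicts."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable network row: {line!r}")
        rec = m.groupdict()          # rec["domain"] is None when the column was empty
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def is_subdomain_of(host, indicator):
    """Exact match or subdomain on a label boundary, so 'alog.umeng.co' does
    not match 'alog.umeng.com' and 'evilumeng.com' does not match 'umeng.com'."""
    return host == indicator or host.endswith("." + indicator)


def classify(records):
    """Split rows into resolver queries, local noise, platform traffic and the
    sample's own contacts (domain -> IPs, or bare IPs when no domain is known)."""
    out = {"queried": set(), "noise": set(), "platform": defaultdict(set),
           "contacts": defaultdict(set), "unattributed": set()}
    for r in records:
        ip = ipaddress.ip_address(r["ip"])
        if r["proto"] == "udp" and r["port"] == 53:      # sandbox resolver: keep the name only
            if r["domain"]:
                out["queried"].add(r["domain"])
        elif ip.is_multicast or ip.is_link_local or ip.is_private:
            out["noise"].add(r["ip"])                     # mDNS, RFC1918 and similar
        elif r["domain"] and any(is_subdomain_of(r["domain"], s) for s in PLATFORM_SUFFIXES):
            out["platform"][r["domain"]].add(r["ip"])
        elif r["domain"]:
            out["contacts"][r["domain"]].add(r["ip"])
        else:
            out["unattributed"].add(r["ip"])              # needs rDNS/ASN lookup before use
    return out


def matched_indicators(records, indicators=INDICATOR_DOMAINS):
    """{indicator: {host: [contacted IPs]}} for each queried or contacted host
    that equals, or is a subdomain of, an indicator."""
    c = classify(records)
    hits = {}
    for ind in sorted(indicators):
        for host in sorted(c["queried"] | set(c["contacts"])):
            if is_subdomain_of(host, ind):
                ips = sorted(c["contacts"].get(host, ()), key=ipaddress.ip_address)
                hits.setdefault(ind, {})[host] = ips
    return hits


def queried_not_contacted(records):
    """Names resolved but never connected to within the capture window."""
    c = classify(records)
    return sorted(c["queried"] - set(c["contacts"]) - set(c["platform"]))
```

Run against the rows above, the indicator match returns alog.umeng.com with its six 223.109.148.x addresses, wap.ggwan.com is left as an uncorroborated contact, and two names come back as resolved but never contacted within the 140 s network window: dazhaxie.ggwan.com and alog.umeng.co. Both deserve a second look before the host list is turned into a blocklist.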

Files

/data/data/oms.mmc.app.almanac_inland/files/mobclick_agent_cached_oms.mmc.app.almanac_inland

MD5 faac54715c6cf3f19617313b9d4cc601
SHA1 84c2222cbb4d698f9cd5c1f5b55a355c7e151608
SHA256 6442356e369d10c5a4fef4b6441191c9fbc196866d7abaa5ccf6a55d8716e233
SHA512 02fc5607850d45f4067d9a9c3f8735cc67eb3e4f460034370b25ec414606fed919d742f1c78f39a1336d9a009ace9e1f6c0007b3f5ac49eaae25ddc93313c99c

/storage/emulated/0/pushNotification/push.db-journal

MD5 c3cf0ba5b05b26baa032bab6b883be97
SHA1 026391669d4cc9b3416b12da18df01c107e0628f
SHA256 0eb27bf053e2826258c392af05c9b79e20be398f8e9cb8b80edff124d3723446
SHA512 c4e86d402b82d60026aeb92fd9c4345f140882a176b875bbeac2567c5842b6c324756385251fa3bbd1a106a8f3a7d6e61ef09bd4373fa3601926d19434c20f9b

/storage/emulated/0/pushNotification/push.db

MD5 7a3d914efd883da7c6d2d9dfa97c797b
SHA1 d41ab7a82ccf521efeb16a5660cbee76bbdf392a
SHA256 e63e24f4968113ff14f1b9fc9b325830bce9f1e8f00cf4d3bea52f2eac5e4e1c
SHA512 d8529d7de39599dad10dd2e92c17662c4a1fd866318591cc5a12fc677f39ba18ce90fa14adf7d6c078c9fbcd1af16fd01b9c3a55ec147b07bf07542ea2035408

/storage/emulated/0/pushNotification/push.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/storage/emulated/0/pushNotification/push.db-wal

MD5 b36ad4edee5eef1e87d662af948122ae
SHA1 30b5f11852694e711319f7bd7c8b4b831a10721b
SHA256 d31a0b465bffd2ce509031a9d3bb95717d9c5bf48d7467dc3b3cb2bae5a6a841
SHA512 50796fdfbb9e1f2f1e4aa595a2b88a58de67980ef6241ee9a2fc4dcf65c186e43bdfa5733b2ebcec99e2a3707b76e0e58ac2f8021ddd68e539bf3a51b197cdbd

/data/data/oms.mmc.app.almanac_inland/files/mobclick_agent_cached_oms.mmc.app.almanac_inland

MD5 c54669f7777a8ab230b076af27aef101
SHA1 f0324a4a1f7cf4fecf253b8719f3fd3d942e35b5
SHA256 e5f8671e62d9bd8c1596c9501b05c6efac09954068f43361adae7c5b3c92494f
SHA512 73bff9cf8a51a8d62a0b78dc826ef32d230a55f405d5431267076becce8217aa82123cbe57f9bba9c9fca5158b6c9613481990a4ce9e34c3a2b999755aa1c929