Analysis Overview
SHA256
c3e1f72f1b44d27c824aed2453bca4c239fc6939138718b7cea8d21b01092bd2
Threat Level: Shows suspicious behavior
The file a527e3067a0c86696ff75a60328f8c74_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Requests dangerous framework permissions
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Queries information about active data network
Queries information about the current Wi-Fi connection
Reads information about phone network operator
Checks memory information
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 10:49
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 10:49
Reported
2024-06-13 10:52
Platform
android-x86-arm-20240611.1-en
Max time kernel
63s
Max time network
140s
Command Line
Signatures
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
oms.mmc.app.almanac_inland
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | wap.ggwan.com | udp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 118.31.134.91:80 | wap.ggwan.com | tcp |
| US | 1.1.1.1:53 | dazhaxie.ggwan.com | udp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
Files
/data/data/oms.mmc.app.almanac_inland/files/mobclick_agent_cached_oms.mmc.app.almanac_inland
| MD5 | faac54715c6cf3f19617313b9d4cc601 |
| SHA1 | 84c2222cbb4d698f9cd5c1f5b55a355c7e151608 |
| SHA256 | 6442356e369d10c5a4fef4b6441191c9fbc196866d7abaa5ccf6a55d8716e233 |
| SHA512 | 02fc5607850d45f4067d9a9c3f8735cc67eb3e4f460034370b25ec414606fed919d742f1c78f39a1336d9a009ace9e1f6c0007b3f5ac49eaae25ddc93313c99c |
/storage/emulated/0/pushNotification/push.db-journal
| MD5 | c3cf0ba5b05b26baa032bab6b883be97 |
| SHA1 | 026391669d4cc9b3416b12da18df01c107e0628f |
| SHA256 | 0eb27bf053e2826258c392af05c9b79e20be398f8e9cb8b80edff124d3723446 |
| SHA512 | c4e86d402b82d60026aeb92fd9c4345f140882a176b875bbeac2567c5842b6c324756385251fa3bbd1a106a8f3a7d6e61ef09bd4373fa3601926d19434c20f9b |
/storage/emulated/0/pushNotification/push.db
| MD5 | 7a3d914efd883da7c6d2d9dfa97c797b |
| SHA1 | d41ab7a82ccf521efeb16a5660cbee76bbdf392a |
| SHA256 | e63e24f4968113ff14f1b9fc9b325830bce9f1e8f00cf4d3bea52f2eac5e4e1c |
| SHA512 | d8529d7de39599dad10dd2e92c17662c4a1fd866318591cc5a12fc677f39ba18ce90fa14adf7d6c078c9fbcd1af16fd01b9c3a55ec147b07bf07542ea2035408 |
/storage/emulated/0/pushNotification/push.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/storage/emulated/0/pushNotification/push.db-wal
| MD5 | b36ad4edee5eef1e87d662af948122ae |
| SHA1 | 30b5f11852694e711319f7bd7c8b4b831a10721b |
| SHA256 | d31a0b465bffd2ce509031a9d3bb95717d9c5bf48d7467dc3b3cb2bae5a6a841 |
| SHA512 | 50796fdfbb9e1f2f1e4aa595a2b88a58de67980ef6241ee9a2fc4dcf65c186e43bdfa5733b2ebcec99e2a3707b76e0e58ac2f8021ddd68e539bf3a51b197cdbd |
/data/data/oms.mmc.app.almanac_inland/files/mobclick_agent_cached_oms.mmc.app.almanac_inland
| MD5 | c54669f7777a8ab230b076af27aef101 |
| SHA1 | f0324a4a1f7cf4fecf253b8719f3fd3d942e35b5 |
| SHA256 | e5f8671e62d9bd8c1596c9501b05c6efac09954068f43361adae7c5b3c92494f |
| SHA512 | 73bff9cf8a51a8d62a0b78dc826ef32d230a55f405d5431267076becce8217aa82123cbe57f9bba9c9fca5158b6c9613481990a4ce9e34c3a2b999755aa1c929 |