Malware Analysis Report

2024-09-09 17:48

Sample ID 240613-n7gbraxgla
Target a56ee60631964e11dea6cb92da087f6b_JaffaCakes118
SHA256 a9d096152e30950093856c611c57a80461952ba12992c623a328420a00c234df
Tags: discovery, impact
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 6/10

SHA256

a9d096152e30950093856c611c57a80461952ba12992c623a328420a00c234df

Threat Level: Shows suspicious behavior

The file a56ee60631964e11dea6cb92da087f6b_JaffaCakes118 was classified as showing suspicious behavior (score 6/10). No signature maps to a named malware family and the MITRE ATT&CK matrix below is empty; the score rests on the permissions declared in the manifest and on the runtime behaviors listed in the summary.

Malicious Activity Summary

Tags: discovery, impact

Acquires the wake lock (behavioral1)
Queries information about active data network (discovery; behavioral1)
Queries information about the current Wi-Fi connection (discovery; behavioral1, behavioral2)
Requests dangerous framework permissions (static1)
Uses Crypto APIs (Might try to encrypt user data) (impact; behavioral2)
Checks CPU information (behavioral2)

None of these signatures is malicious on its own: wake locks, connectivity and Wi-Fi queries, javax.crypto use and reads of /proc/cpuinfo are routine in ordinary apps and in advertising and analytics SDKs. The per-task sections give the exact framework call or file each signature fired on. The items that deserve analyst time are the permission set (static1), the APK dropped to shared storage (behavioral1 Files) and the non-Google endpoint pushnode.gameservice.com:6225 (behavioral1 Network).

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 12:02

Signatures

Requests dangerous framework permissions

Permission                                  Description
android.permission.READ_PHONE_STATE         Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.
android.permission.CALL_PHONE               Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Process and Target are N/A for every row (this is a static task). The raw listing repeats READ_PHONE_STATE and WRITE_EXTERNAL_STORAGE three times each; the duplicates are collapsed above, leaving seven distinct permissions. SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are special-access permissions that the user enables on a Settings screen; the other five are runtime permissions prompted for in-app (API 23 and later). The pairing of SYSTEM_ALERT_WINDOW with CALL_PHONE deserves a look, because an overlay can cover the screen while a call is placed without the Dialer confirmation. WRITE_EXTERNAL_STORAGE is exercised in behavioral1, which writes an APK to /storage/emulated/0.
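A way to deduplicate and review a permission listing of this shape, as an added example that is not part of the sandbox report or its tooling. The input is the raw rows above, copied verbatim; the special-access split follows the Android permission model for API 23 and later, and the combination rules are the editor's own triage heuristics, not an Android or vendor classification.

```python
import re
from collections import OrderedDict

# Constructed input: the raw "Requests dangerous framework permissions" rows of this
# report, copied verbatim (description, permission, Process, Target run together).
RAW_ROWS = """\
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
"""

PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)")

# Granted from a Settings screen (ACTION_MANAGE_OVERLAY_PERMISSION /
# ACTION_MANAGE_WRITE_SETTINGS) rather than the runtime permission dialog on API 23+.
SPECIAL_ACCESS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
}

# Editor's triage heuristics (an assumption, not an Android or vendor classification):
# (permissions that must all be present, what the combination enables).
COMBO_RULES = [
    ({"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.CALL_PHONE"},
     "overlay + dialing without the Dialer UI: a call can be placed behind a covering window"),
    ({"android.permission.READ_PHONE_STATE", "android.permission.ACCESS_COARSE_LOCATION"},
     "telephony state + location: device and subscriber fingerprinting"),
    ({"android.permission.WRITE_EXTERNAL_STORAGE"},
     "shared-storage write: check the Files sections for dropped APKs"),
]


def parse_permissions(raw: str):
    """Return (ordered {permission: description}, number of duplicate rows dropped)."""
    perms = OrderedDict()
    dropped = 0
    for line in raw.splitlines():
        m = PERM_RE.search(line)
        if not m:
            continue  # header, blank line or other non-permission text
        name = m.group(1)
        if name in perms:
            dropped += 1
            continue
        perms[name] = line[: m.start()].strip()
    return perms, dropped


def review(raw: str) -> dict:
    """Deduplicate the listing and flag combinations an analyst should look at."""
    perms, dropped = parse_permissions(raw)
    names = set(perms)
    findings = [why for needed, why in COMBO_RULES if needed <= names]
    return {
        "unique": list(perms),
        "duplicates_removed": dropped,
        "special_access": sorted(n for n in names if n in SPECIAL_ACCESS),
        "runtime": sorted(n for n in names if n not in SPECIAL_ACCESS),
        "findings": findings,
    }


if __name__ == "__main__":
    result = review(RAW_ROWS)
    for perm in result["unique"]:
        print(perm)
    print(result["duplicates_removed"], "duplicate rows removed")
    for finding in result["findings"]:
        print("-", finding)
```

Run against the rows above it reports seven distinct permissions, four duplicate rows removed, and all three heuristic findings.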

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 12:02
Reported: 2024-06-13 12:05
Platform: android-x86-arm-20240611.1-en
Max time kernel: 128s
Max time network: 165s

Command Line

com.jiayou.dudu.egamemod

Signatures

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock (process N/A, target N/A)

Queries information about active data network (discovery)
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process N/A, target N/A)

Queries information about the current Wi-Fi connection (discovery)
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process N/A, target N/A)

Processes

com.jiayou.dudu.egamemod

com.jiayou.dudu.egamemod:ngds

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             pushnode.gameservice.com  udp
US       13.248.169.48:6225     pushnode.gameservice.com  tcp
GB       142.250.187.206:443    -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.238:443    android.apis.google.com   tcp
GB       216.58.212.202:443     -                         tcp
US       13.248.169.48:6225     pushnode.gameservice.com  tcp
US       13.248.169.48:6225     pushnode.gameservice.com  tcp

A dash marks rows where the report recorded no domain. Strip the sandbox background (mDNS to 224.0.0.251:5353, DNS to 1.1.1.1, the android.apis.google.com check-in) and one endpoint remains: pushnode.gameservice.com, resolved to 13.248.169.48 and connected to three times over TCP on port 6225. Repeated connections to a non-standard port from a game mod are the first thing to pull a pcap for. The two bare-IP 443 destinations are unattributed in this table; behavioral2 records 142.250.187.206:443 under android.apis.google.com.
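An added example, not from the report or the sandbox vendor: a triage filter that separates sandbox background traffic from sample-attributable connections in Network tables of this shape. It is fed the behavioral1 table above verbatim and applies equally to the behavioral2 to behavioral6 tables; the platform domain suffixes, the mDNS endpoint and the resolver set are assumptions to adjust for the sandbox in use.

```python
import re
from collections import Counter

# Constructed input: the behavioral1 Network table of this report, copied verbatim.
# Rows with no Domain value simply have one field fewer.
BEHAVIORAL1_NETWORK = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 pushnode.gameservice.com udp
US 13.248.169.48:6225 pushnode.gameservice.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 216.58.212.202:443 tcp
US 13.248.169.48:6225 pushnode.gameservice.com tcp
US 13.248.169.48:6225 pushnode.gameservice.com tcp
"""

# Background that every Android sandbox run produces (assumptions; tune per sandbox image).
PLATFORM_DOMAIN_SUFFIXES = ("google.com", "google-analytics.com", "gstatic.com", "googleapis.com")
MDNS = ("224.0.0.251", 5353)
RESOLVERS = {"1.1.1.1", "8.8.8.8"}

ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>[0-9.]+):(?P<port>\d+)(?: (?P<domain>[^\s:]+))? (?P<proto>tcp|udp)$"
)


def parse_rows(text: str) -> list:
    """Parse 'CC ip:port [domain] proto' rows; header lines and junk are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def classify(row: dict) -> str:
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if (ip, port) == MDNS:
        return "platform"
    if ip in RESOLVERS and port == 53:
        return "dns"
    if domain and domain.endswith(PLATFORM_DOMAIN_SUFFIXES):
        return "platform"
    if domain:
        return "sample"
    return "unattributed"  # bare IP, usually TLS; correlate with the DNS rows


def triage(text: str) -> dict:
    """Summarise what in a Network table is attributable to the sample."""
    rows = parse_rows(text)
    sample = Counter()
    dns_lookups, unattributed = set(), set()
    for r in rows:
        kind = classify(r)
        if kind == "sample":
            sample[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
        elif kind == "dns" and r["domain"]:
            dns_lookups.add(r["domain"])
        elif kind == "unattributed":
            unattributed.add((r["ip"], r["port"], r["proto"]))
    return {
        "rows": len(rows),
        "sample": dict(sample),                # endpoint -> number of connections
        "dns_lookups": sorted(dns_lookups),    # names the run resolved
        "unattributed": sorted(unattributed),  # bare-IP endpoints to pivot on
        "nonstandard_ports": sorted({p for (_, _, p, _) in sample if p not in (80, 443)}),
    }


if __name__ == "__main__":
    summary = triage(BEHAVIORAL1_NETWORK)
    for endpoint, count in summary["sample"].items():
        print("sample:", endpoint, "x", count)
    print("unattributed:", summary["unattributed"])
    print("non-standard ports:", summary["nonstandard_ports"])
```

On the behavioral1 table the only sample-attributable endpoint is pushnode.gameservice.com at 13.248.169.48:6225/tcp with three connections; the two bare 443 destinations are left for the analyst to correlate.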

Files

/storage/emulated/0/7723box_pjz.apk

MD5 c2ca346c035c9289f1d8a9e52b9843af
SHA1 3f93bb083a90da85bb5b54368219056da3c19310
SHA256 928f9ec0b8fb5ea2e10a47c904e832fc0854d0640f6d936a1961eb7abf9cef4c
SHA512 acb46a7229be9a3ae93666cefbc424cacbb28b60c483f981724da16a2f381b52e95e4d65481f9e7e946bd6dc0bc11a53bccfe9af223993ddce97c91f143f5915

An APK written to shared external storage by the com.jiayou.dudu.egamemod run, exercising the WRITE_EXTERNAL_STORAGE permission from static1. Its name shares the 7723 token with com.upgadata.up7723, the package launched in behavioral2. Retrieve the file from the sandbox and confirm the SHA256 above before treating it as a second-stage component.
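Before analysing a dropped file like this one, confirm it is the artefact the report describes. The following is an added example, not the report's tooling: it hashes a candidate file with the four algorithms listed above, compares the SHA256 to the reported value, and runs a first structural check of an APK using only the standard library. The APK bytes are constructed in memory as a placeholder, so the hash comparison is expected to fail; the "APK Sig Block 42" magic is the real marker of the v2/v3 signing block.

```python
import hashlib
import io
import zipfile

# From the behavioral1 Files section of this report.
REPORTED_PATH = "/storage/emulated/0/7723box_pjz.apk"
REPORTED_SHA256 = "928f9ec0b8fb5ea2e10a47c904e832fc0854d0640f6d936a1961eb7abf9cef4c"

# Magic that terminates the APK Signature Scheme v2/v3 block (it sits just before the
# ZIP central directory). Its presence means the file carries a modern signature.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def build_constructed_apk() -> bytes:
    """Constructed stand-in for the dropped file: a ZIP with APK-shaped entries whose
    contents are placeholders, not real manifest, dex or certificate data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 28)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")
        z.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def inspect_apk(data: bytes) -> dict:
    """Hash the bytes and run structural sanity checks at the ZIP layer."""
    info = {
        "digests": {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256", "sha512")},
        "size": len(data),
        "is_zip": False,
        "entries": [],
        "has_manifest": False,
        "has_dex": False,
        "dex_magic_ok": False,
        "v1_signature_files": [],
        "has_v2_sig_block": APK_SIG_BLOCK_MAGIC in data,
        "looks_like_apk": False,
    }
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info  # not a ZIP at all: wrong file, truncated download, or packed differently
    with z:
        names = z.namelist()
        info["is_zip"] = True
        info["entries"] = names
        info["has_manifest"] = "AndroidManifest.xml" in names
        info["has_dex"] = any(n.startswith("classes") and n.endswith(".dex") for n in names)
        if "classes.dex" in names:
            info["dex_magic_ok"] = z.read("classes.dex").startswith(b"dex\n")
        info["v1_signature_files"] = sorted(
            n for n in names
            if n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("SF", "RSA", "DSA", "EC")
        )
    info["looks_like_apk"] = info["has_manifest"] and info["has_dex"]
    return info


def matches_report(info: dict, reported_sha256: str) -> bool:
    """True only if the file is byte-identical to what the sandbox recorded."""
    return info["digests"]["sha256"] == reported_sha256.lower()


if __name__ == "__main__":
    sample = build_constructed_apk()
    info = inspect_apk(sample)
    print("sha256:", info["digests"]["sha256"])
    print("matches report:", matches_report(info, REPORTED_SHA256))
    print("looks like APK:", info["looks_like_apk"], "v1 signature files:", info["v1_signature_files"])
```

Feed the real retrieved file to inspect_apk instead of the constructed bytes; a SHA256 mismatch means you are not looking at the sample the sandbox recorded, and a ZIP with no AndroidManifest.xml or classes.dex means the "APK" extension is not to be trusted.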

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 12:02
Reported: 2024-06-13 12:05
Platform: android-x86-arm-20240611.1-en
Max time kernel: 7s
Max time network: 140s

Command Line

com.upgadata.up7723

Signatures

Queries information about the current Wi-Fi connection (discovery)
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process N/A, target N/A)

Uses Crypto APIs (Might try to encrypt user data) (impact)
Framework API call: javax.crypto.Cipher.doFinal (process N/A, target N/A)

Checks CPU information
File opened for read: /proc/cpuinfo (process N/A, target N/A)

Cipher.doFinal is the generic encrypt/decrypt entry point of the Java crypto API, and the sandbox records neither the transformation, the key nor the buffer passed to it, so this hit on its own does not show user data being encrypted; analytics, licensing and update SDKs call it routinely. Reading /proc/cpuinfo is likewise common for ABI selection and emulator detection.

Processes

com.upgadata.up7723

Network

Country  Destination            Domain                   Proto
GB       172.217.169.74:443     -                        tcp
N/A      224.0.0.251:5353       -                        udp
GB       142.250.187.238:443    -                        tcp
US       1.1.1.1:53             android.apis.google.com  udp
GB       142.250.187.206:443    android.apis.google.com  tcp

Only platform background traffic was recorded while com.upgadata.up7723 ran; the pushnode.gameservice.com endpoint from behavioral1 does not appear here.

Files

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 04e08163a2b79d697ca7b818f2fbb3d8
SHA1 532e6c175926107638fda83667b24b4bd8cb489f
SHA256 1ab5773004ff5441614a07079bcc6b86b753fbcc12fb23f455f704156f7d30f1
SHA512 919f779be91fa68b5b42dd4029af69929d7606ed74eb714551d7818db527ec33264f36512fc482949191d141e1ebbc4b9cf35c556d064db1e8cf977290f4e366

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 428f3ced1a0a45e2f94e475a207ac0da
SHA1 c1fd56bc8d959e7579701bddd63715050514ce01
SHA256 32269c87828e0082fe32b18e997a819631c09afec5972ff228102f3e8f5eba4b
SHA512 59a484916cb86f1164c4d533cfc17ef825b6598f2a4068468f8504c275883192cc762957f7eac7ad4b535980971006d03d5172cdc263505fbef768298894d414

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 758dbe501b7133e4466196576a23a80e
SHA1 7b7b1d948ddc345959ebecda3bd94b966409ca5c
SHA256 3a1465471525ab7b9598bfe4467a78575556a257e0e6702af28114cae67f6e56
SHA512 78f4ab5feae26f123296ead4b0139142f45124e9ba85e8a96a2e83e707d5690a393cf251b94b3a647800d76ffc1050026bbf6992b106b6b60310f26436f5c946

Alvin2.xml was rewritten three times (three distinct hash sets for one path) and ContextData.xml once during this run. Both live in hidden directories on shared storage rather than in the app's private data directory, which is the layout the Alibaba UTDID device-identifier SDK uses to keep an identifier that survives uninstall and is readable by other apps embedding the same SDK. Treat them as tracking-identifier persistence rather than encrypted user data unless the file contents say otherwise.

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-13 12:02
Reported: 2024-06-13 12:02
Platform: android-33-x64-arm64-20240611.1-en
Max time network: 9s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country  Destination            Domain  Proto
GB       172.217.169.36:443     -       udp
GB       172.217.169.36:443     -       tcp
BE       173.194.76.188:5228    -       tcp
GB       172.217.16.228:443     -       tcp
GB       216.58.201.106:443     -       tcp
N/A      224.0.0.251:5353       -       udp

Files: N/A

No command line, signature or process was recorded and the run ended after 9 s, so the sample did not execute on this platform. The connections are emulator background traffic: mDNS, TLS and QUIC (UDP 443) to Google-operated ranges, and TCP 5228, the port used by Google's push messaging service.

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-13 12:02
Reported: 2024-06-13 12:05
Platform: android-x86-arm-20240611.1-en
Max time network: 172s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country  Destination            Domain                   Proto
N/A      224.0.0.251:5353       -                        udp
GB       216.58.204.78:443      -                        tcp
US       1.1.1.1:53             android.apis.google.com  udp
GB       142.250.187.238:443    android.apis.google.com  tcp

Files: N/A

No sample process was recorded in this run; the traffic is the same Android check-in and mDNS background seen in the other tasks.

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-13 12:02
Reported: 2024-06-13 12:05
Platform: android-x64-20240611.1-en
Max time network: 138s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       142.250.180.8:443      ssl.google-analytics.com  tcp
GB       142.250.200.10:443     -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.206:443    android.apis.google.com   tcp
GB       172.217.169.68:443     -                         tcp
GB       172.217.169.68:443     -                         tcp
GB       142.250.200.46:443     -                         tcp
GB       216.58.212.238:443     -                         tcp
GB       142.250.200.2:443      -                         tcp

Files: N/A

No command line, signature or process was recorded, so nothing here is attributable to the sample; every destination is Google-operated (including ssl.google-analytics.com) or mDNS.

Analysis: behavioral6

Detonation Overview

Submitted: 2024-06-13 12:02
Reported: 2024-06-13 12:05
Platform: android-x64-arm64-20240611.1-en
Max time network: 133s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       142.250.187.200:443    ssl.google-analytics.com  tcp
GB       142.250.187.238:443    -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       216.58.212.238:443     android.apis.google.com   tcp
GB       142.250.179.228:443    -                         tcp
GB       142.250.179.228:443    -                         tcp

Files: N/A

As in behavioral5, no sample process was recorded; the traffic is Google Analytics, the Android check-in and mDNS, none of it attributable to the sample.