Malware Analysis Report

2024-09-09 17:34

Sample ID 240613-pmwrdasfpm
Target a587f216ea8072e41ec68ed53d9027af_JaffaCakes118
SHA256 49c8ef6d28ec25d9de155748d2e52fa35bcdfc4406c23967a411f122d741458c
Tags
discovery persistence
score
6/10


Analysis Overview

score
6/10

SHA256

49c8ef6d28ec25d9de155748d2e52fa35bcdfc4406c23967a411f122d741458c

Threat Level: Shows suspicious behavior

The file a587f216ea8072e41ec68ed53d9027af_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 12:27

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:31

Platform

android-x64-20240611.1-en

Max time kernel

88s

Max time network

138s

Command Line

com.lxwx.tom.pkxyxmp

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.lxwx.tom.pkxyxmp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | g.tom.com | udp
N/A | 10.0.0.172:80 |  | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.10:443 |  | tcp
N/A | 10.0.0.172:80 |  | tcp
N/A | 10.0.0.172:80 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
N/A | 10.0.0.172:80 |  | tcp
N/A | 10.0.0.172:80 |  | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.169.68:443 |  | tcp
GB | 172.217.169.68:443 |  | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.212.238:443 |  | tcp
GB | 142.250.200.2:443 |  | tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:30

Platform

android-x64-20240611.1-en

Max time kernel

8s

Max time network

132s

Command Line

cn.emagsoftware.gamehall

Signatures

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

cn.emagsoftware.gamehall

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.10:443 |  | tcp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 172.217.169.78:443 |  | tcp
GB | 142.250.179.226:443 |  | tcp
GB | 142.250.187.196:443 |  | tcp
GB | 142.250.187.196:443 |  | tcp
GB | 172.217.169.10:443 |  | tcp
GB | 172.217.169.14:443 |  | tcp

Files

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

/data/data/cn.emagsoftware.gamehall/databases/GameCache

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:30

Platform

android-x64-arm64-20240611.1-en

Max time kernel

8s

Max time network

133s

Command Line

cn.emagsoftware.gamehall

Signatures

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

cn.emagsoftware.gamehall

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 |  | tcp
GB | 216.58.201.100:443 |  | tcp

Files

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache-journal

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache-journal

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache-journal

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:30

Platform

android-x86-arm-20240611.1-en

Max time kernel

168s

Max time network

170s

Command Line

com.lxwx.tom.pkxyxmp

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.lxwx.tom.pkxyxmp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | g.tom.com | udp
N/A | 10.0.0.172:80 |  | tcp
N/A | 10.0.0.172:80 |  | tcp
N/A | 10.0.0.172:80 |  | tcp
GB | 216.58.212.238:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
N/A | 10.0.0.172:80 |  | tcp
N/A | 10.0.0.172:80 |  | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:30

Platform

android-x64-arm64-20240611.1-en

Max time kernel

16s

Max time network

134s

Command Line

com.lxwx.tom.pkxyxmp

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.lxwx.tom.pkxyxmp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | g.tom.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
N/A | 10.0.0.172:80 |  | tcp
N/A | 10.0.0.172:80 |  | tcp
GB | 142.250.187.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
N/A | 10.0.0.172:80 |  | tcp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
N/A | 10.0.0.172:80 |  | tcp
N/A | 10.0.0.172:80 |  | tcp
GB | 216.58.201.100:443 |  | tcp
GB | 216.58.201.100:443 |  | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:30

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

151s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.187.238:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:30

Platform

android-x64-20240611.1-en

Max time kernel

3s

Max time network

146s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 |  | tcp
GB | 142.250.179.226:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.200.46:443 |  | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:30

Platform

android-x64-arm64-20240611.1-en

Max time kernel

3s

Max time network

143s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
GB | 172.217.16.238:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
GB | 172.217.16.238:443 |  | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.68:443 |  | tcp
GB | 172.217.169.68:443 |  | tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 12:27

Reported

2024-06-13 12:30

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

152s

Command Line

cn.emagsoftware.gamehall

Signatures

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

cn.emagsoftware.gamehall

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.187.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

/data/data/cn.emagsoftware.gamehall/databases/GameCache

/data/data/cn.emagsoftware.gamehall/databases/GameCache-shm

/data/data/cn.emagsoftware.gamehall/databases/GameCache-wal
