Analysis Overview
SHA256
59c9f08faaad1a89a358f69361b98909d6497640f692d533e927701cc25c9588
Threat Level: Likely malicious
The file a74b5f768ff71f0607f06016e28baac9_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries information about running processes on the device
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Analysis: static1
Detonation Overview
Reported
2024-06-14 00:22
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
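The static signature above only says which permissions the manifest requests. Whether they are actually granted without a user prompt depends on the declared targetSdkVersion (runtime prompts exist only for targetSdkVersion 23 and above), and the risk lies in combinations rather than in any single entry. The following Python helper is an added example, not part of the sandbox report or of the analysed app: it parses an apktool-decoded AndroidManifest.xml, buckets the dangerous permissions by group, separates the two "special access" permissions, and raises a few heuristic flags. The manifest is constructed from the permission list in the table; the package name, minSdkVersion and targetSdkVersion 22 are assumptions for illustration, not values taken from the sample.

```python
"""Static pre-check of a decoded AndroidManifest.xml for dangerous permissions.

Added example; the manifest below is constructed from the report's permission
list. Package name and SDK levels are assumptions, not values from the sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix ElementTree uses for android:* attributes

# protectionLevel="dangerous" permissions (AOSP), mapped to their runtime
# group; only the entries that occur in this report are listed.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.PROCESS_OUTGOING_CALLS": "telephony",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "sensors",
    "android.permission.RECORD_AUDIO": "sensors",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# Special-access permissions: not "dangerous", granted through a Settings
# page rather than a permission dialog.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
}

# Constructed sample manifest (assumed package name and SDK levels).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="sample"/>
</manifest>
"""


def analyse_manifest(xml_text):
    """Return grouped permissions, grant model and heuristic flags for a manifest."""
    root = ET.fromstring(xml_text)
    requested = [e.get(A + "name") for e in root.iter("uses-permission")]

    # targetSdkVersion defaults to minSdkVersion, which itself defaults to 1.
    sdk = root.find("uses-sdk")
    target = 1
    if sdk is not None:
        target = int(sdk.get(A + "targetSdkVersion") or sdk.get(A + "minSdkVersion") or 1)

    groups = {}
    for p in requested:
        if p in DANGEROUS:
            groups.setdefault(DANGEROUS[p], []).append(p)
    special = [p for p in requested if p in SPECIAL]

    flags = []
    if target < 23:
        flags.append("targetSdkVersion < 23: dangerous permissions granted at install, no runtime prompt")
    telephony = set(groups.get("telephony", []))
    if {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"} <= telephony:
        flags.append("can place calls and redirect or abort outgoing calls without the dialer UI")
    if "sensors" in groups and "android.permission.SYSTEM_ALERT_WINDOW" in special:
        flags.append("camera/microphone plus overlay window: can capture while covering the screen")

    return {
        "target_sdk": target,
        "runtime_prompt": target >= 23,
        "dangerous": groups,
        "special": special,
        "unknown": [p for p in requested if p not in DANGEROUS and p not in SPECIAL],
        "flags": flags,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the real decoded manifest (`apktool d sample.apk`, then `AndroidManifest.xml` in the output directory) to replace the constructed input; the "unknown" list catches permissions outside the small table, which is where custom or vendor permissions would show up.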
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 00:22
Reported
2024-06-14 00:26
Platform
android-x86-arm-20240611.1-en
Max time kernel
6s
Max time network
140s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.nd.up91.p71
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
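The table lists every destination contacted in the 140-second network window but does not separate the framework's own background traffic from anything the app initiated. The following Python helper is an added example, not part of the report: it labels each row as mDNS discovery, a DNS lookup at the image's resolver, or a known infrastructure range, and leaves everything else as "review". The baseline (Google's 142.250.0.0/15 for the Android check-in and GMS endpoints, 1.1.1.1 as the resolver) is an assumption for illustration and should be confirmed against WHOIS/AS data before it is relied on; the rows are constructed from the Network table above.

```python
"""Label sandbox network destinations against an assumed baseline.

Added example, not part of the report. The baseline ranges are assumptions
to be verified, not an authoritative allowlist.
"""
import ipaddress

# Rows constructed from the Network table above: (country, destination, domain, proto).
ROWS = [
    ("GB", "142.250.180.14:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("GB", "142.250.187.206:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.179.238:443", "android.apis.google.com", "tcp"),
]

# Assumed baseline for a stock sandbox image (verify before use).
BASELINE_NETS = {"google": ipaddress.ip_network("142.250.0.0/15")}
BASELINE_RESOLVERS = {ipaddress.ip_address("1.1.1.1")}
MDNS = (ipaddress.ip_address("224.0.0.251"), 5353)


def classify(country, dest, domain, proto):
    """Return a label for one table row; anything outside the baseline is 'review'."""
    host, port = dest.rsplit(":", 1)
    ip, port = ipaddress.ip_address(host), int(port)
    if ip.is_multicast:
        # 224.0.0.251:5353/udp is link-local mDNS; other multicast is unexpected.
        return "mdns" if (ip, port) == MDNS and proto == "udp" else "multicast"
    if port == 53 and ip in BASELINE_RESOLVERS:
        # The Domain column records which name was looked up on that socket.
        return "dns:" + (domain or "?")
    for name, net in BASELINE_NETS.items():
        if ip in net:
            return "baseline:" + name
    return "review"


def triage(rows):
    """Label every row and collect the destinations that still need a human look."""
    labelled = [(dest, classify(c, dest, dom, proto)) for c, dest, dom, proto in rows]
    return {
        "labels": labelled,
        "needs_review": [dest for dest, label in labelled if label == "review"],
        "queried_domains": sorted({dom for _, _, dom, _ in rows if dom}),
    }


if __name__ == "__main__":
    for dest, label in triage(ROWS)["labels"]:
        print(f"{dest:22} {label}")
```

A destination outside the baseline, for example a constructed `203.0.113.5:8080`, comes back as "review"; that, not an empty list, is the case worth a closer look, together with whatever host name the app resolved just before it.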
Files
/data/data/com.nd.up91.p71/app_crashrecord/1004
| MD5 | 7c7407701e34caae6e2066334182e92c |
| SHA1 | 1bd7c42e84877b2263048d1b7612ae32b0d4bfdd |
| SHA256 | 950b0679ebc1806c2e7bc7a0951b2d571976b3fd82155a39e010d0d316f6468e |
| SHA512 | 2b973c9b6e6c6877c5ca70e625320978e1e9fd6d37d7ea0b01b8464ee74391db35bf25517bee89870f2c4d7cb912247c77bbd9bd555a5d2d6a2e6ff9d2ec8032 |
/data/data/com.nd.up91.p71/databases/bugly_db_-journal
| MD5 | 517863502240a7b975790f6a2dc9165d |
| SHA1 | 08cde592c7eb78516ebfa00b46b51f44064fee3a |
| SHA256 | 15a7a6d95b78b152f61d6a30bf89db3addb352c068b88bdfed0456706a6ad3f6 |
| SHA512 | adc6f158351d9473a7955667450ebf04ca1b5bf0584518ecedf7e020dbec8bc08a3a5559bab233c7cbe39742e09015a961b33aa8c8ccb870de0577631914f6da |
/data/data/com.nd.up91.p71/databases/bugly_db_
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.nd.up91.p71/databases/bugly_db_-shm
| MD5 | cf845a781c107ec1346e849c9dd1b7e8 |
| SHA1 | b44ccc7f7d519352422e59ee8b0bdbac881768a7 |
| SHA256 | 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7 |
| SHA512 | 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612 |
/data/data/com.nd.up91.p71/databases/bugly_db_-wal
| MD5 | ebaafad59828d936b32a67092ce0633b |
| SHA1 | f77bed9321fb390b6350bed009e0645f4744821a |
| SHA256 | 90be17e830dc7ce7520a4b0525a3488e09ad157c1a3dc02447a733a51cdd5139 |
| SHA512 | bbb179f51c6bc60e9f858772a82df0b54a57962c2d359ef7502529ce9796ee863f6716884fba65c87973862a4d8461c21d951595fc21b24c1d5c3dc687e481e8 |
/data/data/com.nd.up91.p71/app_crashrecord/1004
| MD5 | 0d210bfb2a0e1f1b4c082a6a0f79de07 |
| SHA1 | bb8ed9e364db79d1d9f2fcde3f15091893222faa |
| SHA256 | 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d |
| SHA512 | 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1 |
/data/data/com.nd.up91.p71/app_crashrecord/1002
| MD5 | 8cf08b47ad57327fdaf17000c698e905 |
| SHA1 | 9c5533c27bd020e764b75dcbea912e9e11d175bc |
| SHA256 | 749f85a214665ece23004bc858f2193e924e793350d5d31c56cd2253e6649cca |
| SHA512 | d81cbcb0366a0d94d174efd683a5dcbd9144ae1f22ac7f2366302adf71ffbea6bc6327871bf9d0b2ef9aa158d25f2c45d977d2e92a040ba1174f722141c33e74 |
/data/data/com.nd.up91.p71/databases/datalayer.db-journal
| MD5 | 1e84bba1c8a2437ac0345cc2160fe00a |
| SHA1 | 76114a7b7afa95e7ad1186050a817b21e0e5038c |
| SHA256 | 5c4a14978ebb1a01b2f3a0a56b8de9f0b0ad81e6cf798c74ab766c596baf567a |
| SHA512 | 96ec84d44ec85654d77f49cfcd7dc5810d97c0e6b1a0aac825ea68a7f1f23184cbf4b22b8843199ede2889fd49c3a4a176e8dfa4c517259b71c1e695f01af487 |
/data/data/com.nd.up91.p71/databases/datalayer.db-wal
| MD5 | 0c4559b016d49fd5b912d9a888c43476 |
| SHA1 | 6818a50c20aa839cfeba06042344015e645c7bfd |
| SHA256 | 318c2f1a13a90879aeb2c1b39d64fcb1f90de3ab4c98334a0a27bb32406d5001 |
| SHA512 | d5f74179f6f9f79f06eda51912041deb6713ceea2b57d25e1f279e9d608384a28a19053ed99f6fc982a79923f54aa1ba2257aeb1fd5e111f5b4b68a76b320958 |
/data/data/com.nd.up91.p71/databases/UcAccount.db-journal
| MD5 | e1cf135b6f1df68221662dd69063a47b |
| SHA1 | 90cf8b5116d8496650db9dc6aa596659f2b161b3 |
| SHA256 | 527b0e1982b4288ee5718c8e9a3147e5ab94672bb832981a59c42dea46180dca |
| SHA512 | fb04d94976e32979a5cdc51f2190ff1b06dcac8b468deab8a298418b8cd86729fe467986c58797a3468220c15cf5e34d79620e75255b466a685f7a71205fa271 |
/data/data/com.nd.up91.p71/databases/UcAccount.db-wal
| MD5 | 4f1ebd74508ff6cc0e6b52fa1dcba3e0 |
| SHA1 | a824058a3bc34677f3d9b5b9ccf88fc3c8414aaf |
| SHA256 | b85d7f6ff0f1646f132b39a25e2851bfa84dbc53966545791f111580e8909ccb |
| SHA512 | 5768a4fcda42ec9128825e76a1a954a4ebdfce798162dfe4e8c29cc7c1e197a45002b331b13e3fb1a0d6bc2e1b68079fec4b2d0fdfef66b8e1bb892bd8297926 |