Analysis Overview
SHA256
916c8c70c91f4106ea10e1034d10a0500577fd1698c6be593b64e5456b19dfc7
Threat Level: Shows suspicious behavior
The file a7eb06a589f09380dbf42e5dbea0698d_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Checks Android system properties for emulator presence.
Loads dropped Dex/Jar
Queries information about running processes on the device
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data)
Analysis: static1
Detonation Overview
Reported
2024-06-14 03:54
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 03:53
Reported
2024-06-14 03:59
Platform
android-x86-arm-20240611.1-en
Max time kernel
15s
Max time network
131s
Command Line
Signatures
Checks Android system properties for emulator presence.
| Description | Indicator | Process | Target |
| Accessed system property | key: ro.hardware | N/A | N/A |
| Accessed system property | key: ro.product.device | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes10.dex | N/A | N/A |
| N/A | /data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes.dex | N/A | N/A |
| N/A | /data/user/0/com.zhuoyianbeauty.beautyparkour/app_gp/1.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.zhuoyianbeauty.beautyparkour
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes10.dex --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/oat/x86/classes10.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes.dex --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_gp/1.dex --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.zhuoyianbeauty.beautyparkour/app_gp/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
Files
/data/data/com.zhuoyianbeauty.beautyparkour/app_md/x
/data/data/com.zhuoyianbeauty.beautyparkour/app_md/classes.dex
/data/data/com.zhuoyianbeauty.beautyparkour/app_md/classes10.dex
/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes10.dex
/data/user/0/com.zhuoyianbeauty.beautyparkour/app_md/classes.dex
/data/data/com.zhuoyianbeauty.beautyparkour/app_gp/t
/data/data/com.zhuoyianbeauty.beautyparkour/app_gp/1.dex
/data/user/0/com.zhuoyianbeauty.beautyparkour/app_gp/1.dex
/data/data/com.zhuoyianbeauty.beautyparkour/files/.hljrhp/hljrhp