Analysis Overview
SHA256
59c6fa98a482bc60fcbe92538d0f66b7258d5c513a62eebd50cdef11208ae13b
Threat Level: Shows suspicious behavior
The file a8444d28197e06d165e39dfdc453e9f5_JaffaCakes118 was classified as: shows suspicious behavior.
Malicious Activity Summary
Checks known Qemu pipes.
Checks Android system properties for emulator presence.
Checks Qemu related system properties.
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:09
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:09
Reported
2024-06-14 06:12
Platform
android-x86-arm-20240611.1-en
Max time kernel
3s
Max time network
159s
Command Line
Signatures
Checks Android system properties for emulator presence.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Accessed system property | key: ro.product.device | N/A | N/A |
| Accessed system property | key: ro.product.model | N/A | N/A |
| Accessed system property | key: ro.product.name | N/A | N/A |
| Accessed system property | key: ro.serialno | N/A | N/A |
| Accessed system property | key: ro.bootloader | N/A | N/A |
| Accessed system property | key: ro.bootmode | N/A | N/A |
| Accessed system property | key: ro.hardware | N/A | N/A |
Checks Qemu related system properties.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Accessed system property | key: ro.kernel.qemu.gles | N/A | N/A |
| Accessed system property | key: ro.kernel.qemu | N/A | N/A |
| Accessed system property | key: init.svc.qemud | N/A | N/A |
| Accessed system property | key: init.svc.qemu-props | N/A | N/A |
| Accessed system property | key: qemu.hw.mainkeys | N/A | N/A |
| Accessed system property | key: qemu.sf.fake_camera | N/A | N/A |
| Accessed system property | key: ro.kernel.android.qemud | N/A | N/A |
Checks known Qemu pipes.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /dev/socket/qemud | N/A | N/A |
| N/A | /dev/qemu_pipe | N/A | N/A |
Processes
com.lerays.weitt
getprop ro.product.cpu.abi
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.lerays.weitt/files/libexec.so
| Hash | Value |
| --- | --- |
| MD5 | b373c875e5f94591bef495c900b9117b |
| SHA1 | 540f1dad31b336619402a0c56715c749d60fa3a7 |
| SHA256 | 7d91ea267e66a41f11e3266f7c25dad9a02f8b798e36b66f6c7b8757eb2b8b98 |
| SHA512 | 6529d0c6c746bcfc9ab3e249bc8064f8b0246fda03dd7ba1a205985def030f8a873754f90d7b6a3ca0f7c567f66ee3e2a08b623baabf044680233000f6af45d3 |
/data/data/com.lerays.weitt/files/libexecmain.so
| Hash | Value |
| --- | --- |
| MD5 | bc0800b3b012152cb0777c37095bd112 |
| SHA1 | dbc55b0412436cde0525d31982ed4d1ee1472329 |
| SHA256 | 465d0e121f47af6242f8d62bfcb94d9574de8f59d3bb4a8f58e59f7c996e9505 |
| SHA512 | 77f28c55610ad14fad45cf5cb2bed971337d98703aaac3e4a1e10f88b9b9e754be19b6b6b28367365d662b6d63b8a7f49d4cb992f801dc85ba974af287186006 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:09
Reported
2024-06-14 06:09
Platform
android-33-x64-arm64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 216.58.204.74:443 | | tcp |
| BE | 142.251.168.188:5228 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.68:443 | | udp |
| GB | 172.217.169.68:443 | | tcp |