Analysis Overview
SHA256
30d80b3e80b4971e34a3beb9d30269e8fe31187b74b95400321e4cee31ae3cd0
Threat Level: Likely malicious
The file a861b5adf601edea92c6f5ed1178866e_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Obtains sensitive information copied to the device clipboard
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Schedules tasks to execute at a specified time
Checks memory information
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:44
Reported
2024-06-14 06:47
Platform
android-x86-arm-20240611.1-en
Max time kernel
24s
Max time network
131s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.zynga.crosswordswithfriends.hack
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 104.21.81.232:443 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 216.58.212.202:443 | | tcp |
Files
/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-journal
/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db
/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-shm
/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-wal
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:44
Reported
2024-06-14 06:47
Platform
android-x64-20240611.1-en
Max time kernel
25s
Max time network
152s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.zynga.crosswordswithfriends.hack
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 104.21.81.232:443 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| GB | 172.217.169.10:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.78:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 172.217.169.14:443 | | tcp |
Files
/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-journal
/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 06:44
Reported
2024-06-14 06:47
Platform
android-x64-arm64-20240611.1-en
Max time kernel
26s
Max time network
133s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.zynga.crosswordswithfriends.hack
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 216.58.201.106:443 | | tcp |
| GB | 216.58.201.106:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 172.67.165.196:443 | freegeoip.net | tcp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
Files
/data/user/0/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-journal
/data/user/0/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db