Malware Analysis Report

2024-09-09 17:39

Sample ID 240614-jes3matgnr
Target a88c71df45fc84aa4c51249ce5a22a50_JaffaCakes118
SHA256 75a0c29df2903ebb2c78800b38ebc3da9e65ef7fb4941f479079ea6f1347841e
Tags
discovery impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

75a0c29df2903ebb2c78800b38ebc3da9e65ef7fb4941f479079ea6f1347841e

Threat Level: Shows suspicious behavior

The file a88c71df45fc84aa4c51249ce5a22a50_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Reads information about phone network operator

Acquires the wake lock

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:35

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:35

Reported

2024-06-14 07:38

Platform

android-x86-arm-20240611.1-en

Max time kernel

149s

Max time network

183s

Command Line

com.mrcq.manba.tyy

Signatures

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.mrcq.manba.tyy

/system/bin/cat /sys/devices/system/cpu/present

/system/bin/cat /proc/cpuinfo

/system/bin/cat /proc/meminfo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | cdn.tianyuyou.cn | udp
CN | 61.160.192.101:80 | cdn.tianyuyou.cn | tcp
US | 1.1.1.1:53 | cdn1.tianyuyou.cn | udp
CN | 1.62.64.108:80 | cdn1.tianyuyou.cn | tcp
CN | 42.7.60.104:80 | cdn1.tianyuyou.cn | tcp
CN | 110.249.196.101:80 | cdn1.tianyuyou.cn | tcp
CN | 221.204.43.72:80 | cdn1.tianyuyou.cn | tcp
US | 1.1.1.1:53 | airdownload2.adobe.com | udp
US | 1.1.1.1:53 | res.cdn.junlin.xianyv.co | udp
US | 1.1.1.1:53 | airdownload2.adobe.com | udp
US | 1.1.1.1:53 | res.cdn.junlin.xianyv.co | udp
GB | 104.115.32.170:443 | airdownload2.adobe.com | tcp
CN | 123.6.40.213:80 | cdn1.tianyuyou.cn | tcp
CN | 182.254.233.92:8082 | | tcp
CN | 123.6.40.248:80 | cdn1.tianyuyou.cn | tcp
CN | 59.80.47.124:80 | cdn1.tianyuyou.cn | tcp
CN | 14.205.47.78:80 | cdn1.tianyuyou.cn | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 115.56.90.188:80 | cdn1.tianyuyou.cn | tcp
CN | 116.177.225.240:80 | cdn1.tianyuyou.cn | tcp
CN | 222.161.212.242:80 | cdn1.tianyuyou.cn | tcp
CN | 119.167.229.212:80 | cdn1.tianyuyou.cn | tcp
CN | 123.6.40.224:80 | cdn1.tianyuyou.cn | tcp
CN | 42.56.81.104:80 | cdn1.tianyuyou.cn | tcp
CN | 123.6.40.242:80 | cdn1.tianyuyou.cn | tcp
US | 1.1.1.1:53 | cdn2.tianyuyou.cn | udp
CN | 61.160.192.102:80 | cdn2.tianyuyou.cn | tcp
US | 1.1.1.1:53 | cdn3.tianyuyou.cn | udp
US | 1.1.1.1:53 | cdn4.tianyuyou.cn | udp
US | 1.1.1.1:53 | cdn5.tianyuyou.cn | udp
US | 1.1.1.1:53 | cdn6.tianyuyou.cn | udp
US | 1.1.1.1:53 | cdn7.tianyuyou.cn | udp
US | 1.1.1.1:53 | cdn8.tianyuyou.cn | udp
US | 1.1.1.1:53 | cdn9.tianyuyou.cn | udp
CN | 182.254.233.92:8082 | | tcp
CN | 182.254.233.92:8090 | | tcp

Files

/storage/emulated/0/UcQkDir/qk.dvid.txt

MD5 c2fb36fc52bc03cd5b3ab01a3e77f9c7
SHA1 8ea077b39698e4accdc50a87de0c7f5f9d821193
SHA256 b939b20624cd953f376a64ff2f1022339af2b47281a1c3d226efd3c243d03652
SHA512 6603fa6b7985f79c45d7c577cead6c7798e457af8988ca0af6494412475ad9a36eb99fc5d0b60a68d64c501da790d2da6097866325f3dc00687cc47d04b09dc9

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/META-INF/AIR/application.xml

MD5 f66d9a5bb697c37f354f96b1a219f863
SHA1 1d8bb35cf9ffda12ea46feab3b56fe10d5cfe042
SHA256 e93d569b1d90ca28bffaf071aeef8eb18847402547df277324e547645ddcb444
SHA512 3290ebe7a58b1aa182fad04f97618787835580aec8a110fca94fe6e2af02480006309c1ecfb592bb42fa804f0d315d640bf71912549dc56e9bc24134c35002b1

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/GameLoader.swf

MD5 6675ef6ab5720abe4c5fcc5f03d2cdc4
SHA1 aac4606a7b665d9cbdf27ac261b03efbf6e972a5
SHA256 62e55b4e453e87e88da05be73eea3bbff28e706a84eac85a3db9bc4e8188a1ca
SHA512 6e2286750be3db1d01471c8cc6c936073e7b9763fcccc6dab784671ba8ceafe75b83356d371edad34030a233d91dc2f4911f065a5acd71d1fa75e1d0f5268c6f

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/META-INF/AIR/extensions/com.freshplanet.KeyboardSize/META-INF/ANE/extension.xml

MD5 c8bb35e45eda1c55ae62fbb6880a2bb7
SHA1 074b79744e270a595f7f37694a388d93b5fcd412
SHA256 5d67ba5690c7d91c398130725848fd82767a0495a1a36cf54519d3b3c343d78b
SHA512 0db3eb87f1eee12f63864059e985e321c50e0037a007f7612cb2e1ab27a64374c20c7a4d2a7fa392f4732134f633f783e3f6495d7260707e4315471724da818b

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/META-INF/AIR/extensions/com.xyane.utils/META-INF/ANE/extension.xml

MD5 ebdfb3381511b36c8bcccd6a04a17ac7
SHA1 85db017629590c41cbba499f863b537be2e178c2
SHA256 359ee3304b898b5b2aa9410174b07a11e09883df256cb295292bf3136deb8e6a
SHA512 f810427be59954cc88731328101ef9b7d787eba4beef6fa5c9ca892a764e9c536390642952939d0169df85c0ae18c8f27859e08a3945fbcf3e841d4d78389fc4

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/META-INF/AIR/extensions/com.quicktq.Extension/META-INF/ANE/extension.xml

MD5 b4a9b33358507b0b73c80c965a498ea9
SHA1 a505b3e278a8095804e24f0407880cf64eb106fd
SHA256 ce482d7099ce58c2278ee66e7f1fc94b170178a59cdf8c68982b39cb09590bf5
SHA512 1d80837785a8df4960ed3a51c5cea9b2297031b1f34d6dc39a0068a6b0b32daec69fb81ad1eafba3c9e701e6da64ef208044624ef4d5636506b15da33fb2f53d

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/META-INF/AIR/extensions/com.quicktq.Extension/META-INF/ANE/Android-ARM/library.swf

MD5 0256cfb040cf0f00487b5936d6c1dc1c
SHA1 9b3a299f02e797eb5a070746848112e6aa7a9cc1
SHA256 25c17f5d9c47dedb59d01696cebeba0ddc556cef0a078b7e716652e04182c30c
SHA512 c1c6120d174dfb43a9f08accba39e4a2f66142a1056a0ef76269560729df0b181720205db6af98a09c502bc2bf44b40a0d4e0b133965350028c13b0428c25c83

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/META-INF/AIR/extensions/com.xyane.utils/META-INF/ANE/Android-ARM/library.swf

MD5 0b6d13067014907230f72d1068aab7b0
SHA1 6ebc24dbfa7f3c54071916aeb6b72cdc3d01b4b9
SHA256 2aef68d2578a1bc609f0f5ce47700ce24023bf2ac74eb2e5bce4b52946feecc1
SHA512 b0ddf61b650a51fe15c1285cb95ffa660c7521161ded50c95903cfaa4461632a50e4c2f4c9f2ac3321c95d625b9a774bdd4ec1e1c2e59c876e1c8d61cd4e9161

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/META-INF/AIR/extensions/com.freshplanet.KeyboardSize/META-INF/ANE/Android-ARM/library.swf

MD5 859750b9558d44c159c22a2c09a1b3f5
SHA1 2cd03bfbc227a8e8eb31e3c576547c2579f9cd45
SHA256 295e9a9134b74522a02e983beb966639a273052690ac4bb753f6a731053eac33
SHA512 0b17741812addc2a2cb055afd3adb104399925e990ed88b10d5fa16d9e6de2899968758d8f37b3b6a5711ed962098dea74dc8484367ccb7bb54f06c34c77c2e4

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/assets/config/config.txt

MD5 31b351eb78afe2ac5e05cf30f1737601
SHA1 f184da333a1eae783b0e80f8238af6555107aac3
SHA256 52be091328a58d83c9ecafd1a760b1d3448d025675128547d465ff0f0716b0ab
SHA512 14b2d8552770ef03806ef7b77edb88a2f919739e6e52bac0b64c55390bacc65c682e0bcca8821e59703c4439b88e0bfd3856b2c8d841f420a15148916729b45f

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/assets/loadbg3.jpg

MD5 6d7335066a75069369c681bc225c513d
SHA1 c74e0ac4595692b535adcab084f32c1423491d8b
SHA256 16239791878dee31970084f0ac5b58ea4fd42753dfea61ec67faaea627b84825
SHA512 896f821e4cd9bb3dc32a8cbbda77619210f79d6caa8eff6b23d77eedbe32cc1fd2a68edbbc46164025c9816ad52e90f57ff96b4dd6046371066718bf28da815b

/data/data/com.mrcq.manba.tyy/cache/.AIR/certificates/javaTrustStore.tmp

MD5 fa47a888a58e9c45b88b001a4ac72367
SHA1 ef46029106b6ecb561383075e43b26f3afb90fb6
SHA256 1628758e26b6106cdbd0b44a792d1e2f2705a53e7d0c606f5a5a21661008c858
SHA512 f69f21ce74990951dd1ea714ad26e62c1fac8c35d30e0c7fb057a7ccc501a32be4b2851303309c83d0f411be4af43e6afe8d24bb83bb6852f261fc5f047ab38b

/data/data/com.mrcq.manba.tyy/cache/.AIR/certificates/javaTrustConverted.tmp

MD5 716f9e5ba9b89c640a964df82c8ecd33
SHA1 b5cec8bb11901787248f0e87dd63c644bef451bb
SHA256 90654227683d65fe2db9adad80e7c13cc13a73e956462e9e25a3056d9c05a667
SHA512 1faab965ba2ecf12e979785c17549df8c118e8ca25f8e3264f3d2be8506c531e36e9e96d945e16955522aa83c7b6921de3ed0474b99042f7354d46da5b07620a

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/assets/patch/v.txt

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/assets/loading_m/jd.wdp

MD5 ce11b043c2039132fac3cdd0017f3744
SHA1 d8beb6c862ea4543293038a941662db56638c5a7
SHA256 39828e1362af8c616fd677bafe37433c8e2cf23e2e65bc41a7f3ee66844d38a9
SHA512 c5de3235beb1627dc579bca657eb08ce81c8ac9461249c8397e2ce89bcdd01a34c838b5b1eedb5c994b9e0f1780104b68d7d375fe7f00508ccbd2fddbe0e4154

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/assets/loading_m/lan.wdp

MD5 17b61021de213a2054158981974928d3
SHA1 807e94d968b9d99f1572c15232cf717fb22ad538
SHA256 8687f0d12c9f0e04ed4d34343854ce0ee708a978baeb748698a0e159b25a6f34
SHA512 9b99aa9f120355645b490cf460e5e1ca50b115cfe93a593a679e42c5f3ceac997a6e0f43fcc8c864aba7bffd7ab4707daa383590ce24e4ef6233eb4997940809

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/MobileMain.swf

MD5 860da7a6da65fe0e4a99b8de3d527d8a
SHA1 d178d0a81a53cae2651da24679263cc17633b590
SHA256 0071211a34426270a8ae83c469f7c0f5c1f473833cc6400d8fbdb5240b123bca
SHA512 60b668dd3f5c4e830928c017dd2f08668cbe926d54995562b3a79a2ea08f38646951abf6de5fb314ce7c3d8c9b6793dac5d3896ec40724ee449f99eafd5a92cb

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/assets/config/parameters.txt

MD5 69d5a1e3c492415923122dd1777e281c
SHA1 bc986a22cc400c314313ee83a7973992ff39f44f
SHA256 7f766f7cb7194884bb4ad48d77095afdbb95820340116b5a19551751914a7324
SHA512 d5520c431ab3eff4a88a177300ba459cc1c77576cec84d3d8a1a6d4cf7013ef4346bebfb03f598157499892db1ab178e3486b9dfcab19d36c0ee6b46094ed53d

/data/data/com.mrcq.manba.tyy/com.mrcq.tianzhan/Local Store/#SharedObjects/GameLoader.swf/delvers.sxx

MD5 21e0f9b99b2c17addbc8d0cc9c296b6e
SHA1 3c9b9b08650605ef03cd12aefc6087637fbab70e
SHA256 e4217dfbc6ad0a573d75616f27c53d30c3d437db7a6ee047234ae7322d67707d
SHA512 ee920fb6e4be6c5932f8b8e3db692e6968e3c38bb6b2853cf91d1b9885f00925e0e701606c58b03b522470f0197a3ce27f38dde6237329486a8d6ef219cc71d6

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/assets/ui_android.dat

MD5 00cd24f5566ef49e3dfbe72ffb550e07
SHA1 9b483e27b2b0421896cf58d7362a1b3a67ca7d59
SHA256 e9225b5e8e612990ed0b43610e08fcb46771b08733504fc7ff0add2451a74ed2
SHA512 df52cfeb58f7bd16115c8d6f8614db1da5fe1cf89700d079d9b734a13e99523dc4256101409f7d57bfef3da1a5fa9671a322f824ccff086243664859b8defe39

/data/data/com.mrcq.manba.tyy/cache/app/eb80fcb8-baec-4c9c-a64b-75cc891354eb/assets/assets/ui_xml.dat

MD5 935581e1d249e594b921c605ce1846c0
SHA1 6177588b73a2c5d25dbbbe54aadd4d05f5afae8f
SHA256 c7ee4d5d2fb46d488ea9863cd4c8edb9eb489cee484597085e7afccc6130582c
SHA512 11793e8881fa56642288eb5d14c62067fe3cb348a9de310d73aa5b5b857351bfdbd9f27d9b22e581d4b2b46cb93bccac7d100d6c44e1ba151b077029b6f98f26