Malware Analysis Report

2024-09-09 12:56

Sample ID 240614-l2tzjszblj
Target a919a52d914d17db6f1e951718e24232_JaffaCakes118
SHA256 a5a4890af6c8de34aaa7177907e0ea11595ffdfe8e873b44b04c849639c45afb
Tags: collection, discovery, evasion, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: a5a4890af6c8de34aaa7177907e0ea11595ffdfe8e873b44b04c849639c45afb

Threat level: shows suspicious behavior. The file a919a52d914d17db6f1e951718e24232_JaffaCakes118 received this verdict rather than a malicious one; no family tag is attached, and the score rests on the behaviours summarised below.

Malicious Activity Summary

Tags: collection, discovery, evasion, persistence. The sample is an Android package (com.sohomob.android.aeroplane_chess_battle_ludo_2, a board-game app by its name); the behaviours listed here are the permissions it declares plus the framework service calls observed at runtime in the three behavioural detonations.

Requests cell location

Acquires the wake lock

Queries information about active data network

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 10:02

Signatures

Requests dangerous framework permissions

Indicator and description (Process and Target are N/A for every row)
android.permission.READ_PHONE_STATE: read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE: write access to external (shared) storage.
android.permission.ACCESS_COARSE_LOCATION: approximate location.
android.permission.ACCESS_FINE_LOCATION: precise location.
android.permission.SYSTEM_ALERT_WINDOW: create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.

What this list does and does not say: the phone-state, storage and two location entries are dangerous-level runtime permissions that surface as a grant dialog on Android 6 and later. SYSTEM_ALERT_WINDOW is not a runtime permission but a special app-op the user enables from the "Display over other apps" Settings screen; it is the capability that overlay attacks (a fake login prompt drawn over a legitimate app, click hijacking) depend on, so how a game uses it is worth checking. WRITE_EXTERNAL_STORAGE has no effect once the app targets API 30 or later. Normal-level permissions that the behavioural signatures imply (INTERNET, ACCESS_NETWORK_STATE for getActiveNetworkInfo, WAKE_LOCK for acquireWakeLock) are granted at install without a prompt and are not covered by this signature.
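
Before relying on the sandbox's permission list, a reviewer would normally pull the declared permissions from the APK with `aapt dump permissions` and sort them by protection level, since the signature above only surfaces the ones the sandbox classes as dangerous. The script below is an added example written for this page, not code from the report or from the sandbox vendor; the aapt output it parses is constructed to match the permissions listed above plus the normal-level ones the behaviour implies, and the protection-level sets cover common permissions only, not the whole AOSP platform manifest.

```python
import re
from collections import Counter

# Constructed sample of `aapt dump permissions <apk>` output (aapt2 prints
# "uses-permission: name='...'", older aapt prints "uses-permission: ..."; both
# forms are parsed). Written for this example, not captured from the real APK.
AAPT_OUTPUT = """\
package: com.sohomob.android.aeroplane_chess_battle_ludo_2
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='com.google.android.c2dm.permission.RECEIVE'
"""

# Protection levels as declared in the AOSP platform manifest (subset).
# "dangerous": runtime grant dialog; "special": app-op toggled in Settings;
# "normal": granted silently at install.
DANGEROUS = {
    "READ_PHONE_STATE", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION",
    "CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "CALL_PHONE",
    "READ_CALENDAR", "BODY_SENSORS",
}
SPECIAL = {"SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES",
           "PACKAGE_USAGE_STATS", "MANAGE_EXTERNAL_STORAGE"}
NORMAL = {"INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE", "WAKE_LOCK",
          "VIBRATE", "RECEIVE_BOOT_COMPLETED", "FOREGROUND_SERVICE"}

PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?\s*$")
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?")


def parse_permissions(text):
    """Return (package, permissions in declaration order, Counter of occurrences)."""
    package, seen = None, Counter()
    for line in text.splitlines():
        line = line.strip()
        if (m := PKG_RE.match(line)):
            package = m.group(1)
        elif (m := PERM_RE.match(line)):
            seen[m.group(1)] += 1
    return package, list(seen), seen


def protection_level(permission):
    """Classify a permission name; vendor/third-party permissions come back as 'unknown'."""
    if not permission.startswith("android.permission."):
        return "unknown"
    short = permission.rsplit(".", 1)[1]
    if short in DANGEROUS:
        return "dangerous"
    if short in SPECIAL:
        return "special"
    if short in NORMAL:
        return "normal"
    return "unknown"


def permission_report(text):
    package, perms, counts = parse_permissions(text)
    by_level = {}
    for p in perms:
        by_level.setdefault(protection_level(p), []).append(p)
    short = {p.rsplit(".", 1)[1] for p in perms}
    notes = []
    if "SYSTEM_ALERT_WINDOW" in short:
        notes.append("SYSTEM_ALERT_WINDOW: draws over other apps (overlay/clickjacking vector); "
                     "granted from Settings, not a runtime dialog")
    if "WRITE_EXTERNAL_STORAGE" in short:
        notes.append("WRITE_EXTERNAL_STORAGE: no effect when targetSdk >= 30; "
                     "check targetSdkVersion in `aapt dump badging`")
    if {"ACCESS_FINE_LOCATION", "READ_PHONE_STATE"} <= short:
        notes.append("precise location + READ_PHONE_STATE: location can be tied to a "
                     "device identifier (IMEI readable by ordinary apps only before API 29)")
    return {
        "package": package,
        "by_level": by_level,
        # Repeated <uses-permission> lines are harmless but useful when diffing builds.
        "duplicates": sorted(p for p, n in counts.items() if n > 1),
        # Everything that reaches the user as a grant prompt or a Settings toggle.
        "user_grant_required": by_level.get("dangerous", []) + by_level.get("special", []),
        "notes": notes,
    }


if __name__ == "__main__":
    r = permission_report(AAPT_OUTPUT)
    print(r["package"])
    for level, names in r["by_level"].items():
        print(f"  {level}: {', '.join(names)}")
    for note in r["notes"]:
        print("  !", note)
```

Run it against real output by replacing AAPT_OUTPUT with the text of `aapt dump permissions sample.apk`; anything that lands in "unknown" is a vendor or newer platform permission that needs a manual lookup rather than a silent pass.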

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 10:02

Reported

2024-06-14 10:05

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

183s

Command Line

com.sohomob.android.aeroplane_chess_battle_ludo_2

Signatures

Requests cell location (collection, discovery, evasion)
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (Process and Target: N/A)

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock (Process and Target: N/A)

Queries information about active data network (discovery)
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process and Target: N/A)

Reads information about phone network operator (discovery)

Registers a broadcast receiver at runtime, usually to listen for system events (persistence)
Framework service call: android.app.IActivityManager.registerReceiver (Process and Target: N/A)

Processes

com.sohomob.android.aeroplane_chess_battle_ludo_2

Network

The capture is device-wide, so traffic to Google endpoints (android.apis.google.com, semanticlocation-pa.googleapis.com, www.google.com) is not necessarily generated by the sample. Rows with destination 1.1.1.1:53 are DNS lookups; on those rows Domain is the name queried, not the resolver. Rows with an empty Domain are TLS connections the sandbox could not tie to a DNS answer.

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sohomob.com udp
US 54.183.102.22:80 sohomob.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:80 www.google.com tcp
US 1.1.1.1:53 data.flurry.com udp
US 74.6.138.67:80 data.flurry.com tcp
US 54.183.102.22:80 sohomob.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.cooguo.com udp
US 54.183.102.22:80 sohomob.com tcp
HK 107.151.99.169:80 www.cooguo.com tcp
US 54.183.102.22:80 sohomob.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.179.228:80 www.google.com tcp
HK 107.151.99.169:80 www.cooguo.com tcp
GB 142.250.179.228:80 www.google.com tcp
HK 107.151.99.169:80 www.cooguo.com tcp
HK 107.151.99.169:80 www.cooguo.com tcp

Files

The downloads, downloads-journal, downloads-shm and downloads-wal entries are one SQLite database in the app's private data directory together with its rollback-journal and write-ahead-log side files; their hashes differ from run to run, as expected for a database the app writes while executing.

/data/data/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-journal

MD5 5647d623a27d317d47b8f74c2bb50b70
SHA1 53d606fe15ba49de2ed92cf87e24fcc51fa1ea88
SHA256 b9fe8d5f7f0719cfe0afad782f5de8d797f07be48f23640a0a2bf024b4a494da
SHA512 c1a57c183c7e353b6c958809765a7cbd9aed371286ddfa746d035ddf78688c3b50c702986b9392ca7bc4d49d374cf6f039f2a41c288116a1c660855fa9c7c178

/data/data/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads

MD5 e07b3465c58af2f92d31f2a1ba443bde
SHA1 9b3407e110af63e34bd755451fc471bb230fa8d8
SHA256 cd586187569b203caafc29642918a0505a04cfb8af7f54eeea386311a160b46f
SHA512 06c48ed793e56d923ce20d4683fef4d6b62f24fff7739001ff55fdd4bb7e5d8485be175a8a31ee62a766a7b8d01b8cd9b6e99732a4c6451dba534b4012bbabc3

/data/data/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-wal

MD5 b19ef6334750271fa3aaa64876867d39
SHA1 3a3485cbe417519795c3662020798adb52162ba4
SHA256 2e24feef5fdaf247801bcff07fcfed534524ecfd3657e3253a7410b8d29d04ab
SHA512 e09d9394db614a516223ff40bfadea6cb27d00b468391f2007f3bbd06c4388222898a1415dcac43ab8ae08311a66c739a19891e2f1284184bdea8d7ca15211c0

/storage/emulated/0/.android_/b

This is the one artifact written outside the app's private data directory: a file named b under a hidden dot-directory on shared external storage, which is what the WRITE_EXTERNAL_STORAGE request enables. Files placed there survive uninstalling the app and, on devices without scoped storage, are readable by any other app holding storage permission, so it is worth pulling and inspecting on its own.

MD5 0f89cd47751d3b6c53f0caf011cc5633
SHA1 214563c60938e39d0fcb9d48002b1ff3131126bd
SHA256 f36215e8925dccd33ffd15ccb864a5c335b32524924364d5cfd22d62659d66ea
SHA512 773f8afa025ac15fab4297845855b23b4c98ca5b039ef48243e58984bff14c7b85bbab084955058370bf8d64e51cc6a871996cf530e696f43f03252340fc111d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 10:02

Reported

2024-06-14 10:05

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

180s

Command Line

com.sohomob.android.aeroplane_chess_battle_ludo_2

Signatures

Requests cell location (collection, discovery, evasion)
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (Process and Target: N/A)

Queries information about active data network (discovery)
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process and Target: N/A)

Queries the unique device ID (IMEI, MEID, IMSI) (discovery)
Since Android 10 (API 29) the non-resettable identifiers behind this call are restricted to privileged and carrier apps; an ordinary app receives a SecurityException or null depending on its target SDK, so this behaviour yields data mainly on older devices.

Reads information about phone network operator (discovery)

Registers a broadcast receiver at runtime, usually to listen for system events (persistence)
Framework service call: android.app.IActivityManager.registerReceiver (Process and Target: N/A)

Processes

com.sohomob.android.aeroplane_chess_battle_ludo_2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sohomob.com udp
US 54.183.102.22:80 sohomob.com tcp
US 1.1.1.1:53 data.flurry.com udp
US 1.1.1.1:53 www.google.com udp
US 74.6.138.67:80 data.flurry.com tcp
US 54.183.102.22:80 sohomob.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 1.1.1.1:53 www.cooguo.com udp
GB 172.217.169.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 54.183.102.22:80 sohomob.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
HK 107.151.99.169:80 www.cooguo.com tcp
US 54.183.102.22:80 sohomob.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 172.217.16.228:443 www.google.com tcp
GB 142.250.200.46:443 tcp
GB 216.58.212.238:443 tcp
GB 142.250.200.2:443 tcp
GB 172.217.16.228:80 www.google.com tcp
HK 107.151.99.169:80 www.cooguo.com tcp

Files

/data/data/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-journal

MD5 56e62dbd80a0e448758d969b579e95dc
SHA1 dc40265ed4f682dc575e487605debb379a13af07
SHA256 4c42ea944635d309765b4142c0a9d31d7bcf3f3ed879b732396f5d19cb6b58f8
SHA512 9f1cd0c34d362a09bcd2b644fbe3a8d288ea0e5e4c2eeecfebe2b6b4428ae0ba83eebcb494e803c549f340d718463ca75ccbdd1421ede70d035f325441ad34a3

/data/data/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads

MD5 c6aaa4f863ecf344e5b2d8f089e2c8ab
SHA1 864dbd72dd750d017092af8043de00dc7b4ea492
SHA256 0a5c55867d3998b91573358e211750eeea4556bbb64ac7ec0bb23cb8bcb759f3
SHA512 c144a94c6030b59c7f987e9133c4fd48ca70fb683d248f1fa9ae2ac87cbe514a32107b44c454cfa1adb2210f67732cce76c1ae6cdf80df80aed560f9a497d191

/data/data/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-journal

MD5 febe9a535c9ed160252f4455f490d435
SHA1 3cbcaeadfa42bc103afa9c0094445192d3ec39a9
SHA256 19afdae1be04315b6c7d7c9bcc38d5a34380107624f02080e707fdfeaf041412
SHA512 a89e5b440bb2bf9c94d33bacff310d64ad8d3042c08d7d3365dd5a4b1bc8d2472d8426f9693d73107815886bc953eaef092a072e8d4f5fe751c55cbdaa1199e5

/data/data/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-journal

MD5 b8939edbb504297e17a568cbff841ea8
SHA1 7fdf669ee0877111787d90b903c9b5a59f3b11a3
SHA256 02d49db6e205bb0bf4ae9f02c7aff983e8915f1a3e2531203d8c9b2e346b157f
SHA512 8ca931efe39800f66b9e18ac4677891da9e0fdfa729eb4b64fbb988868291dde10fbb228ddccafd2da0cc18736ae8f06c33321d077b3d4008a817a1480f81460

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 10:02

Reported

2024-06-14 10:05

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

175s

Command Line

com.sohomob.android.aeroplane_chess_battle_ludo_2

Signatures

Requests cell location (collection, discovery, evasion)
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (Process and Target: N/A)

Queries information about active data network (discovery)
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process and Target: N/A)

Reads information about phone network operator (discovery)

Processes

com.sohomob.android.aeroplane_chess_battle_ludo_2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.10:443 tcp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 sohomob.com udp
US 54.183.102.22:80 sohomob.com tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:80 www.google.com tcp
US 1.1.1.1:53 data.flurry.com udp
US 74.6.138.66:80 data.flurry.com tcp
US 1.1.1.1:53 www.cooguo.com udp
US 54.183.102.22:80 sohomob.com tcp
HK 107.151.99.169:80 www.cooguo.com tcp
US 54.183.102.22:80 sohomob.com tcp
US 54.183.102.22:80 sohomob.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
HK 107.151.99.169:80 www.cooguo.com tcp
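
The three network tables (behavioral1 to behavioral3) are easier to act on once merged: one entry per host, which runs contacted it, which addresses and ports it was reached on, and a rough class separating the developer's own domain (derived from the package name), advertising/analytics SDK traffic, Google platform traffic the emulator generates on its own, and the remainder an analyst should pivot on. The script below is an added example written for this page, not code from the sandbox; it embeds a subset of the rows from the three tables as its sample input, and the analytics and platform suffix lists are assumptions chosen for this sample.

```python
import re
from collections import defaultdict

PACKAGE = "com.sohomob.android.aeroplane_chess_battle_ludo_2"

# A subset of the Network rows from the three behavioural detonations in this
# report, repeats dropped. Domain is empty where the sandbox saw a TLS
# connection it could not tie to a DNS answer.
DETONATIONS = {
    "behavioral1": """
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sohomob.com udp
US 54.183.102.22:80 sohomob.com tcp
US 1.1.1.1:53 data.flurry.com udp
US 74.6.138.67:80 data.flurry.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.cooguo.com udp
HK 107.151.99.169:80 www.cooguo.com tcp
GB 216.58.201.110:443 android.apis.google.com tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
US 54.183.102.22:80 sohomob.com tcp
US 74.6.138.67:80 data.flurry.com tcp
US 1.1.1.1:53 www.cooguo.com udp
HK 107.151.99.169:80 www.cooguo.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 172.217.169.68:443 tcp
""",
    "behavioral3": """
N/A 224.0.0.251:5353 udp
US 54.183.102.22:80 sohomob.com tcp
US 74.6.138.66:80 data.flurry.com tcp
US 1.1.1.1:53 www.cooguo.com udp
HK 107.151.99.169:80 www.cooguo.com tcp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
""",
}

# Country, ip:port, optional domain, proto; the domain group backtracks to empty
# on rows such as "GB 172.217.169.74:443 tcp".
ROW_RE = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")
ANALYTICS = ("flurry.com", "google-analytics.com")          # assumed SDK/telemetry suffixes
PLATFORM = ("google.com", "googleapis.com", "gstatic.com")  # assumed Google platform suffixes


def vendor_domain(package):
    """'com.sohomob.android.x' -> 'sohomob.com': the package's vendor prefix, reversed."""
    return ".".join(reversed(package.split(".")[:2]))


def under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def classify(row, first_party):
    if row["ip"] == "224.0.0.251" and row["port"] == 5353:
        return "mdns"           # link-local service discovery, no external peer
    if row["domain"] is None:
        return "unattributed"   # bare TLS endpoint; attribute via PTR/ASN before judging it
    if under(row["domain"], (first_party,)):
        return "first-party"
    if under(row["domain"], ANALYTICS):
        return "analytics"
    if under(row["domain"], PLATFORM):
        return "platform"       # usually the emulator's own Google services traffic
    return "review"


def summarise(detonations, package):
    first_party = vendor_domain(package)
    hosts = defaultdict(lambda: {"class": None, "runs": set(), "endpoints": set(), "resolved_in": set()})
    for run, text in detonations.items():
        for row in parse_rows(text):
            h = hosts[row["domain"] or row["ip"]]
            h["class"] = classify(row, first_party)
            h["runs"].add(run)
            if row["port"] == 53 and row["proto"] == "udp":
                h["resolved_in"].add(run)   # DNS query: the address on this row is the resolver
            else:
                h["endpoints"].add(f'{row["ip"]}:{row["port"]}/{row["proto"]}')
    return dict(hosts)


def review_list(hosts):
    """Hosts that are neither first-party, analytics, platform nor local: what an analyst pivots on."""
    return sorted(k for k, h in hosts.items() if h["class"] == "review")


if __name__ == "__main__":
    hosts = summarise(DETONATIONS, PACKAGE)
    for name, h in sorted(hosts.items(), key=lambda kv: kv[1]["class"]):
        print(f'{h["class"]:13} {name:40} runs={len(h["runs"])} endpoints={sorted(h["endpoints"])}')
    print("pivot on:", review_list(hosts))
```

On this input only www.cooguo.com ends up in the review list: plain HTTP to 107.151.99.169:80 in Hong Kong, contacted in all three runs, with no relation to the developer's domain or to a known SDK. The same summary also shows that semanticlocation-pa.googleapis.com was resolved in one run but never connected to, the kind of detail that is easy to miss when reading three tables by hand. Unattributed TLS endpoints are deliberately not pushed into the review list; resolve them with a PTR or ASN lookup first.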

Files

This run reports paths under /data/user/0/ rather than /data/data/; these are the same private data directory, since /data/data is a symlink to /data/user/0.

/data/user/0/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-journal

MD5 465c1b3a445316f2c1e3638585e565b3
SHA1 7380a643a50bfac2cbac4e20f68fd1ddab3b10fb
SHA256 e4d82a6caea9a72e864ca2e00e6db55de606d1991da856a7b5d7345f399ddcad
SHA512 66513c8f56d54c278d97a159586d2242e4c81bc038b6c5141ccc4de10783277e84e665dc6c03e91fd7c7bc8987d8e69833d2674d15dd1eb6757d6efe3cb196b1

/data/user/0/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads

MD5 25e789992a726d032bd536e07398e23b
SHA1 a9dd8afe6763b8ebaf001c7336905164f97fa177
SHA256 adc84a900fab366754e4fc80d1479352d4500788906b0349726ea04db43eece7
SHA512 5935e670fb6f4b31d3e20963842fcfd833c9d54ba35d737322b9c4bd89b5c1363ba68b3a1972781a1677ad5de4f14a1643ba56f83f8aced1482af52c118cb7e3

/data/user/0/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-journal

MD5 027029756dd9883b6a477df1c0037ffa
SHA1 235ec0d83cb2903c162d39f0daf92a0bf9df7884
SHA256 570b4cf8f46bbaf9e258ff2e680a63cd08856743d2fd29d4b50d4eb5667e4d9e
SHA512 1ed7a3ed26e8db81ac497be8a5e89f0eda7d5a1d83bb1c9597a478058b2f95b2cdcb92dfef207879894c3f25ee26d88127bfc278eaf14e799ee3c1a1243a6e14

/data/user/0/com.sohomob.android.aeroplane_chess_battle_ludo_2/databases/downloads-journal

MD5 906cba6a6e14cdd236df5fb751ac60a9
SHA1 7d32e75b8e6671d5424d811a901c2f567947d51a
SHA256 a3706d189b66ccbce5f002c9ac2258f75c62d9da28c5a172d990bc0e8fc33ef9
SHA512 1a83b9cd218b01d15ecba0ccebbb149806024327fb2b93b495bea686eb671b423182ef94be54fcbdd172fa9602a82acf0195f060ab16199ee4ea3469c2abec36