Analysis Overview
SHA256
503b2b5b161845f4a00466796da15c204b5cafe456d1bac0dba1e8ae0d09c729
Threat Level: Likely malicious
The file a97dcfe02c28b44dace50693e4b14016_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries information about the current nearby Wi-Fi networks
Obtains sensitive information copied to the device clipboard
Queries information about running processes on the device
Queries information about the current Wi-Fi connection
Queries information about active data network
Queries the mobile country code (MCC)
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 11:41
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 11:41
Reported
2024-06-14 11:45
Platform
android-x64-arm64-20240611.1-en
Max time kernel
66s
Max time network
132s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid76468
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.10:443 | | tcp |
| GB | 142.250.178.10:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | wendsldj.com | udp |
| NL | 78.41.204.27:80 | wendsldj.com | tcp |
| NL | 78.41.204.27:80 | wendsldj.com | tcp |
| US | 1.1.1.1:53 | ww1.wendsldj.com | udp |
| US | 199.59.243.226:80 | ww1.wendsldj.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 216.58.201.100:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | partner.googleadservices.com | udp |
| US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp |
| GB | 172.217.16.226:443 | partner.googleadservices.com | tcp |
| GB | 216.58.212.206:443 | www.adsensecustomsearchads.com | tcp |
| US | 1.1.1.1:53 | afs.googleusercontent.com | udp |
| GB | 216.58.204.65:443 | afs.googleusercontent.com | tcp |
| GB | 216.58.204.65:443 | afs.googleusercontent.com | tcp |
| GB | 216.58.201.100:443 | www.google.com | tcp |
| GB | 216.58.201.100:443 | www.google.com | tcp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
Files
/data/user/0/com.yxxinglin.xzid76468/files/umeng_it.cache
| MD5 | 144e5af91ca695fe6a3738ba4c8ecc4c |
| SHA1 | e039cba11183a921f9e9458afff619a9e89f05d8 |
| SHA256 | bfbaab28516a61bbbd184ac9711310f545edf274aedd7b8473d3d150b39ed100 |
| SHA512 | 367a4a1a5ed4f638fa46fd343f9c417e47dd76e038edf7db67ed9e342d3a54746b812a0e3fdcfa376c70a89d3a2b5b37a239c8b9324b71c365bb4bd46ca739da |
/data/user/0/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzY1MzMzOTg1
| MD5 | a383e67bee14bcd0f7c38be58a7ef51e |
| SHA1 | 38e102f7eb594ddc420b01879bdad2bad97cb46c |
| SHA256 | 6eadd369a2ac02a78f9630329931239096ea677629bacda6e9e23f6c81160ce6 |
| SHA512 | 9331a115924579e2f58fcb6b77f53936360dceb994c6657a3e65170207cddf9ccf9c70c9ebc720ff77947d24105061902cdba02c087859711bf0d35325e5f8a9 |
/data/user/0/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzY1MzY0MjQ3
| MD5 | 5b73d0145cd591500d07793ee3510699 |
| SHA1 | 9634fbf82dfba58af5660a02c659ff5b0e3b798f |
| SHA256 | 28a571037339b8053ae7608917143cef3a71bcf89de572b6e55bbdc06ad82741 |
| SHA512 | d7746e22c1a5248650d5159235c310b74f409ec8c57cea8edcbdb012456dfa677b9081a77124743ceb3124fd231a3cf6c3ba7a1123c818ea2fda18f0b73351e9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 11:41
Reported
2024-06-14 11:45
Platform
android-x86-arm-20240611.1-en
Max time kernel
3s
Max time network
131s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.yxxinglin.xzid76468
ls /sys/class/thermal
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 11:41
Reported
2024-06-14 11:45
Platform
android-x64-20240611.1-en
Max time kernel
67s
Max time network
182s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid76468
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.234:443 | | tcp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| US | 1.1.1.1:53 | ulogs.umeng.com | udp |
| CN | 223.109.148.176:443 | ulogs.umeng.com | tcp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | wendsldj.com | udp |
| NL | 78.41.204.27:80 | wendsldj.com | tcp |
| NL | 78.41.204.27:80 | wendsldj.com | tcp |
| US | 1.1.1.1:53 | ww1.wendsldj.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 199.59.243.226:80 | ww1.wendsldj.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 216.58.201.100:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | partner.googleadservices.com | udp |
| US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp |
| GB | 142.250.179.226:443 | partner.googleadservices.com | tcp |
| GB | 216.58.213.14:443 | www.adsensecustomsearchads.com | tcp |
| US | 1.1.1.1:53 | afs.googleusercontent.com | udp |
| GB | 142.250.179.225:443 | afs.googleusercontent.com | tcp |
| GB | 142.250.179.225:443 | afs.googleusercontent.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.179.226:443 | partner.googleadservices.com | tcp |
| CN | 223.109.148.177:443 | ulogs.umeng.com | tcp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| CN | 223.109.148.178:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.141:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.130:443 | ulogs.umeng.com | tcp |
| CN | 223.109.148.179:443 | ulogs.umeng.com | tcp |
Files
/data/data/com.yxxinglin.xzid76468/files/umeng_it.cache
| MD5 | 8e5c2342f629ad1dccec80ba45765347 |
| SHA1 | 33d25dbef38f764c34b4dc8ad77f33d783c9b63a |
| SHA256 | a4c7fd6d94cb6e27e6f438120c9ac816ab2c45e6c67cd92177d3d7097b99306c |
| SHA512 | 11addf16a42f8398f2e5bbb87a8c25b5ded14d004a92bcf38ffe0a84e3e814ce69eaaeb043bc7e26f47bf804de8edbc887f2457e46fb2798ba88202357a976f4 |
/data/data/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzY1MzM1NzA1
| MD5 | aa9415f32c530c227eee452220df4d68 |
| SHA1 | 2fa36239ca0cb5a755dec47f236e915afa7cdf52 |
| SHA256 | de5b2a45d9c90fd551ecba8a8f00b045f5dd4ef16f47a7cd7fa151e9ba1ff5a2 |
| SHA512 | 61f918c97d080bc12363311064d369adf7654f8eafc3262daea1b8a08e43d68469f8596fa65a9cd7f242d646a030dbb03f548e2872a8754a92d858b8de44e357 |
/data/data/com.yxxinglin.xzid76468/files/.umeng/exchangeIdentity.json
| MD5 | 877c86ff8262f401389a8183feed5084 |
| SHA1 | 5ad4ae769c751cbd40c7e12ddff3a36f415993b3 |
| SHA256 | 4bc9b9d31791e207c3083bf81e0fd5c29991c9a4e979e00d269cac6fa52c7488 |
| SHA512 | c54d1f7633dde189b349c7a73e32be8dac5574f12358e1a2c3ccba433e534dba3f0f46580c808c3c708f1359ced60dfb2f61b478528896f544900d2babfaa2b3 |
/data/data/com.yxxinglin.xzid76468/files/exid.dat
| MD5 | 162b798c0623d619ae7da02295de5e50 |
| SHA1 | fd977c594928139ebb6c6f3b3014ff0fb6bceec6 |
| SHA256 | 2c0ff049983ca195d6aba19951803f2ebd8d830f0d4a9f2732c5bcc5caaa688a |
| SHA512 | 64fc8724dbb93161e2feeb1a1a15faec716c7869d4499ed5b2ddeeea2c52b4ee77c1b270e239c3f066e8ca5ba25d47770fba77acecf5329b9dd858f508eb7146 |
/data/data/com.yxxinglin.xzid76468/files/.envelope/i==1.2.0&&1.0.0_1718365335760_envelope.log
| MD5 | 64981a96ce756eb79d7e5938b39c14c1 |
| SHA1 | 2e670c1201b84cc3efa09808667a0b1fac04df4b |
| SHA256 | 4bbe8b25880616e3475fcec686368f78a536952fa540aae42967b7c87d7828c2 |
| SHA512 | 101ad0b4c9f46389ebedade9cc43ac514a4e55a247040c6c38bff1fe48d3c77d16a555060799e329855098caf3061c68f9d2ad8d191a1cddfd55a550eda09e66 |
/data/data/com.yxxinglin.xzid76468/databases/ua.db-journal
| MD5 | f6767a082dd37d4ac8ff6c6debea0194 |
| SHA1 | ab8e81ab1f43f30db38474bdf6b4539305f1ff6a |
| SHA256 | 45a42a041b27e686a2bec7914eb12741be37dc311c90cdd3fe254df5f4aac9b0 |
| SHA512 | ed680fdbb7cdd166467009d1e838b04015834c4688b3456ebe4c9ebbb823dc2b37ddf243c7558978356a38fa8bc1443fe92dcedc80f991740ebec28c83b8b8cd |
/data/data/com.yxxinglin.xzid76468/databases/ua.db
| MD5 | b7036131b84bdf2b66c67fde18d62308 |
| SHA1 | 18b1e5a358d68c846495cab5cfef7c6679659093 |
| SHA256 | c2c0bc8842203ccf1665dbb5b3333b22ae5a6ae3ef8eafe83e7f43adf32d0295 |
| SHA512 | 256bc83e1a516a58f5d1d024d27dad3c26723df0f96e0deca6baac86d84518000212570b06996a14bcbeadff05fed05125862aba2d4aa08c15a6999563dac067 |
/data/data/com.yxxinglin.xzid76468/databases/ua.db-journal
| MD5 | 2fb0d911c0d699b159f0a479b670c4d3 |
| SHA1 | 29f53b15293f715063ef69d83b5aea45560ebb41 |
| SHA256 | 36d17fa609982824271f90bc9e87acf13b0df8c2ab8a001600a8cc7494ea5808 |
| SHA512 | 6ab524de6927ef103fbc26385aa18558912023c0265a0be8b315d0243c9311045ebb2ea0f0f826a834186b9cb4be87967814f61eb64b3d0681349daa3d913e24 |
/data/data/com.yxxinglin.xzid76468/databases/ua.db-journal
| MD5 | efa5ee33ce1c9d21c3a4617e48307ae1 |
| SHA1 | 38d51bdc2534eec74ca2a641bf2fef51b146e1e0 |
| SHA256 | f635c348234b44c7d0fba32242cc310a54d12d41c546c566e5c69236322a8095 |
| SHA512 | fe1825d40a9848891115eb0e57c1bbec66dbcba2f4c40404c35bc5aeb6de6a5d39ca9e531f7027ed7cc52b72f7d7089f4c5c303cfba15c71b0a1fb91b0197964 |
/data/data/com.yxxinglin.xzid76468/databases/ua.db-journal
| MD5 | e3abc97adbbf3815262f561aacfe6f4c |
| SHA1 | d3e22655c7e4b4985a381200d1eaa6de83209217 |
| SHA256 | 1ad23d47e7c239a7cb581dfb560419ef48f56b0247dfc733d3c0ccf3378a8d8c |
| SHA512 | 17b689878baf0581d7c30fd6122a4dcf4317a993c363d8a48545f2775524377a0ebecdbb9343d3aa8cd82e397694805d435bf64305da3d66eef905374a4f4c2c |
/data/data/com.yxxinglin.xzid76468/databases/ua.db
| MD5 | 4e3b78c0df05ef4a74b1979fcccdb080 |
| SHA1 | f814a0b66084a26b62ec2fd901f7766780e15772 |
| SHA256 | cc65d9658b1f88069a418465ffc74f39ef41833eba04db69b0042cc74639e128 |
| SHA512 | 5533aef9a095ce0b7800b99eadf1c54b8eb82e573b47e9997345b29aebaccd1b4e5a89978542738426c72a0976c4124741002711b9379eee2874973e05884faf |
/data/data/com.yxxinglin.xzid76468/files/.envelope/a==7.5.0&&1.0.0_1718365342105_envelope.log
| MD5 | 171093dd5b0137164cc5c79d206496be |
| SHA1 | ee657dc80d7b874da07c42c53549956db04a53a4 |
| SHA256 | f8a29fe0bed8cd78e2b72210b6724647873a5537b0e822c0c78bf72aa0517e40 |
| SHA512 | 656cb2ea814d6fc2e04df82d5dca5058b22fd66793a8e8ff61651d17bf3c408856db35f8a344151a758e54070acd83625d56a3e02fff311d08f9c720b8522eb0 |
/data/data/com.yxxinglin.xzid76468/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzY1MzY2MTE2
| MD5 | e48490a4bbec5f0d59854b1b551d22a2 |
| SHA1 | 796cb5ca3c9660466c1dd96d039035e052e9d07a |
| SHA256 | bb7fd25e839593beab24695b0653dc296fe06339298588b43963b541fd2cb99b |
| SHA512 | 21837d4a4992e121c5d1931f4f8852bf2e322454a86baae04ccded06def047c8e3e209254f1991d5ea09f03f227107dca6d0cb4436d5e288d5132c6d737b833f |