Analysis Overview
SHA256
fa498cfe5afae738e736455a910de45933785858125d92fa9530e8a8f6083f33
Threat Level: Likely malicious
The file a9d034cb4cc4d0111a97260da12f99fb_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Obtains sensitive information copied to the device clipboard
Queries information about running processes on the device
Queries information about the current nearby Wi-Fi networks
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Queries information about active data network
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 13:02
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 13:02
Reported
2024-06-14 13:05
Platform
android-x64-20240611.1-en
Max time kernel
64s
Max time network
147s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid538136
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.42:443 | tcp | |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | fuli.bianxianmao.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 172.217.169.42:443 | tcp | |
| GB | 142.250.187.206:443 | tcp | |
| GB | 142.250.187.194:443 | tcp | |
| GB | 172.217.169.42:443 | tcp | |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| GB | 172.217.16.228:443 | tcp | |
| GB | 172.217.16.228:443 | tcp | |
| GB | 142.250.179.238:443 | tcp |
Files
/data/data/com.yxxinglin.xzid538136/files/umeng_it.cache
| MD5 | 3d42ccc6f3e8623285a65575ea838fed |
| SHA1 | c243f3a939cf6f403b36898eba6d49026e384c3f |
| SHA256 | f0e7101e62fc9d471b720e15c93f8aec8f29d9436a737b9c9be3ef1a358f2e06 |
| SHA512 | 2cb283d33215769fcdfd98ca44a5cd47fc1734a2f9e2dab443524933417def9b32a4992d776ec2cc05312853ddac43b33b8033300ae43270492ddd40c0dae943 |
/data/data/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzcwMTU5MzIx
| MD5 | 549b53ba850a0eee1da4610bf3fb7af2 |
| SHA1 | 33842337fa73bc294dca20a77a16a7117283a121 |
| SHA256 | 1e375f52fce2a43f144a872df2400b6ce43ae57ce90e2d81f94fe44c2c1f3c67 |
| SHA512 | 70b3df8be42a4e04758749fc4ced1628bdd78672f7f33721d38d28bd5d06d755fbef15ba5d8dd383534682ae7837e2df3c4d386ccdbf9df209a8bb072ac2b0a5 |
/data/data/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzcwMTg5NDg1
| MD5 | 21bda50c7149e1600399fbb5db6ef7c9 |
| SHA1 | 835b0134ec6209fca38d55097c5e2d8ab928f5e9 |
| SHA256 | fa7122adb4a3c70b0e882b4e9a31ebc5151c9560d5e4a6c2c00999958243e772 |
| SHA512 | 6e48f6eb78c14ade8df932281ddc66e04ed8a8352c1cfd4cc0f0118fdf44ffbda2d0b5acf0788973661264475a6bd030f702c6f223f010884224ed8821b17805 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 13:02
Reported
2024-06-14 13:05
Platform
android-x64-arm64-20240611.1-en
Max time kernel
64s
Max time network
132s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid538136
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.16.238:443 | tcp | |
| GB | 172.217.16.238:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.201.106:443 | tcp | |
| GB | 216.58.201.106:443 | tcp | |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | fuli.bianxianmao.com | udp |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.75:443 | plbslog.umeng.com | tcp |
| GB | 172.217.169.68:443 | tcp | |
| GB | 172.217.169.68:443 | tcp |
Files
/data/user/0/com.yxxinglin.xzid538136/files/umeng_it.cache
| MD5 | e846d02b1316497268d4aa8b6542dcc0 |
| SHA1 | 75fef41204420eae03064de27987afef9ea4f0d9 |
| SHA256 | 5a4e0b5cf60b10601b095878c2ae1684bfcc7f334691d7e306311566254546e6 |
| SHA512 | 56106acb821d6abab40d01cfba532bb094b6b7b3016706d12b2a3d65821dc9d1ffa95d6a6899769af39fe8cb652ba15937279dc27bb83033bde3fcf4eb35713c |
/data/user/0/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzcwMTU5NTI5
| MD5 | 96eb33742d631bdbd22556162508b719 |
| SHA1 | b88bdfa8a8d88fd4598fc62934ea04e84503d23a |
| SHA256 | 74e3a0c1664b9379c4b3fe393bf569bb0aa87abcc7a00963f9dcebf2cb7faf62 |
| SHA512 | 477d553afb3eb61983e7c9e4405ee8049e08bd00330eeb536762736443591fc49db30651259157caa7fb1bfad23ed85723f6f728f1f83e9fc0464f657ffb4397 |
/data/user/0/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzcwMTg5Njgx
| MD5 | 604db0670e9bf818faa123465f5117f6 |
| SHA1 | 3a5dc6ec7c7952e8b7b15ab0963700e8e359fbd9 |
| SHA256 | 5f98be70d597b1a650e435886d98866450c7d9d17cea95532e9c9336dff2557d |
| SHA512 | 11518f019ef331b9a742fd52a8ecc5c978a1daae23b1db0d6e39259509aa418557062e2fd28aba4c449d9728aad4094fc9946a6b944e64faff8f5ff1a4cea8c9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 13:02
Reported
2024-06-14 13:05
Platform
android-x86-arm-20240611.1-en
Max time kernel
64s
Max time network
130s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.yxxinglin.xzid538136
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.74:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.73:443 | plbslog.umeng.com | tcp |
| US | 1.1.1.1:53 | fuli.bianxianmao.com | udp |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.74:443 | tcp | |
| GB | 172.217.169.74:443 | tcp | |
| US | 1.1.1.1:53 | plbslog.umeng.com | udp |
| CN | 36.156.202.68:443 | plbslog.umeng.com | tcp |
Files
/data/data/com.yxxinglin.xzid538136/files/umeng_it.cache
| MD5 | 8ceee2929466f4b3b62da8191b571d36 |
| SHA1 | f152ad1b2da2ed2524c83687fea75b0c5c17c11b |
| SHA256 | ea8913e9642b0988d5c324cb7ed05fc220710155776babe163210c1600d01070 |
| SHA512 | 698fa043bdc813c26b407ce227fce8f32c4eb122ee79cbeeed69001636470edb52ca9314165e600d1ea8c9fdc1ea44c5bc3f7086ee0aa14d0a51ff240db2ff51 |
/data/data/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzcwMTU4NTAy
| MD5 | e10feccb42b6fef5f1b3d7e036d4cd68 |
| SHA1 | bfacabab4efed661e896ecaa58b1a02ff7b8e268 |
| SHA256 | 0d31ba858c79296de6d4509145cff63af4b60bf0f6aca53379410816a1ddff87 |
| SHA512 | b0f6b8737d507a7bdde87ecfa6aee55e9320475d78df9b1e8f00b6ae2c2dd6808157cb44a4da7dee69ecfdc22b519cf9cb2e84da8f53919bd9322441dae59aa5 |
/data/data/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE4MzcwMTg4ODA1
| MD5 | ec1031ebbb2632e8ad23a534987d71f5 |
| SHA1 | 32a2dbaf48c8572fc3fc7aa930d694f7c37b9003 |
| SHA256 | 455e6d16101f4eafd28b9c15a8a03d1dd2e1c7ca08afc75b828928ac2bad714a |
| SHA512 | 511f7314c16e3d89d91738059aee9e84e3081dcacf18daea1e0dddffe66a30ba89f8af6866a37c18b2792efb4050373288bfbdded9b7905fe6fbc6db4e2b075d |