Analysis Overview
SHA256
bfd50d7a681ebbe18fbbc2b375737e1f2a54e8d7a28ceef45deb1c301020aa8a
Threat Level: Likely malicious
The file ab556e65ca96f69da7977dcad91b20bc_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Reads the contacts stored on the device.
Loads dropped Dex/Jar
Queries information about running processes on the device
Reads the content of SMS inbox messages.
Acquires the wake lock
Reads information about phone network operator.
Tries to add a device administrator.
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Queries the unique device ID (IMEI, MEID, IMSI)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 20:32
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 20:32
Reported
2024-06-14 20:35
Platform
android-x86-arm-20240611.1-en
Max time kernel
179s
Max time network
169s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar | N/A | N/A |
| N/A | /data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Reads the contacts stored on the device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://com.android.contacts/contacts | N/A | N/A |
Reads the content of SMS inbox messages.
| Description | Indicator | Process | Target |
| URI accessed for read | content://sms/inbox | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Reads information about phone network operator.
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Processes
com.kdneyuiko.xrwxr
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/oat/x86/qxvnrw.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| DE | 85.93.5.109:80 | N/A | tcp |
| GB | 216.58.204.78:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| DE | 85.93.5.109:80 | N/A | tcp |
Files
/data/data/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar
| MD5 | ff264728847ded68d9f24c9bce4686e0 |
| SHA1 | 0d1e7c3793cbb624745dc7e9500676c6cf0f7b0e |
| SHA256 | 8c56b566cc4522764cdc8755d7daa098497fb6c9cc74146e4399777803273dc7 |
| SHA512 | 697926138d8bc3de9cdea6571cce8b15b54f24ebc3f9afde665dca260d3e01d128a4a28254b8e395de697ed038fd5650e7916d9d873d5626a7c965508d1f7b49 |
/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar
| MD5 | e9e233438d90689dd4214e8a0eae6200 |
| SHA1 | e27d14532d63f24c635005ad8eee609100161d42 |
| SHA256 | 8c538b4cf04b73b168eb9ee1b52c6c393eedeeb6736b6e53df1cecd7c7e549ec |
| SHA512 | 57070ce9e281942f67d2396566afa91542d4af55834b024856bc43b93adbc9967322a8ec46dcc47e9b14a8dd908093aa9fee5c88e651335bc7d42efd57d94610 |
/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar
| MD5 | a7251a2c56502de0292795c545a0b98d |
| SHA1 | 1831a16bf6f063ca32870e344aaff5c83dbf0f58 |
| SHA256 | 5b8c194b625af412b2fb6f59d47d4723fe9cc4ca851b0654059bccf594734486 |
| SHA512 | de14465bb9dfc2f212bc7c5241dcee748491a5cc5fe669541b4973943915607f01ce045c6b6ca24aa5720fb948bd3afa91e984cb6ba785ea8eee04f672625b79 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 20:32
Reported
2024-06-14 20:35
Platform
android-x64-20240611.1-en
Max time kernel
179s
Max time network
175s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Reads the contacts stored on the device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://com.android.contacts/contacts | N/A | N/A |
Reads the content of SMS inbox messages.
| Description | Indicator | Process | Target |
| URI accessed for read | content://sms/inbox | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator.
Processes
com.kdneyuiko.xrwxr
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 172.217.169.42:443 | N/A | tcp |
| DE | 85.93.5.109:80 | N/A | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | N/A | tcp |
| GB | 142.250.187.194:443 | N/A | tcp |
| GB | 172.217.16.228:443 | N/A | tcp |
| GB | 172.217.16.228:443 | N/A | tcp |
| GB | 142.250.179.238:443 | N/A | tcp |
| DE | 85.93.5.109:80 | N/A | tcp |
Files
/data/data/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar
| MD5 | ff264728847ded68d9f24c9bce4686e0 |
| SHA1 | 0d1e7c3793cbb624745dc7e9500676c6cf0f7b0e |
| SHA256 | 8c56b566cc4522764cdc8755d7daa098497fb6c9cc74146e4399777803273dc7 |
| SHA512 | 697926138d8bc3de9cdea6571cce8b15b54f24ebc3f9afde665dca260d3e01d128a4a28254b8e395de697ed038fd5650e7916d9d873d5626a7c965508d1f7b49 |
/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar
| MD5 | e9e233438d90689dd4214e8a0eae6200 |
| SHA1 | e27d14532d63f24c635005ad8eee609100161d42 |
| SHA256 | 8c538b4cf04b73b168eb9ee1b52c6c393eedeeb6736b6e53df1cecd7c7e549ec |
| SHA512 | 57070ce9e281942f67d2396566afa91542d4af55834b024856bc43b93adbc9967322a8ec46dcc47e9b14a8dd908093aa9fee5c88e651335bc7d42efd57d94610 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 20:32
Reported
2024-06-14 20:35
Platform
android-x64-arm64-20240611.1-en
Max time kernel
179s
Max time network
177s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Reads the contacts stored on the device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://com.android.contacts/contacts | N/A | N/A |
Reads the content of SMS inbox messages.
| Description | Indicator | Process | Target |
| URI accessed for read | content://sms/inbox | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Reads information about phone network operator.
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Processes
com.kdneyuiko.xrwxr
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.206:443 | N/A | tcp |
| GB | 142.250.187.206:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 172.217.16.234:443 | N/A | tcp |
| GB | 172.217.16.234:443 | N/A | tcp |
| DE | 85.93.5.109:80 | N/A | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.228:443 | N/A | tcp |
| GB | 142.250.179.228:443 | N/A | tcp |
| DE | 85.93.5.109:80 | N/A | tcp |
Files
/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar
| MD5 | ff264728847ded68d9f24c9bce4686e0 |
| SHA1 | 0d1e7c3793cbb624745dc7e9500676c6cf0f7b0e |
| SHA256 | 8c56b566cc4522764cdc8755d7daa098497fb6c9cc74146e4399777803273dc7 |
| SHA512 | 697926138d8bc3de9cdea6571cce8b15b54f24ebc3f9afde665dca260d3e01d128a4a28254b8e395de697ed038fd5650e7916d9d873d5626a7c965508d1f7b49 |
/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar
| MD5 | e9e233438d90689dd4214e8a0eae6200 |
| SHA1 | e27d14532d63f24c635005ad8eee609100161d42 |
| SHA256 | 8c538b4cf04b73b168eb9ee1b52c6c393eedeeb6736b6e53df1cecd7c7e549ec |
| SHA512 | 57070ce9e281942f67d2396566afa91542d4af55834b024856bc43b93adbc9967322a8ec46dcc47e9b14a8dd908093aa9fee5c88e651335bc7d42efd57d94610 |