Malware Analysis Report

2024-09-09 16:01

Sample ID: 240615-aa91xavhmm
Target: ac221059f7e5dc0ee25fd653768a342d_JaffaCakes118
SHA256: 4df7d83aac260de02169b2e1fb2c1b3fcd15e0b68647bc23d63762239718b757
Tags: discovery persistence collection credential_access impact
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 4df7d83aac260de02169b2e1fb2c1b3fcd15e0b68647bc23d63762239718b757

Threat level: shows suspicious behavior

The file ac221059f7e5dc0ee25fd653768a342d_JaffaCakes118 was classified as showing suspicious behavior (score 7/10). The sample is an Android application; its package name, com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad, and the c-launcher.com backend domains in the network tables identify it as a theme package for the C Launcher launcher.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard (the sample registers a clipboard change listener; seen in behavioral2 and behavioral3)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org. The matched domain is alog.umeng.com, the logging endpoint of the Umeng analytics SDK; the mobclick_agent_sealed_* file the sample writes under files/ is consistent with that SDK (MobclickAgent is its main class). Umeng is embedded in many legitimate Chinese apps as well as in stalkerware, so this match on its own is weak evidence of stalkerware.

Queries the mobile country code (MCC). The logged call, ITelephony.getNetworkCountryIsoForPhone, returns the ISO country code of the registered network rather than the numeric MCC.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions (WRITE_EXTERNAL_STORAGE, READ_PHONE_STATE)

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information (reads /proc/cpuinfo)

Checks memory information (reads /proc/meminfo)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-15 00:01

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 00:01
Reported: 2024-06-15 00:04
Platform: android-x86-arm-20240611.1-en
Max time kernel: 64s
Max time network: 169s

Command Line

com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | receive.client.c-launcher.com | udp
SG | 54.251.178.82:80 | receive.client.c-launcher.com | tcp
US | 1.1.1.1:53 | api.c-launcher.com | udp
SG | 3.0.217.185:80 | api.c-launcher.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
GB | 216.58.212.202:443 | | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad/files/uuid.md

MD5 5d3f058ad2357a1eb0aff83197be2d5c
SHA1 e7f1262ad454357f13afdb344768c9fe1060f791
SHA256 3136c417424734fd690f3536171628726536c20702ba27e590284f6b8d5db5a3
SHA512 217abbe7afcda9327a7b8cb3edfba6617d81fb02e9ee5698b6fe04993f7938bc49e8232cd2b8728d56dfd6818020c749549482828dc9b5b375460dd21f149a2b

/data/data/com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad/files/mobclick_agent_sealed_com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad

MD5 f3a851d12bb87e4099dd3e37deebf9d2
SHA1 775e42057a7bff3fa80af7d0958ee71279a8e060
SHA256 4416b038bdeb4df083088eb737b7098e1268cf3dd12c76c2b215be547a5cf76e
SHA512 9c5cf40355fae0f01c4bff13b48350da227bb70a9de3f5cdf46b40f6d6f1735881aa706bebffd758c920f29afa1c83110ce8c1b8ac1829c8af8f6bf73bfe112b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 00:01
Reported: 2024-06-15 00:04
Platform: android-x64-20240611.1-en
Max time kernel: 21s
Max time network: 161s

Command Line

com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad

Signatures

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.228:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | api.c-launcher.com | udp
US | 1.1.1.1:53 | receive.client.c-launcher.com | udp
SG | 52.220.64.57:80 | api.c-launcher.com | tcp
SG | 54.251.178.82:80 | receive.client.c-launcher.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 216.58.212.234:443 | g.tenor.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.194:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
BE | 64.233.166.188:5228 | | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.204.78:443 | www.youtube.com | udp
GB | 216.58.204.78:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 66.102.1.84:443 | accounts.google.com | tcp

Files

/data/data/com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad/files/uuid.md

MD5 c678ed8ca6be188b69e93baddecd7d70
SHA1 accd8e9f07f7d87997d01a5f5d78ae341241046d
SHA256 a6dc0943b2558e2601993b44cf23e9e3e5b01753d5d77ced1b00a467eef65f79
SHA512 8812be74c7ffc8309afed30530c11f7588363b078e79c202f2d2312714fc340ab23d85078f1d6262eda0530f0ad30543a1e23b9bd1ec874484f14bde2081a80e

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 00:01
Reported: 2024-06-15 00:04
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 123s
Max time network: 132s

Command Line

com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad

Signatures

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
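The framework calls and /proc reads above (and the same signatures in behavioral1 and behavioral2) are runtime observations; the static counterpart is to check whether the APK's bytecode actually references those APIs. The following is an added example, not code from the report or from the sandbox vendor: it parses the string table of a DEX file with the standard library only (header fields string_ids_size/string_ids_off, then uleb128-prefixed MUTF-8 string_data_items) and looks for the method names and paths behind each signature. The SIGNATURE_STRINGS mapping is this example's own choice; the method names are the public TelephonyManager/ClipboardManager equivalents of the binder interfaces the sandbox logged. The SAMPLE_DEX blob is constructed inline so the scan runs offline; scan_apk does the same against a real APK.

```python
"""Added example: statically cross-check the sandbox's behavioural signatures by
scanning an APK's classes*.dex string tables for the flagged framework method
names and /proc paths. Standard library only."""
import struct
import zipfile

# Analyst mapping (assumption of this example, not part of the report):
# sandbox signature -> literal strings a DEX that exercises it carries.
# registerReceiver and getConnectionInfo are common in benign apps: context only.
SIGNATURE_STRINGS = {
    "clipboard listener": ("addPrimaryClipChangedListener", "getPrimaryClip"),
    "device identifiers": ("getDeviceId", "getImei", "getMeid", "getSubscriberId"),
    "active data network": ("getActiveNetworkInfo",),
    "wifi connection info": ("getConnectionInfo",),
    "network country": ("getNetworkCountryIso",),
    "runtime receiver": ("registerReceiver",),
    "cpu/memory probing": ("/proc/cpuinfo", "/proc/meminfo"),
    "umeng analytics sdk": ("Lcom/umeng/", "MobclickAgent"),
}


def read_uleb128(buf, off):
    """Decode an unsigned LEB128 integer at buf[off]; return (value, next offset)."""
    value = shift = 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def encode_uleb128(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def dex_strings(dex):
    """Return every entry of a DEX string table in index order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # header_item: string_ids_size at 0x38, string_ids_off at 0x3C (uint32 LE)
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        # string_data_item: uleb128 UTF-16 length, MUTF-8 bytes, NUL terminator
        _utf16_len, p = read_uleb128(dex, data_off)
        raw = dex[p:dex.index(b"\x00", p)]
        # MUTF-8 encodes U+0000 as C0 80 and non-BMP characters as surrogate pairs
        out.append(raw.replace(b"\xc0\x80", b"\x00").decode("utf-8", "surrogatepass"))
    return out


def scan_dex(dex):
    """Map each signature to the DEX strings that contain one of its markers."""
    strings = dex_strings(dex)
    hits = {}
    for name, markers in SIGNATURE_STRINGS.items():
        matched = sorted({s for s in strings if any(m in s for m in markers)})
        if matched:
            hits[name] = matched
    return hits


def scan_apk(path):
    """An APK is a zip; scan every classes*.dex inside it (multidex aware)."""
    hits = {}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                for sig, matched in scan_dex(z.read(name)).items():
                    hits.setdefault(sig, set()).update(matched)
    return {k: sorted(v) for k, v in hits.items()}


def build_test_dex(strings):
    """Constructed input: a minimal DEX-shaped blob holding only a header,
    string_ids and string_data, enough for dex_strings/scan_dex to run offline."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    ids_off = 0x70
    data_start = ids_off + 4 * len(strings)
    ids, data = b"", b""
    for s in strings:
        enc = s.encode("utf-8", "surrogatepass").replace(b"\x00", b"\xc0\x80")
        ids += struct.pack("<I", data_start + len(data))
        data += encode_uleb128(len(s)) + enc + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header) + ids + data


# Constructed sample strings of the kind a DEX from this sample would carry.
SAMPLE_DEX = build_test_dex([
    "Landroid/content/ClipboardManager;",
    "addPrimaryClipChangedListener",
    "/proc/cpuinfo",
    "getDeviceId",
    "Lcom/umeng/analytics/MobclickAgent;",
    "uuid.md",
])

if __name__ == "__main__":
    for sig, matched in scan_dex(SAMPLE_DEX).items():
        print(f"{sig}: {matched}")
```

A hit on addPrimaryClipChangedListener in the string table confirms the clipboard signature is intrinsic to the package rather than to a loaded plugin or downloaded code; the reverse does not hold, since strings can be built at runtime or live in a dynamically loaded DEX, so a miss only moves the question to the files the sample fetches from its c-launcher.com backend.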

Processes

com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.234:443 | | tcp
GB | 172.217.16.234:443 | | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | receive.client.c-launcher.com | udp
SG | 54.251.178.82:80 | receive.client.c-launcher.com | tcp
US | 1.1.1.1:53 | api.c-launcher.com | udp
SG | 52.220.64.57:80 | api.c-launcher.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
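The three Network tables in this report mix the sample's own traffic with sandbox resolver queries (1.1.1.1:53), mDNS (224.0.0.251:5353) and Google/Android platform background traffic from the emulator image. The following is an added example, not part of the report: it parses rows in the report's flattened form (space- or pipe-separated, with the Domain column empty for connections the sandbox could not tie to a name), discards the noise, and returns the sample's own destinations, which of them are cleartext, and which names were resolved but never contacted. The PLATFORM_SUFFIXES list is this example's assumption about what counts as emulator background traffic; the embedded rows are copied from the behavioral3 table above.

```python
"""Added example: triage a sandbox Network table by separating resolver and mDNS
chatter and Android platform background traffic from the sample's own
destinations, then report cleartext endpoints and domains resolved but never
contacted. Standard library only."""
import ipaddress
from collections import defaultdict

# Assumption of this example: these suffixes are Google/Android platform traffic
# generated by the emulator image, not infrastructure belonging to the sample.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com",
                     "youtube.com", "tenor.com")

# Rows copied from the behavioral3 Network table of this report.
BEHAVIORAL3_NETWORK = """
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 receive.client.c-launcher.com udp
SG 54.251.178.82:80 receive.client.c-launcher.com tcp
US 1.1.1.1:53 api.c-launcher.com udp
SG 52.220.64.57:80 api.c-launcher.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""


def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows, space- or pipe-separated.
    Domain is absent for connections the sandbox could not tie to a DNS answer."""
    rows = []
    for line in text.splitlines():
        parts = line.replace("|", " ").split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue  # header, blank or malformed line
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None,
                     "proto": parts[-1]})
    return rows


def classify(row):
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"         # query to the sandbox resolver, not a contact with the name
    if ipaddress.ip_address(row["ip"]).is_multicast:
        return "mdns"        # 224.0.0.251:5353 local service discovery
    if row["domain"] is None:
        return "unresolved"
    return "platform" if is_platform(row["domain"]) else "app"


def triage(text):
    resolved = set()
    app = defaultdict(lambda: defaultdict(set))  # domain -> port -> {ip}
    for r in parse_rows(text):
        kind = classify(r)
        if kind == "dns" and r["domain"]:
            resolved.add(r["domain"])
        elif kind == "app":
            app[r["domain"]][r["port"]].add(r["ip"])
    return {
        "app": {d: {p: sorted(ips) for p, ips in ports.items()} for d, ports in app.items()},
        # port 80: the telemetry payload crosses the network in cleartext
        "cleartext": sorted(d for d, ports in app.items() if 80 in ports),
        # resolved but never connected: worth a second look in the pcap
        "dns_only": sorted(d for d in resolved if d not in app and not is_platform(d)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(BEHAVIORAL3_NETWORK), indent=2))
```

On the behavioral3 rows this leaves three sample-owned domains, all reached over plain HTTP on port 80 (alog.umeng.com across six 223.109.148.0/24 addresses, api.c-launcher.com, receive.client.c-launcher.com), and one name, alog.umeng.co, that was resolved but never connected to. Those three domains, not the Google endpoints, are the indicators worth carrying into a blocklist or a network detection.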

Files

/data/user/0/com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad/files/uuid.md

MD5 1bed19e748e65eee7ebd188f29918259
SHA1 e8e7f21b2fe1af1e411d5d1de29f1b1795073392
SHA256 73031b2f918bc24f79057f91f488fc7828c00dbf00461be58be836f076be64fb
SHA512 70b3f5a77b9dc091aadc6815c1d8080ef7b89c750ff2e32ee7697df5db69718e04b8141e78075d4182b729deb244171d0db552895fa0e790865e6c17be33c33e

/data/user/0/com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad/files/mobclick_agent_sealed_com.cyou.cma.clauncher.theme.v545ae1c23affdfb0752f15ad

MD5 dba931e51660ac2b26408c4dea7b2ca8
SHA1 637ae2b75fb03f1ee4a875879e0bef5726ae117b
SHA256 ecbaffc3daa6c0e591ffecfa6a3ec6d1cb6193e9ce34aa1dddc39d21372e5d6a
SHA512 494e165626d14c6ddb36f6cf30fc7e1c9b9cfd5c0177c4ec94a33ababd6418bec83c53854e3a93257aa4c4e223aa117cfadbb0a5b0c50307ecebe5bbd0bbb775