Malware Analysis Report

2024-09-09 16:00

Sample ID: 240615-atfleawemk
Target: ac3ac9cc7970a5668c9516d38afe51a4_JaffaCakes118
SHA256: b5f3947e12df86e739ecbb2250c8c354701a75cebe29544640048ecc145f519c
Tags: collection credential_access discovery impact persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: b5f3947e12df86e739ecbb2250c8c354701a75cebe29544640048ecc145f519c

Threat Level: Shows suspicious behavior

The file ac3ac9cc7970a5668c9516d38afe51a4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery impact persistence

Obtains sensitive information copied to the device clipboard

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-15 00:30

Signatures

Requests dangerous framework permissions

Indicator                                  Process  Target  Description
android.permission.READ_PHONE_STATE        N/A      N/A     Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE  N/A      N/A     Allows an application to write to external storage.
android.permission.SYSTEM_ALERT_WINDOW     N/A      N/A     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 00:30
Reported: 2024-06-15 00:33
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 123s
Max time network: 132s

Command Line

com.quizman.footballstar01

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description             Indicator                                                 Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  N/A      N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description  Indicator       Process  Target
N/A          alog.umeng.com  N/A      N/A

Queries information about active data network

Tags: discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description             Indicator                                        Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Reads information about phone network operator

Tags: discovery

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.quizman.footballstar01

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           alog.umeng.com            udp
CN       223.109.148.176:80   alog.umeng.com            tcp
US       1.1.1.1:53           www.startappexchange.com  udp
DE       152.70.183.52:80     www.startappexchange.com  tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       216.58.201.104:443   ssl.google-analytics.com  tcp
US       1.1.1.1:53           eula.ad-market.mobi       udp
US       34.211.97.45:80      eula.ad-market.mobi       tcp
CN       223.109.148.178:80   alog.umeng.com            tcp
GB       142.250.187.238:443  N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.200.46:443   android.apis.google.com   tcp
CN       223.109.148.179:80   alog.umeng.com            tcp
CN       223.109.148.141:80   alog.umeng.com            tcp
GB       142.250.179.228:443  N/A                       tcp
GB       142.250.179.228:443  N/A                       tcp
CN       223.109.148.130:80   alog.umeng.com            tcp
CN       223.109.148.177:80   alog.umeng.com            tcp
US       1.1.1.1:53           alog.umeng.co             udp
CN       223.109.148.176:80   alog.umeng.com            tcp
CN       223.109.148.178:80   alog.umeng.com            tcp
CN       223.109.148.179:80   alog.umeng.com            tcp
CN       223.109.148.141:80   alog.umeng.com            tcp
CN       223.109.148.130:80   alog.umeng.com            tcp
CN       223.109.148.177:80   alog.umeng.com            tcp

Files

/data/user/0/com.quizman.footballstar01/files/eula.zip

MD5 1a6d49d2adb9303a161a950db2de3927
SHA1 3f9a3ff691d967a4bc3bdffe6327cfab0c416ef4
SHA256 2eec668519c3ac15ba5e1c7bb8d83abb9bf935a32bde220e42a7047d66c824d2
SHA512 6459e8004f34945396fcec424bc37e34c7f86483a63a74a9bca2e9c70791cb0fda0ccb23b72944167693c7c71b418db41acd08dc83f2bf55594a02c5725fa4cb

/data/user/0/com.quizman.footballstar01/files/offline_eula_footer.html

MD5 9818dabc2eb86d5f4f071e9d67334570
SHA1 117e7978c9293d86ea5492b90a4999cc24225dbb
SHA256 1f075332b57fdfbb9417718f3c0d9f27ffbb2c135b3291aca4b9f2911d7e9e3b
SHA512 79937390d4b02688abb0e24cef356024c3dbd3cd59d85ea3300556af59f0648293ed24fb5db740a4329fdddccf43af3b7679135555397a3adedd3eeccf5423a0

/data/user/0/com.quizman.footballstar01/files/offline_eula_body.html

MD5 7813643485a5318f68291e87315a6fca
SHA1 207f1059f5ea34b0fc4011848fa4682608d26443
SHA256 c0487218c63d176ff68c0c6bc91866222ad9ae6420ea6fdf06790ff01a1db918
SHA512 e571984238e162b5d2c61973fa62645950f69b2a75a0c7b11d6854c9b89ab0164475c96515b7c48c8d60926c90f439e7c172d5df00b11413bd6584b0d0b3f19c

/data/user/0/com.quizman.footballstar01/files/mobclick_agent_cached_com.quizman.footballstar01

MD5 13e4996938efbeebaa9b0518516c6db8
SHA1 a1b236af01bdf244339c31967761b249bfe7292b
SHA256 2fa4cda0a32dbf2d184ff03f6ebf2c27b251e673727572c15ef429ad4c861375
SHA512 357ccb9782c88297f8b7b043cd2cee42296fcaa8f7bdeacd26303da25018a9bc582a362499b18f6097ad8469e860dd291f83d2e7a496a03a1952dc6c7b5f15f0

/data/user/0/com.quizman.footballstar01/files/mobclick_agent_cached_com.quizman.footballstar01

MD5 6385ea453395936addd769b56a0e80b5
SHA1 4d109213eabe89ac37c155ca809764c523bb46c7
SHA256 40548d5f062f0ced591fa570339dab30bc9497f173b4342077f1e0a0bbc9dcf8
SHA512 d09d53dd101eae876e2d508deeda360ea16f0d861cc4c0d1e16745a2a6df26757cac645786c06bae781796dc6816cb4de3258075a622e8ec04ff0dd21365c1af

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 00:30
Reported: 2024-06-15 00:33
Platform: android-x86-arm-20240611.1-en
Max time kernel: 123s
Max time network: 138s

Command Line

com.quizman.footballstar01

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description  Indicator       Process  Target
N/A          alog.umeng.com  N/A      N/A

Queries information about active data network

Tags: discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description             Indicator                                        Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Queries the mobile country code (MCC)

Tags: discovery
Description             Indicator                                                               Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  N/A      N/A

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.quizman.footballstar01

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           alog.umeng.com            udp
CN       223.109.148.179:80   alog.umeng.com            tcp
US       1.1.1.1:53           www.startappexchange.com  udp
DE       132.145.224.90:80    www.startappexchange.com  tcp
US       1.1.1.1:53           eula.ad-market.mobi       udp
US       34.211.97.45:80      eula.ad-market.mobi       tcp
CN       223.109.148.130:80   alog.umeng.com            tcp
GB       216.58.212.238:443   N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       216.58.212.238:443   android.apis.google.com   tcp
CN       223.109.148.176:80   alog.umeng.com            tcp
CN       223.109.148.141:80   alog.umeng.com            tcp
CN       223.109.148.177:80   alog.umeng.com            tcp
CN       223.109.148.178:80   alog.umeng.com            tcp
US       1.1.1.1:53           alog.umeng.co             udp
CN       223.109.148.179:80   alog.umeng.com            tcp
CN       223.109.148.130:80   alog.umeng.com            tcp
CN       223.109.148.176:80   alog.umeng.com            tcp
CN       223.109.148.141:80   alog.umeng.com            tcp
CN       223.109.148.177:80   alog.umeng.com            tcp
CN       223.109.148.178:80   alog.umeng.com            tcp

Files

/data/data/com.quizman.footballstar01/files/eula.zip

MD5 1a6d49d2adb9303a161a950db2de3927
SHA1 3f9a3ff691d967a4bc3bdffe6327cfab0c416ef4
SHA256 2eec668519c3ac15ba5e1c7bb8d83abb9bf935a32bde220e42a7047d66c824d2
SHA512 6459e8004f34945396fcec424bc37e34c7f86483a63a74a9bca2e9c70791cb0fda0ccb23b72944167693c7c71b418db41acd08dc83f2bf55594a02c5725fa4cb

/data/data/com.quizman.footballstar01/files/offline_eula_footer.html

MD5 9818dabc2eb86d5f4f071e9d67334570
SHA1 117e7978c9293d86ea5492b90a4999cc24225dbb
SHA256 1f075332b57fdfbb9417718f3c0d9f27ffbb2c135b3291aca4b9f2911d7e9e3b
SHA512 79937390d4b02688abb0e24cef356024c3dbd3cd59d85ea3300556af59f0648293ed24fb5db740a4329fdddccf43af3b7679135555397a3adedd3eeccf5423a0

/data/data/com.quizman.footballstar01/files/offline_eula_body.html

MD5 7813643485a5318f68291e87315a6fca
SHA1 207f1059f5ea34b0fc4011848fa4682608d26443
SHA256 c0487218c63d176ff68c0c6bc91866222ad9ae6420ea6fdf06790ff01a1db918
SHA512 e571984238e162b5d2c61973fa62645950f69b2a75a0c7b11d6854c9b89ab0164475c96515b7c48c8d60926c90f439e7c172d5df00b11413bd6584b0d0b3f19c

/data/data/com.quizman.footballstar01/files/mobclick_agent_cached_com.quizman.footballstar01

MD5 fd91e786bb850bfb3c51a769b46af657
SHA1 e4f15c678bada9857a1229a3a6b62e0a25641684
SHA256 6efba4638b8624b74aae7c9afa5c38812f5fc5b219f552cae7bfc647a9c2cbdd
SHA512 f3fa29283e1263c8e62774880f8576d9578b05488dfe555efc93c9df4694d156f301a9d3f028763681d5582b19852001a34c56c7c83ab0b43381f791065bfd94

/data/data/com.quizman.footballstar01/files/mobclick_agent_cached_com.quizman.footballstar01

MD5 abdbeaedd9678051ffd9a6a8067e99b7
SHA1 63e5a7d61897991735578e6b2edf1a10b0f2ca5b
SHA256 20315c6eb3666b2f59064c7d9775c725b5cb7e4eba8c025eb2e7de5415936ed5
SHA512 3e81e809663ef77a60fc1028e8357d042a1016aad1c6dac8f1a40dd3c9608bd68c2efee310f54dbeae6915cd75faecb118119b12968bebcd425a967c5e308fac

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 00:30
Reported: 2024-06-15 00:33
Platform: android-x64-20240611.1-en
Max time kernel: 123s
Max time network: 148s

Command Line

com.quizman.footballstar01

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description             Indicator                                                 Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  N/A      N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description  Indicator       Process  Target
N/A          alog.umeng.com  N/A      N/A

Queries information about active data network

Tags: discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description             Indicator                                        Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Queries the mobile country code (MCC)

Tags: discovery
Description             Indicator                                                               Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  N/A      N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.quizman.footballstar01

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           alog.umeng.com            udp
CN       223.109.148.177:80   alog.umeng.com            tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.187.232:443  ssl.google-analytics.com  tcp
US       1.1.1.1:53           www.startappexchange.com  udp
DE       152.70.183.52:80     www.startappexchange.com  tcp
GB       142.250.200.10:443   N/A                       tcp
US       1.1.1.1:53           eula.ad-market.mobi       udp
US       34.211.97.45:80      eula.ad-market.mobi       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.187.238:443  android.apis.google.com   tcp
GB       142.250.200.46:443   N/A                       tcp
CN       223.109.148.130:80   alog.umeng.com            tcp
CN       223.109.148.178:80   alog.umeng.com            tcp
CN       223.109.148.141:80   alog.umeng.com            tcp
GB       216.58.212.238:443   N/A                       tcp
GB       142.250.200.2:443    N/A                       tcp
CN       223.109.148.179:80   alog.umeng.com            tcp
GB       172.217.169.68:443   N/A                       tcp
GB       172.217.169.68:443   N/A                       tcp
CN       223.109.148.176:80   alog.umeng.com            tcp
US       1.1.1.1:53           alog.umeng.co             udp
CN       223.109.148.177:80   alog.umeng.com            tcp
CN       223.109.148.130:80   alog.umeng.com            tcp
CN       223.109.148.178:80   alog.umeng.com            tcp
CN       223.109.148.141:80   alog.umeng.com            tcp
CN       223.109.148.179:80   alog.umeng.com            tcp
CN       223.109.148.176:80   alog.umeng.com            tcp

Files

/data/data/com.quizman.footballstar01/files/eula.zip

MD5 1a6d49d2adb9303a161a950db2de3927
SHA1 3f9a3ff691d967a4bc3bdffe6327cfab0c416ef4
SHA256 2eec668519c3ac15ba5e1c7bb8d83abb9bf935a32bde220e42a7047d66c824d2
SHA512 6459e8004f34945396fcec424bc37e34c7f86483a63a74a9bca2e9c70791cb0fda0ccb23b72944167693c7c71b418db41acd08dc83f2bf55594a02c5725fa4cb

/data/data/com.quizman.footballstar01/files/offline_eula_footer.html

MD5 9818dabc2eb86d5f4f071e9d67334570
SHA1 117e7978c9293d86ea5492b90a4999cc24225dbb
SHA256 1f075332b57fdfbb9417718f3c0d9f27ffbb2c135b3291aca4b9f2911d7e9e3b
SHA512 79937390d4b02688abb0e24cef356024c3dbd3cd59d85ea3300556af59f0648293ed24fb5db740a4329fdddccf43af3b7679135555397a3adedd3eeccf5423a0

/data/data/com.quizman.footballstar01/files/offline_eula_body.html

MD5 7813643485a5318f68291e87315a6fca
SHA1 207f1059f5ea34b0fc4011848fa4682608d26443
SHA256 c0487218c63d176ff68c0c6bc91866222ad9ae6420ea6fdf06790ff01a1db918
SHA512 e571984238e162b5d2c61973fa62645950f69b2a75a0c7b11d6854c9b89ab0164475c96515b7c48c8d60926c90f439e7c172d5df00b11413bd6584b0d0b3f19c

/data/data/com.quizman.footballstar01/files/mobclick_agent_cached_com.quizman.footballstar01

MD5 fa658fa509c001a009e71ed6a459a500
SHA1 1dc51051dc6f9d599c163155943f37b783f743c1
SHA256 1a68c773e9603f28bd7813104b213e761f0d1419bc1a77b91f49ab01210020ce
SHA512 da9016f4909fca57e139bc822849e7774fffb4a98e68afe540b6dddcea758e53ec69142f5d6bed7a1960dbec76434095542faa9386623b9231fde4721991815d

/data/data/com.quizman.footballstar01/files/mobclick_agent_cached_com.quizman.footballstar01

MD5 98b2505d172005061834c31a1a452f77
SHA1 ab65de3717bafaf84e6b19d831a4f800d9850fe7
SHA256 eb8c7613a9442d3fbf5e707d474a4f3e53d48780aef045dad8e5dbfdc4ce0861
SHA512 1c2f5f566fb2baa2b53025c4eb99c873da33114c7d77c36b489f53cc84fb9e7bc91c0c932f2cc6615849b7bfff7a5bc39bec36da2fb260d43f0d289bcabdb0e3