Malware Analysis Report

2024-09-09 16:01

Sample ID: 240615-dqk89s1djl
Target: acb50a5ddc692be06ae0acdb4d92bd24_JaffaCakes118
SHA256: 42e581f9d9f3293de31480360a6634377491a202242d642d45af50ebc082f52d
Tags: discovery persistence collection credential_access impact
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: 42e581f9d9f3293de31480360a6634377491a202242d642d45af50ebc082f52d

Threat Level: Shows suspicious behavior

The file acb50a5ddc692be06ae0acdb4d92bd24_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Queries the mobile country code (MCC)

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-15 03:12

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 03:12
Reported: 2024-06-15 03:16
Platform: android-x86-arm-20240611.1-en
Max time kernel: 174s
Max time network: 131s

Command Line

com.AndPhone.game.beyondthewar

Signatures

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.AndPhone.game.beyondthewar

Network


Files

/data/data/com.AndPhone.game.beyondthewar/files/mobclick_agent_cached_com.AndPhone.game.beyondthewar

MD5 ac28c7d283d06fadd41b3951e4d423cd
SHA1 7f88050f1470a66b91d39ecc5a56bff7ec255e37
SHA256 5bc0bda82292575173c3aeb718dbdcbe6b6865f2efd7d60ca07222df6bd8cdb3
SHA512 5ba82c67b40872f11f7af36c77275963a25a05af1359b1550c16eebc81b22a5819271f6fd7c707a1d7236ab6c2226fe277c9fe0ee8905fc40f25f37e3e0b2ea5

/data/data/com.AndPhone.game.beyondthewar/files/mobclick_agent_cached_com.AndPhone.game.beyondthewar

MD5 84428a74aeb55635f6089e873aed2658
SHA1 4b00ae5b8a582ecc26eeefb24f1f78cb57500db5
SHA256 f5d6521168094b53c76b06eefb0ac4e13b46b980ef4b82db4eaac522b447eaeb
SHA512 d880229fddff2a9de5dac3f0bc8ac1deb246ad0d8c6623bf637e6a44b2de98c6a7b177b45e2315b8fbf2a69767bc21818b6c4cd69d0be8a6222b26e34f07f4ad

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 03:12
Reported: 2024-06-15 03:16
Platform: android-x64-20240611.1-en
Max time kernel: 127s
Max time network: 147s

Command Line

com.AndPhone.game.beyondthewar

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.AndPhone.game.beyondthewar

Network


Files

/data/data/com.AndPhone.game.beyondthewar/files/mobclick_agent_cached_com.AndPhone.game.beyondthewar

MD5 ac28c7d283d06fadd41b3951e4d423cd
SHA1 7f88050f1470a66b91d39ecc5a56bff7ec255e37
SHA256 5bc0bda82292575173c3aeb718dbdcbe6b6865f2efd7d60ca07222df6bd8cdb3
SHA512 5ba82c67b40872f11f7af36c77275963a25a05af1359b1550c16eebc81b22a5819271f6fd7c707a1d7236ab6c2226fe277c9fe0ee8905fc40f25f37e3e0b2ea5

/data/data/com.AndPhone.game.beyondthewar/files/mobclick_agent_cached_com.AndPhone.game.beyondthewar

MD5 8a60720931b6cc4f1a02dd323533ed42
SHA1 24fceb1b6469876278c23f41a8091d2f90afcd55
SHA256 9e3dc1d0e50280a2b3532da262e686cb4c0642e41e5002f0aa6bc735aa439e09
SHA512 d890737f5828ae23ffa06ad6c32fa08902334702a8e533d39f0e916244278d44d2195591323eca65a25d89acbaf253bed8272001dc67f2f041e2b19d423b1c95

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 03:12
Reported: 2024-06-15 03:16
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 127s
Max time network: 135s

Command Line

com.AndPhone.game.beyondthewar

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.AndPhone.game.beyondthewar

Network


Files

/data/user/0/com.AndPhone.game.beyondthewar/files/mobclick_agent_cached_com.AndPhone.game.beyondthewar

MD5 ac28c7d283d06fadd41b3951e4d423cd
SHA1 7f88050f1470a66b91d39ecc5a56bff7ec255e37
SHA256 5bc0bda82292575173c3aeb718dbdcbe6b6865f2efd7d60ca07222df6bd8cdb3
SHA512 5ba82c67b40872f11f7af36c77275963a25a05af1359b1550c16eebc81b22a5819271f6fd7c707a1d7236ab6c2226fe277c9fe0ee8905fc40f25f37e3e0b2ea5

/data/user/0/com.AndPhone.game.beyondthewar/files/mobclick_agent_cached_com.AndPhone.game.beyondthewar

MD5 f7d6c24a04880d89e53e5f05b0bbadf0
SHA1 927006cb44ee2526fd94e3589c21c46b9fbc850f
SHA256 6bb6cd0b46402e233cfccb1f4bf13535e654c842c5a185ffbb0b57d677776635
SHA512 bf504aae4aa1aa0adc11a32bea92708eeb31c97d5d9a7afc9d4f1ebe09e6e0c64800f0c384f4e10e8a772a3f592d4923ed1f53b7da9ae1b6c8e6caf73e2edf05