Malware Analysis Report

2024-09-09 16:01

Sample ID: 240615-h22gvasaqc
Target: ad48cc4795c3af1c7e4de278c7b484d0_JaffaCakes118
SHA256: 95478cb2abec5dfab5d71994d2ca7cc89141128f63f5c1fd7c88706f7f5829f5
Tags: discovery persistence collection credential_access impact
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file ad48cc4795c3af1c7e4de278c7b484d0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Reads information about phone network operator

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-15 07:14

Signatures

Requests dangerous framework permissions

Description: Allows an application to write to external storage.
Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.READ_PHONE_STATE
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 07:14
Reported: 2024-06-15 07:17
Platform: android-x86-arm-20240611.1-en
Max time kernel: 18s
Max time network: 157s

Command Line

com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

Tactic: discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

Tactic: discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

Tactic: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a

Network

Country  Destination           Domain                          Proto
N/A      224.0.0.251:5353                                      udp
US       1.1.1.1:53            alog.umeng.com                  udp
CN       223.109.148.179:80    alog.umeng.com                  tcp
US       1.1.1.1:53            receive.client.c-launcher.com   udp
SG       54.179.170.13:80      receive.client.c-launcher.com   tcp
US       1.1.1.1:53            api.c-launcher.com              udp
SG       52.220.64.57:80       api.c-launcher.com              tcp
CN       223.109.148.177:80    alog.umeng.com                  tcp
GB       142.250.187.206:443                                   tcp
US       1.1.1.1:53            android.apis.google.com         udp
GB       142.250.187.206:443   android.apis.google.com         tcp
GB       172.217.169.10:443                                    tcp

Files

/data/data/com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a/files/uuid.md

MD5:    5d3f058ad2357a1eb0aff83197be2d5c
SHA1:   e7f1262ad454357f13afdb344768c9fe1060f791
SHA256: 3136c417424734fd690f3536171628726536c20702ba27e590284f6b8d5db5a3
SHA512: 217abbe7afcda9327a7b8cb3edfba6617d81fb02e9ee5698b6fe04993f7938bc49e8232cd2b8728d56dfd6818020c749549482828dc9b5b375460dd21f149a2b

/data/data/com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a/files/.imprint

MD5:    f824242f5ff2869b6541fbf2febeea75
SHA1:   61a81cc1ae1e79f491629f3499f33f0b25e0ecc1
SHA256: 00bb5470bed19a187479f7f1acda1d3c325f0ec652d167e609042c127ab03620
SHA512: ee964f5eb05764fda3734c1c8b37b5ec074cfd4a7cafb36ba65344d9c44e997165241221a11fde7c055184041cdc297ad8e65b10ba723c97c107982965313f9e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 07:14
Reported: 2024-06-15 07:17
Platform: android-x64-20240611.1-en
Max time kernel: 63s
Max time network: 129s

Command Line

com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a

Signatures

Obtains sensitive information copied to the device clipboard

Tactics: collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

Tactic: discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

Tactic: discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

Tactic: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tactic: discovery

Reads information about phone network operator

Tactic: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a

Network

Country  Destination           Domain                          Proto
N/A      224.0.0.251:5353                                      udp
US       1.1.1.1:53            alog.umeng.com                  udp
CN       223.109.148.179:80    alog.umeng.com                  tcp
US       1.1.1.1:53            api.c-launcher.com              udp
US       1.1.1.1:53            receive.client.c-launcher.com   udp
SG       52.220.64.57:80       api.c-launcher.com              tcp
SG       54.251.178.82:80      receive.client.c-launcher.com   tcp
US       1.1.1.1:53            ssl.google-analytics.com        udp
GB       172.217.169.40:443    ssl.google-analytics.com        tcp
GB       172.217.169.10:443                                    tcp
CN       223.109.148.177:80    alog.umeng.com                  tcp
US       1.1.1.1:53            android.apis.google.com         udp
GB       142.250.179.238:443   android.apis.google.com         tcp
CN       223.109.148.176:80    alog.umeng.com                  tcp
GB       172.217.169.78:443                                    tcp
GB       142.250.179.226:443                                   tcp
CN       223.109.148.141:80    alog.umeng.com                  tcp
CN       223.109.148.130:80    alog.umeng.com                  tcp
GB       142.250.187.196:443                                   tcp
GB       142.250.187.196:443                                   tcp
GB       172.217.169.14:443                                    tcp
CN       223.109.148.178:80    alog.umeng.com                  tcp
US       1.1.1.1:53            alog.umeng.co                   udp

Files

/data/data/com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a/files/uuid.md

MD5:    c678ed8ca6be188b69e93baddecd7d70
SHA1:   accd8e9f07f7d87997d01a5f5d78ae341241046d
SHA256: a6dc0943b2558e2601993b44cf23e9e3e5b01753d5d77ced1b00a467eef65f79
SHA512: 8812be74c7ffc8309afed30530c11f7588363b078e79c202f2d2312714fc340ab23d85078f1d6262eda0530f0ad30543a1e23b9bd1ec874484f14bde2081a80e

/data/data/com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a/files/mobclick_agent_sealed_com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a

MD5:    a77d800adc6cb44c1422eb1b40dffbae
SHA1:   07bb285d9535f41bc4b0cfaf04cc08295c287d1e
SHA256: 75f9130820e3f9704caf67c31af1ed3628282e51af1f7ea7518cf964e0c6ef73
SHA512: 5e199b4ed302094da7db7c18695ba0c1176c6a07fb3fa14de76f51a010f06e8d3f27a05756abd1f946a7835ca5fcf35cf6c9509a8decf8f03f3d661d8115de87

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 07:14
Reported: 2024-06-15 07:17
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 64s
Max time network: 132s

Command Line

com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a

Signatures

Obtains sensitive information copied to the device clipboard

Tactics: collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description: N/A
Indicator: alog.umeng.com
Process: N/A
Target: N/A

Queries information about active data network

Tactic: discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

Tactic: discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a

Network

Country  Destination           Domain                          Proto
N/A      224.0.0.251:5353                                      udp
GB       216.58.204.78:443                                     tcp
GB       216.58.204.78:443                                     tcp
US       1.1.1.1:53            android.apis.google.com         udp
GB       216.58.204.78:443     android.apis.google.com         tcp
US       1.1.1.1:53            alog.umeng.com                  udp
CN       223.109.148.176:80    alog.umeng.com                  tcp
US       1.1.1.1:53            receive.client.c-launcher.com   udp
SG       54.251.178.82:80      receive.client.c-launcher.com   tcp
US       1.1.1.1:53            api.c-launcher.com              udp
SG       3.0.217.185:80        api.c-launcher.com              tcp
US       1.1.1.1:53            ssl.google-analytics.com        udp
GB       172.217.169.40:443    ssl.google-analytics.com        tcp
CN       223.109.148.178:80    alog.umeng.com                  tcp
CN       223.109.148.177:80    alog.umeng.com                  tcp
CN       223.109.148.141:80    alog.umeng.com                  tcp
GB       142.250.178.4:443                                     tcp
GB       142.250.178.4:443                                     tcp
CN       223.109.148.130:80    alog.umeng.com                  tcp
CN       223.109.148.179:80    alog.umeng.com                  tcp
US       1.1.1.1:53            alog.umeng.co                   udp

Files

/data/user/0/com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a/files/uuid.md

MD5:    1bed19e748e65eee7ebd188f29918259
SHA1:   e8e7f21b2fe1af1e411d5d1de29f1b1795073392
SHA256: 73031b2f918bc24f79057f91f488fc7828c00dbf00461be58be836f076be64fb
SHA512: 70b3f5a77b9dc091aadc6815c1d8080ef7b89c750ff2e32ee7697df5db69718e04b8141e78075d4182b729deb244171d0db552895fa0e790865e6c17be33c33e

/data/user/0/com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a/files/mobclick_agent_sealed_com.cyou.cma.clauncher.theme.v547ca025e373c10b4aa5915a

MD5:    b4ae4ee324088ab9e4781f72b3daa30c
SHA1:   bcce928d79c2c5420c46d38df75567626d73ca13
SHA256: faae776c5e82229736deb3ad6a821e606a4bab32125718499502985cefd8b3ff
SHA512: 3a2adc328182fbf3c83c1246712d064bbf5134f7af767f28e6c7132f79ee5ee73be1e6618eec1af61518ee04b2231bbe39e8e166cac0833bf186b0d2fd7a321b