Analysis Overview
SHA256
9579d69ede30626ee7615739d19bf1aee654ffcdaad5d4b4ba8cec42eef2a3e0
Threat Level: Likely malicious
The file afecf973b5cc3d22cb18dae57cc3917d_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Obtains sensitive information copied to the device clipboard
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Schedules tasks to execute at a specified time
Checks CPU information
Checks memory information
Analysis: static1
Detonation Overview
Reported
2024-06-15 19:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 19:09
Reported
2024-06-15 19:12
Platform
android-x86-arm-20240611.1-en
Max time kernel
26s
Max time network
131s
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.puzzlegame.puzzledom.hack
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 104.21.81.232:443 | freegeoip.net | tcp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| GB | 216.58.212.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-shm
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-wal
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-wal
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 19:09
Reported
2024-06-15 19:12
Platform
android-x64-20240611.1-en
Max time kernel
51s
Max time network
152s
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.puzzlegame.puzzledom.hack
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.10:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 172.67.165.196:443 | freegeoip.net | tcp |
| GB | 216.58.213.14:443 | N/A | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| GB | 142.250.178.14:443 | N/A | tcp |
| GB | 216.58.201.98:443 | N/A | tcp |
| GB | 142.250.179.228:443 | N/A | tcp |
| GB | 142.250.179.228:443 | N/A | tcp |
Files
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 19:09
Reported
2024-06-15 19:12
Platform
android-x64-arm64-20240611.1-en
Max time kernel
99s
Max time network
132s
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.puzzlegame.puzzledom.hack
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.16.238:443 | N/A | tcp |
| GB | 172.217.16.238:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 216.58.201.106:443 | N/A | tcp |
| GB | 216.58.201.106:443 | N/A | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | freegeoip.net | udp |
| US | 104.21.81.232:443 | freegeoip.net | tcp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 1.1.1.1:53 | lp.androidapk.world | udp |
| GB | 172.217.169.68:443 | N/A | tcp |
| GB | 172.217.169.68:443 | N/A | tcp |
Files
/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db
/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal
/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db