Analysis Overview
SHA256
2bc497fabcc11f6e76061a71f2d54e841aab0f32f71fd937bd04566e2ba7c5a4
Threat Level: Shows suspicious behavior
The file b3b67f794470bfe4a269ba32d39a45de_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Requests dangerous framework permissions
Queries information about active data network
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 13:19
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 13:19
Reported
2024-06-16 13:22
Platform
android-x86-arm-20240611.1-en
Max time kernel
8s
Max time network
159s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.conferplat.aq
com.conferplat.aq:remote
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
/storage/emulated/0/Android/data/com.conferplat.aq/cache/uil-images/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
/data/data/com.conferplat.aq/databases/defaultjpushim.db-journal
| MD5 | e9d5469399ae20d22685d84f9f57e02d |
| SHA1 | 729eeb82d5f232b4cc2439c2b43e36ba56a661b5 |
| SHA256 | ae828987720bf4c7f0daf79de7db4951433e4f1439b6586cc0e268f3f172f343 |
| SHA512 | bc53bafd023e2dde456c7c78882830b2fea386bcb2d9a6e0cd706eba7a2c38ca049cd72db3558287845a34e914f284d5ae101c482e8178785af022d53d54d380 |
/data/data/com.conferplat.aq/databases/defaultjpushim.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.conferplat.aq/databases/defaultjpushim.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.conferplat.aq/databases/defaultjpushim.db-wal
| MD5 | bf4d1141ce0f39a59eb7a5ddd7ad9236 |
| SHA1 | d98a7da431e1f2cce5c319d79779bb911ef86197 |
| SHA256 | 6758826af362de88df78ed362515cba1a793ec20cdaa61e51073d233d06fd5d2 |
| SHA512 | 6cb2de34e3afe4a328845a72275dc2e305eb5390afe3010b941dab364c098a87294a646a5bf4cdb2ef08b0844f63be68a663fea70b9bdd75b3dc0bad14b9f4ee |
/data/data/com.conferplat.aq/files/olS.zip
| MD5 | 04beed8b2c96255605ad3cceb6ad1f46 |
| SHA1 | 6f3201c4f72af194a4d8fac26937a224b3c3044b |
| SHA256 | b2e9e900cb9b5760cae5d1d58bcc03527c987886a9fa02a998c912cc4aff6683 |
| SHA512 | 6c8fc66139916575564374e687dd6ca2b181d845e5438e8ce47c77d9eeb43102c696cb1d20236c0e74a444c328018311d44fea255b703c011aff0b0ce85587dd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 13:19
Reported
2024-06-16 13:22
Platform
android-33-x64-arm64-20240611.1-en
Max time kernel
10s
Max time network
133s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.conferplat.aq/files/olS.zip | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.conferplat.aq
com.conferplat.aq:remote
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.68:443 | | udp |
| GB | 172.217.169.68:443 | | tcp |
| BE | 142.251.168.188:5228 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 216.58.204.74:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.74:443 | | udp |
| US | 1.1.1.1:53 | 11art.cn | udp |
| US | 1.1.1.1:53 | www.mdownl.cn | udp |
| GB | 216.58.212.227:443 | | tcp |
| HK | 156.232.205.103:80 | www.mdownl.cn | tcp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | udp |
| GB | 172.217.169.68:443 | | udp |
| GB | 142.250.179.228:443 | | udp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
Files
/data/user/0/com.conferplat.aq/cache/uil-images/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
/data/user/0/com.conferplat.aq/files/olS.zip
| MD5 | 04beed8b2c96255605ad3cceb6ad1f46 |
| SHA1 | 6f3201c4f72af194a4d8fac26937a224b3c3044b |
| SHA256 | b2e9e900cb9b5760cae5d1d58bcc03527c987886a9fa02a998c912cc4aff6683 |
| SHA512 | 6c8fc66139916575564374e687dd6ca2b181d845e5438e8ce47c77d9eeb43102c696cb1d20236c0e74a444c328018311d44fea255b703c011aff0b0ce85587dd |
/data/user/0/com.conferplat.aq/files/olS.zip
| MD5 | fce57d160ffdcc9b7dfb08ccafc35a25 |
| SHA1 | ae9365343f5eea8f1a5bc6f797e87dd2dc6740a2 |
| SHA256 | b82e2d4dae9c27a95a263e4728004479a3e04f0bfa3507a3d4e402c67f2d6cdc |
| SHA512 | a463314a3e28132b0bf43be4693df7b8d7359bc7b1d7d13d29aadb0a4d1069fb97ea18048b56a29a34bb2483bb92ae523032565388573d44946c9c483e165bc8 |
/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal
| MD5 | 5257bac6a0b6388eecbe0f8bd7b89779 |
| SHA1 | 20e5a700e721f05e4caff28fecda90226d5a4676 |
| SHA256 | bad69bab46f86bd5ae1dd7175aedcdb1cf648b8383fff185dcb2dda020fa61e7 |
| SHA512 | 2dc86dab3368ad52476bbff5945b882893e821850bebffc7531b5053f69b0d2b3e28a47f778ef2a13e61a5d4efb248fca21816e1c26fe75c5a4f37c0f230168d |
/data/user/0/com.conferplat.aq/databases/defaultjpushim.db
| MD5 | f152c3162890d92ae57fc1ba9d8edc32 |
| SHA1 | d71430b4ff2ad16412d1f33a7d1be2d5eb1da724 |
| SHA256 | 6312e99dd2c70e1ea5f7e1bd50ba9dce19f41169f9a19694c52a14d578e16161 |
| SHA512 | c52320ac7d3c1787a962a3a18b3f3528325717261d20896f339d03878de19c7877344c9d84b04c83b9f863f706f9f9e9bb512d6a31d0581bbc861172247f0a2f |
/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal
| MD5 | 2861cfd7e65f44bbffaf8fe4fd21ced4 |
| SHA1 | ef7a71e817e200db6d6ff271ca0099c311a58094 |
| SHA256 | 29373c2dbe116ab595961f4426267f43d9d4c3337f3a7819853f4304ce151204 |
| SHA512 | 770d9eb463ea54c5c55fdd9b20c6fc5f6e52b16434e450eb0794c24a8bbb8b9f29bd0a4132bdc65b63f3b87dc896e242adcd47518dce1156d1b869c0d81deb0d |
/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal
| MD5 | 40253cd36bc06e575dfe08d9f602d101 |
| SHA1 | 1d0f1196338a9efebbe95a539ad400a77de8db85 |
| SHA256 | 3877d26da9e3f4fdbfe8caabb5808b06c014f0b7dcf7a19ef424be14fdec5ef7 |
| SHA512 | e30bdaa508e48307e76a55e3449ebea648a8569ac936b3ab343a280fa310e9a2b84c673a79ef993a421a548158cdc26241d28baf23a0b42ecb79f23ffcffaa6d |
/data/user/0/com.conferplat.aq/files/jpush_stat_cache.json
| MD5 | e91f7d0b7aef0339532264d243879b5f |
| SHA1 | 759dfcb02ddd4d96ff3d7874f7ce14cae4dab700 |
| SHA256 | a699fc9c5c416a9d3cb03cb1784050d1fe70b85c2588251fd0404f6fe1be6534 |
| SHA512 | 6a6b2c2e1e13c7585810cab484608181a7bf33bd23b16981fc8295a5cf2452b8d290b1360b82c1ba57eb8561912518ebec99d8d44a6282c7d31b0817d5d3231b |