Malware Analysis Report

2025-01-19 07:59

Sample ID 240616-rpexrazhnr
Target b3f63d77337d17dd761710d43a14d8b0_JaffaCakes118
SHA256 2122c12052c92943269916fe4c567f9bbac48700e25eae076f67e645e2768044
Tags
discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2122c12052c92943269916fe4c567f9bbac48700e25eae076f67e645e2768044

Threat Level: Shows suspicious behavior

The file b3f63d77337d17dd761710d43a14d8b0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Acquires the wake lock

Makes use of the framework's foreground persistence service

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:21

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:21

Reported

2024-06-16 14:25

Platform

android-x86-arm-20240611.1-en

Max time kernel

165s

Max time network

188s

Command Line

com.mgtv.mgui

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mgtv.mgui

com.mgtv.mgui:log

ping -c 1 -w 3 233.5.5.5

ping -c 1 -w 3 180.76.76.76

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 as.mgtv.com udp
DE 47.91.91.18:80 as.mgtv.com tcp
DE 47.91.91.18:80 as.mgtv.com tcp
US 1.1.1.1:53 inott.api.mgtv.com udp
US 1.1.1.1:53 ott.v1.data.mgtv.com udp
CN 123.60.209.247:80 ott.v1.data.mgtv.com tcp
CN 101.200.223.108:80 inott.api.mgtv.com tcp
CN 8.131.104.77:80 inott.api.mgtv.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 101.201.59.63:80 inott.api.mgtv.com tcp
CN 182.92.215.82:80 inott.api.mgtv.com tcp
CN 123.56.135.74:80 inott.api.mgtv.com tcp
CN 101.201.59.23:80 inott.api.mgtv.com tcp
US 1.1.1.1:53 inott2.api.mgtv.com udp
CN 49.233.125.184:80 inott2.api.mgtv.com tcp
US 1.1.1.1:53 inott3.api.mgtv.com udp
CN 47.93.15.115:80 inott3.api.mgtv.com tcp
CN 101.200.223.108:80 inott.api.mgtv.com tcp
CN 8.131.104.77:80 inott.api.mgtv.com tcp
CN 101.201.59.63:80 inott.api.mgtv.com tcp
CN 182.92.215.82:80 inott.api.mgtv.com tcp
US 1.1.1.1:53 ottupdate.api.mgtv.com udp
CN 101.201.59.63:80 ottupdate.api.mgtv.com tcp
CN 123.56.135.74:80 ottupdate.api.mgtv.com tcp
CN 182.92.215.82:80 ottupdate.api.mgtv.com tcp
CN 101.201.59.23:80 ottupdate.api.mgtv.com tcp
CN 123.56.135.74:80 ottupdate.api.mgtv.com tcp
CN 49.233.125.184:80 inott2.api.mgtv.com tcp
CN 101.201.59.23:80 ottupdate.api.mgtv.com tcp
CN 47.93.15.115:80 inott3.api.mgtv.com tcp
CN 101.200.223.108:80 ottupdate.api.mgtv.com tcp
US 1.1.1.1:53 inott.api.mgtv.com udp
CN 101.200.223.108:80 inott.api.mgtv.com tcp
CN 8.131.104.77:80 inott.api.mgtv.com tcp
CN 8.131.104.77:80 inott.api.mgtv.com tcp
US 1.1.1.1:53 ottupdate2.api.mgtv.com udp
CN 120.53.128.236:80 ottupdate2.api.mgtv.com tcp
CN 101.201.59.63:80 inott.api.mgtv.com tcp
US 1.1.1.1:53 ottupdate3.api.mgtv.com udp
CN 101.201.59.63:80 ottupdate3.api.mgtv.com tcp
CN 182.92.215.82:80 ottupdate3.api.mgtv.com tcp
CN 8.131.104.77:80 ottupdate3.api.mgtv.com tcp
CN 123.56.135.74:80 ottupdate3.api.mgtv.com tcp
CN 123.56.135.74:80 ottupdate3.api.mgtv.com tcp
CN 101.201.59.23:80 ottupdate3.api.mgtv.com tcp
CN 101.201.59.23:80 ottupdate3.api.mgtv.com tcp
US 1.1.1.1:53 inott2.api.mgtv.com udp
CN 49.233.125.184:80 inott2.api.mgtv.com tcp
CN 101.200.223.108:80 ottupdate3.api.mgtv.com tcp
US 1.1.1.1:53 inott3.api.mgtv.com udp
CN 47.93.15.115:80 inott3.api.mgtv.com tcp
CN 182.92.215.82:80 ottupdate3.api.mgtv.com tcp
US 1.1.1.1:53 ottupdate.api.mgtv.com udp
CN 123.56.135.74:80 ottupdate.api.mgtv.com tcp
CN 47.93.15.115:80 inott3.api.mgtv.com tcp
CN 101.201.59.23:80 ottupdate.api.mgtv.com tcp
US 1.1.1.1:53 log.v2.hunantv.com udp
CN 123.249.20.65:80 log.v2.hunantv.com tcp
CN 101.200.223.108:80 ottupdate.api.mgtv.com tcp
CN 8.131.104.77:80 ottupdate.api.mgtv.com tcp
CN 101.201.59.63:80 ottupdate.api.mgtv.com tcp
CN 182.92.215.82:80 ottupdate.api.mgtv.com tcp
US 1.1.1.1:53 ottupdate2.api.mgtv.com udp
CN 120.53.128.236:80 ottupdate2.api.mgtv.com tcp
US 1.1.1.1:53 ottupdate3.api.mgtv.com udp
CN 101.200.223.108:80 ottupdate3.api.mgtv.com tcp
CN 8.131.104.77:80 ottupdate3.api.mgtv.com tcp
CN 101.201.59.63:80 ottupdate3.api.mgtv.com tcp

Files

/data/data/com.mgtv.mgui/databases/mgtv_data_aphone_sdk.db-journal

MD5 70f6bd77ff40b0a1b9c7d5b6392440f3
SHA1 901a9ea93f3fa892b4b36584a61cd2e5bbb64277
SHA256 6754fa0910dffaa44b9240cefa7c3b3fe2fd6f53bdb794d38e736f5e174a2958
SHA512 5b423c06a6f0d06798b0bec5278ddf44b28f53cf621f61f1ef46d9d830d936af47c957bcfeb05678b1ed91ebe0a3209d2325f3aec2793bee8f3cd60fcaa9b1bf

/data/data/com.mgtv.mgui/databases/mgtv_data_aphone_sdk.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.mgtv.mgui/databases/mgtv_data_aphone_sdk.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.mgtv.mgui/databases/mgtv_data_aphone_sdk.db-wal

MD5 4c2d2497467c89cb8a0f5bdbe878c465
SHA1 79b8f4599df4dc1a3c189d8179b72451693292ed
SHA256 7ae380d1d2a72a0f4c4a96ccea9a53408efc64cff36b4082324e4d854d5e4934
SHA512 fdcb5f1cece4135f642b064f9f8bb942a0b1713223587f75cdf2115cedd331323bdc3b9f6a0584a2655bfa354d643a2a978fe6ddfbc8af25110c451eb3ec63c9