Malware Analysis Report

2025-01-19 08:01

Sample ID 240616-tgsvrazbng
Target b45da6f7755b7165294f5464101e2d8e_JaffaCakes118
SHA256 eea73696095d12b8dce5b3a08ca59541fb83525a3ff17903128a3376d8a17159
Tags
impact discovery
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

eea73696095d12b8dce5b3a08ca59541fb83525a3ff17903128a3376d8a17159

Threat Level: Shows suspicious behavior

The file b45da6f7755b7165294f5464101e2d8e_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

impact discovery

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 16:02

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 16:02

Reported

2024-06-16 16:05

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

131s

Command Line

com.phanovatives.gunshipIII.usnavy

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.phanovatives.gunshipIII.usnavy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sdk.byfen.com udp
GB 163.171.130.139:443 sdk.byfen.com tcp
US 1.1.1.1:53 stats.unity3d.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.212.202:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 16:02

Reported

2024-06-16 16:05

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

148s

Command Line

com.phanovatives.gunshipIII.usnavy

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.phanovatives.gunshipIII.usnavy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 sdk.byfen.com udp
US 1.1.1.1:53 stats.unity3d.com udp
GB 168.235.193.123:443 sdk.byfen.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.200.14:443 tcp
GB 172.217.169.66:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.204.78:443 tcp

Files

N/A