Malware Analysis Report

2025-01-19 07:59

Sample ID 240616-y8vkwazgjn
Target b50ca2f4459545b009cba052dc7bbc9b_JaffaCakes118
SHA256 6423976bcb2e13f356558fa01c864001746aeca873916ec4dfe83c8399f05f0a
Tags
discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6423976bcb2e13f356558fa01c864001746aeca873916ec4dfe83c8399f05f0a

Threat Level: Shows suspicious behavior

The file b50ca2f4459545b009cba052dc7bbc9b_JaffaCakes118 was classified as: Shows suspicious behavior (score 7/10). None of the signatures below is conclusive on its own; the items worth following up are the runtime-loaded jar (egame_temp.jar), the emulator checks (/proc/cpuinfo, /proc/meminfo, sensor listener) and the RECEIVE_SMS / READ_PHONE_STATE permissions requested in the manifest.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 20:27

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 20:27

Reported

2024-06-16 20:31

Platform

android-x86-arm-20240611.1-en

Max time kernel

104s

Max time network

148s

Command Line

com.centurysoft.threekingdom.offlinechs2

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.centurysoft.threekingdom.offlinechs2/files/egame_temp.jar N/A N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
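The two /proc reads above are the classic low-cost emulator check: an app compares the hardware string and the amount of RAM against what a real handset would report. The following Python is an added illustration for this report, not the sample's code. It shows what an app can derive from those two files and lets an analyst replay the check against captured text. The marker list is an assumption based on common emulator images, and both /proc texts are constructed inputs, not data captured from this run.

```python
"""Heuristic read of /proc/cpuinfo and /proc/meminfo for emulator
artefacts: the same two files this sample opens. Added example for this
report, not the sample's own code. The marker strings are an assumption
based on common emulator images, and both /proc texts below are constructed,
not captured from the sandbox run."""

from __future__ import annotations

import re

# Substrings that, in the Hardware / model name fields of /proc/cpuinfo,
# suggest an emulator (assumption: goldfish/ranchu/QEMU-style images).
CPUINFO_EMULATOR_MARKERS = ("goldfish", "ranchu", "qemu", "virtual", "vbox")

# Constructed sample texts (not from the sandbox).
CPUINFO_EMULATOR = (
    "processor\t: 0\n"
    "model name\t: ARMv7 Processor rev 0 (v7l)\n"
    "BogoMIPS\t: 13.53\n"
    "Features\t: half thumb fastmult vfp edsp neon vfpv3\n"
    "Hardware\t: Goldfish\n"
    "Revision\t: 0000\n"
)
CPUINFO_PHONE = (
    "processor\t: 0\nprocessor\t: 1\nprocessor\t: 2\nprocessor\t: 3\n"
    "model name\t: ARMv8 Processor rev 14 (v8l)\n"
    "Hardware\t: Qualcomm Technologies, Inc SM8250\n"
)
MEMINFO_SMALL = "MemTotal:         524288 kB\nMemFree:          123456 kB\n"
MEMINFO_LARGE = "MemTotal:        7856128 kB\nMemFree:         2345678 kB\n"


def parse_proc_kv(text: str) -> list[tuple[str, str]]:
    """Split 'key : value' lines (lower-cased key) as found in both files."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def cpuinfo_summary(text: str) -> dict:
    """Core count, hardware/model strings, and any emulator markers found."""
    pairs = parse_proc_kv(text)
    hardware = [v for k, v in pairs if k in ("hardware", "model name")]
    markers = sorted({m for v in hardware for m in CPUINFO_EMULATOR_MARKERS
                      if m in v.lower()})
    return {
        "cores": sum(1 for k, _ in pairs if k == "processor"),
        "hardware": hardware,
        "markers": markers,
    }


def meminfo_total_mib(text: str) -> int:
    """MemTotal in MiB, or -1 if the line is missing or malformed."""
    for k, v in parse_proc_kv(text):
        if k == "memtotal":
            m = re.match(r"(\d+)\s*kB", v)
            return int(m.group(1)) // 1024 if m else -1
    return -1


def emulator_reasons(cpuinfo: str, meminfo: str, min_mib: int = 1024) -> list[str]:
    """Reasons an app reading these files might conclude it runs in an
    emulator. An empty list means nothing suspicious was seen."""
    reasons = []
    cpu = cpuinfo_summary(cpuinfo)
    for m in cpu["markers"]:
        reasons.append(f"cpuinfo hardware matches '{m}'")
    mem = meminfo_total_mib(meminfo)
    if 0 <= mem < min_mib:
        reasons.append(f"memtotal {mem} MiB below {min_mib} MiB")
    return reasons


if __name__ == "__main__":
    print("emulator-like:", emulator_reasons(CPUINFO_EMULATOR, MEMINFO_SMALL))
    print("phone-like:   ", emulator_reasons(CPUINFO_PHONE, MEMINFO_LARGE))
```

The same two files are read by plenty of legitimate apps (device-capability probing, crash reporters), so the signature only becomes interesting when, as here, it sits next to a sensor listener and a runtime-loaded jar. When re-detonating, feeding the sample a cpuinfo/meminfo pair that passes a check like this one is the quickest way to see whether the dropped jar behaves differently on "real" hardware.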

Processes

com.centurysoft.threekingdom.offlinechs2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 stats.unity3d.com udp
GB 216.58.212.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp

224.0.0.251:5353 is the mDNS multicast group (link-local service discovery, not an Internet contact). The remainder is DNS to 1.1.1.1 followed by HTTPS to Unity analytics and Google API hosts; the 216.58.212.238:443 connection has no resolved domain in this report. No custom or non-platform domain appears in the capture, so the network section by itself does not show a command-and-control contact.

Files

/data/data/com.centurysoft.threekingdom.offlinechs2/files/egame_temp_.jar

MD5 27a61b63db430421f61121aeb541c85e
SHA1 a5c736e8ac5e3ec0401e9ca52dbfcc716e46261a
SHA256 73736a10de784bbf1e2d71b8af67dc8f872bb6ae745f51edaec4b14987c64bc0
SHA512 5cff91bc9f264bacfe10f45e98b49aee0bc41573c2a461250db3179e5bd26a837213dd31889b876b6ccb266bdf5e318abfa8e22045baeb66b97785e74d1d712f

/data/data/com.centurysoft.threekingdom.offlinechs2/files/egame_temp.jar

MD5 6cc0bff28d139d635c3567536ca09ccc
SHA1 1364ad6ea85da6767ad29e17275088c8570d2042
SHA256 31f5e8689e871354dd788afb909fbc01abfa4988cd862b47e64311be4164658a
SHA512 d078975b5c67459b0eed3ce3f52d1547f48dc20b61ccbc713968bf657f6387e1c1ea05498f18f387589b1cbaa1994fdc86885488e69b7f9737a33afa30b826c8

/data/user/0/com.centurysoft.threekingdom.offlinechs2/files/egame_temp.jar
(the same file as the /data/data/... entry above: /data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android, so the two hashes record the file's content changing between observations; this is also the path named by the Loads dropped Dex/Jar indicator)

MD5 d873492305de936dd25f6f062357f2db
SHA1 941a740ab7bef317a3d7dbfb39e504dee529f13c
SHA256 8aa6834c442eff6e6a7775c2910fe6093d2e5b60afcbb2a31c75b7149ce8e7c3
SHA512 7eabfabbd105dfeedb9f946b64fa07e63712ba93e143e6e73f9b9e38e70ee8c5bb19efd8b65b3ebbb45bb643baaa639b96615cd8b1c8b18f78264a1d8281bc3f

/storage/emulated/0/Android/data/com.centurysoft.threekingdom.offlinechs2/files/ThreeKingdomSOK.sav

MD5 ef84f6940883962da4a7338b8e1b0b76
SHA1 b232d8c51c54f7d6dfebdb68698bccf5a88b50d8
SHA256 546af5f26a9f89fc8e121fc734183db5fe772a02a9706a3be41162bee6f0f7c5
SHA512 2912032134768a1dc43c57819976c6a5e150cf659c483afbd7ef6ba32576c55d158a6a453540aeb72b910f526c08e170341eefef3877b07e056fc9a4b3ece05a

/storage/emulated/0/Android/data/com.centurysoft.threekingdom.offlinechs2/files/ThreeKingdomSOK.sav

MD5 cc4e6b2ffa0e041cdc337b6699d5dbc1
SHA1 f12c8cdcb344e68298e5ffaa7ca6d99c3ee20460
SHA256 0dc7a87e029b4ac30d94bfe468ed57bcef440c55b5a2fe6a08389833a3394d0f
SHA512 8866008affe84aade0914a5b7dffeb0bdfa9ec37905f3ba603b7b830e0dd13a09a348c408363a6600ee02be110829cd775cc4e67b7d67e827d8ed5c50097e240
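To make the Files section usable for triage, the following Python (an added example, not the sandbox's or the sample's code) folds the two spellings of the app data directory into one logical path, lists every hash seen for each path, and checks a dropped blob for the magic bytes a runtime class loader would accept (a raw dex file or a zip/jar carrying classes.dex). Paths and SHA-256 values are copied from this report; the payloads it classifies are constructed in memory, and build_fake_jar is a test helper, not an artefact from the run.

```python
"""Triage helper for the Files section of this report. Added example, not
the sample's code. Paths and SHA-256 values are copied from the report;
the payloads classified below are constructed in memory."""

from __future__ import annotations

import hashlib
import io
import zipfile
from collections import defaultdict

PKG = "com.centurysoft.threekingdom.offlinechs2"

# (path, sha256) in the order the Files section lists them.
REPORT_FILES = [
    (f"/data/data/{PKG}/files/egame_temp_.jar",
     "73736a10de784bbf1e2d71b8af67dc8f872bb6ae745f51edaec4b14987c64bc0"),
    (f"/data/data/{PKG}/files/egame_temp.jar",
     "31f5e8689e871354dd788afb909fbc01abfa4988cd862b47e64311be4164658a"),
    (f"/data/user/0/{PKG}/files/egame_temp.jar",
     "8aa6834c442eff6e6a7775c2910fe6093d2e5b60afcbb2a31c75b7149ce8e7c3"),
    (f"/storage/emulated/0/Android/data/{PKG}/files/ThreeKingdomSOK.sav",
     "546af5f26a9f89fc8e121fc734183db5fe772a02a9706a3be41162bee6f0f7c5"),
    (f"/storage/emulated/0/Android/data/{PKG}/files/ThreeKingdomSOK.sav",
     "0dc7a87e029b4ac30d94bfe468ed57bcef440c55b5a2fe6a08389833a3394d0f"),
]

# Indicator from the "Loads dropped Dex/Jar" signature in this report.
LOADED_JAR = f"/data/user/0/{PKG}/files/egame_temp.jar"


def normalize_app_path(path: str) -> str:
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android, so
    both spellings name the same file; fold them to one form."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def group_versions(records) -> dict[str, list[str]]:
    """Map each logical path to the hashes observed for it, in report order.
    More than one hash means the file's content changed during the run."""
    out: dict[str, list[str]] = defaultdict(list)
    for path, sha in records:
        out[normalize_app_path(path)].append(sha)
    return dict(out)


DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def classify_payload(blob: bytes) -> str:
    """Say whether a dropped blob is something a dex class loader accepts:
    a raw .dex file or a zip/jar carrying classes.dex."""
    if blob.startswith(DEX_MAGIC):
        return "raw-dex"
    if blob.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "corrupt-zip"
        return "jar-with-dex" if "classes.dex" in names else "zip-without-dex"
    return "unknown"


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_fake_jar(with_dex: bool = True) -> bytes:
    """Constructed test payload: an in-memory zip with a stub classes.dex.
    Test helper only; not an artefact from the sandbox run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_dex:
            zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    versions = group_versions(REPORT_FILES)
    for path, hashes in versions.items():
        print(f"{path}\n  {len(hashes)} version(s): "
              f"{', '.join(h[:12] for h in hashes)}")
    print("last listed hash of the loaded jar:", versions[LOADED_JAR][-1][:12])
    jar = build_fake_jar()
    print("constructed jar:", classify_payload(jar), sha256_hex(jar)[:12])
```

Run against a real export of the sandbox's dropped files, classify_payload tells you which of the egame_temp*.jar artefacts is actually loadable code and which is an intermediate or partial write, and group_versions tells you which hash to pull for static analysis (the last one listed for the loaded path). Match the hash you extract against the SHA256 values printed in the Files section before spending time on it.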