Analysis Overview
SHA256
6423976bcb2e13f356558fa01c864001746aeca873916ec4dfe83c8399f05f0a
Threat Level: Shows suspicious behavior
The file b50ca2f4459545b009cba052dc7bbc9b_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Reads information about phone network operator.
Requests dangerous framework permissions
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 20:27
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 20:27
Reported
2024-06-16 20:31
Platform
android-x86-arm-20240611.1-en
Max time kernel
104s
Max time network
148s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.centurysoft.threekingdom.offlinechs2/files/egame_temp.jar | N/A | N/A |
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
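The two signatures above fire because the app read /proc/cpuinfo and /proc/meminfo, which is the classic way an Android app checks whether it is running under an emulator before misbehaving. The following is an added example, not code from the sample or from the sandbox: it applies the common heuristics to constructed /proc contents (a physical Qualcomm device versus an emulator). The marker list and the RAM threshold are assumptions chosen for illustration.

```python
"""Added example: emulator-detection heuristics over /proc/cpuinfo and
/proc/meminfo, the files flagged by the 'Checks CPU information' and
'Checks memory information' signatures. All inputs below are constructed."""
import re

# Assumed list of strings that commonly identify Android emulators in
# /proc/cpuinfo (goldfish/ranchu are AVD kernels; vbox86 is Genymotion).
EMULATOR_CPU_MARKERS = ("goldfish", "ranchu", "qemu", "vbox86", "virtual")

# Constructed /proc/cpuinfo of a physical device (one core shown).
REAL_CPUINFO = """processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer\t: 0x51
CPU architecture: 8
Hardware\t: Qualcomm Technologies, Inc SM8150
"""

# Constructed /proc/cpuinfo of an Android emulator.
EMU_CPUINFO = """processor\t: 0
BogoMIPS\t: 125.00
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer\t: 0x41
CPU architecture: 8
Hardware\t: Android Virtual Device on ranchu
"""

# Constructed /proc/meminfo excerpts (values are in kB, as the kernel reports).
REAL_MEMINFO = "MemTotal:        5815896 kB\nMemFree:          312040 kB\n"
EMU_MEMINFO = "MemTotal:         524288 kB\nMemFree:          101200 kB\n"


def parse_proc_kv(text: str) -> dict:
    """Parse 'key : value' lines as found in /proc/cpuinfo and /proc/meminfo.
    Repeated keys (one block per CPU) keep the first value seen."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        out.setdefault(key.strip(), value.strip())
    return out


def cpuinfo_emulator_markers(cpuinfo: str) -> list:
    """Return the emulator markers present anywhere in /proc/cpuinfo."""
    lowered = cpuinfo.lower()
    return [m for m in EMULATOR_CPU_MARKERS if m in lowered]


def meminfo_total_mb(meminfo: str) -> int:
    """MemTotal in MiB, or -1 if the field is missing or malformed."""
    fields = parse_proc_kv(meminfo)
    match = re.match(r"(\d+)\s*kB", fields.get("MemTotal", ""))
    return int(match.group(1)) // 1024 if match else -1


def looks_like_emulator(cpuinfo: str, meminfo: str, min_mb: int = 1024) -> bool:
    """Combine both checks the way an anti-analysis routine would: any CPU
    marker, or an implausibly small RAM figure (min_mb is an assumed cut-off)."""
    if cpuinfo_emulator_markers(cpuinfo):
        return True
    total = meminfo_total_mb(meminfo)
    return 0 <= total < min_mb


if __name__ == "__main__":
    for label, cpu, mem in (("physical", REAL_CPUINFO, REAL_MEMINFO),
                            ("emulator", EMU_CPUINFO, EMU_MEMINFO)):
        print(label, cpuinfo_emulator_markers(cpu), meminfo_total_mb(mem),
              "-> emulator" if looks_like_emulator(cpu, mem) else "-> device")
```

When triaging a sample that reads these files, the useful follow-up is to run it on a sandbox image whose /proc/cpuinfo does not expose such markers (or to hook the reads) and compare the resulting behaviour with this report.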
Processes
com.centurysoft.threekingdom.offlinechs2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | stats.unity3d.com | udp |
| GB | 216.58.212.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp |
Files
/data/data/com.centurysoft.threekingdom.offlinechs2/files/egame_temp_.jar
| MD5 | 27a61b63db430421f61121aeb541c85e |
| SHA1 | a5c736e8ac5e3ec0401e9ca52dbfcc716e46261a |
| SHA256 | 73736a10de784bbf1e2d71b8af67dc8f872bb6ae745f51edaec4b14987c64bc0 |
| SHA512 | 5cff91bc9f264bacfe10f45e98b49aee0bc41573c2a461250db3179e5bd26a837213dd31889b876b6ccb266bdf5e318abfa8e22045baeb66b97785e74d1d712f |
/data/data/com.centurysoft.threekingdom.offlinechs2/files/egame_temp.jar
| MD5 | 6cc0bff28d139d635c3567536ca09ccc |
| SHA1 | 1364ad6ea85da6767ad29e17275088c8570d2042 |
| SHA256 | 31f5e8689e871354dd788afb909fbc01abfa4988cd862b47e64311be4164658a |
| SHA512 | d078975b5c67459b0eed3ce3f52d1547f48dc20b61ccbc713968bf657f6387e1c1ea05498f18f387589b1cbaa1994fdc86885488e69b7f9737a33afa30b826c8 |
/data/user/0/com.centurysoft.threekingdom.offlinechs2/files/egame_temp.jar
| MD5 | d873492305de936dd25f6f062357f2db |
| SHA1 | 941a740ab7bef317a3d7dbfb39e504dee529f13c |
| SHA256 | 8aa6834c442eff6e6a7775c2910fe6093d2e5b60afcbb2a31c75b7149ce8e7c3 |
| SHA512 | 7eabfabbd105dfeedb9f946b64fa07e63712ba93e143e6e73f9b9e38e70ee8c5bb19efd8b65b3ebbb45bb643baaa639b96615cd8b1c8b18f78264a1d8281bc3f |
/storage/emulated/0/Android/data/com.centurysoft.threekingdom.offlinechs2/files/ThreeKingdomSOK.sav
| MD5 | ef84f6940883962da4a7338b8e1b0b76 |
| SHA1 | b232d8c51c54f7d6dfebdb68698bccf5a88b50d8 |
| SHA256 | 546af5f26a9f89fc8e121fc734183db5fe772a02a9706a3be41162bee6f0f7c5 |
| SHA512 | 2912032134768a1dc43c57819976c6a5e150cf659c483afbd7ef6ba32576c55d158a6a453540aeb72b910f526c08e170341eefef3877b07e056fc9a4b3ece05a |
/storage/emulated/0/Android/data/com.centurysoft.threekingdom.offlinechs2/files/ThreeKingdomSOK.sav
| MD5 | cc4e6b2ffa0e041cdc337b6699d5dbc1 |
| SHA1 | f12c8cdcb344e68298e5ffaa7ca6d99c3ee20460 |
| SHA256 | 0dc7a87e029b4ac30d94bfe468ed57bcef440c55b5a2fe6a08389833a3394d0f |
| SHA512 | 8866008affe84aade0914a5b7dffeb0bdfa9ec37905f3ba603b7b830e0dd13a09a348c408363a6600ee02be110829cd775cc4e67b7d67e827d8ed5c50097e240 |