Malware Analysis Report

2025-01-19 08:00

Sample ID 240616-yyqtyawanf
Target b4fbf7fbb98cae5e382ddcea1befcfa3_JaffaCakes118
SHA256 0c54d011bd6aa8c3e8fb1f28ed190e44e363b56fbf04ea9d5098b6406cf0a317
Tags: banker, discovery, evasion, impact, persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

0c54d011bd6aa8c3e8fb1f28ed190e44e363b56fbf04ea9d5098b6406cf0a317

Threat Level: Likely malicious

The file b4fbf7fbb98cae5e382ddcea1befcfa3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Loads dropped Dex/Jar

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Reads information about phone network operator.

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 20:12

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 20:11

Reported

2024-06-16 20:18

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

169s

Command Line

com.raindrop.CrazyCube

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.raindrop.CrazyCube/cache/1582435991586.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.raindrop.CrazyCube

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | stats.unity3d.com | udp
US | 1.1.1.1:53 | api.exc.mob.com | udp
CN | 180.188.25.46:80 | api.exc.mob.com | tcp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 216.58.204.66:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
GB | 216.58.204.66:443 | googleads.g.doubleclick.net | tcp
GB | 216.58.204.66:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | cca.mob.com | udp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/com.raindrop.CrazyCube/cache/1582435991586.jar


/data/user/0/com.raindrop.CrazyCube/cache/1582435991586.jar


/data/data/com.raindrop.CrazyCube/files/umeng_it.cache


/data/data/com.raindrop.CrazyCube/files/.umeng/exchangeIdentity.json


/data/data/com.raindrop.CrazyCube/databases/ThrowalbeLog.db-journal


/data/data/com.raindrop.CrazyCube/databases/ThrowalbeLog.db


/data/data/com.raindrop.CrazyCube/databases/ThrowalbeLog.db-shm


/data/data/com.raindrop.CrazyCube/databases/ThrowalbeLog.db-wal


/storage/emulated/0/Mob/.db_accache


/data/data/com.raindrop.CrazyCube/files/.um/um_cache_1718569012708.env


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 20:11

Reported

2024-06-16 20:17

Platform

android-x64-20240611.1-en

Max time kernel

7s

Max time network

131s

Command Line

com.raindrop.CrazyCube

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.raindrop.CrazyCube

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp

Files

N/A