Malware Analysis Report

2025-01-19 08:01

Sample ID 240616-z6rlwaselm
Target b54350d9ff187c0c59a3dd45cbf1c39b_JaffaCakes118
SHA256 520adf9d85c6254d911e97a2cd0394afa7d9f4624a5942d796c9ee8779270923
Tags
banker discovery evasion impact persistence
score
8/10

Analysis Overview

score
8/10

SHA256

520adf9d85c6254d911e97a2cd0394afa7d9f4624a5942d796c9ee8779270923

Threat Level: Likely malicious

The file b54350d9ff187c0c59a3dd45cbf1c39b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Queries information about active data network

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 21:20

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 21:20

Reported

2024-06-16 21:23

Platform

android-x86-arm-20240611.1-en

Max time kernel

150s

Max time network

174s

Command Line

com.thesmartmelon.StarDefense

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.thesmartmelon.StarDefense

/system/bin/sh -c type su

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android-api.ccplay.com.cn udp
CN 203.107.44.252:80 android-api.ccplay.com.cn tcp
US 1.1.1.1:53 config.uca.cloud.unity3d.com udp
US 34.111.113.40:443 config.uca.cloud.unity3d.com tcp
US 1.1.1.1:53 counter.yomob.com.cn udp
US 1.1.1.1:53 s.yomob.com.cn udp
CN 47.99.203.193:443 counter.yomob.com.cn tcp
CN 47.99.203.193:443 counter.yomob.com.cn tcp
CN 47.99.203.193:443 counter.yomob.com.cn tcp
CN 47.99.203.193:443 counter.yomob.com.cn tcp
CN 47.99.203.193:443 counter.yomob.com.cn tcp
US 1.1.1.1:53 sgpublic.yomob.com.cn udp
CN 47.99.87.170:443 s.yomob.com.cn tcp
CN 47.99.203.193:443 sgpublic.yomob.com.cn tcp
US 1.1.1.1:53 t.appsflyer.com udp
NL 18.239.18.125:443 t.appsflyer.com tcp
US 1.1.1.1:53 api.appsflyer.com udp
GB 18.165.227.10:443 api.appsflyer.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
GB 172.217.169.10:443 tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp

Files

/storage/emulated/0/Android/data/com.thesmartmelon.StarDefense/files/save.json

/data/data/com.thesmartmelon.StarDefense/databases/tgsdk_counter.db-journal

/data/data/com.thesmartmelon.StarDefense/databases/tgsdk_counter.db

/data/data/com.thesmartmelon.StarDefense/databases/tgsdk_counter.db-shm

/data/data/com.thesmartmelon.StarDefense/databases/tgsdk_counter.db-wal

/data/data/com.thesmartmelon.StarDefense/databases/tgsdk.db-journal

/data/data/com.thesmartmelon.StarDefense/databases/tgsdk.db-wal

/storage/emulated/0/Android/data/com.thesmartmelon.StarDefense/files/Unity/13af0e9f-3fe3-4c87-becc-a208a0659d1b/Analytics/values

/data/data/com.thesmartmelon.StarDefense/databases/bugly_db_tgsdk-journal

/data/data/com.thesmartmelon.StarDefense/databases/bugly_db_tgsdk

/data/data/com.thesmartmelon.StarDefense/app_crashrecord/1004

/data/data/com.thesmartmelon.StarDefense/databases/bugly_db_tgsdk-wal

/data/data/com.thesmartmelon.StarDefense/app_crashrecord/1004

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 21:20

Reported

2024-06-16 21:20

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.16.228:443 udp
GB 172.217.16.228:443 udp
BE 173.194.76.188:5228 tcp
GB 216.58.212.196:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 udp
GB 142.250.187.202:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 21:20

Reported

2024-06-16 21:20

Platform

android-x86-arm-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 21:20

Reported

2024-06-16 21:20

Platform

android-x64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 21:20

Reported

2024-06-16 21:20

Platform

android-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A