Analysis Overview
SHA256
520adf9d85c6254d911e97a2cd0394afa7d9f4624a5942d796c9ee8779270923
Threat Level: Likely malicious
The file b54350d9ff187c0c59a3dd45cbf1c39b_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current Wi-Fi connection
Queries information about active data network
Reads information about phone network operator.
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 21:20
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 21:20
Reported
2024-06-16 21:23
Platform
android-x86-arm-20240611.1-en
Max time kernel
150s
Max time network
174s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.thesmartmelon.StarDefense
/system/bin/sh -c type su
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.202:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android-api.ccplay.com.cn | udp |
| CN | 203.107.44.252:80 | android-api.ccplay.com.cn | tcp |
| US | 1.1.1.1:53 | config.uca.cloud.unity3d.com | udp |
| US | 34.111.113.40:443 | config.uca.cloud.unity3d.com | tcp |
| US | 1.1.1.1:53 | counter.yomob.com.cn | udp |
| US | 1.1.1.1:53 | s.yomob.com.cn | udp |
| CN | 47.99.203.193:443 | counter.yomob.com.cn | tcp |
| CN | 47.99.203.193:443 | counter.yomob.com.cn | tcp |
| CN | 47.99.203.193:443 | counter.yomob.com.cn | tcp |
| CN | 47.99.203.193:443 | counter.yomob.com.cn | tcp |
| CN | 47.99.203.193:443 | counter.yomob.com.cn | tcp |
| US | 1.1.1.1:53 | sgpublic.yomob.com.cn | udp |
| CN | 47.99.87.170:443 | s.yomob.com.cn | tcp |
| CN | 47.99.203.193:443 | sgpublic.yomob.com.cn | tcp |
| US | 1.1.1.1:53 | t.appsflyer.com | udp |
| NL | 18.239.18.125:443 | t.appsflyer.com | tcp |
| US | 1.1.1.1:53 | api.appsflyer.com | udp |
| GB | 18.165.227.10:443 | api.appsflyer.com | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| GB | 172.217.169.10:443 | tcp | |
| CN | 14.22.7.199:80 | android.bugly.qq.com | tcp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 14.22.7.140:80 | android.bugly.qq.com | tcp |
Files
/storage/emulated/0/Android/data/com.thesmartmelon.StarDefense/files/save.json
| MD5 | 5294fec0d9806c58a90e1a1ddbe380d4 |
| SHA1 | 2fd8ab4c2b1a655f59bc4ce633aff33c85ca497c |
| SHA256 | 4ca267143399d45778e3350929379281b50bb4e1383e108b1c82545af487d34a |
| SHA512 | 57372972355460f832dc01c990aa791342253b157727fc2392b71cedfe5d54d0704805a915cae061cae15b4e0d850d78e7dfce1505c8a9b3b43de53726899856 |
/data/data/com.thesmartmelon.StarDefense/databases/tgsdk_counter.db-journal
| MD5 | e88b537f0c48552bf20f88357ea1c5eb |
| SHA1 | b10f80582e89ddb39564200da366fd04d045a1a7 |
| SHA256 | 6b9fe44c6fbb802e99e26836ce2f31ae238c2d572cdd7292606180cac3a91c27 |
| SHA512 | 3aa3385c5fcbbb2b24d8194e13fe206f7bf60410b3bd91219f0c6c9bdf2789516400e3e5527dc6ca283855af56e13c7efaf6b1e82695cbc96248cb1cf913be2c |
/data/data/com.thesmartmelon.StarDefense/databases/tgsdk_counter.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.thesmartmelon.StarDefense/databases/tgsdk_counter.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.thesmartmelon.StarDefense/databases/tgsdk_counter.db-wal
| MD5 | 7f3f719d4f1de804db2f3d9fb3a3e470 |
| SHA1 | 867eb811ca7c370ab80db7709d2bae8c9d063397 |
| SHA256 | 6ea47129be4b114a496af4882f497db0ec2fae7af1e2409497a10438433502c7 |
| SHA512 | 5ed58c81d654977858b15343fd027c89dd0809773876d6cfd6298f735c1468758ea2a2b414471fab7ee5aa9b75ca13cf74fc57b34513afed74b77537c248326d |
/data/data/com.thesmartmelon.StarDefense/databases/tgsdk.db-journal
| MD5 | 882ab59555cc2ac783dd652ff97cae89 |
| SHA1 | 1dfbc333edc87bcdb584ec03412a38537eca1076 |
| SHA256 | 14dbf391cc917f9cf06960c2fb94cedd0ab3e53931cbf4237a5c9d86e5cd03ba |
| SHA512 | dbd481a967173038bbcd5dd7abd03f55f2b17de6536f5032223f7771fd3283496cc8ebe7f2203fe56b562bfbd52b11cbd3f13e17f87871bc6172b112c64edda3 |
/data/data/com.thesmartmelon.StarDefense/databases/tgsdk.db-wal
| MD5 | b9346fbb47fd1b37baab063520fc629c |
| SHA1 | e2583625f9ee9c9ecdae10369adfda0512dbb506 |
| SHA256 | 729e2ccb47bd08149b1c00854e59018cd1fb57b36cf150f542a7df3495da52d8 |
| SHA512 | 6163e9b64d2d9728549fdec6722848e0149df14c8aa113edb15eea26e768b3754a562feaffcdbd0cb13c0812eb5bfd7d1f6702eb682f05c5e43233d044b16240 |
/storage/emulated/0/Android/data/com.thesmartmelon.StarDefense/files/Unity/13af0e9f-3fe3-4c87-becc-a208a0659d1b/Analytics/values
| MD5 | f4fc584463db18d2f51a352d427604f8 |
| SHA1 | 5b89ac635522ac62012e8a55853904399988da7e |
| SHA256 | db0aad0aee5372043afaa8b758fd7cc28dd2e755bae748e238277f410861f6ad |
| SHA512 | 02aaafc391d5cdaae7cc988794d9611007f3eed1bec268a8376fd91eec2b06681bc5e98cd028c48653e0fb7a36a495e80fb8ddeac7137005b92261fa139edb50 |
/data/data/com.thesmartmelon.StarDefense/databases/bugly_db_tgsdk-journal
| MD5 | b99e41bc2be8567aaa3ea7d5b99279a7 |
| SHA1 | da355fd4d672133c21fcac32334047c3615d26db |
| SHA256 | 571620399779667df78696251a04fd1d2c072b13c934259a75d0a7e93d171675 |
| SHA512 | 7603fdc77851e3742ef79eec5b9cb2af4dd76f53d35a0898fe7cd7c9f1a6aac48a4bbc90677f3e53aa30babae4b49c314c786e07561353c9c46428a58df69589 |
/data/data/com.thesmartmelon.StarDefense/databases/bugly_db_tgsdk
| MD5 | ba8bc47c9a97881bf3451f4c51955c4f |
| SHA1 | 536e22000d866bbd4a32f058b3689e51a5722ed9 |
| SHA256 | a5766611f0766fabb93177283f2ff90cd8890247170946a4baa6a9217998e008 |
| SHA512 | b0559cc73e1bc9a970cbebcd09e2267e5838825a0d08ba8e8fe027a2c93dc7cb3d31cbb048dff317f76eaf4b8ba22dc57150153265de6221e04539f0083b80d5 |
/data/data/com.thesmartmelon.StarDefense/app_crashrecord/1004
| MD5 | d36ab9da64a164560d24f045730304d5 |
| SHA1 | 64e2c32eb56cfaf64dce8c561d31a5abe508baf2 |
| SHA256 | e71dbbf2159f3e466bac2dfbf06d57233ea8b203fb885f839f9985f5188861ea |
| SHA512 | 1a58aab5343c44ddff1ac9bd58231f24a0601db6834d2f0ffe87a1683251da4313efaeeb76facebb7612b4a26b5029034c723823b8ffa9fef51d7da9b2f4b637 |
/data/data/com.thesmartmelon.StarDefense/databases/bugly_db_tgsdk-wal
| MD5 | c7176b36728f0d075e5049e3b8bb918e |
| SHA1 | 5fd8a32bca12de24fc5299d9eb9afaa549dc5b60 |
| SHA256 | 42ead67b5b33c06bbb8f6a9c68d69bfccddbb5385feb35519a399a8d5000fed7 |
| SHA512 | d2b3ce50f3d8471605620c489ace619cb25d0c8ad7ac9b10ea0853212c3a636b1573e0cf8fc930047834745c2da24cd6cce9a0c24fe874405da0c31d06176436 |
/data/data/com.thesmartmelon.StarDefense/app_crashrecord/1004
| MD5 | 0d210bfb2a0e1f1b4c082a6a0f79de07 |
| SHA1 | bb8ed9e364db79d1d9f2fcde3f15091893222faa |
| SHA256 | 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d |
| SHA512 | 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 21:20
Reported
2024-06-16 21:20
Platform
android-33-x64-arm64-20240611.1-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.16.228:443 | udp | |
| GB | 172.217.16.228:443 | udp | |
| BE | 173.194.76.188:5228 | tcp | |
| GB | 216.58.212.196:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.202:443 | udp | |
| GB | 142.250.187.202:443 | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-16 21:20
Reported
2024-06-16 21:20
Platform
android-x86-arm-20240611.1-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-16 21:20
Reported
2024-06-16 21:20
Platform
android-x64-20240611.1-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-16 21:20
Reported
2024-06-16 21:20
Platform
android-x64-arm64-20240611.1-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |