Malware Analysis Report

2024-10-19 13:10

Sample ID 240617-316emazbjb
Target ba31892a4ec9bb79f6d97c5b2c5a9302_JaffaCakes118
SHA256 4c61c0f33e7f6a6c4f6dea58507fb86fed6cb4e26b38f2ac70c61e13075205fe
Tags
persistence discovery collection credential_access impact evasion
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2, behavioral3, behavioral6, behavioral7, behavioral8, behavioral9, behavioral10, behavioral1, behavioral4, behavioral5 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

4c61c0f33e7f6a6c4f6dea58507fb86fed6cb4e26b38f2ac70c61e13075205fe

Threat Level: Likely malicious

The file ba31892a4ec9bb79f6d97c5b2c5a9302_JaffaCakes118 was found to be: Likely malicious.

Reading the verdict: the 8/10 score is an aggregate of the behavioral signatures listed below, not evidence of a payload doing harm. The processes launched in the behavioral runs (com.excean.gspace, com.excean.safetynet, com.excean.android.vending, com.exce.wv) and the single non-Google host contacted (sdk.ourplay.net) are consistent with the OurPlay app-space client, an app-virtualization container that runs other apps inside its own process. A container of that kind declares every permission its guests might need, loads its platform code (kxqpplatform2.jar, main.jar) at runtime and checks for root, which is the signature set recorded here; the same machinery also makes a capable dropper, so the dropped scripts (hook.js, login.js, appeal.js, tt.js, xx.js) and the dynamically loaded jars are what to examine before treating the verdict as either a false positive or a confirmed threat.

Malicious Activity Summary

persistence discovery collection credential_access impact evasion

Checks if the Android device is rooted.

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Tactics tagged by the signatures in this report: persistence, discovery, collection, credential access, impact and evasion (defense evasion).

Analysis: static1

Detonation Overview

Reported

2024-06-17 23:59

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Declared on the app's notification listener service so that only the system can bind to it. Once the user enables the listener under notification access in Settings, the app can read, dismiss and act on every notification on the device, including one-time codes delivered by notification. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. | android.permission.BODY_SENSORS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to use SIP service. | android.permission.USE_SIP | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to add voicemails into the system. | com.android.voicemail.permission.ADD_VOICEMAIL | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

GET_ACCOUNTS is listed twice in the sandbox output; the duplicate is dropped here. Not every entry is a runtime ("dangerous") permission, although the sandbox files them under one signature: SYSTEM_ALERT_WINDOW, WRITE_SETTINGS, PACKAGE_USAGE_STATS and REQUEST_INSTALL_PACKAGES are special app access permissions that never show a prompt and are granted only through the matching toggle in Settings. PROCESS_OUTGOING_CALLS has been deprecated since Android 10 (API 29). Taken together the list covers SMS receive, read and send, call placement and redirection, overlays on top of other apps, package installation, usage statistics, precise location, camera, microphone, body sensors, contacts, calendar and call log. The declaration alone does not show what the code does with these grants; none of the behavioral runs below triggered a signature for SMS, call, location, camera or microphone access.
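The permission list above is what a reviewer would normally pull from the decoded manifest with apktool or aapt. The Python below is an added example, not part of the sandbox report or of the sample, that buckets the requested permissions by how Android actually grants them and lists the combinations worth noting. The manifest it parses is constructed from the list above: the package name is taken from the behavioral1 command line, and the service name .NotificationCollector is hypothetical, since the report does not name the component that carries BIND_NOTIFICATION_LISTENER_SERVICE.

```python
"""Bucket the permissions an APK manifest requests by how Android grants them,
and list the permission combinations a reviewer cares about.  Added example,
not the sandbox's code.  The manifest is constructed from the static1 list;
the service name is hypothetical (the report does not name the component)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: prefix

# Runtime ("dangerous") permissions: granted through the runtime prompt.
RUNTIME = {"android.permission." + p for p in (
    "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "RECEIVE_SMS", "SEND_SMS", "READ_SMS", "RECEIVE_MMS", "RECEIVE_WAP_PUSH",
    "READ_PHONE_STATE", "CALL_PHONE", "PROCESS_OUTGOING_CALLS", "USE_SIP",
    "READ_CALL_LOG", "WRITE_CALL_LOG",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "CAMERA", "RECORD_AUDIO", "BODY_SENSORS",
    "READ_CALENDAR", "WRITE_CALENDAR",
)} | {"com.android.voicemail.permission.ADD_VOICEMAIL"}

# Special app access: never prompted; the user must flip a Settings toggle.
SPECIAL_ACCESS = {"android.permission." + p for p in (
    "SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "PACKAGE_USAGE_STATS",
    "REQUEST_INSTALL_PACKAGES",
)}

# Signature permissions placed on a component so only the system can bind to
# it; the app never holds these, the user enables the service in Settings.
COMPONENT_GUARDS = {"android.permission." + p for p in (
    "BIND_NOTIFICATION_LISTENER_SERVICE", "BIND_ACCESSIBILITY_SERVICE",
    "BIND_DEVICE_ADMIN",
)}

# Combinations that matter more than any single entry (reviewer's choice).
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "overlay_on_other_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    "install_other_apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "precise_location": {"android.permission.ACCESS_FINE_LOCATION"},
}


def triage(manifest_xml):
    """Requested permissions by grant path, components guarded by a system-only
    bind permission, and the capability combinations present."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    requested.discard(None)
    guarded = {}
    for tag in ("service", "receiver", "activity"):
        for comp in root.iter(tag):
            if comp.get(A + "permission") in COMPONENT_GUARDS:
                guarded[comp.get(A + "name")] = comp.get(A + "permission")
    return {
        "runtime": requested & RUNTIME,
        "special_access": requested & SPECIAL_ACCESS,
        "unclassified": requested - RUNTIME - SPECIAL_ACCESS,
        "guarded_components": guarded,
        "capabilities": sorted(c for c, need in CAPABILITIES.items()
                               if need <= requested),
    }


# The static1 list in the report's order, including its duplicate GET_ACCOUNTS.
REPORTED = ["android.permission." + p for p in (
    "READ_CONTACTS", "WRITE_EXTERNAL_STORAGE", "RECEIVE_SMS", "SEND_SMS",
    "READ_SMS", "READ_PHONE_STATE", "WRITE_SETTINGS", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "SYSTEM_ALERT_WINDOW", "READ_EXTERNAL_STORAGE",
    "BODY_SENSORS", "CALL_PHONE", "CAMERA", "GET_ACCOUNTS",
    "PROCESS_OUTGOING_CALLS", "READ_CALENDAR", "READ_CALL_LOG", "RECEIVE_MMS",
    "RECEIVE_WAP_PUSH", "RECORD_AUDIO", "USE_SIP", "WRITE_CALENDAR",
    "WRITE_CALL_LOG", "WRITE_CONTACTS",
)] + ["com.android.voicemail.permission.ADD_VOICEMAIL",
      "android.permission.PACKAGE_USAGE_STATS",
      "android.permission.REQUEST_INSTALL_PACKAGES",
      "android.permission.GET_ACCOUNTS"]

# Constructed manifest; package name taken from behavioral1's command line,
# listener service name hypothetical.
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="%s" package="com.excean.gspace">' % ANDROID_NS
    + "".join('<uses-permission android:name="%s"/>' % p for p in REPORTED)
    + '<application><service android:name=".NotificationCollector" '
    'android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>'
    "</application></manifest>"
)

if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_MANIFEST).items():
        print(bucket, "->", sorted(value) if isinstance(value, set) else value)
```

On the constructed manifest the "unclassified" bucket comes back empty and the four Settings-toggle permissions land in "special_access"; a name that ends up unclassified on a real manifest is either a vendor or third-party permission or a misspelling, and both deserve a look.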

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

141s

Command Line

com.exce.wv

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.exce.wv

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
GB | 216.58.212.238:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 216.58.212.206:443 | android.apis.google.com | tcp | 1

Files

/storage/emulated/0/.com.excean.gspace/extra/appeal.js

MD5 2b6f75369a538f32a5fe05c7f7bf58e0
SHA1 b815647b31036750d297befee6b39c8da850da13
SHA256 0ed39c90cbead0197ad28adffbb974c8de89f3394924bb94a46a92d8b5d51849
SHA512 58831cf38a1ff62b4f5dbe4f7381872325ecebe387d5a641e2f44c901a52c80c0470389634aea30715f1a7ef33d94f54973a9dfbb006133b9de78739de6d1880

/storage/emulated/0/.com.excean.gspace/extra/hook.js

MD5 efbf2777c999ee119498d4368fad00d0
SHA1 c2f40d259c0f9f04ddc391984d507dfde4b7eea8
SHA256 dc0c8c17bbd348712faa43049b09db318e870941beb8f4e2bd8b80cea2f77ea2
SHA512 40f963374f5dd3846b86452e8675b378d15941d8f36b9a92bd9a311629fe5f807c08484b1c854da58da06b5b26e94860311de018c2f561ef96bd99090453f7e4

/storage/emulated/0/.com.excean.gspace/extra/login.js

MD5 8069a5fc01af56b924e42d1d4619209e
SHA1 252c63dccdb2f2920ddb125ad1caa4e7a86793f4
SHA256 eb738b475786d34094bf6697fbc74b6186829ddb3beea0eba2ce520dba6fc7d6
SHA512 882b277e899619c50eff23dcce4ce3f13fd3b6d17459f7e56539cb2e2954179c43f26aafe36ee32edf1e5d4ee8bf99e08acf04edc0f8b2795fea8cee640c26ad

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x64-20240611.1-en

Max time kernel

8s

Max time network

153s

Command Line

com.exce.wv

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.exce.wv

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp | 1
GB | 142.250.179.234:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.206:443 | android.apis.google.com | tcp | 1
GB | 142.250.200.46:443 | - | tcp | 1
GB | 142.250.179.226:443 | - | tcp | 1
GB | 142.250.179.228:443 | - | tcp | 2
GB | 142.250.200.46:443 | - | tcp | 1

Files

/storage/emulated/0/.com.excean.gspace/extra/appeal.js

MD5 2b6f75369a538f32a5fe05c7f7bf58e0
SHA1 b815647b31036750d297befee6b39c8da850da13
SHA256 0ed39c90cbead0197ad28adffbb974c8de89f3394924bb94a46a92d8b5d51849
SHA512 58831cf38a1ff62b4f5dbe4f7381872325ecebe387d5a641e2f44c901a52c80c0470389634aea30715f1a7ef33d94f54973a9dfbb006133b9de78739de6d1880

/storage/emulated/0/.com.excean.gspace/extra/hook.js

MD5 efbf2777c999ee119498d4368fad00d0
SHA1 c2f40d259c0f9f04ddc391984d507dfde4b7eea8
SHA256 dc0c8c17bbd348712faa43049b09db318e870941beb8f4e2bd8b80cea2f77ea2
SHA512 40f963374f5dd3846b86452e8675b378d15941d8f36b9a92bd9a311629fe5f807c08484b1c854da58da06b5b26e94860311de018c2f561ef96bd99090453f7e4

/storage/emulated/0/.com.excean.gspace/extra/login.js

MD5 8069a5fc01af56b924e42d1d4619209e
SHA1 252c63dccdb2f2920ddb125ad1caa4e7a86793f4
SHA256 eb738b475786d34094bf6697fbc74b6186829ddb3beea0eba2ce520dba6fc7d6
SHA512 882b277e899619c50eff23dcce4ce3f13fd3b6d17459f7e56539cb2e2954179c43f26aafe36ee32edf1e5d4ee8bf99e08acf04edc0f8b2795fea8cee640c26ad

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x64-20240611.1-en

Max time kernel

8s

Max time network

134s

Command Line

com.excean.safetynet

Signatures

N/A

Processes

com.excean.safetynet

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 216.58.212.206:443 | android.apis.google.com | tcp | 1
GB | 216.58.212.238:443 | - | tcp | 1
GB | 142.250.200.2:443 | - | tcp | 1
GB | 172.217.169.68:443 | - | tcp | 2
GB | 142.250.200.46:443 | - | tcp | 1

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x64-arm64-20240611.1-en

Max time kernel

7s

Max time network

135s

Command Line

com.excean.safetynet

Signatures

N/A

Processes

com.excean.safetynet

Network

Country | Destination | Domain | Proto | Count
GB | 142.250.187.206:443 | - | tcp | 2
N/A | 224.0.0.251:5353 | - | udp | 1
GB | 172.217.16.234:443 | - | tcp | 2
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.179.228:443 | - | tcp | 2

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

181s

Command Line

com.excean.android.vending

Signatures

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call (returns the ISO country code of the registered network operator, which is derived from the MCC) | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.excean.android.vending

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
US | 1.1.1.1:53 | play.google.com | udp | 1
GB | 216.58.201.110:443 | play.google.com | tcp | 1
US | 1.1.1.1:53 | play-lh.googleusercontent.com | udp | 1
GB | 142.250.187.246:443 | play-lh.googleusercontent.com | tcp | 6
US | 1.1.1.1:53 | ssl.gstatic.com | udp | 1
GB | 142.250.187.195:443 | ssl.gstatic.com | tcp | 1
US | 1.1.1.1:53 | stats.g.doubleclick.net | udp | 1
BE | 142.250.110.154:443 | stats.g.doubleclick.net | tcp | 1
US | 1.1.1.1:53 | www.google.co.uk | udp | 1
US | 1.1.1.1:53 | region1.google-analytics.com | udp | 1
US | 216.239.32.36:443 | region1.google-analytics.com | tcp | 1
GB | 216.58.212.238:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.46:443 | android.apis.google.com | tcp | 1

Files

/storage/emulated/0/com.excean.android.vending/hook.js

MD5 3dc2e0358cd098ffab48dd777178231d
SHA1 3205a0259ada02818c19df9dc6469148dc560dec
SHA256 018f4a25446f519dbf49557da24ecd0b4d92d7b827748a27c6da5db243bf9004
SHA512 a05233fd1fe286d67d92c42fd6426f7fcc7f318c9ffc1117a66ceb920c570032ad3254f55822fb4320a89e0164c0b338f0449e60bb568450bb2f658cd790d464

/storage/emulated/0/com.excean.android.vending/tt.js

MD5 e92fe1f2a29f509878e61217a2563a99
SHA1 c57d5fea1e372ebd538fd3f97b7533bc2f7cd5c0
SHA256 dc9ba26e3eb711105170b59195d0fe19e18d39b1834544a25436e9557bb4f572
SHA512 26a7eee6bf621486fb76d925392c4f81eacbab21a860ea55687c721f61551539f4c8710d4d13d3510194e064cb5f29f698f16b38c7791d8f73f9343719f9cb8a

/storage/emulated/0/com.excean.android.vending/xx.js

MD5 a27daa00d9ddbdecb227e27cb3372e68
SHA1 79405ced9eb6768362253abc54fef3e9fb768209
SHA256 78f4f184c43f3757306297516127d511a773b0545535013fc68548f26f15f749
SHA512 6f4d904f2551a8a24a5f37763165f4bcdefd90a4fa40a4da1c9a7ad5e1bf608a1b8a1840de026a92a674033d7e0b683d9fe0aa88219ef9cee715297652c8170d

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

158s

Command Line

com.excean.android.vending

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call (the listener fires on every clipboard change; Android 10 and later only deliver clipboard contents to the focused app or the default IME, so this yields data only while one of the sample's own windows is in front) | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call (returns the ISO country code of the registered network operator, which is derived from the MCC) | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.excean.android.vending

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
US | 1.1.1.1:53 | play.google.com | udp | 1
GB | 142.250.178.14:443 | play.google.com | tcp | 1
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.180.10:443 | safebrowsing.googleapis.com | tcp | 1
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | play-lh.googleusercontent.com | udp | 1
GB | 142.250.187.214:443 | play-lh.googleusercontent.com | tcp | 6
US | 1.1.1.1:53 | ssl.gstatic.com | udp | 1
GB | 142.250.178.3:443 | ssl.gstatic.com | tcp | 1
GB | 172.217.16.234:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.238:443 | android.apis.google.com | tcp | 1
GB | 172.217.169.46:443 | - | tcp | 1
US | 1.1.1.1:53 | stats.g.doubleclick.net | udp | 1
BE | 142.251.173.156:443 | stats.g.doubleclick.net | tcp | 1
US | 1.1.1.1:53 | www.google.co.uk | udp | 1
GB | 172.217.169.67:443 | www.google.co.uk | tcp | 1
US | 1.1.1.1:53 | region1.google-analytics.com | udp | 1
US | 216.239.34.36:443 | region1.google-analytics.com | tcp | 1
GB | 172.217.16.226:443 | - | tcp | 1
GB | 142.250.178.14:443 | play.google.com | tcp | 1
GB | 142.250.178.4:443 | - | tcp | 2

Files

/storage/emulated/0/com.excean.android.vending/hook.js

MD5 3dc2e0358cd098ffab48dd777178231d
SHA1 3205a0259ada02818c19df9dc6469148dc560dec
SHA256 018f4a25446f519dbf49557da24ecd0b4d92d7b827748a27c6da5db243bf9004
SHA512 a05233fd1fe286d67d92c42fd6426f7fcc7f318c9ffc1117a66ceb920c570032ad3254f55822fb4320a89e0164c0b338f0449e60bb568450bb2f658cd790d464

/storage/emulated/0/com.excean.android.vending/tt.js

MD5 e92fe1f2a29f509878e61217a2563a99
SHA1 c57d5fea1e372ebd538fd3f97b7533bc2f7cd5c0
SHA256 dc9ba26e3eb711105170b59195d0fe19e18d39b1834544a25436e9557bb4f572
SHA512 26a7eee6bf621486fb76d925392c4f81eacbab21a860ea55687c721f61551539f4c8710d4d13d3510194e064cb5f29f698f16b38c7791d8f73f9343719f9cb8a

/storage/emulated/0/com.excean.android.vending/xx.js

MD5 a27daa00d9ddbdecb227e27cb3372e68
SHA1 79405ced9eb6768362253abc54fef3e9fb768209
SHA256 78f4f184c43f3757306297516127d511a773b0545535013fc68548f26f15f749
SHA512 6f4d904f2551a8a24a5f37763165f4bcdefd90a4fa40a4da1c9a7ad5e1bf608a1b8a1840de026a92a674033d7e0b683d9fe0aa88219ef9cee715297652c8170d

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x64-arm64-20240611.1-en

Max time kernel

178s

Max time network

194s

Command Line

com.excean.android.vending

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call (the listener fires on every clipboard change; Android 10 and later only deliver clipboard contents to the focused app or the default IME, so this yields data only while one of the sample's own windows is in front) | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.excean.android.vending

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
GB | 172.217.16.234:443 | - | tcp | 2
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | play.google.com | udp | 1
GB | 216.58.201.110:443 | play.google.com | tcp | 1
US | 1.1.1.1:53 | play-lh.googleusercontent.com | udp | 1
GB | 216.58.204.86:443 | play-lh.googleusercontent.com | tcp | 6
US | 1.1.1.1:53 | ssl.gstatic.com | udp | 1
GB | 142.250.187.195:443 | ssl.gstatic.com | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.46:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | stats.g.doubleclick.net | udp | 1
BE | 66.102.1.157:443 | stats.g.doubleclick.net | tcp | 1
US | 1.1.1.1:53 | www.google.co.uk | udp | 1
GB | 172.217.169.67:443 | www.google.co.uk | tcp | 1
US | 1.1.1.1:53 | region1.google-analytics.com | udp | 1
US | 216.239.32.36:443 | region1.google-analytics.com | tcp | 1
GB | 216.58.201.100:443 | - | tcp | 2
GB | 142.250.179.238:443 | - | tcp | 1
GB | 172.217.169.66:443 | - | tcp | 1

Files

/storage/emulated/0/com.excean.android.vending/hook.js

MD5 3dc2e0358cd098ffab48dd777178231d
SHA1 3205a0259ada02818c19df9dc6469148dc560dec
SHA256 018f4a25446f519dbf49557da24ecd0b4d92d7b827748a27c6da5db243bf9004
SHA512 a05233fd1fe286d67d92c42fd6426f7fcc7f318c9ffc1117a66ceb920c570032ad3254f55822fb4320a89e0164c0b338f0449e60bb568450bb2f658cd790d464

/storage/emulated/0/com.excean.android.vending/tt.js

MD5 e92fe1f2a29f509878e61217a2563a99
SHA1 c57d5fea1e372ebd538fd3f97b7533bc2f7cd5c0
SHA256 dc9ba26e3eb711105170b59195d0fe19e18d39b1834544a25436e9557bb4f572
SHA512 26a7eee6bf621486fb76d925392c4f81eacbab21a860ea55687c721f61551539f4c8710d4d13d3510194e064cb5f29f698f16b38c7791d8f73f9343719f9cb8a

/storage/emulated/0/com.excean.android.vending/xx.js

MD5 a27daa00d9ddbdecb227e27cb3372e68
SHA1 79405ced9eb6768362253abc54fef3e9fb768209
SHA256 78f4f184c43f3757306297516127d511a773b0545535013fc68548f26f15f749
SHA512 6f4d904f2551a8a24a5f37763165f4bcdefd90a4fa40a4da1c9a7ad5e1bf608a1b8a1840de026a92a674033d7e0b683d9fe0aa88219ef9cee715297652c8170d

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x86-arm-20240611.1-en

Max time kernel

17s

Max time network

160s

Command Line

com.excean.gspace

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target | Count
N/A | /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar | N/A | N/A | 3

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target | Count
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A | 2

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target | Count
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A | 2

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target | Count
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A | 2

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call (a Cipher.doFinal call on its own is equally consistent with decrypting a packed configuration or component; the Files list below records no encrypted user data) | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.excean.gspace

chmod 755 /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar

chmod 755 /data/user/0/com.excean.gspace/.platformcache/main.jar

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.excean.gspace/.platformcache/oat/x86/kxqpplatform2.odex --compiler-filter=quicken --class-loader-context=&

com.excean.gspace:lbcore

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
US | 1.1.1.1:53 | sdk.ourplay.net | udp | 1
US | 98.98.103.126:443 | sdk.ourplay.net | tcp | 2
GB | 216.58.201.110:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.46:443 | android.apis.google.com | tcp | 1

Files

/storage/emulated/0/.com.excean.gspace/game_res/verinfo.cfg

MD5 fc71f5e4e805a2ec310cc2edf303d84d
SHA1 022e729e32fb093b37fba686a97abae42cd4757e
SHA256 3073389a228e6bee85dd40f1da6422d97cb6ee838ba3b68f88a02f33ac34bf07
SHA512 a925e670eb126891bc70038c05cd960d50812c1f9b35fbebe9af34524b5918df94fa53aa5d0149ac9a1a27b2730b3ee237f3facb2d89189e89d41dd3b9155da6

/storage/emulated/0/.com.excean.gspace/game_res/compVersion

MD5 bd78ebbf05924aada6d575e30ee411e9
SHA1 f09db33af5ddac6032b5bfa560517e10bc35c217
SHA256 d3fa78a16a4ef58b48116a8675c000214ccb05577b1652c927dee00651a98be0
SHA512 4d065a078ce085b34014b42e1738e6fef38788fe6719108f600687f7e1941d7733eb96cd66c3c1f2f78ebf917314c4c764ea0c3b6970c887d29dec1387dabdc4

/storage/emulated/0/.com.excean.gspace/game_res/verinfo.cfg

MD5 d17bb9a9ba580f1f00aaab095fc1bf66
SHA1 cea38a22debedc891ff89c2ec7501325122a6f99
SHA256 3feef8baadb6e26e071711da59617ee5695733323ca03df23161c1ce10491172
SHA512 d7af4c0443567445ef75099a64ebf530430a66ac0a5a1191130d6bab975fe78747c832a7c4a8adcc9914489dd637df2f1b15ea8eae75f549a10104b98c9169e2

/data/data/com.excean.gspace/.platformcache/kxqpplatform2.jar

MD5 30525875f3b40cb3317bad9cd15d44b7
SHA1 4bb16fe5ea922818d3b51dfaf2e01701f7f11c1a
SHA256 7c333097c0be419d16065b310eaa9a7d5b3b60ae4797a9060236e25845f0b363
SHA512 6841a0f2c9b66caa48cd5fcd5ad2e65970fcb42337865549abb9abeba29195db351dcbcd34f24b0345b3e729326c41bf97df63f3ff3ed0c75500c7ab89b34aa8

/data/data/com.excean.gspace/.platformcache/main.jar

MD5 81a6b68f93a2a6ebd99773e7acb69bb9
SHA1 aad12c03915062b5820034d7026cbbb4d5e2ffef
SHA256 de6b351b54176858e1b1a3263509a936b677758ba375d4de40b0b42139bcdb6e
SHA512 ad55ac3afdcad24b8d85d1a6473190733ffd97c8da65499841ac0e6e0abae2a9883310875719e82e8eb659a35928b30e6bf7419f2dd0bad97ff51ae8cc657f01

/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar

MD5 cdeef1728825127066a839eaacc29f95
SHA1 aa0baa92842ce7b84ffe89e8ac5dfaa6fe92c0e1
SHA256 ef388bdcb59deac7449972450cf99a7784aab5d9b61f721974a42a15b5cb059c
SHA512 1180a2eb5cf2b6e82adee2aeff03ba18ad7af86e50b00d2218e18d186846e7b0b43af3551c44ab7715945bc6699594dea7ba07b17b32bb01da0d22b4ac9cacb3

/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar

MD5 ecac07d95f325f0e3ef728be1a22659d
SHA1 2f1c072bfdcd847c3031e275805c19b177eeed9e
SHA256 b9455514624c8519a5e16aac00fdfd04bf7d61805ce97ae8d9f2c54389d7fccf
SHA512 ef080dd996d4ab3b230459eb7aec3dcae96f478b41fc8f6649be41844d399a645320097aa5f3046583b2a00cd70ec74e41c7a6d5f68127559dc5908cf781e0de

Note that /data/data/com.excean.gspace is the same directory as /data/user/0/com.excean.gspace (the former is a symlink to the latter), so kxqpplatform2.jar is recorded three times at one path with three different hashes: the file was rewritten during the run. The "Loads dropped Dex/Jar" signature above names the path, not the content, so none of the three hashes can be assumed to be the code that was actually loaded; the dex2oat command line under Processes compiled whichever version was on disk at that moment. To pin the loaded code, hash the jar at load time (for example by hooking the class loader) rather than relying on the post-run file listing.

/storage/emulated/0/.com.excean.gspace/game_res/info.data

MD5 44c986a883f31781c180a3418445a767
SHA1 1bb940f9adaf5a0fe687eb66fe5c36200f389ad0
SHA256 9eea0f70c28f1357da08aae5c0861b87a10a6f27b34d7325afd04f91d4b3120a
SHA512 d40fcf33dbe30f56f65d0842c587f06177a8f6dc0e4e42aebd529c32b4c74be78d607a59b1836c56f14d401b3b392eb08e90cc580844e2e76d27014a02725d8b

/storage/emulated/0/.com.excean.gspace/init_time.txt

MD5 92685f57d9fea3561ea0ca908e8aa422
SHA1 907d179b00ede6dd563c3a881f6130685aa086cd
SHA256 fbc6ed2c7644564d7df4abd69a0d349d7951f94406955f51d8f8b35a90192e27
SHA512 05cb4d4612244f171f85fe9c98b4882feca788db29cc8cdfa121482c84fe90f1622b3271d8b7367a62f5c09ed73c2114a7f23ac6d76dc3ff2281078839ec4c48

/data/data/com.excean.gspace/.platformcache/lib_kxqpplatform/classes.dex

MD5 5d81f1b764b48fd8b8e7cb35de54df42
SHA1 e60195e1b7b99138ec02425139a357c39385da12
SHA256 bb1b0801aa5af16c20d13d308dc267d0fb8c3db4ab94521af8965cda73dd7183
SHA512 588d429a00f7f115d5b8a552124023765ee387414d48f3b5ebb3fdc98f83ec76c1d331a7ce9d8baaefb5c2d84b739cac35042d607292b25259ad021fb0a5a86c

/storage/emulated/0/.com.excean.gspace/.phoneInfo.cfg

MD5 e5916159f87693114bb211591b53e6d9
SHA1 aaaf055adca6acbaee1b747f0a52740fe30fa387
SHA256 1de77a4b0a3b6545c8fd9cb343671d2a6877b28079a776897d0a9ca91d46e4a2
SHA512 767d87f6fe3822c1e8314755a8093f862179b17ef5670a4ab41e12fd07accd9a1d2a77134876ee75cd704619d1a4a90acde94f1529269f917fed0d0dea91a719

/data/data/com.excean.gspace/databases/lio_statistics.db-journal

MD5 6e0656967bf99f5975e58908b165c7dd
SHA1 947b75756bc93018a0b1b16ac40b55817df82120
SHA256 f04458e0bfd6044396ddd432827090b15d4832a56b84330fdffa54b2f2bac792
SHA512 edcc89ef65358b8ecdcfa7f537c36abc0864daa2112edec583635d8e63c34369450101f7a85053cc38ce9fa3c1d542167cd4387dfb5cacafe2f7ba7ff734cff0

/data/data/com.excean.gspace/databases/lio_statistics.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.excean.gspace/databases/lio_statistics.db-wal

MD5 015d0411a60ab7848e9837b914ec4b21
SHA1 6c41e4fff0102c4ac21e6194b1a40906e45d4e2f
SHA256 c3d8900221f53956e8e170391bd9d82faadf144bb977ce0a12f7fe35b621a447
SHA512 47e27263c8d811ed61d29ee19f0655496611cc022aef5efe39393ebd219e892eebd608c381fb72935b039dc4af0f2f2b2d036f079fd11bc659a6b3352f4f1a1d

/data/data/com.excean.gspace/gameplugins/lb_packages

MD5 48949aa2d439216961e2d48e2c14821e
SHA1 3d7d8981b8fa107ad9974f41dfc640d4bc9d2a6e
SHA256 28958225e65bc7fdfed593ed7719558c5086b4ebf008135b0f239adeeab71343
SHA512 0ce0c2b62afcd50af6b4e575f26cc7d040e6120f0956f6135f7ab0f0e3ee011755add0bc6fcd8053547d7bedb5a3c58cd3e16d266e5373405787d2acb99f8c13
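The Network and Files tables in this report are whitespace-flattened, and the Domain column is silently absent for flows the sandbox could not attribute to a DNS answer. The Python below is an added example (not part of the report or of the sample) that parses both tables: it separates resolver lookups from real connections, folds the two spellings of the app data directory together, and flags paths recorded with more than one hash. The excerpts are copied from the behavioral1 tables above. Treating the Google properties as emulator background traffic is an assumption, based on their appearing in every run in this report, including the runs that fired no signature at all.

```python
"""Parse this report's flattened Network and Files tables: which hosts are
not emulator background noise, which IP-only flows lack domain attribution,
and which dropped files were recorded under one path with several hashes.
Added example for this page, not the sandbox's code; the excerpts are
copied from the behavioral1 tables."""

NETWORK_EXCERPT = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sdk.ourplay.net udp
US 98.98.103.126:443 sdk.ourplay.net tcp
US 98.98.103.126:443 sdk.ourplay.net tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
"""

FILES_EXCERPT = """\
/data/data/com.excean.gspace/.platformcache/kxqpplatform2.jar

MD5 30525875f3b40cb3317bad9cd15d44b7
SHA256 7c333097c0be419d16065b310eaa9a7d5b3b60ae4797a9060236e25845f0b363

/data/data/com.excean.gspace/.platformcache/main.jar

SHA256 de6b351b54176858e1b1a3263509a936b677758ba375d4de40b0b42139bcdb6e

/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar

SHA256 ef388bdcb59deac7449972450cf99a7784aab5d9b61f721974a42a15b5cb059c

/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar

SHA256 b9455514624c8519a5e16aac00fdfd04bf7d61805ce97ae8d9f2c54389d7fccf
"""

# Assumption: Google properties reached by every run here (Play, analytics,
# safebrowsing, apis) are the emulator's own traffic, not the sample's.
NOISE_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com",
                  "googleusercontent.com", "google-analytics.com",
                  "doubleclick.net", "google.co.uk")
INFRA_HOSTS = {"224.0.0.251", "1.1.1.1"}  # mDNS multicast, sandbox resolver

def parse_network(text):
    """Rows read 'Country Destination [Domain] Proto'; Domain is simply absent
    when the sandbox could not tie the flow to a DNS answer."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def classify_destinations(rows):
    """Key flows by domain when known, else by IP; count resolver lookups apart
    from connections so a name seen only in DNS is not taken as contacted."""
    out = {}
    for r in rows:
        if r["domain"] is None and r["host"] in INFRA_HOSTS:
            continue  # bare mDNS / resolver chatter with nothing to attribute
        key = r["domain"] or r["host"]
        if r["domain"] is None:
            category = "unresolved"
        elif any(key == s or key.endswith("." + s) for s in NOISE_SUFFIXES):
            category = "noise"
        else:
            category = "review"
        entry = out.setdefault(key, {"category": category, "lookups": 0,
                                     "connections": 0, "ips": set()})
        if r["host"] in INFRA_HOSTS and r["port"] == 53:
            entry["lookups"] += 1
        else:
            entry["connections"] += 1
            entry["ips"].add(r["host"])
    return out

def canonical(path):
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg>: one directory."""
    prefix = "/data/data/"
    return "/data/user/0/" + path[len(prefix):] if path.startswith(prefix) else path

def parse_files(text):
    """Map each canonical path to every SHA-256 the report recorded for it."""
    hashes, path = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            path = canonical(line.strip())
            hashes.setdefault(path, [])
        elif line.startswith("SHA256 ") and path:
            hashes[path].append(line.split(maxsplit=1)[1])
    return hashes

def rewritten_files(hashes):
    """Paths with more than one distinct hash changed during the run."""
    return {p: h for p, h in hashes.items() if len(set(h)) > 1}
```

Calling classify_destinations(parse_network(NETWORK_EXCERPT)) leaves exactly one host in the "review" category, sdk.ourplay.net (one lookup, two connections to 98.98.103.126), one IP-only flow as "unresolved" (216.58.201.110, which no row ties to a name), and the mDNS row dropped; rewritten_files(parse_files(FILES_EXCERPT)) returns only kxqpplatform2.jar, with three distinct hashes, while main.jar with its single hash is not flagged. The same two functions run unchanged over the full tables of any other run in this report.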

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x64-arm64-20240611.1-en

Max time kernel

8s

Max time network

169s

Command Line

com.exce.wv

Signatures

N/A

Processes

com.exce.wv

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp | 1
GB | 172.217.16.238:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.46:443 | android.apis.google.com | tcp | 1
GB | 216.58.201.100:443 | - | tcp | 2
GB | 142.250.180.14:443 | - | tcp | 1
GB | 216.58.204.66:443 | - | tcp | 1
GB | 216.58.212.202:443 | - | tcp | 1

Files

/storage/emulated/0/.com.excean.gspace/extra/appeal.js

MD5 2b6f75369a538f32a5fe05c7f7bf58e0
SHA1 b815647b31036750d297befee6b39c8da850da13
SHA256 0ed39c90cbead0197ad28adffbb974c8de89f3394924bb94a46a92d8b5d51849
SHA512 58831cf38a1ff62b4f5dbe4f7381872325ecebe387d5a641e2f44c901a52c80c0470389634aea30715f1a7ef33d94f54973a9dfbb006133b9de78739de6d1880

/storage/emulated/0/.com.excean.gspace/extra/hook.js

MD5 efbf2777c999ee119498d4368fad00d0
SHA1 c2f40d259c0f9f04ddc391984d507dfde4b7eea8
SHA256 dc0c8c17bbd348712faa43049b09db318e870941beb8f4e2bd8b80cea2f77ea2
SHA512 40f963374f5dd3846b86452e8675b378d15941d8f36b9a92bd9a311629fe5f807c08484b1c854da58da06b5b26e94860311de018c2f561ef96bd99090453f7e4

/storage/emulated/0/.com.excean.gspace/extra/login.js

MD5 8069a5fc01af56b924e42d1d4619209e
SHA1 252c63dccdb2f2920ddb125ad1caa4e7a86793f4
SHA256 eb738b475786d34094bf6697fbc74b6186829ddb3beea0eba2ce520dba6fc7d6
SHA512 882b277e899619c50eff23dcce4ce3f13fd3b6d17459f7e56539cb2e2954179c43f26aafe36ee32edf1e5d4ee8bf99e08acf04edc0f8b2795fea8cee640c26ad

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-17 23:59

Reported

2024-06-18 00:03

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

154s

Command Line

com.excean.safetynet

Signatures

N/A

Processes

com.excean.safetynet

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | - | udp | 1
GB | 216.58.204.78:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.238:443 | android.apis.google.com | tcp | 1

Files

N/A