Malware Analysis Report

2025-01-19 04:51

Sample ID 240618-grepnavckr
Target bb07d855a3fcf8c736a5fda57b7348ee_JaffaCakes118
SHA256 ab59bada13df46154a1037dd610d9306d70fc599731b0986b6d01f146a78c3f3
Tags
collection discovery impact persistence
score
7/10


Analysis Overview

score
7/10

SHA256

ab59bada13df46154a1037dd610d9306d70fc599731b0986b6d01f146a78c3f3

Threat Level: Shows suspicious behavior

The file bb07d855a3fcf8c736a5fda57b7348ee_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery impact persistence

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Reads the content of photos stored on the user's device.

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-06-18 06:02

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 06:02

Reported

2024-06-18 06:05

Platform

android-x64-arm64-20240611.1-en

Max time kernel

125s

Max time network

132s

Command Line

com.skyworth.skyclientcenter

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the content of photos stored on the user's device.

collection
Description Indicator Process Target
URI accessed for read content://media/external/images/media N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.skyworth.skyclientcenter

Network

Country Destination Domain Proto
GB 142.250.187.206:443 N/A tcp
GB 142.250.187.206:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
GB 172.217.16.234:443 N/A tcp
GB 172.217.16.234:443 N/A tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 video.tc.skysrt.com udp
CN 111.230.188.72:80 video.tc.skysrt.com tcp
US 1.1.1.1:53 config.inmobi.com udp
US 20.39.59.188:80 config.inmobi.com tcp
CN 111.230.188.72:80 video.tc.skysrt.com tcp
US 1.1.1.1:53 video.tc.skysrt.com udp
CN 111.230.188.72:80 video.tc.skysrt.com tcp
GB 142.250.179.228:443 N/A tcp
GB 142.250.179.228:443 N/A tcp
US 1.1.1.1:53 video.tc.skysrt.com udp
CN 111.230.188.72:80 video.tc.skysrt.com tcp

Files

/data/user/0/com.skyworth.skyclientcenter/databases/com.im.db-journal

/data/user/0/com.skyworth.skyclientcenter/databases/com.im.db

/data/data/com.skyworth.skyclientcenter/databases/cc/cc.db-journal

/data/data/com.skyworth.skyclientcenter/databases/cc/cc.db

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 06:02

Reported

2024-06-18 06:05

Platform

android-x86-arm-20240611.1-en

Max time kernel

125s

Max time network

137s

Command Line

com.skyworth.skyclientcenter

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Reads the content of photos stored on the user's device.

collection
Description Indicator Process Target
URI accessed for read content://media/external/images/media N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.skyworth.skyclientcenter

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 video.tc.skysrt.com udp
CN 111.230.188.72:80 video.tc.skysrt.com tcp
N/A 239.253.0.1:1980 N/A udp
N/A 255.255.255.255:1980 N/A udp
N/A 239.253.0.1:1980 N/A udp
N/A 255.255.255.255:1980 N/A udp
N/A 239.253.0.1:1979 N/A udp
US 1.1.1.1:53 config.inmobi.com udp
US 20.39.59.188:80 config.inmobi.com tcp
CN 111.230.188.72:80 video.tc.skysrt.com tcp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 video.tc.skysrt.com udp
CN 111.230.188.72:80 video.tc.skysrt.com tcp
GB 216.58.212.202:443 N/A tcp
US 1.1.1.1:53 video.tc.skysrt.com udp
CN 111.230.188.72:80 video.tc.skysrt.com tcp

Files

/data/data/com.skyworth.skyclientcenter/databases/com.im.db-journal

/data/data/com.skyworth.skyclientcenter/databases/com.im.db

/data/data/com.skyworth.skyclientcenter/databases/com.im.db-shm

/data/data/com.skyworth.skyclientcenter/databases/com.im.db-wal

/data/data/com.skyworth.skyclientcenter/databases/cc/cc.db-journal

/data/data/com.skyworth.skyclientcenter/databases/cc/cc.db

/data/data/com.skyworth.skyclientcenter/databases/cc/cc.db-wal