Malware Analysis Report

2024-10-19 13:10

Sample ID 240618-mwehcathqp
Target bb876861f133a5ecd283d674933c796f_JaffaCakes118
SHA256 8dedafc31a1eb5c9597faa3e3a8ec898f11d12380c4f44b2494cf13211042585
Tags
discovery impact persistence collection credential_access
score
7/10

Analysis Overview

score
7/10

SHA256

8dedafc31a1eb5c9597faa3e3a8ec898f11d12380c4f44b2494cf13211042585

Threat Level: Shows suspicious behavior

The file bb876861f133a5ecd283d674933c796f_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact persistence collection credential_access

Obtains sensitive information copied to the device clipboard

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 10:48

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-18 10:48

Reported

2024-06-18 10:51

Platform

android-x64-arm64-20240611.1-en

Max time kernel

8s

Max time network

133s

Command Line

cn.emagsoftware.gamehall

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

cn.emagsoftware.gamehall

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
GB 142.250.179.234:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp

Files

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache-journal

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 10:48

Reported

2024-06-18 10:51

Platform

android-x86-arm-20240611.1-en

Max time kernel

19s

Max time network

132s

Command Line

mr.midlet.tafang1.gbox

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

mr.midlet.tafang1.gbox

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 omsjf.cmgame.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp

Files

/data/data/mr.midlet.tafang1.gbox/databases/recordstoredb-journal

/data/data/mr.midlet.tafang1.gbox/databases/recordstoredb

/data/data/mr.midlet.tafang1.gbox/databases/recordstoredb-shm

/data/data/mr.midlet.tafang1.gbox/databases/recordstoredb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 10:48

Reported

2024-06-18 10:51

Platform

android-x64-20240611.1-en

Max time kernel

51s

Max time network

152s

Command Line

mr.midlet.tafang1.gbox

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

mr.midlet.tafang1.gbox

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 omsjf.cmgame.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.16.226:443 tcp
GB 142.250.178.14:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
GB 172.217.169.46:443 tcp

Files

/data/data/mr.midlet.tafang1.gbox/databases/recordstoredb-journal

/data/data/mr.midlet.tafang1.gbox/databases/recordstoredb

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 10:48

Reported

2024-06-18 10:51

Platform

android-x64-arm64-20240611.1-en

Max time kernel

20s

Max time network

131s

Command Line

mr.midlet.tafang1.gbox

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

mr.midlet.tafang1.gbox

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 omsjf.cmgame.com udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/user/0/mr.midlet.tafang1.gbox/databases/recordstoredb-journal

/data/user/0/mr.midlet.tafang1.gbox/databases/recordstoredb

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 10:48

Reported

2024-06-18 10:51

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

142s

Command Line

cn.emagsoftware.gamehall

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

cn.emagsoftware.gamehall

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp

Files

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

/data/data/cn.emagsoftware.gamehall/databases/GameCache

/data/data/cn.emagsoftware.gamehall/databases/GameCache-shm

/data/data/cn.emagsoftware.gamehall/databases/GameCache-wal

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-18 10:48

Reported

2024-06-18 10:51

Platform

android-x64-20240611.1-en

Max time kernel

8s

Max time network

154s

Command Line

cn.emagsoftware.gamehall

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

cn.emagsoftware.gamehall

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.200.46:443 tcp
GB 216.58.212.238:443 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

/data/data/cn.emagsoftware.gamehall/databases/GameCache