Analysis Overview
SHA256
3f8f6d307ff497b21fa48ecef396bd76e632f2fc7ac3a2f6963d737a9d5608bf
Threat Level: Likely malicious
The file bbc39f755b123ae1d1a2f8ed279badd3_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries information about running processes on the device
Loads dropped Dex/Jar
Requests cell location
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Listens for changes in the sensor environment (might be used to detect emulation)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks memory information
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 11:47
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 11:47
Reported
2024-06-18 11:50
Platform
android-x86-arm-20240611.1-en
Max time kernel
8s
Max time network
131s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.mobile.kadian/mix.dex | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation)
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.mobile.kadian
/system/bin/sh -c getprop ro.board.platform
sh -c getprop ro.yunos.version
getprop ro.board.platform
getprop ro.yunos.version
/system/bin/sh -c type su
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.mobile.kadian/mix.dex --output-vdex-fd=50 --oat-fd=53 --oat-location=/data/data/com.mobile.kadian/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
com.mobile.kadian:pushcore
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.bugly.qq.com | udp |
| CN | 119.147.179.152:80 | android.bugly.qq.com | tcp |
| US | 1.1.1.1:53 | log.umsns.com | udp |
| CN | 59.82.29.162:443 | log.umsns.com | tcp |
| US | 1.1.1.1:53 | cloud.xdrig.com | udp |
| US | 1.1.1.1:53 | i.tddmp.com | udp |
| CN | 116.198.14.3:443 | cloud.xdrig.com | tcp |
| CN | 116.196.71.30:80 | i.tddmp.com | tcp |
| GB | 142.250.187.206:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | N/A | tcp |
Files
/data/data/com.mobile.kadian/databases/bugly_db_legu-journal
/data/data/com.mobile.kadian/databases/bugly_db_legu
/data/data/com.mobile.kadian/databases/bugly_db_legu-shm
/data/data/com.mobile.kadian/databases/bugly_db_legu-wal
/data/data/com.mobile.kadian/mix.dex
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 11:47
Reported
2024-06-18 11:50
Platform
android-33-x64-arm64-20240611.1-en
Max time kernel
9s
Max time network
180s
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/data/com.mobile.kadian/mix.dex | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.mobile.kadian
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.36:443 | N/A | udp |
| GB | 172.217.169.36:443 | N/A | tcp |
| BE | 173.194.76.188:5228 | N/A | tcp |
| GB | 172.217.16.228:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 216.58.212.234:443 | N/A | udp |
| GB | 216.58.212.234:443 | N/A | tcp |
| GB | 216.58.212.195:443 | N/A | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 172.217.169.42:443 | remoteprovisioning.googleapis.com | tcp |
| US | 162.159.61.3:443 | N/A | tcp |
| GB | 216.58.212.227:443 | N/A | tcp |
| US | 162.159.61.3:443 | N/A | udp |
| GB | 216.58.212.227:443 | N/A | udp |
| GB | 142.250.179.228:443 | N/A | udp |
| GB | 142.250.179.228:443 | N/A | tcp |
Files
/data/user/0/com.mobile.kadian/databases/bugly_db_legu-journal
/data/user/0/com.mobile.kadian/databases/bugly_db_legu
/data/data/com.mobile.kadian/mix.dex
/data/user/0/com.mobile.kadian/app_bugly/tomb_1718711277549.txt
/data/user/0/com.mobile.kadian/app_bugly/rqd_record.eup