Malware Analysis Report

Generated: 2024-10-19 13:10

Sample ID: 240618-sq294stcql
Target: bca25b8062ae19ae2822e3384618ec32_JaffaCakes118
SHA256: 1efdfec67614e4aef41aaf0a24c9feb2acbcb9ee6334428df2c36974464e8dba
Tags: discovery, evasion, collection, credential_access, impact
Score: 7/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK (Mobile Matrix V15)
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 7/10

SHA256: 1efdfec67614e4aef41aaf0a24c9feb2acbcb9ee6334428df2c36974464e8dba

Threat Level: Shows suspicious behavior

The file bca25b8062ae19ae2822e3384618ec32_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, evasion, collection, credential_access, impact

Obtains sensitive information copied to the device clipboard

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Acquires the wake lock

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-18 15:20

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 15:20
Reported: 2024-06-18 15:24
Platform: android-x86-arm-20240611.1-en
Max time kernel: 8s
Max time network: 137s

Command Line

com.joycity.god

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.joycity.god

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | stats.unity3d.com | udp
US | 1.1.1.1:53 | control.kochava.com | udp
US | 107.178.254.148:443 | control.kochava.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-18 15:20
Reported: 2024-06-18 15:24
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 179s
Max time network: 132s

Command Line

com.joycity.god

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.joycity.god

Network

Country | Destination | Domain | Proto
GB | 172.217.16.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | stats.unity3d.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | control.kochava.com | udp
US | 107.178.254.148:443 | control.kochava.com | tcp
US | 1.1.1.1:53 | gbranch.joycityplay.com | udp
US | 1.1.1.1:53 | imp.valuepotion.com | udp
US | 1.1.1.1:53 | analytics.valuepotion.com | udp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp

Files

/storage/emulated/0/Android/data/com.joycity.god/Exceptions/2024-06-18___31941___1521165807___C_SetJoypleGlobalInfoSdkConfigc__AnonStorey1B1.m__AC(Boolean, String) (deleted)

MD5: 950c27f7758337b73bcf6db6f20486e9
SHA1: 0102fd690e498f26b54c651fc35308d4dd489d5e
SHA256: 957123d5dd0e89b54a3ab3e43c3997592868c27e0b955fc6346e4a734c6a9e2c
SHA512: 9e5f5a58a2c3faa584b49a7ff0dfeb0d91620aa08a719bdb36fa13a58a4971698552c4e7f3a5bd301587de68df1d0c42dfe84c73f4a96e0f66e7f7ef0783a135