Analysis Overview
SHA256
51231955a19a1fc3b7ba77c8bcb7ca456f66cdba32696b3c1b98fe7144e56d99
Threat Level: Shows suspicious behavior
The file bccb647da9a26caa5333317a445ca15c_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Obtains sensitive information copied to the device clipboard
Queries the mobile country code (MCC)
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 16:02
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
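The static1 table lists WRITE_EXTERNAL_STORAGE and REQUEST_INSTALL_PACKAGES twice each. Whether that reflects duplicate `<uses-permission>` entries in the manifest is worth confirming (for example with `aapt dump permissions` on the APK), because a repackaged app with a merged manifest often shows exactly that. The script below is an added example, not tooling from the sandbox vendor: it parses a decoded (apktool-style) manifest, separates runtime-prompt ("dangerous") permissions from the package-installer permission, and reports duplicates. `SAMPLE_MANIFEST` is constructed to declare the permissions from the table above, plus `android.permission.INTERNET`, which the report does not list and is assumed here only to exercise the "other" bucket.

```python
"""Triage <uses-permission> declarations in a decoded AndroidManifest.xml.

Added example for this report. SAMPLE_MANIFEST is constructed from the
static1 permission table; INTERNET is an assumption not taken from the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's Clark notation for android:name

# Subset of permissions with protectionLevel "dangerous" (runtime prompt).
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Not "dangerous" by protection level, but lets the app hand a user-supplied
# APK to the package installer (sideloading / dropper behaviour).
INSTALLER = {"android.permission.REQUEST_INSTALL_PACKAGES"}

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.wzrjcsdrz">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <!-- assumed: not in the static1 list, included to exercise the 'other' bucket -->
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="app"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every <uses-permission android:name> value in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def triage_permissions(manifest_xml):
    """Bucket declared permissions and flag names declared more than once."""
    perms = declared_permissions(manifest_xml)
    unique = list(dict.fromkeys(perms))  # de-duplicate, keep first-seen order
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "dangerous": [p for p in unique if p in DANGEROUS],
        "installer": [p for p in unique if p in INSTALLER],
        "duplicates": sorted({p for p in perms if perms.count(p) > 1}),
        "other": [p for p in unique if p not in DANGEROUS | INSTALLER],
    }


if __name__ == "__main__":
    for bucket, names in triage_permissions(SAMPLE_MANIFEST).items():
        print(f"{bucket}: {names}")
```

The `android:` prefix must be resolved through the namespace URI rather than matched literally, because apktool and other decoders are free to pick a different prefix; `NAME_ATTR` handles that. The duplicate check is deliberately separate from the buckets so that a double declaration still shows up even when the permission itself is benign.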
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 16:02
Reported
2024-06-18 16:05
Platform
android-x86-arm-20240611.1-en
Max time kernel
105s
Max time network
186s
Signatures
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.wzrjcsdrz
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | 360stat.org | udp |
| US | 1.1.1.1:53 | checksum.cc | udp |
| US | 1.1.1.1:53 | qq.com | udp |
| HK | 203.205.254.157:80 | qq.com | tcp |
| HK | 203.205.254.157:80 | qq.com | tcp |
| US | 1.1.1.1:53 | xgbox.25lm.cn | udp |
| US | 1.1.1.1:53 | www.qq.com | udp |
| US | 1.1.1.1:53 | www.vizy8.cn | udp |
| US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp |
| HK | 107.148.12.130:80 | checksum.cc | tcp |
| HK | 107.148.12.130:80 | checksum.cc | tcp |
| US | 1.1.1.1:53 | log-report.com | udp |
| US | 104.21.75.58:80 | log-report.com | tcp |
| HK | 107.148.12.130:80 | checksum.cc | tcp |
| DE | 43.175.60.134:443 | www.qq.com | tcp |
| DE | 43.175.60.134:443 | www.qq.com | tcp |
| US | 1.1.1.1:53 | mat1.gtimg.com | udp |
| US | 1.1.1.1:53 | inews.gtimg.com | udp |
| US | 1.1.1.1:53 | xw.qq.com | udp |
| GB | 23.215.228.198:443 | inews.gtimg.com | tcp |
| GB | 23.215.228.198:443 | inews.gtimg.com | tcp |
| NL | 43.152.43.24:443 | mat1.gtimg.com | tcp |
| NL | 43.152.43.24:443 | mat1.gtimg.com | tcp |
| NL | 43.152.43.24:443 | mat1.gtimg.com | tcp |
| NL | 43.152.43.24:443 | mat1.gtimg.com | tcp |
| GB | 23.215.228.198:443 | inews.gtimg.com | tcp |
| US | 172.67.214.214:80 | log-report.com | tcp |
| US | 172.67.214.214:80 | log-report.com | tcp |
| US | 1.1.1.1:53 | staticfile.qq.com | udp |
| HK | 107.148.12.130:80 | checksum.cc | tcp |
| SE | 43.152.140.54:443 | staticfile.qq.com | tcp |
| SE | 43.152.140.54:443 | staticfile.qq.com | tcp |
| SE | 43.152.140.54:443 | staticfile.qq.com | tcp |
| US | 1.1.1.1:53 | xgbox.25lm.cn | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | static.tinyadx.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp |
| US | 172.67.214.214:80 | log-report.com | tcp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 142.250.187.202:443 | safebrowsing.googleapis.com | tcp |
| US | 1.1.1.1:53 | xw.qq.com | udp |
| US | 1.1.1.1:53 | xw.qq.com | udp |
| DE | 43.175.60.134:443 | xw.qq.com | tcp |
| DE | 43.175.60.134:443 | xw.qq.com | tcp |
| US | 1.1.1.1:53 | i.news.qq.com | udp |
| DE | 43.175.60.134:443 | i.news.qq.com | tcp |
| DE | 43.175.60.134:443 | i.news.qq.com | tcp |
| US | 1.1.1.1:53 | tun-cos-1258344701.file.myqcloud.com | udp |
| US | 1.1.1.1:53 | vfiles.gtimg.cn | udp |
| CN | 112.84.131.219:443 | tun-cos-1258344701.file.myqcloud.com | tcp |
| CN | 112.84.131.219:443 | tun-cos-1258344701.file.myqcloud.com | tcp |
| NL | 43.152.43.24:443 | vfiles.gtimg.cn | tcp |
| NL | 43.152.43.24:443 | vfiles.gtimg.cn | tcp |
| US | 1.1.1.1:53 | h.trace.qq.com | udp |
| HK | 129.226.106.225:443 | h.trace.qq.com | tcp |
| HK | 129.226.106.225:443 | h.trace.qq.com | tcp |
| HK | 129.226.106.225:443 | h.trace.qq.com | tcp |
| CN | 112.84.131.219:443 | tun-cos-1258344701.file.myqcloud.com | tcp |
| CN | 42.177.83.115:443 | tun-cos-1258344701.file.myqcloud.com | tcp |
| CN | 42.177.83.115:443 | tun-cos-1258344701.file.myqcloud.com | tcp |
| CN | 42.177.83.115:443 | tun-cos-1258344701.file.myqcloud.com | tcp |
Files
/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt
| MD5 | d8c3cf1f7289b3418d471b1fd04cc7c8 |
| SHA1 | 2f5d5cd2979eb701e9d08f20e4f2eb51fee6c79b |
| SHA256 | c69f56288539e7dea4acacd899642a6cbf9e410c1c3ee3b31d2d0e1ad16faaf9 |
| SHA512 | e7e842661c5c2a490b41782e652dc27dc070506d58535bccd5ba74102caddef359e39ce7c3347cf717527174fd78b1971e1da1ac77668c69190fa676ba88b8ab |
/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt
| MD5 | e4f22496c7876af4630bf325a9ad642f |
| SHA1 | a64c33431a60ab546b71211374feb1864e36f447 |
| SHA256 | 3d5ebd95b6256956cb14ec8a51bf0557b60ba464cf79eb4ce9596eaa20d42c7c |
| SHA512 | 1834a551a275735193bb8b2149fc4b90a33e4123e7ceb6e9dd7e88ce28a08fdd61d8bcab4e2037eb160e3fbd9d00f5815cfd38a782e0210bcbaff35e05aa5fe7 |
/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt
| MD5 | e350865c16447f0e677edfbfc2cca6f5 |
| SHA1 | aa0874bc1792bbd32ecaefa8659bff1b9cab2d24 |
| SHA256 | 8653979cea9633440c61e4ef98cbd3f6d65e29b6b27b786ed167831f235d83fc |
| SHA512 | 1ec804caebb2808106b2319cd17020f54a3f02f9b0d458d6e8fc673a0393d246816fdc6e9d41325f045e3d89d2dc6dcdbc2ddd5887e2ba3c3f1507d2ccc01ba3 |
/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt
| MD5 | 43d2ee2984cea326b24fb99f835a683a |
| SHA1 | 2d9fcc209ee901ff830a2a565a9d5f3640e00dbf |
| SHA256 | 45a1f492218154aeb4af6063575845c2ed37717260f8f641269afe56254fcef4 |
| SHA512 | e5fbd11755a2376df015f1211ee27bde0f49d133b0ef0e006b89f4c1f3773bd7227097c8b19bd573ad47523c96b55fe54a4ca0c8674a97b7f2721eea643792e9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 16:02
Reported
2024-06-18 16:05
Platform
android-x64-arm64-20240611.1-en
Max time kernel
123s
Max time network
178s
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.wzrjcsdrz
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.234:443 | | tcp |
| GB | 216.58.212.234:443 | | tcp |
| US | 1.1.1.1:53 | 360stat.org | udp |
| US | 1.1.1.1:53 | checksum.cc | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | xgbox.25lm.cn | udp |
| US | 1.1.1.1:53 | qq.com | udp |
| CN | 123.150.76.218:80 | qq.com | tcp |
| CN | 123.150.76.218:80 | qq.com | tcp |
| US | 1.1.1.1:53 | www.vizy8.cn | udp |
| HK | 107.148.12.130:80 | checksum.cc | tcp |
| HK | 107.148.12.130:80 | checksum.cc | tcp |
| US | 1.1.1.1:53 | static.tinyadx.com | udp |
| US | 1.1.1.1:53 | log-report.com | udp |
| US | 1.1.1.1:53 | log-report.com | udp |
| US | 1.1.1.1:53 | log-report.com | udp |
| US | 1.1.1.1:53 | log-report.com | udp |
| US | 172.67.214.214:80 | log-report.com | tcp |
| US | 172.67.214.214:80 | log-report.com | tcp |
| CN | 123.150.76.218:80 | qq.com | tcp |
| GB | 216.58.212.196:443 | | tcp |
| GB | 216.58.212.196:443 | | tcp |
| CN | 113.108.81.189:80 | qq.com | tcp |
| CN | 113.108.81.189:80 | qq.com | tcp |
| CN | 113.108.81.189:80 | qq.com | tcp |
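Both network tables (behavioral1 above and behavioral2 here) mix three kinds of rows: DNS lookups to the sandbox resolver at 1.1.1.1:53, TCP connections with a correlated hostname, and connections with no hostname at all (the 142.250.x.x and 216.58.x.x rows, which are Google address space). Several names are resolved in both runs but never appear as a connection: 360stat.org, xgbox.25lm.cn, www.vizy8.cn and static.tinyadx.com. The report does not show DNS answers, so that can mean NXDOMAIN in the sandbox, a failed connect, or a connection outside the capture window; it is an observation to follow up, not a conclusion. The script below is an added example, not output of the sandbox: `ROWS` reproduces a subset of the rows from both tables, and it splits lookups from connections, lists names that were resolved but never contacted, and lists hosts reached over cleartext HTTP. `PLATFORM_SUFFIXES` is an assumption that traffic to Google service hostnames is Play services background noise rather than the sample's own.

```python
"""Triage a sandbox network table: lookups vs. connections, resolved-only
names, cleartext HTTP, and endpoints with no hostname.

Added example for this report. ROWS is a subset copied from the behavioral1
and behavioral2 Network tables as (Country, Destination, Domain, Proto).
"""
from collections import defaultdict

ROWS = [
    # behavioral1 (android-x86-arm-20240611.1-en)
    ("GB", "142.250.180.14:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "1.1.1.1:53", "360stat.org", "udp"),
    ("US", "1.1.1.1:53", "checksum.cc", "udp"),
    ("US", "1.1.1.1:53", "qq.com", "udp"),
    ("HK", "203.205.254.157:80", "qq.com", "tcp"),
    ("HK", "203.205.254.157:80", "qq.com", "tcp"),
    ("US", "1.1.1.1:53", "xgbox.25lm.cn", "udp"),
    ("US", "1.1.1.1:53", "www.vizy8.cn", "udp"),
    ("US", "1.1.1.1:53", "safebrowsing.googleapis.com", "udp"),
    ("HK", "107.148.12.130:80", "checksum.cc", "tcp"),
    ("US", "1.1.1.1:53", "log-report.com", "udp"),
    ("US", "104.21.75.58:80", "log-report.com", "tcp"),
    ("US", "172.67.214.214:80", "log-report.com", "tcp"),
    ("GB", "142.250.187.202:443", "safebrowsing.googleapis.com", "tcp"),
    ("US", "1.1.1.1:53", "static.tinyadx.com", "udp"),
    ("CN", "112.84.131.219:443", "tun-cos-1258344701.file.myqcloud.com", "tcp"),
    # behavioral2 (android-x64-arm64-20240611.1-en)
    ("US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
    ("GB", "142.250.187.200:443", "ssl.google-analytics.com", "tcp"),
    ("CN", "123.150.76.218:80", "qq.com", "tcp"),
]

# Assumption: hostnames under these suffixes are platform / Play services
# background traffic, not attributable to the sample itself.
PLATFORM_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com")


def split_destination(dest):
    """'1.1.1.1:53' -> ('1.1.1.1', 53)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def summarize(rows):
    lookups = set()                 # names sent to the resolver
    contacted = defaultdict(set)    # domain -> {(ip, port)}
    unnamed = set()                 # (ip, port) rows with no correlated hostname
    for _country, dest, domain, proto in rows:
        ip, port = split_destination(dest)
        if proto == "udp" and port == 53:
            lookups.add(domain)
        elif proto == "udp" and port == 5353:
            continue  # mDNS to 224.0.0.251: local service discovery, ignore
        elif domain:
            contacted[domain].add((ip, port))
        else:
            unnamed.add((ip, port))
    return {
        "resolved_only": sorted(d for d in lookups if d not in contacted),
        "cleartext_http": sorted(d for d, eps in contacted.items()
                                 if any(p == 80 for _, p in eps)),
        "sample_domains": sorted(d for d in lookups | set(contacted) if not is_platform(d)),
        "unnamed_endpoints": sorted(unnamed),
        "endpoints": {d: sorted(eps) for d, eps in contacted.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(ROWS), indent=2))
```

Run it on the full tables by pasting every row into `ROWS`. The `unnamed_endpoints` bucket is the one to check by hand: a 443 connection with no hostname has no DNS row to correlate against in this capture, so the only way to attribute it is the TLS SNI from the pcap, which the report does not include.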
Files
/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt (deleted)
| MD5 | b3ce0b79b46a29ef575a12d74e172902 |
| SHA1 | fbd04ccbdce1bf7dd8a957c7cf967206057b6b9b |
| SHA256 | eeb3b3811602ca37f16f35d868ae9365b0f47f6a5652129ade5f46f73a6af618 |
| SHA512 | ee3744848c7bb6438369e076cebe872c705ec53bfe85f6e20d0654f8fa74f36e27b833363c560cf5b3e9217d82d2f012a6ccf30a8897b2c480104c06b6d89964 |
/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt
| MD5 | a7b036474694e3198ecf7d818564284a |
| SHA1 | 846a492566b99164019c48bfdaf4716f07a05690 |
| SHA256 | a71e44bc1a7a0fa42238382ac701b7ee491a7d84cadcddad4e8809e8f581d6d6 |
| SHA512 | 69048db99eb646e06b4d18abcce5ac8e21295c70cff2294bdef192ba585f83b4b4114f22bd75cb0da02f32cfd148321e6bb86092199be369e27a5f6b7ea52f25 |