Analysis Overview
SHA256
aae892b25535148adf57cbd96b8347975efe6ae836de5b87478aedf9680382e1
Threat Level: Shows suspicious behavior
The file 52a154f5d9b73a9588885d8c80eb71f5_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 16:30
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 16:30
Reported
2024-10-17 16:33
Platform
android-x86-arm-20240624-en
Max time kernel
5s
Max time network
130s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /storage/emulated/0/Android/data/ix/cx.zip | N/A | N/A |
| N/A | /storage/emulated/0/Android/data/ix/cx.zip | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Processes
com.android.pentatonix
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/ix/cx.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/storage/emulated/0/Android/data/ix/oat/x86/cx.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/storage/emulated/0/Android/data/ix/cx.zip
| MD5 | 1d24c7d268ae6540d944380b8b1b7559 |
| SHA1 | ee43adcc1048aa9004e86046162c96404e0fdde3 |
| SHA256 | cfd31401bcf91d208184198176c0a21dab03d1c887c9e1872f74282c42edc0c0 |
| SHA512 | 5a815a813bbdfca467f9d7340f382c2a000cb1d2732dc5f44fae7822bd9e37edd8c0bb0966caa8b95fa09a01f56dd95dc2d70d27cad2e295395c492119db5f53 |
/storage/emulated/0/Android/data/ix/cx.zip
| MD5 | cfe3ab8a8114241a7be7cf2fc3a13bdf |
| SHA1 | d57e0e7e420784900592c11c179ab39fb4c8e216 |
| SHA256 | 4dbd0312934b1570ca10c8ece61c3af2f6dc8095f283eb8a336234c44a201552 |
| SHA512 | 6efd0c5a109fe2da73b2f4d5f2a3c8fb556e08ebd44658f13b6a820edbded0fb1cb7060623fa3c900ef889fbc330a39a06ed9ca80e3ba78fb89917a435d7fe77 |