Analysis Overview
SHA256
6ffee7d16d48d1eb6472db7fc48f42f0423bfa791dab14c0f364cc85cbcf2ecb
Threat Level: Shows suspicious behavior
The file 531469fedd0085f4d2471cbe11b53b38_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Loads dropped Dex/Jar
Reads information about phone network operator.
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 18:29
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 18:29
Reported
2024-10-17 18:31
Platform
android-x86-arm-20240624-en
Max time kernel
4s
Max time network
130s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /storage/emulated/0/Android/data/wu/cu.zip | N/A | N/A |
| N/A | /storage/emulated/0/Android/data/wu/cu.zip | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Reads information about phone network operator.
Processes
com.android.liulingwu
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/wu/cu.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/storage/emulated/0/Android/data/wu/oat/x86/cu.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.204.78:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
/storage/emulated/0/Android/data/wu/cu.zip
| MD5 | 27767da9a20e0c7944d7c61dff416cf0 |
| SHA1 | f801cb3cbd26f526c2905fa77f4678217076685c |
| SHA256 | 1eb0b938c3a1b0008b289c53d0db83731119ad26066a1aea3f565908b95216b3 |
| SHA512 | 0ffaacb3d917d133ffcf0418f8b2e4ae3e9a2a6028c44a7c4f1427185d9cce078bc364925f1507a8be5626edd8cc72bc01edba3851bbbe5c6f810a7e7beb3ebc |
/storage/emulated/0/Android/data/wu/cu.zip
| MD5 | fcfd1aa04d087b04919326dea53bdc8e |
| SHA1 | 9ca95ef4ae5d69d98526c52596771aaacb462b64 |
| SHA256 | c635ecd002b8e136b813ed7d79e451ecd758137e9319a6a1a11f8339f772267c |
| SHA512 | f142596fdb19a1719ede2ef1f5f44367ddd3c759468871db82b476a93a49231f467e9778694fe1766338b84c6c6b383a518ace39ac691e1f974f9878a788f944 |