Analysis Overview
SHA256
d35ccc58e26691df745531bb9ac636c6715c89c842eccfc023a57fee4cbe27ce
Threat Level: Shows suspicious behavior
The file 5781188cae90337bec12ae0e353e5b4b_JaffaCakes118 was classified as: Shows suspicious behavior. No single signature in this report reaches a malicious verdict; the flagged activity is reconnaissance (installed apps, Wi-Fi and data network state, operator and device identifiers) plus requests for dangerous permissions.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current nearby Wi-Fi networks
Queries information about active data network
Queries information about the current Wi-Fi connection
Reads information about phone network operator.
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 12:43
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
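The three permissions above are all in Android's "dangerous" protection level, so a user must grant them at runtime; what they actually yield depends on the OS version and the app's targetSdkVersion. The following script is an added example, not part of this report or of the analysed APK: it audits a text-decoded AndroidManifest.xml (the form apktool emits), lists the dangerous permissions requested, and annotates the two that matter here. The sample manifest is constructed to carry the three flagged permissions; its minSdkVersion/targetSdkVersion values are assumptions, since the report does not state them.

```python
"""Added example: audit the permissions declared in a decoded AndroidManifest.xml.

Not part of the sandbox report. The manifest below is constructed to match the
three permissions the static1 analysis flagged; the SDK versions are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
TARGET_SDK = f"{{{ANDROID_NS}}}targetSdkVersion"

# Subset of permissions whose protectionLevel is "dangerous" (runtime-granted).
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample in the form apktool writes after decoding. The package name
# is from the report; targetSdkVersion=28 is an assumption, not a reported value.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="cn.leaves.sdclean">
    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="28"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)]


def target_sdk(manifest_xml: str):
    """targetSdkVersion from <uses-sdk>, or None when the manifest omits it."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    value = sdk.get(TARGET_SDK) if sdk is not None else None
    return int(value) if value else None


def audit(manifest_xml: str) -> dict:
    """Flag dangerous permissions and note what they actually buy on current Android."""
    perms = requested_permissions(manifest_xml)
    target = target_sdk(manifest_xml)
    flagged = sorted(p for p in perms if p in DANGEROUS)
    notes = []
    if "android.permission.READ_PHONE_STATE" in flagged:
        if target is not None and target >= 29:
            notes.append("READ_PHONE_STATE: on Android 10+ getDeviceId()/getImei() throw "
                         "SecurityException for apps targeting API 29+; IMEI/MEID/IMSI "
                         "are only reachable on older OS versions")
        else:
            notes.append("READ_PHONE_STATE: on Android 10+ getDeviceId()/getImei() return "
                         "null for apps targeting API <29; the identifier query only "
                         "succeeds on older OS versions")
    if ("android.permission.WRITE_EXTERNAL_STORAGE" in flagged
            and target is not None and target >= 30):
        notes.append("WRITE_EXTERNAL_STORAGE has no effect when targeting API 30+ "
                     "(scoped storage)")
    return {"requested": perms, "dangerous": flagged, "target_sdk": target, "notes": notes}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The practical point of the notes: the "Queries the unique device ID (IMEI, MEID, IMSI)" signature seen in behavioral2 only succeeds on devices older than Android 10 regardless of the permission being granted, so a READ_PHONE_STATE request on its own is a weak indicator unless the app also targets an old SDK.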
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 12:43
Reported
2024-10-18 12:46
Platform
android-x86-arm-20240624-en
Max time kernel
7s
Max time network
130s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Processes
cn.leaves.sdclean
/system/bin/sh
ls /data/local/tmp
su
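The process list shows the app spawning /system/bin/sh to run `ls /data/local/tmp` and `su`. Listing /data/local/tmp (the directory adb pushes tools such as frida-server into) and invoking su is the pattern of a root or analysis-environment check rather than evidence of privilege escalation: in a sandbox without root, su simply fails. The script below is an added example, not from this report, that walks a process tree and reports which app processes exhibit this pattern. The pids and parent links in the sample events are assumptions; the report lists only the process names.

```python
"""Added example: spot root/analysis-environment probes in an Android process tree.

Not part of the sandbox report. The event list is constructed from the Processes
section of the behavioral1 run; pids and parent links are assumptions.
"""
import re
from collections import defaultdict

# App processes appear under their package name; everything else is a binary.
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z0-9_]+)+$")
ROOT_HELPERS = {"su", "magisk", "busybox", "daemonsu"}
# Directories commonly listed to find pushed tools or root artefacts (analyst choice).
PROBED_PATHS = ("/data/local/tmp", "/system/xbin", "/sbin")

# (pid, ppid, cmdline): constructed sample
SAMPLE_EXEC_LOG = [
    (1234, 1, "cn.leaves.sdclean"),
    (1240, 1234, "/system/bin/sh"),
    (1241, 1240, "ls /data/local/tmp"),
    (1242, 1240, "su"),
]


def build_tree(events):
    """Return (children-by-ppid, cmdline-by-pid)."""
    children, cmdline = defaultdict(list), {}
    for pid, ppid, cmd in events:
        children[ppid].append(pid)
        cmdline[pid] = cmd
    return children, cmdline


def descendants(children, pid):
    """All transitive children of pid (depth-first)."""
    stack, out = list(children[pid]), []
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children[p])
    return out


def classify(cmd):
    """Map one command line to a probe category, or None when it is unremarkable."""
    argv = cmd.split()
    if not argv:
        return None
    exe = argv[0].rsplit("/", 1)[-1]
    if exe in ROOT_HELPERS:
        return f"invokes {exe}"
    for path in PROBED_PATHS:
        if any(a.startswith(path) for a in argv):
            return f"inspects {path}"
    return None


def find_privilege_probes(events):
    """One finding per app process whose descendants probe for root or pushed tools."""
    children, cmdline = build_tree(events)
    findings = []
    for pid, cmd in cmdline.items():
        if not PACKAGE_RE.match(cmd):        # only start from app (package-named) processes
            continue
        reasons, via_shell = set(), False
        for child in descendants(children, pid):
            if cmdline[child].rsplit("/", 1)[-1] == "sh":
                via_shell = True
            reason = classify(cmdline[child])
            if reason:
                reasons.add(reason)
        if reasons:
            findings.append({"app": cmd, "pid": pid, "via_shell": via_shell,
                             "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for finding in find_privilege_probes(SAMPLE_EXEC_LOG):
        print(finding)
```

Note that behavioral2 and behavioral3 list only the app process, so the shell and su invocations were either not triggered or not captured on those images; a check that runs on one platform and not another is itself a hint that the code path is conditional on something it observed.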
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | hmma.baidu.com | udp |
| HK | 103.235.46.195:80 | hmma.baidu.com | tcp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
Files
/data/data/cn.leaves.sdclean/files/INSTALLATION
| MD5 | 8a58fed97f032f93108f9219af41d7cd |
| SHA1 | dceac5b59eda88c60ded959d6077c500a2664e9c |
| SHA256 | 21562d9a7b79cd1d9860cc4359db4e9e2a667aab5771afecc6372ab72c18f268 |
| SHA512 | c636f2ae5f4cb9df0083ff433c3b611e498926be03c37929613734c1d1bca53be78c37f8fa74d10ca3267994f33377660ccc1449aaa7fa9700818db483d49d8f |
/data/data/cn.leaves.sdclean/files/prop.properties
| MD5 | 826c5d64aad25dff6755ccd55e45126d |
| SHA1 | ab5259e84906b20d2dee7c48e25a91340514589f |
| SHA256 | 856212fa4be14edeb0747a253895bd54eae0703644ce83e6b59817341d3c1368 |
| SHA512 | e7032c1908e29b65813f6aaad3968eaf4ac99aa966a6de902558679fb233f96c08f6fccd1b7ec11292d94b3466a11d4af6cce54d168761e46f364a2c9f684112 |
/data/data/cn.leaves.sdclean/databases/db.db
| MD5 | 503d7a2603b85185ee7380b3d44242a4 |
| SHA1 | e78ad0f4a0aef74d5f4db639861c5394476a03f4 |
| SHA256 | 5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4 |
| SHA512 | d6276cd3660ec1d5163f65403652ff19a9243df31f4196638f77c155b96e1d1b00d3b0c5811cce36ff30c6d22b4576bddfde24895f6bb4d191295757bb2d6b9d |
/data/data/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | 19fbbcc1a6dc8adea99e855c8d835061 |
| SHA1 | 9d6ca2a353669daff56adc0f3c7a5f1b14e00753 |
| SHA256 | 221247f67c0a497ec55cd3198448a25fc25e6824f0722d8066ea7f41fa22cdd4 |
| SHA512 | a92fb0f4c2e7f2c89f11ac79f1074aa9a89a9840ab5c53271610494841ca9ddf542df57981124463ff6bd19acfaf360be6ff7060ac2ca15df6e0f0e764fc971e |
/data/data/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | c727c5b718fbbc0c86acca4c710570c5 |
| SHA1 | 259ebc280877ada05adae459b2550e18a986af7e |
| SHA256 | 8c79996ebaace68dee2ce614caef9de0c8788228da2451e085f277cc364b2e2a |
| SHA512 | d44776ffb528ce9ee1a88193aad38eb1621fb37fd08621323d5898663e65dc23fb7fbc322103d203bd1c51653b856fd5885ff5d4732682fa3dfbcd15c7a0e5c0 |
/data/data/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | 2d805b13f2f28dc3ca9bbcc000f49bb5 |
| SHA1 | 9eac165b4d81258fd3967cde5cc53b53b1dabcb1 |
| SHA256 | c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19 |
| SHA512 | 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 12:43
Reported
2024-10-18 12:46
Platform
android-x64-20240624-en
Max time kernel
7s
Max time network
149s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator.
Processes
cn.leaves.sdclean
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | hmma.baidu.com | udp |
| HK | 103.235.46.195:80 | hmma.baidu.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.78:443 | android.apis.google.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
Files
/data/data/cn.leaves.sdclean/files/INSTALLATION
| MD5 | f9283eaadaeaf61e9260e5b60785cbd8 |
| SHA1 | 1dc5a87f82836811ffc568f310e4c1b8154993e5 |
| SHA256 | 810eea1469407554035b3db95547b72543bc6b757bb928e49976fb7c4d9787fb |
| SHA512 | 3bc5a7529a4b5ad06aec888ef71463fa67ef75918dfee3f309a10b36678543d9f354aec3434f58710179e1bb08bb4a5e6793bb410b55375012f98c968f4d1345 |
/data/data/cn.leaves.sdclean/files/prop.properties
| MD5 | 826c5d64aad25dff6755ccd55e45126d |
| SHA1 | ab5259e84906b20d2dee7c48e25a91340514589f |
| SHA256 | 856212fa4be14edeb0747a253895bd54eae0703644ce83e6b59817341d3c1368 |
| SHA512 | e7032c1908e29b65813f6aaad3968eaf4ac99aa966a6de902558679fb233f96c08f6fccd1b7ec11292d94b3466a11d4af6cce54d168761e46f364a2c9f684112 |
/data/data/cn.leaves.sdclean/databases/db.db
| MD5 | 503d7a2603b85185ee7380b3d44242a4 |
| SHA1 | e78ad0f4a0aef74d5f4db639861c5394476a03f4 |
| SHA256 | 5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4 |
| SHA512 | d6276cd3660ec1d5163f65403652ff19a9243df31f4196638f77c155b96e1d1b00d3b0c5811cce36ff30c6d22b4576bddfde24895f6bb4d191295757bb2d6b9d |
/data/data/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | e8de294c97b797be269e099a35397f9b |
| SHA1 | 269763e9206dc7d7739d99f137261b272f2f4288 |
| SHA256 | 883fc2a338167d2cfbb2fa0305fbb527a057300300bc88807a1187f47927c830 |
| SHA512 | e5ba3feced7d14d1957d020f2902e204c570c3e48672b4940aa77f6ab015a2d2acb1a0f1467f39c6a7c3cd983539027e2a0455c35f82f3f4e2d35534d56dfd17 |
/data/data/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | 3c485686b80b728de9e674433ec20686 |
| SHA1 | e19bc0d8e89a2be2528ea84159acacee10cbf062 |
| SHA256 | e64ca142ecae43441e96e26aadc8f554619cf17adcb0522ec2087e7fa721155f |
| SHA512 | 7e91772084646b01236c581e67e9e8cd3f91d6823de5be1cc7e1c46204ab2c7d0950d77627a9fec58987844e7bbc1c816ef8889670c1aac5dfb0e87d1eef96a3 |
/data/data/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | 2d805b13f2f28dc3ca9bbcc000f49bb5 |
| SHA1 | 9eac165b4d81258fd3967cde5cc53b53b1dabcb1 |
| SHA256 | c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19 |
| SHA512 | 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-18 12:43
Reported
2024-10-18 12:46
Platform
android-x64-arm64-20240624-en
Max time kernel
7s
Max time network
130s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Processes
cn.leaves.sdclean
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | hmma.baidu.com | udp |
| HK | 103.235.46.195:80 | hmma.baidu.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 142.250.187.196:443 | | tcp |
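Across the three behavioral runs the Network tables mix emulator background traffic (mDNS, DNS to the sandbox resolver, Google API and analytics endpoints) with the one endpoint the app itself reaches over plain HTTP, hmma.baidu.com at 103.235.46.195:80. The script below is an added example, not part of this report: it parses the report's pipe-separated table, tolerating the extraction artefact where a row with no Domain value has its protocol shifted one column left, and then separates assumed background noise from traffic worth following up. The embedded table is the behavioral2 Network table as originally extracted; the noise allowlist is an analyst assumption and should be tuned to the sandbox image in use.

```python
"""Added example: normalize a sandbox network table and separate signal from noise.

Not part of the sandbox report. BEHAVIORAL2_TABLE is the behavioral2 Network table
from this page as originally extracted (rows with no Domain value have the protocol
shifted into the Domain column). The noise allowlist is an analyst assumption.
"""

# Endpoints the emulator image contacts on its own (assumed background traffic).
NOISE_DOMAINS = {"android.apis.google.com", "ssl.google-analytics.com"}
NOISE_DESTS = {"224.0.0.251:5353"}          # mDNS multicast
SANDBOX_RESOLVER = "1.1.1.1:53"             # DNS queries; the answer shows on a later TCP row

BEHAVIORAL2_TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | hmma.baidu.com | udp |
| HK | 103.235.46.195:80 | hmma.baidu.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.78:443 | android.apis.google.com | tcp |
| GB | 142.250.179.228:443 | tcp | |
| GB | 142.250.179.228:443 | tcp
"""


def parse_rows(table_text: str) -> list[dict]:
    """Parse pipe-separated rows; a row with three non-empty cells has no domain."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]                 # drop the empty cell left by the shift
        if not cells or cells[0] == "Country":
            continue
        if len(cells) == 4:
            country, dest, domain, proto = cells
        elif len(cells) == 3:
            (country, dest, proto), domain = cells, ""
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage(rows: list[dict]) -> dict:
    """Group real egress by domain, flag cleartext HTTP, and park unattributed TLS flows."""
    contacted, cleartext, unattributed, noise = {}, [], set(), 0
    for r in rows:
        dest = f"{r['ip']}:{r['port']}"
        if dest == SANDBOX_RESOLVER or dest in NOISE_DESTS or r["domain"] in NOISE_DOMAINS:
            noise += 1
            continue
        if not r["domain"]:                 # TLS to an IP with no logged DNS name
            unattributed.add(r["ip"])
            continue
        entry = contacted.setdefault(r["domain"], {"ips": set(), "countries": set(), "ports": set()})
        entry["ips"].add(r["ip"])
        entry["countries"].add(r["country"])
        entry["ports"].add(r["port"])
        if r["proto"] == "tcp" and r["port"] == 80:
            cleartext.append((r["domain"], r["ip"], r["port"]))
    return {"contacted": contacted, "cleartext": cleartext,
            "unattributed": unattributed, "noise_rows": noise}


if __name__ == "__main__":
    for key, value in triage(parse_rows(BEHAVIORAL2_TABLE)).items():
        print(f"{key}: {value}")
```

With the allowlist above, hmma.baidu.com over plain HTTP is the only attributed traffic left in every run. Whether that is a mobile-analytics beacon (the `__local_stat_cache.json` file in the app's data directory would fit that reading) or something else can only be settled from the request contents, which this report does not include; the unattributed 443 flows to 142.250.x.x / 172.217.x.x addresses lack a DNS name in the capture and need the PCAP's SNI before they can be attributed either way.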
Files
/data/user/0/cn.leaves.sdclean/files/INSTALLATION
| MD5 | fb77bb32ea76677717a4a7e44cfd6a3d |
| SHA1 | 6e486278745ffc7071749251c53e856751fd089b |
| SHA256 | b21fe960769ac19437fdec0093eeb83bab2762a29539a22f91a0079b61502365 |
| SHA512 | c7509966865b6f9d844028dd877ea83775676d7cecc5bfbb3083b56fad1f4be2e5854b3269468eace00b9d14bc9b615714f68f7f759ea907aba61bde366eded4 |
/data/user/0/cn.leaves.sdclean/files/prop.properties
| MD5 | 88b3f802cda07232c2e4b153857257f8 |
| SHA1 | f38a457417077da6efc4514764ae861d40d839d3 |
| SHA256 | a9487beb8b2a4c5a021771f50941c482167f618782cc522c56facb63b0b2eb8f |
| SHA512 | 0554d22fefd9030c05c1bd1ed19723378c3fe841de4a70a3c227d916dcfd01e39a72ccadbba09fb194f0051460bb7149865b2e40549c25110351ea6685333b74 |
/data/user/0/cn.leaves.sdclean/databases/db.db
| MD5 | 503d7a2603b85185ee7380b3d44242a4 |
| SHA1 | e78ad0f4a0aef74d5f4db639861c5394476a03f4 |
| SHA256 | 5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4 |
| SHA512 | d6276cd3660ec1d5163f65403652ff19a9243df31f4196638f77c155b96e1d1b00d3b0c5811cce36ff30c6d22b4576bddfde24895f6bb4d191295757bb2d6b9d |
/data/user/0/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | 15edad51ecb4c8c262f107c6979c4ad0 |
| SHA1 | b085e449ff07d074b8114e07eb9258d94c66c4d5 |
| SHA256 | c8dd0a2dc2d9298e94bad4eadd8c424fff32f46fcb45269fdd28c67a16f5536e |
| SHA512 | 1a78f83352f8f35c0766b1b20d459b6314ea21b6befc0abb14644457464cc0b8212b25e444bd3e6d3f7930c03cae5448bac9571068d79d86ca59f5ef79530151 |
/data/user/0/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | f817ca8888dece280a98407d21a8d5d9 |
| SHA1 | c1dc224d17e7afa5ae5b508ba96d5b2639fcfd01 |
| SHA256 | e7543aada9fec988354bcb9ed64d6cdd374f178fb779f5b4024872a771a2bbfb |
| SHA512 | 51e3238b3c128cc352380a495763c06299318fbb8cf2c95e5d3d9909ae19a604b9e4fb9cddd683bc080c0a8021380e1673856652a4a285f1a29a5da6064b9c3e |
/data/user/0/cn.leaves.sdclean/files/__local_stat_cache.json
| MD5 | 2d805b13f2f28dc3ca9bbcc000f49bb5 |
| SHA1 | 9eac165b4d81258fd3967cde5cc53b53b1dabcb1 |
| SHA256 | c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19 |
| SHA512 | 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0 |
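The Files sections of the three runs are the right place to pick detection pivots, but only hashes that recur across independent detonations are useful: INSTALLATION differs on every run, prop.properties differs on one of three, while db.db and the last-listed state of __local_stat_cache.json are identical everywhere. The script below is an added example, not part of this report: it takes the per-run file listings (SHA-256 values copied from the three Files sections above), normalizes the /data/data versus /data/user/0 path prefix, and splits the files into stable and volatile sets.

```python
"""Added example: find file hashes that are stable across the three behavioral runs.

Not part of the sandbox report; the SHA-256 values below are copied from the Files
sections of behavioral1, behavioral2 and behavioral3 on this page.
"""
import re

# /data/data/<pkg>/ and /data/user/0/<pkg>/ are the same directory.
APP_DATA_PREFIX = re.compile(r"^/data/(?:data|user/\d+)/")

P1 = "/data/data/cn.leaves.sdclean/"
P3 = "/data/user/0/cn.leaves.sdclean/"

RUNS = {
    "behavioral1": [
        (P1 + "files/INSTALLATION", "21562d9a7b79cd1d9860cc4359db4e9e2a667aab5771afecc6372ab72c18f268"),
        (P1 + "files/prop.properties", "856212fa4be14edeb0747a253895bd54eae0703644ce83e6b59817341d3c1368"),
        (P1 + "databases/db.db", "5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4"),
        (P1 + "files/__local_stat_cache.json", "221247f67c0a497ec55cd3198448a25fc25e6824f0722d8066ea7f41fa22cdd4"),
        (P1 + "files/__local_stat_cache.json", "8c79996ebaace68dee2ce614caef9de0c8788228da2451e085f277cc364b2e2a"),
        (P1 + "files/__local_stat_cache.json", "c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19"),
    ],
    "behavioral2": [
        (P1 + "files/INSTALLATION", "810eea1469407554035b3db95547b72543bc6b757bb928e49976fb7c4d9787fb"),
        (P1 + "files/prop.properties", "856212fa4be14edeb0747a253895bd54eae0703644ce83e6b59817341d3c1368"),
        (P1 + "databases/db.db", "5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4"),
        (P1 + "files/__local_stat_cache.json", "883fc2a338167d2cfbb2fa0305fbb527a057300300bc88807a1187f47927c830"),
        (P1 + "files/__local_stat_cache.json", "e64ca142ecae43441e96e26aadc8f554619cf17adcb0522ec2087e7fa721155f"),
        (P1 + "files/__local_stat_cache.json", "c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19"),
    ],
    "behavioral3": [
        (P3 + "files/INSTALLATION", "b21fe960769ac19437fdec0093eeb83bab2762a29539a22f91a0079b61502365"),
        (P3 + "files/prop.properties", "a9487beb8b2a4c5a021771f50941c482167f618782cc522c56facb63b0b2eb8f"),
        (P3 + "databases/db.db", "5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4"),
        (P3 + "files/__local_stat_cache.json", "c8dd0a2dc2d9298e94bad4eadd8c424fff32f46fcb45269fdd28c67a16f5536e"),
        (P3 + "files/__local_stat_cache.json", "e7543aada9fec988354bcb9ed64d6cdd374f178fb779f5b4024872a771a2bbfb"),
        (P3 + "files/__local_stat_cache.json", "c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19"),
    ],
}


def relpath(path: str) -> str:
    """Strip the per-user app-data prefix so both path spellings compare equal."""
    return APP_DATA_PREFIX.sub("", path)


def hash_sets(runs: dict) -> dict:
    """{relpath: {run: {sha256, ...}}}; a file listed several times in a run keeps every state."""
    table = {}
    for run, entries in runs.items():
        for path, sha256 in entries:
            table.setdefault(relpath(path), {}).setdefault(run, set()).add(sha256)
    return table


def classify_hashes(runs: dict) -> dict:
    """Stable = some hash of the file appears in every run; everything else is volatile."""
    table, all_runs = hash_sets(runs), set(runs)
    stable, volatile = {}, {}
    for path, per_run in table.items():
        common = set.intersection(*per_run.values()) if set(per_run) == all_runs else set()
        if common:
            stable[path] = sorted(common)
            continue
        distinct = set().union(*per_run.values())
        sharing = max(sum(h in hs for hs in per_run.values()) for h in distinct)
        volatile[path] = {"distinct_hashes": len(distinct), "max_runs_sharing": sharing,
                          "runs_seen": len(per_run)}
    return {"stable": stable, "volatile": volatile}


if __name__ == "__main__":
    result = classify_hashes(RUNS)
    for path, hashes in result["stable"].items():
        print(f"stable   {path}: {hashes}")
    for path, info in result["volatile"].items():
        print(f"volatile {path}: {info}")
```

A hash that is identical across independent runs can also be a content-free initial state (an empty database schema, a cache written before any event is logged), which would match many unrelated apps using the same SDK; confirm what the file contains before promoting either stable hash to a detection, and never use the per-install INSTALLATION value.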