Analysis Overview
SHA256
5cbdc05183fb0ce11248ead0c4a5de031cc724171360b38214a4b3facf58ce7d
Threat Level: Shows suspicious behavior
The file 57dd974e400ea936f5d4e3260f792428_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current Wi-Fi connection
Reads information about phone network operator.
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Queries information about active data network
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 14:09
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 14:09
Reported
2024-10-18 14:12
Platform
android-x86-arm-20240624-en
Max time kernel
123s
Max time network
152s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.lbeing.word.kaoyan
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | app.wapx.cn | udp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| CN | 59.82.29.163:80 | www.umeng.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| CN | 59.82.29.248:80 | www.umeng.com | tcp |
| CN | 59.82.29.249:80 | www.umeng.com | tcp |
| CN | 59.82.31.154:80 | www.umeng.com | tcp |
| CN | 59.82.31.160:80 | www.umeng.com | tcp |
| CN | 59.82.31.210:80 | www.umeng.com | tcp |
| CN | 59.82.31.92:80 | www.umeng.com | tcp |
| CN | 59.82.31.95:80 | www.umeng.com | tcp |
| CN | 59.82.60.43:80 | www.umeng.com | tcp |
| CN | 59.82.60.44:80 | www.umeng.com | tcp |
| CN | 59.82.112.112:80 | www.umeng.com | tcp |
| US | 1.1.1.1:53 | www.umeng.co | udp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| CN | 59.82.29.163:80 | www.umeng.com | tcp |
| CN | 59.82.29.248:80 | www.umeng.com | tcp |
Files
/data/data/com.lbeing.word.kaoyan/files/ky
| MD5 | d8ce491db29e31bdcf05c4d5dbc522f7 |
| SHA1 | b0129ebae577fc35bf405bbf84df5339647dc36b |
| SHA256 | 6ba5073f14ed2c1ef3ee85d38c7a0f68493bc7e6c0ae293e1c409d333f530705 |
| SHA512 | 6d9200e3096c6a11bc66e598a6849bbb0f65f3dd307fa305a3dd118b02f3291b49835bc85f962380bcafbbdae50948f2759c3642f52226ecb23550627b5a2584 |
/data/data/com.lbeing.word.kaoyan/files/ky_plus
| MD5 | 75b3129e0db314f16a2d5cf30c48ceee |
| SHA1 | d215527de64ea8fb51d26f2a314a2492e3b27132 |
| SHA256 | e34f754a95a179ccf5abe6aa38300e280b2a8af7b2db21fa50b076e134fa8e1b |
| SHA512 | ed2d15017f526756bfba8bf54a1dea83014bd9e17764383b680d3d7961a73b59fea77e5bab081a6d713028cb69a0c068c127014095deeabaf9740e45111149e8 |
/storage/emulated/0/Android/data/cache/CacheTime.dat
| MD5 | 2012c9229f55fb03fcb3d4b7dd739507 |
| SHA1 | 4a4afa54adc9f363bf7264bc4838b72a45c176ad |
| SHA256 | 6dc0fb3f3379c7682164fed3a8ea26a5dd00e5416283d51c2ad58a4e2d00cf37 |
| SHA512 | 2a7e6a1ee5fa4f63fe9467c59805a9001162bdc4000aa0ba53763b96e75906a4534641490cf80de48c8bcb20eb35708af4b4857763359190aab8ced352a2194a |
/storage/emulated/0/Android/Package.dat
| MD5 | 1d6e256292874124f0dfd5e2a4a0309f |
| SHA1 | f5b6976fed1ca499a6b9ebca320296473766d57a |
| SHA256 | 92aecd706a7a49df24f0a6af56c2d70c8be5b795243bcbe1637b6918b9e09255 |
| SHA512 | 10513ab466c43d96f55b1ac68c3cc0f26e5f0ccfa9789bdf060fd3a692e407d52afe62ac5a409e2956fe76241bcc09b6813873fdc212c81cea240ce7e76ab1bd |
/storage/emulated/0/Android/data/cache/UnPackage.dat
| MD5 | 560f77d585f5e016cc9c596f17a9df4c |
| SHA1 | 583da15bf76713120a99fccdd06abb68d43226cd |
| SHA256 | 68da782533a64203db2961ea6114f94255233548e7233457519e66f5598c05bd |
| SHA512 | b3fb7f4f436fb046568f1e5a9d857b298e64965f71ce574251f9b347a8fd2bb463bb7fc5d3e52944f1422a18ebd2065bb111c9253d7996791de4c215ce2906ca |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 14:09
Reported
2024-10-18 14:12
Platform
android-x64-20240624-en
Max time kernel
124s
Max time network
153s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator.
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.lbeing.word.kaoyan
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | app.wapx.cn | udp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| CN | 59.82.29.163:80 | www.umeng.com | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| CN | 59.82.29.248:80 | www.umeng.com | tcp |
| CN | 59.82.29.249:80 | www.umeng.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| CN | 59.82.31.154:80 | www.umeng.com | tcp |
| CN | 59.82.31.160:80 | www.umeng.com | tcp |
| CN | 59.82.31.210:80 | www.umeng.com | tcp |
| CN | 59.82.31.92:80 | www.umeng.com | tcp |
| CN | 59.82.31.95:80 | www.umeng.com | tcp |
| CN | 59.82.60.43:80 | www.umeng.com | tcp |
| CN | 59.82.60.44:80 | www.umeng.com | tcp |
| CN | 59.82.112.112:80 | www.umeng.com | tcp |
| US | 1.1.1.1:53 | www.umeng.co | udp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| CN | 59.82.29.163:80 | www.umeng.com | tcp |
| CN | 59.82.29.248:80 | www.umeng.com | tcp |
Files
/data/data/com.lbeing.word.kaoyan/files/ky
| MD5 | d8ce491db29e31bdcf05c4d5dbc522f7 |
| SHA1 | b0129ebae577fc35bf405bbf84df5339647dc36b |
| SHA256 | 6ba5073f14ed2c1ef3ee85d38c7a0f68493bc7e6c0ae293e1c409d333f530705 |
| SHA512 | 6d9200e3096c6a11bc66e598a6849bbb0f65f3dd307fa305a3dd118b02f3291b49835bc85f962380bcafbbdae50948f2759c3642f52226ecb23550627b5a2584 |
/data/data/com.lbeing.word.kaoyan/files/ky_plus
| MD5 | 75b3129e0db314f16a2d5cf30c48ceee |
| SHA1 | d215527de64ea8fb51d26f2a314a2492e3b27132 |
| SHA256 | e34f754a95a179ccf5abe6aa38300e280b2a8af7b2db21fa50b076e134fa8e1b |
| SHA512 | ed2d15017f526756bfba8bf54a1dea83014bd9e17764383b680d3d7961a73b59fea77e5bab081a6d713028cb69a0c068c127014095deeabaf9740e45111149e8 |
/storage/emulated/0/Android/data/cache/CacheTime.dat
| MD5 | cc29a785efc3abd871fe032760e258c7 |
| SHA1 | 399cccf524f3fc5c4f626eee40759a37346912a5 |
| SHA256 | 5407c4145ee026983735199300faab8f3d08492ab79933b1dd62b561e4d6eaa5 |
| SHA512 | 0dbbde6274658ee0c834aa6d99d2ed38a536097bc22b7e938191ac67240c55cbd75838915e07fccca2506a50b425b076f55dbd08588273808b21973e50d1456a |
/storage/emulated/0/Android/Package.dat
| MD5 | 1d6e256292874124f0dfd5e2a4a0309f |
| SHA1 | f5b6976fed1ca499a6b9ebca320296473766d57a |
| SHA256 | 92aecd706a7a49df24f0a6af56c2d70c8be5b795243bcbe1637b6918b9e09255 |
| SHA512 | 10513ab466c43d96f55b1ac68c3cc0f26e5f0ccfa9789bdf060fd3a692e407d52afe62ac5a409e2956fe76241bcc09b6813873fdc212c81cea240ce7e76ab1bd |
/storage/emulated/0/Android/data/cache/UnPackage.dat
| MD5 | 560f77d585f5e016cc9c596f17a9df4c |
| SHA1 | 583da15bf76713120a99fccdd06abb68d43226cd |
| SHA256 | 68da782533a64203db2961ea6114f94255233548e7233457519e66f5598c05bd |
| SHA512 | b3fb7f4f436fb046568f1e5a9d857b298e64965f71ce574251f9b347a8fd2bb463bb7fc5d3e52944f1422a18ebd2065bb111c9253d7996791de4c215ce2906ca |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-18 14:09
Reported
2024-10-18 14:12
Platform
android-x64-arm64-20240624-en
Max time kernel
124s
Max time network
155s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.lbeing.word.kaoyan
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| US | 1.1.1.1:53 | app.wapx.cn | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| CN | 59.82.29.163:80 | www.umeng.com | tcp |
| CN | 59.82.29.248:80 | www.umeng.com | tcp |
| CN | 59.82.29.249:80 | www.umeng.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
| CN | 59.82.31.154:80 | www.umeng.com | tcp |
| CN | 59.82.31.160:80 | www.umeng.com | tcp |
| CN | 59.82.31.210:80 | www.umeng.com | tcp |
| CN | 59.82.31.92:80 | www.umeng.com | tcp |
| CN | 59.82.31.95:80 | www.umeng.com | tcp |
| CN | 59.82.60.43:80 | www.umeng.com | tcp |
| CN | 59.82.60.44:80 | www.umeng.com | tcp |
| CN | 59.82.112.112:80 | www.umeng.com | tcp |
| US | 1.1.1.1:53 | www.umeng.co | udp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| CN | 59.82.31.154:80 | www.umeng.com | tcp |
| CN | 59.82.29.248:80 | www.umeng.com | tcp |
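The Network tables of behavioral1, behavioral2 and behavioral3 mix three kinds of rows: UDP/53 lookups against the sandbox resolver, mDNS chatter to 224.0.0.251:5353, and the actual TCP connections, some of which carry no Domain cell at all. The script below is an added triage helper, not part of the sandbox report or of the sample's code. It parses rows in the report's pipe-table layout (including the variant where the Proto value has slipped into the Domain column), separates what was merely resolved from what was actually contacted, and flags cleartext TCP/80 connections. The sample rows are a constructed subset copied from the tables above; the classification rules (resolver IP, mDNS endpoint, "port 80 means cleartext HTTP") are this script's own assumptions, not the sandbox's.

```python
"""IOC summary from Triage-style network table rows (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the report's Network tables.
# The first data row keeps the report's shifted-cell layout on purpose.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | app.wapx.cn | udp |
| US | 1.1.1.1:53 | www.umeng.com | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
| CN | 59.82.29.163:80 | www.umeng.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.umeng.co | udp |
| CN | 59.82.29.162:80 | www.umeng.com | tcp |
"""

ROW_RE = re.compile(r"^\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|$")
PROTOS = {"tcp", "udp"}
MDNS = ("224.0.0.251", 5353)


def parse_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, dest, domain, proto = (c.strip() for c in m.groups())
        if country == "Country":
            continue  # header row
        if domain.lower() in PROTOS and not proto:
            # Report quirk: empty Domain cell dropped, Proto shifted left.
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or None, "proto": proto.lower()})
    return rows


def summarize(rows, resolvers=frozenset({"1.1.1.1"})):
    """Group rows into lookups, contacts and cleartext connections.

    Assumptions: UDP/53 to a resolver in `resolvers` is a DNS lookup (the
    sandbox's upstream), not a contact with the sample's infrastructure;
    224.0.0.251:5353 is mDNS noise; TCP/80 is treated as cleartext HTTP.
    """
    queried = set()
    contacted = defaultdict(set)   # domain -> {"ip:port", ...}
    cleartext = set()              # (domain or "-", "ip:port") over TCP/80
    bare_ips = set()               # TCP endpoints with no domain attributed
    mdns = False
    for r in rows:
        endpoint = f"{r['ip']}:{r['port']}"
        if (r["ip"], r["port"]) == MDNS:
            mdns = True
        elif r["ip"] in resolvers and r["port"] == 53 and r["proto"] == "udp":
            if r["domain"]:
                queried.add(r["domain"])
        elif r["proto"] == "tcp":
            if r["domain"]:
                contacted[r["domain"]].add(endpoint)
            else:
                bare_ips.add(endpoint)
            if r["port"] == 80:
                cleartext.add((r["domain"] or "-", endpoint))
    return {
        "queried": sorted(queried),
        "contacted": {d: sorted(eps) for d, eps in sorted(contacted.items())},
        # Resolved but never connected to: worth a second look, not an IOC yet.
        "lookup_only": sorted(queried - set(contacted)),
        "cleartext_http": sorted(cleartext),
        "bare_ips": sorted(bare_ips),
        "mdns": mdns,
    }


def defang(name):
    """Defang a domain or IP for safe inclusion in a report."""
    return name.replace(".", "[.]")


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for domain, eps in s["contacted"].items():
        print(f"contacted {defang(domain)} via {', '.join(map(defang, eps))}")
    print("lookup only:", ", ".join(map(defang, s["lookup_only"])))
    print("cleartext HTTP:", s["cleartext_http"])
    print("bare IPs:", ", ".join(map(defang, s["bare_ips"])))
```

On the full tables this separates the umeng.com endpoints (all TCP/80, i.e. the analytics traffic goes out unencrypted) from the Google endpoints on 443, and lists app.wapx.cn and www.umeng.co under "lookup only", since no TCP row in any of the three runs references them; whether that is sandbox egress filtering or the sample never connecting cannot be told from the report alone.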
Files
/data/user/0/com.lbeing.word.kaoyan/files/ky
| MD5 | d8ce491db29e31bdcf05c4d5dbc522f7 |
| SHA1 | b0129ebae577fc35bf405bbf84df5339647dc36b |
| SHA256 | 6ba5073f14ed2c1ef3ee85d38c7a0f68493bc7e6c0ae293e1c409d333f530705 |
| SHA512 | 6d9200e3096c6a11bc66e598a6849bbb0f65f3dd307fa305a3dd118b02f3291b49835bc85f962380bcafbbdae50948f2759c3642f52226ecb23550627b5a2584 |
/data/user/0/com.lbeing.word.kaoyan/files/ky_plus
| MD5 | 75b3129e0db314f16a2d5cf30c48ceee |
| SHA1 | d215527de64ea8fb51d26f2a314a2492e3b27132 |
| SHA256 | e34f754a95a179ccf5abe6aa38300e280b2a8af7b2db21fa50b076e134fa8e1b |
| SHA512 | ed2d15017f526756bfba8bf54a1dea83014bd9e17764383b680d3d7961a73b59fea77e5bab081a6d713028cb69a0c068c127014095deeabaf9740e45111149e8 |
/storage/emulated/0/Android/Package.dat
| MD5 | 1d6e256292874124f0dfd5e2a4a0309f |
| SHA1 | f5b6976fed1ca499a6b9ebca320296473766d57a |
| SHA256 | 92aecd706a7a49df24f0a6af56c2d70c8be5b795243bcbe1637b6918b9e09255 |
| SHA512 | 10513ab466c43d96f55b1ac68c3cc0f26e5f0ccfa9789bdf060fd3a692e407d52afe62ac5a409e2956fe76241bcc09b6813873fdc212c81cea240ce7e76ab1bd |
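The three detonations ran on different platforms (android-x86-arm, android-x64, android-x64-arm64) and report the same dropped files under two spellings of the app-private directory, /data/data/com.lbeing.word.kaoyan and /data/user/0/com.lbeing.word.kaoyan. The script below is an added cross-run comparison, not part of the report: it folds those two prefixes together (on Android, /data/data is a symlink to /data/user/0), then checks for each dropped path whether its SHA256 is identical across runs. The run-to-hash mapping is constructed from the Files sections above; the verdict labels and the reading of them are this script's own assumptions.

```python
"""Cross-detonation stability of dropped files (added example)."""
import re
from collections import defaultdict

# Constructed from the Files sections of behavioral1/2/3 above (SHA256 only).
PKG = "com.lbeing.word.kaoyan"
RUNS = {
    "behavioral1": {
        f"/data/data/{PKG}/files/ky":
            "6ba5073f14ed2c1ef3ee85d38c7a0f68493bc7e6c0ae293e1c409d333f530705",
        f"/data/data/{PKG}/files/ky_plus":
            "e34f754a95a179ccf5abe6aa38300e280b2a8af7b2db21fa50b076e134fa8e1b",
        "/storage/emulated/0/Android/data/cache/CacheTime.dat":
            "6dc0fb3f3379c7682164fed3a8ea26a5dd00e5416283d51c2ad58a4e2d00cf37",
        "/storage/emulated/0/Android/Package.dat":
            "92aecd706a7a49df24f0a6af56c2d70c8be5b795243bcbe1637b6918b9e09255",
        "/storage/emulated/0/Android/data/cache/UnPackage.dat":
            "68da782533a64203db2961ea6114f94255233548e7233457519e66f5598c05bd",
    },
    "behavioral2": {
        f"/data/data/{PKG}/files/ky":
            "6ba5073f14ed2c1ef3ee85d38c7a0f68493bc7e6c0ae293e1c409d333f530705",
        f"/data/data/{PKG}/files/ky_plus":
            "e34f754a95a179ccf5abe6aa38300e280b2a8af7b2db21fa50b076e134fa8e1b",
        "/storage/emulated/0/Android/data/cache/CacheTime.dat":
            "5407c4145ee026983735199300faab8f3d08492ab79933b1dd62b561e4d6eaa5",
        "/storage/emulated/0/Android/Package.dat":
            "92aecd706a7a49df24f0a6af56c2d70c8be5b795243bcbe1637b6918b9e09255",
        "/storage/emulated/0/Android/data/cache/UnPackage.dat":
            "68da782533a64203db2961ea6114f94255233548e7233457519e66f5598c05bd",
    },
    "behavioral3": {
        f"/data/user/0/{PKG}/files/ky":
            "6ba5073f14ed2c1ef3ee85d38c7a0f68493bc7e6c0ae293e1c409d333f530705",
        f"/data/user/0/{PKG}/files/ky_plus":
            "e34f754a95a179ccf5abe6aa38300e280b2a8af7b2db21fa50b076e134fa8e1b",
        "/storage/emulated/0/Android/Package.dat":
            "92aecd706a7a49df24f0a6af56c2d70c8be5b795243bcbe1637b6918b9e09255",
    },
}

USER0_RE = re.compile(r"^/data/user/0/")


def normalize_path(path):
    """Map /data/user/0/<pkg>/... onto /data/data/<pkg>/... (same directory)."""
    return USER0_RE.sub("/data/data/", path)


def compare_runs(runs):
    """Return {normalized path: {"runs": [...], "hashes": [...], "verdict": ...}}.

    Verdicts (this script's own labels): "stable" = one hash in 2+ runs,
    "varies" = differing hashes across runs, "single-run" = seen once.
    """
    by_path = defaultdict(dict)  # path -> {run: sha256}
    for run, files in runs.items():
        for path, sha in files.items():
            by_path[normalize_path(path)][run] = sha.lower()
    report = {}
    for path, seen in by_path.items():
        hashes = set(seen.values())
        if len(seen) == 1:
            verdict = "single-run"
        elif len(hashes) == 1:
            verdict = "stable"
        else:
            verdict = "varies"
        report[path] = {"runs": sorted(seen), "hashes": sorted(hashes),
                        "verdict": verdict}
    return report


def stable_hashes(report):
    """(path, sha256) pairs that reproduced across runs: the shareable file IOCs."""
    return sorted((p, r["hashes"][0]) for p, r in report.items()
                  if r["verdict"] == "stable")


if __name__ == "__main__":
    rep = compare_runs(RUNS)
    for path, r in sorted(rep.items()):
        print(f"{r['verdict']:10} {len(r['runs'])} run(s)  {path}")
```

A file whose hash is identical on three differently-architected sandboxes is content the sample ships with (unpacked from the APK or generated deterministically), which makes ky, ky_plus, Package.dat and UnPackage.dat the hashes worth pivoting on; CacheTime.dat changes between runs, as its name suggests, and is not a useful indicator. Package.dat and the cache files live on shared external storage (/storage/emulated/0), which is consistent with the WRITE_EXTERNAL_STORAGE request in the static analysis, though the report does not say what the sample uses them for.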