Analysis Overview
SHA256
d0ae64254cf57c871171844a3524118debf769b4e9cef071eb45e00f96750f66
Threat Level: Shows suspicious behavior
The file 885296e8bcc1272c71bfaba29d53822e_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-02 23:10
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-02 23:10
Reported
2024-11-02 23:13
Platform
android-x86-arm-20240624-en
Max time kernel
4s
Max time network
137s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /storage/emulated/0/Android/data/wu/cu.zip | N/A | N/A |
| N/A | /storage/emulated/0/Android/data/wu/cu.zip | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Processes
com.android.erqiwu
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/wu/cu.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/storage/emulated/0/Android/data/wu/oat/x86/cu.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/storage/emulated/0/Android/data/wu/cu.zip
| MD5 | 12d9b38e85d542f5f0610fa92b71ce2c |
| SHA1 | 800abdeb5c83cfde70ba248795bded9037bf736e |
| SHA256 | 83ddc41be3975cd18d2e1c9bcee7b2e024396e93ca109d72e392bdc40ab521fb |
| SHA512 | 4e33929bcbfcd7110a14d386f7329baeb22009b03a663b3ae922004ace9478b216fd07b52f94f73bea317cac591f7d7ae2e69c1b57157c1b800a2d4a4384dd1d |
/storage/emulated/0/Android/data/wu/cu.zip
| MD5 | 173fe4e906168cffd0260cfebe58e979 |
| SHA1 | 04a8bd61bda158d453aea084cbf9d8e75cfb5f9c |
| SHA256 | f5ce1e2bfe5af7cc9ec1e877cd4f1f85845444e2cb79945187e4f5d794419c1e |
| SHA512 | 273e775d5ab3a92340269ee130c2be4d80a0791a060d3ad404d6cdce902e250978631c1d55339e58ed1a9e319cf0b4b5638eaaddf9b8936a0db0f057128dfa44 |