Malware Analysis Report

2025-06-15 22:32

Sample ID 241102-g6y2vaykdv
Target 84de8f4e8f79e7b3271cac3b2d4ca7fa_JaffaCakes118
SHA256 8dc5a50cfb17110faf8614d27ca02130a933b03ea4d9e6626d5eb48fff095118
Tags
collection discovery persistence credential_access impact
score
7/10

Analysis Overview

score
7/10

SHA256

8dc5a50cfb17110faf8614d27ca02130a933b03ea4d9e6626d5eb48fff095118

Threat level: shows suspicious behavior

The file 84de8f4e8f79e7b3271cac3b2d4ca7fa_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery persistence credential_access impact

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-11-02 06:25

Signatures

Requests dangerous framework permissions

Permission                                  Description
android.permission.GET_ACCOUNTS             Allows access to the list of accounts in the Accounts Service.
android.permission.SEND_SMS                 Allows an application to send SMS messages.
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_PHONE_STATE         Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
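The permission set above can be checked before detonation. The following is an added example, not code from the sandbox or from the sample: it parses a decoded AndroidManifest.xml, flags the permissions Android documents as dangerous (plus SYSTEM_ALERT_WINDOW, a special permission granted in Settings), and reports pairs that matter more together than alone. It assumes the manifest has already been decoded from binary AXML (for example with apktool). SAMPLE_MANIFEST, the placeholder package name and the FLAGGED and COMBOS tables are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml for dangerous permissions.

Added example; not the sandbox's code. SAMPLE_MANIFEST is constructed to request
the five permissions the static1 analysis reported plus INTERNET; the package
name is a placeholder.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions worth flagging on sight. All but SYSTEM_ALERT_WINDOW carry
# protectionLevel "dangerous" (runtime prompt); SYSTEM_ALERT_WINDOW is a
# special permission granted via Settings and is listed because overlays are
# the building block of credential-phishing screens.
FLAGGED = {
    "android.permission.GET_ACCOUNTS": "enumerate accounts registered on the device",
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud, OTP relay)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage (no effect when targeting Android 11+)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.READ_PHONE_STATE": "read IMEI/IMSI, phone number, call state",
    "android.permission.READ_SMS": "read the SMS inbox (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "read the contact list",
}

# Pairs that together describe a capability rather than a single API (assumed table).
COMBOS = {
    ("android.permission.GET_ACCOUNTS", "android.permission.READ_PHONE_STATE"):
        "account + device fingerprinting",
    ("android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE"):
        "SMS sending from a fingerprinted device",
    ("android.permission.SYSTEM_ALERT_WINDOW", "android.permission.GET_ACCOUNTS"):
        "overlay attack with knowledge of which accounts exist",
}

# Constructed manifest; package name is a placeholder, not the sample's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="placeholder"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [elem.get(name_attr) for elem in root.iter("uses-permission") if elem.get(name_attr)]


def triage(manifest_xml: str) -> dict:
    """Flag dangerous permissions and risky combinations in a decoded manifest."""
    requested = requested_permissions(manifest_xml)
    flagged = {p: FLAGGED[p] for p in requested if p in FLAGGED}
    combos = [label for pair, label in COMBOS.items() if all(p in flagged for p in pair)]
    return {"requested": requested, "flagged": flagged, "combos": combos}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for perm, why in result["flagged"].items():
        print(f"{perm}: {why}")
    for combo in result["combos"]:
        print(f"combo: {combo}")
```

Permissions alone do not make an APK malicious; the value of the check is the combination. GET_ACCOUNTS with READ_PHONE_STATE fingerprints the device and its owner, and SEND_SMS on the same fingerprinted device is the classic premium-SMS and OTP-relay profile, which is why the sandbox tags the sample with collection and credential_access once the dynamic runs confirm the calls.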

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 06:25

Reported

2024-11-02 06:28

Platform

android-x86-arm-20240624-en

Max time kernel

33s

Max time network

132s

Command Line

vn.adflex.process

Signatures

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

vn.adflex.process

com.gasgarena.store

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            update.adflex.vn          udp
VN       125.212.201.144:80    update.adflex.vn          tcp
US       1.1.1.1:53            igamemobi.com             udp
GB       142.250.187.206:443   -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.178.14:443    android.apis.google.com   tcp
US       1.1.1.1:53            api.adflex.vn             udp
VN       125.212.201.144:80    api.adflex.vn             tcp

Files

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 85515039863e8b552458c086ca9f13a2
SHA1 b6d7690c43989c66e5669df7c2a7e838c49026fd
SHA256 144f1d01eb4e338318a3564461210c729db41cdd03356860f360acbac08c0553
SHA512 166f1bc86e0b1626aa9600d3b6e4f577fbaa0452dd5dc63ba0fb5de932bc2650e75eee0de955f1fc8eee31ce545b44b363b17b977582596b8401bd94b0151cb1

/storage/emulated/0/tvtas/as.sqlite

MD5 5f3a37a846fa112d9db14009fadcd18e
SHA1 8bd4442f25b1fb1bbc6ce257a542ed4f903dc613
SHA256 a5a9e8d0b73273e7ab1cf04d689ecf742539849d41b33532b235b1f71c39cb07
SHA512 4e2dd27a0ce4283f7a63d62a75779ea3a1392b98fdad2e7205db7ca29342c135405752e9d8f12ed07bea9bb8e0a986f24f82f60e35afcef85120103e041b25a9

/storage/emulated/0/tvtas/as.sqlite-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/storage/emulated/0/tvtas/as.sqlite-wal

MD5 1fe21e8989606a1bf5a12d8341dfbb47
SHA1 299ba694b8e31b9667a14a936ac5d05c14e80b27
SHA256 f1ce7b01f7f3544bdf5771bdb80ab0a855333386ae96bb2d0c3ce842db7121a0
SHA512 62c28a9758531b9c14d7d876e762615c65d97e99dd3f2679fdf7212584e2e7059d57a91c84d2a6d8bca051523a156dc5b949680e0829028b4dc2a7de19d35cd8

/storage/emulated/0/tvtas/as.sqlite-wal

MD5 b634847006ebd4d502b2865562d9eeef
SHA1 81c56ad82f0bf0c53cfb4f3862ddafbf7953f1f0
SHA256 92e233638652c5026c36b65600107a0474e2e5f54df450c627dd5d0dcc19a0c4
SHA512 69a6e9916e6662b1ffe7ad101ff345d689fe305d1182d1db753eaf5518907d1d497f55a35ea83ac69506c9720b880889c1e32a6966451468f6cd4fe7c63a2178

/storage/emulated/0/tvtas/as.sqlite

MD5 bf0cc6831add8537315ae9c1226b9a70
SHA1 e10bd70ce479fec1bb0d0a303d6d732c308656d9
SHA256 97a0b0cabc7ece49f8e23d9c5422d33e47bd0e7a25a5c636777c06eae015cf54
SHA512 3ed8a6f084259cd627e5efcb58a853059f2635e1c0b0096c8b940666a1f843d6e718b99ac40b95e69563489bf088fd226d24bd3686ec24d3ab64138071db7bc2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 06:25

Reported

2024-11-02 06:28

Platform

android-x64-20240624-en

Max time kernel

49s

Max time network

155s

Command Line

vn.adflex.process

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

vn.adflex.process

com.gasgarena.store

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            update.adflex.vn          udp
VN       125.212.201.144:80    update.adflex.vn          tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       172.217.16.232:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53            igamemobi.com             udp
GB       142.250.187.206:443   -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       172.217.16.238:443    android.apis.google.com   tcp
US       1.1.1.1:53            api.adflex.vn             udp
VN       123.30.210.79:80      api.adflex.vn             tcp
GB       216.58.201.100:443    -                         tcp
GB       216.58.201.100:443    -                         tcp
GB       172.217.16.238:443    android.apis.google.com   tcp
GB       216.58.201.98:443     -                         tcp

Files

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 07e4ecc422ec8cf4695f50b1b3cc023d
SHA1 d55c7ccee948fa4d226e09659352c23c18df5a5e
SHA256 2ea7ff49cb5c1b47cdaca0362c4f14d1650d2889e0f3c1ea3ecbdb5d7569b48a
SHA512 39c91b0a30950612a74ca9f0634d5dc47a2aab86b552febc3be158ce4ff5303f3a20dbdd77163cada6b498a034ea952c5cb2b33c9514734c371daa6058972ab3

/storage/emulated/0/tvtas/as.sqlite

MD5 3505598dfc9be2e9ed3452a8d0aac1b4
SHA1 6f45cbc1c240696826f3fbc2e2ee74f2bd6ac51c
SHA256 8cfe219a728c310d5cf3e4386d2fa1009dffb661d040aef55b44da30c59b85f4
SHA512 d07611f89c17a12d2a54e5be8ec3e29541689f9fad64e8053a05c38c5b4c17d399e13df3c8950c49dbbf947e870e721d0f58d973e109af416bc17089adf7f6e2

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 c050853f1097c638adcf8d9263755825
SHA1 25f3c9d8f653718d030e5b6409ac10d05082ee66
SHA256 8ad35c148ce2b918c106c1844d7e5adcf046859dfa9df09e4765a0d9176d6f5e
SHA512 13b4ec27c35c5966399df505d442e5135adfb6b190f13d47bd2101a5106c27e232212d4ed62fef2f3da23b73122f6ddbfbd068eb3e7b30949499ed32bdfed079

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 f621f16e415a1d7891efe34baeafac71
SHA1 8bb3e5e8cef4baed695777531e04634fe4f0fc67
SHA256 f1dfd0f8c05e7a11d1d8b356c121bf98e27efd3d1440c1b7e86fc8e620f7e044
SHA512 320a8cdd97729e50141e5e62adef05bead99cf1cfc120c9fc1d8f0a183935e207ca26e782a71d69bf696d9da67ec255a5bd0decbf0c95c89580a9eee88149cb4

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 b2e1d588eacd42f4f6c2c72d4c0c5bb7
SHA1 c78483608a1f07e4e3d0087a53ac37622a2f1d0a
SHA256 a7113306a8f4835d78b477ac2b70dbd0904523d804d8008d011a6ccf49a97159
SHA512 f0def2fa8d3809e0a908578f6dcd31dd7d88d63e8b10940c2cd12680883bcfe79b83bd378da097a42a7509961589ab4128f774635e3a2ae3a990aac1f941fbe8

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 a9316316d2a1f0a3a471bca9c4462c91
SHA1 9304805e36d2ed79007a5811b6357a516ba8c96e
SHA256 de29d99473e2fb71d21ce80575f945492f848b310a83c008aac88084c44c523e
SHA512 4cc59c1b62a59db3fbcf35734309a041efdeb5b8fcf138747cfea69123a260cdd286d875059fa2dddc55595ac0724430588176d68274771d37a05e27dc1f05ee

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 7ab44c3f8508519298b08cd1f29f53e1
SHA1 621853a58dc90cfe4a2ccf49a199fb6f3bc177b4
SHA256 43a85df3262088bfcf7c91290a286dbdd7c91c0f4ec8b79bf511b0790fdcc63c
SHA512 61bc9192a9c327ca1f77a04f9282f4c0d184abe84e50c3dcb5695354a5b6973befbd828ebf4ff1d775bc0e0f0bec8bc38e88600e826dd319627ecf8625176ecd

/storage/emulated/0/tvtas/as.sqlite

MD5 6ac602fee4b97cdd0f2c6dca9f5a3398
SHA1 d31037d532f453330bbcea7e14467090bc0901bd
SHA256 75c4ad29d62d00f70caa6441dc36082ee629b456c3da64c74aa6427860a15676
SHA512 119a2dc635dfcdd86b2617943aeef779b58e2bea4c1eecf2be576c71563c4b8cbe554628325529e1e4454353645427a372782ab2ba079f2f92d6354fe07d488c

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-02 06:25

Reported

2024-11-02 06:28

Platform

android-x64-arm64-20240624-en

Max time kernel

134s

Max time network

147s

Command Line

vn.adflex.process

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
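The behavioral signatures in all three runs (behavioral1, behavioral2 and behavioral3) come from one mechanism: the sandbox observes Binder calls into framework services (IAccountManager, IConnectivityManager, ITelephony, IActivityManager, IClipboard) and file opens such as /proc/meminfo, then maps each observed call to a signature title and its tactics. The following added example, which is not the sandbox's own rule engine, reconstructs that mapping from this report and runs it over a constructed event log. The "<timestamp> <process> <kind> <target>" line format, SAMPLE_EVENTS and the RULES table are assumptions for the example.

```python
"""Map sandbox-observed framework service calls to signatures and ATT&CK tactics.

Added example, not the sandbox's rule engine: RULES is reconstructed from the
report above, and SAMPLE_EVENTS is a constructed event log in a made-up
"<timestamp> <process> <kind> <target>" format.
"""
import re
from collections import defaultdict

# indicator -> (signature title, tactics), titles as printed in the report.
RULES = {
    "android.accounts.IAccountManager.getAccountsAsUser": (
        "Queries account information for other applications stored on the device",
        {"collection"}),
    "android.net.IConnectivityManager.getActiveNetworkInfo": (
        "Queries information about active data network", {"discovery"}),
    "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone": (
        "Queries the mobile country code (MCC)", {"discovery"}),
    "android.app.IActivityManager.registerReceiver": (
        "Registers a broadcast receiver at runtime", {"persistence"}),
    "android.content.IClipboard.addPrimaryClipChangedListener": (
        "Obtains sensitive information copied to the device clipboard",
        {"collection", "credential_access", "impact"}),
    "/proc/meminfo": ("Checks memory information", set()),
}

# Order in which the report prints its tactic tags.
TACTIC_ORDER = ["collection", "discovery", "persistence", "credential_access", "impact"]

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>\S+) "
    r"(?P<kind>binder|open) (?P<target>\S+)$"
)

SAMPLE_EVENTS = [  # constructed; timestamps and ordering are illustrative
    "2024-11-02 06:26:01 vn.adflex.process binder android.accounts.IAccountManager.getAccountsAsUser",
    "2024-11-02 06:26:01 vn.adflex.process binder android.net.IConnectivityManager.getActiveNetworkInfo",
    "2024-11-02 06:26:02 vn.adflex.process binder com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone",
    "2024-11-02 06:26:02 vn.adflex.process binder android.app.IActivityManager.registerReceiver",
    "2024-11-02 06:26:03 vn.adflex.process binder android.content.IClipboard.addPrimaryClipChangedListener",
    "2024-11-02 06:26:03 vn.adflex.process open /proc/meminfo",
    "2024-11-02 06:26:04 vn.adflex.process binder android.os.IPowerManager.isInteractive",
    "not an event line",
]


def parse_event(line):
    """Parse one log line into its fields, or None if the line is malformed."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_signatures(lines):
    """Return ({signature title: details}, [unmatched indicators]) for an event stream."""
    hits = defaultdict(lambda: {"count": 0, "tactics": set(), "processes": set(), "indicators": set()})
    unmatched = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: skip rather than abort the triage run
        rule = RULES.get(ev["target"])
        if rule is None:
            unmatched.append(ev["target"])  # seen but not covered by a rule
            continue
        title, tactics = rule
        hit = hits[title]
        hit["count"] += 1
        hit["tactics"] |= tactics
        hit["processes"].add(ev["proc"])
        hit["indicators"].add(ev["target"])
    return dict(hits), unmatched


def tags(hits):
    """Tactic tags in the report's order, as printed in the summary line."""
    seen = set()
    for hit in hits.values():
        seen |= hit["tactics"]
    return [t for t in TACTIC_ORDER if t in seen]


if __name__ == "__main__":
    found, leftover = match_signatures(SAMPLE_EVENTS)
    for title, hit in found.items():
        print(f"{title} [{' '.join(sorted(hit['tactics']))}] x{hit['count']}")
    print("tags:", " ".join(tags(found)))
    print("unmatched:", leftover)
```

Weight the hits individually when reading the report. A runtime registerReceiver and a read of /proc/meminfo occur in most benign apps, and a receiver registered at runtime lives only as long as the registering process, so it is not reboot persistence. What raises this sample is the clipboard change listener: once registered, every copied value (passwords, one-time codes, wallet addresses) is delivered to the app without further user interaction, which is why that single call carries collection, credential_access and impact.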

Processes

vn.adflex.process

com.gasgarena.store

Network

Country  Destination           Domain                    Proto
GB       142.250.180.14:443    -                         tcp
GB       142.250.180.14:443    -                         tcp
GB       142.250.180.14:443    -                         tcp
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.178.14:443    android.apis.google.com   tcp
US       1.1.1.1:53            update.adflex.vn          udp
US       1.1.1.1:53            igamemobi.com             udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.204.72:443     ssl.google-analytics.com  tcp
VN       125.212.201.144:80    update.adflex.vn          tcp
US       1.1.1.1:53            api.adflex.vn             udp
VN       123.30.210.79:80      api.adflex.vn             tcp
GB       142.250.200.36:443    -                         tcp
GB       142.250.200.36:443    -                         tcp
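The Network tables of all three runs mix four kinds of rows: mDNS multicast, lookups against the sandbox resolver, connections to Google platform and analytics hosts, and connections to the sample's own servers. The following added example, which is not part of the report, parses rows in the table's "country destination [domain] proto" layout (ROWS is copied from the behavioral2 run) and separates the sample's indicators from sandbox and platform noise. The resolver address, the benign-suffix list and the handling of unnamed TLS destinations are assumptions for the example.

```python
"""Turn a sandbox connection table into an indicator list.

Added example, not part of the report. ROWS copies the behavioral2 Network
table in its original layout; RESOLVER, NOISE and BENIGN_SUFFIXES are
assumptions about this sandbox, not facts from the report.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RESOLVER = ("1.1.1.1", 53)                # sandbox DNS resolver: rows here are lookups, not C2 traffic
NOISE = {("224.0.0.251", 5353)}           # mDNS multicast
BENIGN_SUFFIXES = ("google.com", "google-analytics.com")  # platform/analytics noise (assumption)

ROWS = [  # behavioral2 Network table, original layout
    "N/A 224.0.0.251:5353 udp",
    "US 1.1.1.1:53 update.adflex.vn udp",
    "VN 125.212.201.144:80 update.adflex.vn tcp",
    "US 1.1.1.1:53 ssl.google-analytics.com udp",
    "GB 172.217.16.232:443 ssl.google-analytics.com tcp",
    "US 1.1.1.1:53 igamemobi.com udp",
    "GB 142.250.187.206:443 tcp",
    "US 1.1.1.1:53 android.apis.google.com udp",
    "GB 172.217.16.238:443 android.apis.google.com tcp",
    "US 1.1.1.1:53 api.adflex.vn udp",
    "VN 123.30.210.79:80 api.adflex.vn tcp",
    "GB 216.58.201.100:443 tcp",
    "GB 216.58.201.100:443 tcp",
    "GB 172.217.16.238:443 android.apis.google.com tcp",
    "GB 216.58.201.98:443 tcp",
]


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(row: str) -> Conn:
    """Parse one table row; a missing, '-' or 'N/A' domain column means no name was observed."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
        if domain in ("-", "N/A"):
            domain = None
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    ipaddress.ip_address(ip)  # raises on junk instead of silently emitting a bad IOC
    return Conn(country, ip, int(port), domain, proto)


def is_benign(domain: Optional[str]) -> bool:
    return domain is not None and any(
        domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def extract_iocs(rows) -> dict:
    """Split connection rows into sample indicators and noise buckets."""
    queried, contacted, ips, cleartext, unattributed = set(), set(), set(), set(), set()
    for row in rows:
        c = parse_row(row)
        if (c.ip, c.port) in NOISE:
            continue
        if (c.ip, c.port) == RESOLVER:
            if c.domain and not is_benign(c.domain):
                queried.add(c.domain)             # a name the sample asked for
            continue
        if c.domain is None:
            unattributed.add(f"{c.ip}:{c.port}")  # no name: needs pcap SNI or reverse lookup
            continue
        if is_benign(c.domain):
            continue
        contacted.add(c.domain)
        ips.add(f"{c.ip}:{c.port}")
        if c.proto == "tcp" and c.port == 80:
            cleartext.add(c.domain)               # plain-HTTP channel: tamperable in transit
    return {
        "domains": sorted(queried | contacted),
        "queried_only": sorted(queried - contacted),
        "ips": sorted(ips),
        "cleartext_http": sorted(cleartext),
        "unattributed": sorted(unattributed),
    }


if __name__ == "__main__":
    for bucket, values in extract_iocs(ROWS).items():
        print(f"{bucket}: {', '.join(values) or '-'}")
```

Block the hostnames rather than only the addresses: across the three runs api.adflex.vn resolved to 125.212.201.144 in behavioral1 and to 123.30.210.79 in behavioral2 and behavioral3, so an IP-only list would miss one of them. igamemobi.com is looked up in every run but never contacted, which is still worth keeping as a DNS indicator. Both adflex.vn endpoints are reached over plain HTTP on port 80, so anything the sample fetches from its "update" and "api" channels can be replaced by whoever sits on the path.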

Files

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 ecc93bc363df55a565651fcc53b50a51
SHA1 424cb5b0bbebcac09061339a28461541eab17949
SHA256 8901d878db39e23c06bde6c76a3e13a019ad215ec564458ca2d856e5923e8a4c
SHA512 c49dd21bca97094f17354bb54abc724d431a038c50442da26c784bd4ab84b2a7c16a079235eae2dc58d655525c5c1a17311176426d3a6eefd1a21df40e894c4e

/storage/emulated/0/tvtas/as.sqlite

MD5 2b99d5e769d59d539c110dc698e6e75d
SHA1 41accb8bbdc215014bb34a53c3d08c2afc20768b
SHA256 45d7ecb2f4fb0915ae2eec32f931eeca3c1f59e936aaabdfebdf5a64187bdc3a
SHA512 bf9f9d82cfb15a692d2820aa9af51166748ec00e5034c795901fd72e863d71de8408ea1612be590803545f2af4e6ebf5119c482874273b206546efa6230486d1

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 2fbf176bc6e5719cb9b66057cef15ece
SHA1 bfa1f53715986e62dd7583babfd53a98c8a254e1
SHA256 410c91de794573b81cdbc07ae856a3c1d960c1a6871113bf1f52cd8e1fce4e8a
SHA512 0740c88963c8e99d716a3792f75f292d6e6a156e8f2aeef4227022300c41da8ca1966f9abdd9573f81ded3710e6c26b3441e9ce9d1479bc2ca701ed0354dab5c

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 0c35004189e73394c1be15b6690ae8f3
SHA1 b502e9e49475d554ea5eb1d736c1493c2050426c
SHA256 8e8d86039ed98efc11fd7c5958d3ff709e4cbcb32ada631e5c6da751ad8d8368
SHA512 d0fa5a671f9ed3de0cec981998f5cc0bb3b2fed43fc6e5bd7e6cb29ded1bae65fff52588ecbd4fc880cde263300be2a737f17dbc42e2cc989e98e08d594b9893

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 bc3923d8f860bc18f625cd1da0a53d54
SHA1 8fd7ccc90bc12028138da4f53b23a23cf9d6acb6
SHA256 0e619eea55591248456bca21a613c121a0ebecf97bb34599e9129190888eda44
SHA512 260614e96b08ad0f64ede16937a8b2d015af174bda31a1891ff6a1c9bf5b961035737269448c97282bd12f1cca784a474ceab95091a4615b855ef5adb490ac6d

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 4f81cb88fa24d6b4919ce5f58a914068
SHA1 d5bfb43e2c0b1ece86c20e82f4c61fa6249d7741
SHA256 76b43daef9fd88a3fad05dcb579e7ba4b031905772f87c44d32aeeb876641296
SHA512 860932cad7676fc56f72cbc8249da3bc34b7dbc2c0cb04c5a49e30a00bae0568bba1b176bfe65a354b165ab624db7627baf255117cd10ebe110556c241615b61

/storage/emulated/0/tvtas/as.sqlite-journal

MD5 161f0499a5a67f9ef308c6a8ab856530
SHA1 dc9ffe372ce7936c3ef6f2de1afc88114d41a6b6
SHA256 62a520b630d9445e6d1cd05e867ea2bf77c473bbc5488a448212bc3ae319c9a9
SHA512 99d9984c6966965470b4a398ce40a34f4fa8638cf92928ff1481cc86f165a09ca791e638a2bb1e60e707d5a2d37b71718d19f2016c7833d10ae1e242bdcf75c9

/storage/emulated/0/tvtas/as.sqlite

MD5 6473c6cd7f6cd0e2d87bfd77c5e6b3c9
SHA1 20d81d3c278bbec4df54a0dad93d57f6d3112d41
SHA256 88fc468a9d698fd84deafb7c0ef394f403fb0bc72a93dab8849954cb51d63108
SHA512 4ce6af6d8b591cc40f8dad9eb169a50e26ed2406f2bc034862df564df90eabec2ede2486cd49e2daeddc6a0723e3872ffa8bd99eff8d77c78b0438c47187d937