Malware Analysis Report

2025-05-28 18:46

Sample ID: 241103-fc7w8avhja
Target: 89b08378b0a8e05a11b0cd65a210b937_JaffaCakes118
SHA256: b4b8622c105d4a4c9e20f07791553b0e0e848d41284a8a8a3ead9c02ec112117
Tags: collection evasion persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: b4b8622c105d4a4c9e20f07791553b0e0e848d41284a8a8a3ead9c02ec112117

Threat Level: Shows suspicious behavior

The file 89b08378b0a8e05a11b0cd65a210b937_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection evasion persistence

Reads the contacts stored on the device.

Reads the content of the call log.

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-03 04:44

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-03 04:44
Reported: 2024-11-03 04:47
Platform: android-x86-arm-20240624-en
Max time kernel: 13s
Max time network: 143s

Command Line

com.mgyun.shua.protector

Signatures

Reads the contacts stored on the device.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the call log.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.mgyun.shua.protector

/system/bin/sh

chmod 777 /data/user/0/com.mgyun.shua.protector/files/share

cat /data/user/0/com.mgyun.shua.protector/files/flag_file1

cat /data/user/0/com.mgyun.shua.protector/files/flag_file1

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.mgyun.shua.protector/files/v.dat

MD5 182be0c5cdcd5072bb1864cdee4d3d6e
SHA1 b6692ea5df920cad691c20319a6fffd7a4a766b8
SHA256 c6f3ac57944a531490cd39902d0f777715fd005efac9a30622d5f5205e7f6894
SHA512 3163a8d6a4540ecf1794ece0245f291154d30e1080359d2e994ef79c1a469aa0cd808769d9c7ee30ca342c6803d2ebcec3eb71a928d6db187dfb1fc2cf640395

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-03 04:44
Reported: 2024-11-03 04:47
Platform: android-x64-20240624-en
Max time kernel: 12s
Max time network: 133s

Command Line

com.mgyun.shua.protector

Signatures

Reads the contacts stored on the device.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the call log.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.mgyun.shua.protector

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.mgyun.shua.protector/files/v.dat

MD5 182be0c5cdcd5072bb1864cdee4d3d6e
SHA1 b6692ea5df920cad691c20319a6fffd7a4a766b8
SHA256 c6f3ac57944a531490cd39902d0f777715fd005efac9a30622d5f5205e7f6894
SHA512 3163a8d6a4540ecf1794ece0245f291154d30e1080359d2e994ef79c1a469aa0cd808769d9c7ee30ca342c6803d2ebcec3eb71a928d6db187dfb1fc2cf640395

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-03 04:44
Reported: 2024-11-03 04:47
Platform: android-x64-arm64-20240624-en
Max time kernel: 13s
Max time network: 133s

Command Line

com.mgyun.shua.protector

Signatures

Reads the contacts stored on the device.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the call log.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Processes

com.mgyun.shua.protector

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/user/0/com.mgyun.shua.protector/files/v.dat

MD5 182be0c5cdcd5072bb1864cdee4d3d6e
SHA1 b6692ea5df920cad691c20319a6fffd7a4a766b8
SHA256 c6f3ac57944a531490cd39902d0f777715fd005efac9a30622d5f5205e7f6894
SHA512 3163a8d6a4540ecf1794ece0245f291154d30e1080359d2e994ef79c1a469aa0cd808769d9c7ee30ca342c6803d2ebcec3eb71a928d6db187dfb1fc2cf640395