Analysis Overview
SHA256
b4b8622c105d4a4c9e20f07791553b0e0e848d41284a8a8a3ead9c02ec112117
Threat Level: Shows suspicious behavior
The file 89b08378b0a8e05a11b0cd65a210b937_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads the contacts stored on the device.
Reads the content of the call log.
Requests dangerous framework permissions
Makes use of the framework's foreground persistence service
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 04:44
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 04:44
Reported
2024-11-03 04:47
Platform
android-x86-arm-20240624-en
Max time kernel
13s
Max time network
143s
Command Line
Signatures
Reads the contacts stored on the device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://com.android.contacts/contacts | N/A | N/A |
Reads the content of the call log.
| Description | Indicator | Process | Target |
| URI accessed for read | content://call_log/calls | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.mgyun.shua.protector
/system/bin/sh
chmod 777 /data/user/0/com.mgyun.shua.protector/files/share
cat /data/user/0/com.mgyun.shua.protector/files/flag_file1
cat /data/user/0/com.mgyun.shua.protector/files/flag_file1
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.110:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.mgyun.shua.protector/files/v.dat
| MD5 | 182be0c5cdcd5072bb1864cdee4d3d6e |
| SHA1 | b6692ea5df920cad691c20319a6fffd7a4a766b8 |
| SHA256 | c6f3ac57944a531490cd39902d0f777715fd005efac9a30622d5f5205e7f6894 |
| SHA512 | 3163a8d6a4540ecf1794ece0245f291154d30e1080359d2e994ef79c1a469aa0cd808769d9c7ee30ca342c6803d2ebcec3eb71a928d6db187dfb1fc2cf640395 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 04:44
Reported
2024-11-03 04:47
Platform
android-x64-20240624-en
Max time kernel
12s
Max time network
133s
Command Line
Signatures
Reads the contacts stored on the device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://com.android.contacts/contacts | N/A | N/A |
Reads the content of the call log.
| Description | Indicator | Process | Target |
| URI accessed for read | content://call_log/calls | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.mgyun.shua.protector
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp |
Files
/data/data/com.mgyun.shua.protector/files/v.dat
| MD5 | 182be0c5cdcd5072bb1864cdee4d3d6e |
| SHA1 | b6692ea5df920cad691c20319a6fffd7a4a766b8 |
| SHA256 | c6f3ac57944a531490cd39902d0f777715fd005efac9a30622d5f5205e7f6894 |
| SHA512 | 3163a8d6a4540ecf1794ece0245f291154d30e1080359d2e994ef79c1a469aa0cd808769d9c7ee30ca342c6803d2ebcec3eb71a928d6db187dfb1fc2cf640395 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-03 04:44
Reported
2024-11-03 04:47
Platform
android-x64-arm64-20240624-en
Max time kernel
13s
Max time network
133s
Command Line
Signatures
Reads the contacts stored on the device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://com.android.contacts/contacts | N/A | N/A |
Reads the content of the call log.
| Description | Indicator | Process | Target |
| URI accessed for read | content://call_log/calls | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Processes
com.mgyun.shua.protector
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | tcp | |
| GB | 142.250.180.14:443 | tcp | |
| GB | 142.250.180.14:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.36:443 | tcp | |
| GB | 142.250.200.36:443 | tcp |
Files
/data/user/0/com.mgyun.shua.protector/files/v.dat
| MD5 | 182be0c5cdcd5072bb1864cdee4d3d6e |
| SHA1 | b6692ea5df920cad691c20319a6fffd7a4a766b8 |
| SHA256 | c6f3ac57944a531490cd39902d0f777715fd005efac9a30622d5f5205e7f6894 |
| SHA512 | 3163a8d6a4540ecf1794ece0245f291154d30e1080359d2e994ef79c1a469aa0cd808769d9c7ee30ca342c6803d2ebcec3eb71a928d6db187dfb1fc2cf640395 |