Malware Analysis Report

2024-09-09 19:10

Sample ID 240427-a7wvjsgd6z
Target 020a9064d3819a0293940a4f0b36dd2a_JaffaCakes118
SHA256 064e31868539641c9b89e144f6de53737a15c5375425ab13e6637e6057b23332
Tags
banker collection credential_access discovery evasion impact privilege_escalation
score
8/10

Analysis Overview

score
8/10

SHA256

064e31868539641c9b89e144f6de53737a15c5375425ab13e6637e6057b23332

Threat Level: Likely malicious

The file 020a9064d3819a0293940a4f0b36dd2a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection credential_access discovery evasion impact privilege_escalation

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Tries to add a device administrator.

Acquires the wake lock

Requests dangerous framework permissions

Reads information about the phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-27 00:51

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 00:51

Reported

2024-04-27 00:54

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

156s

Command Line

dehzrmmuephxt.jlspwknqzylvykca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/dehzrmmuephxt.jlspwknqzylvykca/files/5a411ce47ea10.apk | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about the phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

dehzrmmuephxt.jlspwknqzylvykca

ls /sbin/su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | naurrris.com | udp
US | 1.1.1.1:53 | myyron.com | udp
US | 1.1.1.1:53 | bodgerr.com | udp
US | 1.1.1.1:53 | kafffr.com | udp
US | 1.1.1.1:53 | falldaa.com | udp
US | 1.1.1.1:53 | imarrland.com | udp
US | 1.1.1.1:53 | pettross.com | udp
US | 208.100.26.245:443 | pettross.com | tcp
US | 1.1.1.1:53 | doovver.com | udp
US | 1.1.1.1:53 | hoboos.com | udp
US | 1.1.1.1:53 | valkityter.com | udp
US | 208.100.26.245:443 | pettross.com | tcp (4 consecutive identical connections)
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 208.100.26.245:443 | pettross.com | tcp (75 consecutive identical connections)

Files

/data/data/dehzrmmuephxt.jlspwknqzylvykca/files/5a411ce47ea10.apk

MD5 156441057e307e0dbca6186b3a31c608
SHA1 55146784fb0e2c92746194569d7922aca40e860d
SHA256 4842519dd8325f030fae94aec3da4a764d60610ea72e736212ce8c78b8221fb3
SHA512 a0f787d30e6d5c99a0990a94d8b68b330d5038519a3ef56eb44de60daa4ae8c3ce8ab5b0892da607835b31c766a5434261a279bf650b87ad6ea22c7fc4ececbd

/data/user/0/dehzrmmuephxt.jlspwknqzylvykca/files/5a411ce47ea10.apk

MD5 9778e03c60275524d3649ce5c92b6618
SHA1 cd7242a2d6ac8e923061612a2d300012e65ec4c4
SHA256 b8d887b0ba0e951714eaa73b9b033dd4aab86ceef3dd698d07ccb676cf3aae1f
SHA512 c5bd221b820465eff85ff573c30a7137b5654016e90a7806aaa386797f6bb5ca8562bc8057f0f10d7a801a1effc5707c868c3547696fba6c62312271e576fe49

/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-journal

MD5 e0560a2121128f22dd3e5e12508350eb
SHA1 dab00bd8db4d9f32f7a30c2b5273cdc70c4e4dcc
SHA256 b921fabf0a14143e3bbc5eb819ca1ab6f8ca52036fb57ab324e27fe91f5fb433
SHA512 589f99bc3830e94ed4fc93af7c30e91aee45896645b38ea8c996cb898b1d9623db72a201f47e0d555d17e9038a10bb245c222e7e9ceef32937a21d1b3ab8269d

/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main

MD5 dafdb8d45d05821439f16ccb1907909d
SHA1 36dec7dd5c8a7e80d9cc24c30585b4ff11e8d0b0
SHA256 6c523a4d63e99f5e17461540bf0e2944b91d85ec0170b7f9d911b29f2819251c
SHA512 f2b4d3cd69aa5d797a430254920b1a5c2244cf84e35edbe70dfa8eba349cc2c37e36ff6420cbe6f6ce380fec1ad149785703efc7d1a356be1d05b298a32723b8

/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-wal

MD5 10a3a7b4602208c16209bacc1ac7fc81
SHA1 9c928d68c89cf04085e816249fc9ab725d314910
SHA256 e3a4aad789356ed828a2969b315b18157215e2ea29d3a3a81b1bc03309727a84
SHA512 ba8780575fb7aee14a8f61c3711aaafc663d413d75428fa2e18c798c89a29dc33d50d95c64cfb4d91726efa5c8e4528f97466c76d2c46618dfb5045e6acc9585

/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-wal

MD5 a0067c5a351eb9f60a139b429c86e148
SHA1 a6f2881d3bfa3243d7ad54aa82603740875c705e
SHA256 39c9966f10723bc430a7f4a689580b7be744fbf91a8d3146ca99a83700bfdcde
SHA512 474644a62d64e24fce17e7d2fc67980a4bcf14e322d2fcc6a21182b3c9f200bed5c5f49245d7860c1b8134a86c9f5ee1d8175deac846ef78f1b2e800e9cdba22

/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main-wal

MD5 4c0c5e8c05f184f9c46c3fd8762c1b89
SHA1 1628e6d5410e8fb7e32d690525dc10d0775f513c
SHA256 ba0bad0be561ea61f34b24feaec67808a6ecf2d8eaaea789573eecf00e31fb7d
SHA512 a115bcd778b86fbfd5d3be034207cef74bd274852483db006a306bea5a1855cc161ecaac759636164090bf818467769378fffeaac5ff88cb8820c4c2eb130fc2

/data/data/dehzrmmuephxt.jlspwknqzylvykca/databases/main

MD5 53d7713c95fddd2d8976c69259594a1d
SHA1 088864004b031cc283e0202bb5664d499ceeb896
SHA256 15d5e809605f735119ced83840be00ddf28a8eb36c0372538874dca32c84e599
SHA512 b66b8d5c49c9fab49ff57071f533a82248e52532da8538b56927ba286cd0d138bcf2b8d45480319d113d70035acc070e8c8545103fb2fc061f338715d960ee80

/data/data/dehzrmmuephxt.jlspwknqzylvykca/files/oat/5a411ce47ea10.apk.cur.prof

MD5 fdc1b25ca9b77024d4f31f36d08f8247
SHA1 1aaa3aa2d55d936b9018353c1ee50fa7cb9152c4
SHA256 22058ea61d1829a2c14194a58e4a6f6344a4e9eeed37d700c87e8b1ac703b8e6
SHA512 189758c86b1dcce792174b88989f629fd2d37fdbaafb0dfa6285025ded713da25b518cb7f9ea5492ac0aa2857e783b7281aff0f5b5350ffb4d6c192aef4b7112