Malware Analysis Report

2024-09-09 16:11

Sample ID: 240427-h6n3baec9x
Target: 02b5b4f4a13ef384c60db11d12ab44f1_JaffaCakes118
SHA256: bc8fdbdc9464f6a752fe1e013ffef4b8d508065f510cb8dfd3d63ad87cf77b9d
Tags: irata, discovery, persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: bc8fdbdc9464f6a752fe1e013ffef4b8d508065f510cb8dfd3d63ad87cf77b9d

Threat Level: Known bad

The file 02b5b4f4a13ef384c60db11d12ab44f1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery, persistence

Irata family

Irata payload

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about running processes on the device

Checks if the internet connection is available

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-27 07:21

Signatures

Irata family

Tag: irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Process and Target are N/A for every entry.

Indicator                                    Description
android.permission.READ_PHONE_STATE          Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE     Allows an application to read from external storage.
android.permission.RECORD_AUDIO              Allows an application to record audio.
android.permission.SYSTEM_ALERT_WINDOW       Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA                    Required to be able to access the camera device.
android.permission.CALL_PHONE                Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS            Allows an application to read or write the system settings.
android.permission.ACCESS_FINE_LOCATION      Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION    Allows an app to access approximate location.
android.permission.GET_ACCOUNTS              Allows access to the list of accounts in the Accounts Service.

Analysis: behavioral6

Detonation Overview

Submitted: 2024-04-27 07:21
Reported: 2024-04-27 07:21
Platform: android-x64-20240221-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  N/A     udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-04-27 07:21
Reported: 2024-04-27 07:21
Platform: android-x64-arm64-20240221-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain  Proto
GB       216.58.201.110:443   N/A     tcp
GB       216.58.201.110:443   N/A     tcp
N/A      224.0.0.251:5353     N/A     udp
GB       142.250.200.10:443   N/A     udp
GB       142.250.200.14:443   N/A     udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-27 07:21
Reported: 2024-04-27 07:23
Platform: android-x86-arm-20240221-en
Max time kernel: 4s
Max time network: 140s

Command Line

com.jovision.xiaowei

Signatures

Queries information about running processes on the device

Tag: discovery
Description             Indicator                                            Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks if the internet connection is available

Tag: discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Processes

com.jovision.xiaowei

cat /sys/class/net/wlan0/address

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      N/A                       udp
US       1.1.1.1:53            api.exc.mob.com           udp
US       1.1.1.1:53            api.share.mob.com         udp
CN       180.188.25.42:80      api.share.mob.com         tcp
CN       180.188.25.46:80      api.exc.mob.com           tcp
US       1.1.1.1:53            int.dpool.sina.com.cn     udp
US       1.1.1.1:53            www.jovetech.com          udp
CN       180.188.25.42:80      api.share.mob.com         tcp
US       172.233.148.133:80    www.jovetech.com          tcp
US       1.1.1.1:53            octopus.jovcloud.com      udp
US       1.1.1.1:53            xwdns1.cloudsee.net       udp
US       1.1.1.1:53            octopus.cloudseetech.com  udp
US       1.1.1.1:53            octopus.cloudseeplus.com  udp
US       1.1.1.1:53            octopus.cloudseetech.com  udp
US       1.1.1.1:53            xwcateye.cloudsee.net     udp
US       1.1.1.1:53            xwmediasvr.cloudsee.com   udp
US       1.1.1.1:53            octopus.jovcloud.com      udp
US       1.1.1.1:53            octopus.cloudseeplus.com  udp
US       47.254.93.223:35553   octopus.cloudseeplus.com  tcp
US       1.1.1.1:53            xwip.cloudsee.net         udp
CN       182.92.201.219:8088   xwip.cloudsee.net         tcp
N/A      10.79.217.129:80      int.dpool.sina.com.cn     tcp
N/A      10.79.217.129:80      int.dpool.sina.com.cn     tcp
GB       142.250.178.14:443    N/A                       tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.187.206:443   android.apis.google.com   tcp

Files

/storage/emulated/0/Android/data/com.jovision.xiaowei/cache/uil-images/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/storage/emulated/0/SOOVVI/.logaccout/bizacc20240427.log

MD5 1eceaaeedad257bb1ba59af430a9ad9c
SHA1 8ff5dcff3f2091d571bc6965afa782619b4462c3
SHA256 faf26ac171f9cc3ba937365a31112605892eb39915771ae48371a0a8e9ec80c6
SHA512 d1d06a673e1dd2cb30d667602f8535be88201bac8dcc5b66b88f82c96e1bea2e2f183360615509af2a64ae684c29ebb73ab84ff074929b0fc288634b712aaa81

/data/data/com.jovision.xiaowei/cache/OkHttpCache/journal.tmp

MD5 37e8e716e0e2f4a0b05cd9571d95b84d
SHA1 f8d068f6931707bddb8cd69f706f2224ad1fea3c
SHA256 7080cb592d5149c858b206d3fd0d5e3e7d601f120af00b2616bee928ee1291ca
SHA512 e62b850901835fdb73fa6224618422f721dd765861d42f6bc2dd013413e96bd910ac5313afd9b4f63da74beb12a15fac81b5157456c9caa3031862dab84423f6

/storage/emulated/0/SOOVVI/.logcloud/2024-04-27.txt

MD5 a254890057db977548213f30d55c2d31
SHA1 c6854f253d4a16a8c2ed055688a3459efcd3f3fc
SHA256 06bd3708ddc05c96fab77423aff4443d236c58cc4bd010c529c2abf615fdefc6
SHA512 72f28ecfed663992049ea57fba687662eb5e02b909addead1e17c492551bf8bae7a43052640bb44b8dae9cb01a76beef25aaefecfae70458ba5bc859a4f98ccb

/storage/emulated/0/SOOVVI/.logcloud/pl.log

MD5 318adc180cb146f76142a6e43f1c42be
SHA1 0ffc8be2c8a2e36697efa7f88863c8bf9d45081c
SHA256 f8245988dc3f10b69c9db22ecb2b5975b333e3dd03ebc4da00af4fd4c54a374f
SHA512 ec259ec145d6df05a27eacf06cbea022a14ba362cb9d89aa5aedc6189a0b382749445eddf73884d7dd89d92083028fb47d6e93b0833923a264c876236f4514be

/storage/emulated/0/SOOVVI/.logcloud/2024-04-27.txt

MD5 f4d175f098c48ec0a85953fe6ade3d0a
SHA1 1d1b03bfd8e327d1f5b39c3a39530731a55b0162
SHA256 694c2b41c6e8c630aa923feaae5fcb6e2f873177ae23e7e59aa8dc75ec222e16
SHA512 0d30581e5c32140b0b4467b045bcffef3c5737ed0f3a4876f0032c5bc15e8245aa9da4550b08c6059fd60f2978e4776a9cd0a31748ebeecd8cbd9baa4187c882

/storage/emulated/0/SOOVVI/.logcloud/2024-04-27.txt

MD5 7312a5d983405e3a5953c9e810898865
SHA1 473593a30c49711b9bbe48efa3a1fd517aa496a9
SHA256 5b8c9db85eb2c425b900b65c06e5f201062f028df480fba95450aa3808b3c5a9
SHA512 5187c12c4857ddf561c307d5cb38d91c24c62fc6a7b6c8b4eca2f904a576c7c8eb3cf11d49130e367d809b7e59a6723389a90548f2bafb6219efbd1c57a54b03

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-27 07:21
Reported: 2024-04-27 07:21
Platform: android-x86-arm-20240221-en
Max time network: 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  N/A     udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-27 07:21
Reported: 2024-04-27 07:21
Platform: android-x64-20240221-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  N/A     udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-04-27 07:21
Reported: 2024-04-27 07:21
Platform: android-x64-arm64-20240221-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain  Proto
GB       142.250.200.46:443   N/A     tcp
GB       142.250.200.46:443   N/A     tcp
N/A      224.0.0.251:5353     N/A     udp
GB       142.250.179.234:443  N/A     udp
GB       172.217.169.46:443   N/A     udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-04-27 07:21
Reported: 2024-04-27 07:21
Platform: android-x86-arm-20240221-en
Max time network: 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination       Domain  Proto
N/A      224.0.0.251:5353  N/A     udp

Files

N/A