Malware Analysis Report

2024-09-09 19:09

Sample ID 240504-lrd6caad2x
Target 12296f2dad04f985a4e8613680577401_JaffaCakes118
SHA256 d158a9505c196100b495278f98b2bb76f9128e4feda95276c2709d099f75da3f
Tags
collection credential_access discovery evasion impact privilege_escalation
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 12296f2dad04f985a4e8613680577401_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact privilege_escalation

Tries to add a device administrator

Checks CPU information

Checks memory information

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Checks if the internet connection is available

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-04 09:45

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 09:45

Reported

2024-05-04 09:47

Platform

android-x86-arm-20240221-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 09:45

Reported

2024-05-04 09:48

Platform

android-33-x64-arm64-20240229-en

Max time kernel

155s

Max time network

132s

Command Line

com.jkw.avrplayerpronbg.yelyup.avrplayerpro

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.jkw.avrplayerpronbg.yelyup.avrplayerpro/app_app_apk/avrplayerpro.dat.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Tries to add a device administrator

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.jkw.avrplayerpronbg.yelyup.avrplayerpro

Network


Files

/data/user/0/com.jkw.avrplayerpronbg.yelyup.avrplayerpro/app_app_apk/avrplayerpro.dat.jar

/data/user/0/com.jkw.avrplayerpronbg.yelyup.avrplayerpro/files/.yflurrydatasenderblock.06ca87a4-b1dd-41f9-904c-bd0edb7cbbb0

/data/user/0/com.jkw.avrplayerpronbg.yelyup.avrplayerpro/files/.YFlurrySenderIndex.info.AnalyticsData_K69G95JC7T5MMWGF62XJ_228

/data/user/0/com.jkw.avrplayerpronbg.yelyup.avrplayerpro/files/.YFlurrySenderIndex.info.AnalyticsMain

/data/user/0/com.jkw.avrplayerpronbg.yelyup.avrplayerpro/files/.yflurryreport.731bb495fc32489f