Malware Analysis Report

2024-09-09 19:09

Sample ID 240508-t8mstagc98
Target 25c5c07564fbd738c35d5eb529dfb860_JaffaCakes118
SHA256 6751d123db9e9b26253b16e961afa0ba3662690e8182e714a4d05950e67788fb
Tags
banker discovery evasion impact privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6751d123db9e9b26253b16e961afa0ba3662690e8182e714a4d05950e67788fb

Threat Level: Likely malicious

The file 25c5c07564fbd738c35d5eb529dfb860_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact privilege_escalation

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks CPU information

Queries information about the current Wi-Fi connection

Tries to add a device administrator.

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks if the internet connection is available

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-08 16:43

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 16:43

Reported

2024-05-08 16:46

Platform

android-x86-arm-20240506-en

Max time kernel

3s

Max time network

130s

Command Line

com.onion.lock

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Processes

com.onion.lock

logcat -d -v raw -s AndroidRuntime:E -p com.onion.lock

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 update.apksj.com udp
US 1.1.1.1:53 www.umeng.com udp
CN 59.82.29.162:80 www.umeng.com tcp
CN 59.82.29.163:80 www.umeng.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 59.82.29.248:80 www.umeng.com tcp
CN 59.82.29.249:80 www.umeng.com tcp
CN 59.82.31.154:80 www.umeng.com tcp
CN 59.82.31.160:80 www.umeng.com tcp
CN 59.82.112.112:80 www.umeng.com tcp
CN 59.82.60.44:80 www.umeng.com tcp
CN 59.82.31.95:80 www.umeng.com tcp
CN 59.82.60.43:80 www.umeng.com tcp
CN 59.82.31.92:80 www.umeng.com tcp
CN 59.82.31.210:80 www.umeng.com tcp
US 1.1.1.1:53 www.umeng.co udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 16:43

Reported

2024-05-08 16:46

Platform

android-x64-20240506-en

Max time kernel

15s

Max time network

148s

Command Line

com.onion.lock

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.onion.lock

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 update.apksj.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.204.78:443 tcp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.201.98:443 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-08 16:43

Reported

2024-05-08 16:46

Platform

android-x64-arm64-20240506-en

Max time kernel

126s

Max time network

134s

Command Line

com.onion.lock

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Processes

com.onion.lock

Network

Country Destination Domain Proto
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.200.38:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.226:443 tcp
US 1.1.1.1:53 update.apksj.com udp
US 1.1.1.1:53 www.umeng.com udp
CN 59.82.29.162:80 www.umeng.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
CN 59.82.29.163:80 www.umeng.com tcp
CN 59.82.29.248:80 www.umeng.com tcp
CN 59.82.29.249:80 www.umeng.com tcp
GB 216.58.204.68:443 tcp
GB 216.58.204.68:443 tcp
CN 59.82.31.154:80 www.umeng.com tcp
CN 59.82.31.160:80 www.umeng.com tcp
GB 172.217.169.46:443 tcp
GB 216.58.204.66:443 tcp
CN 59.82.31.210:80 www.umeng.com tcp
CN 59.82.31.92:80 www.umeng.com tcp
CN 59.82.31.95:80 www.umeng.com tcp
CN 59.82.60.43:80 www.umeng.com tcp
CN 59.82.60.44:80 www.umeng.com tcp
CN 59.82.112.112:80 www.umeng.com tcp
US 1.1.1.1:53 www.umeng.co udp

Files

/data/user/0/com.onion.lock/files/mobclick_agent_cached_com.onion.lock

MD5 277fc77edaa0bcdf22db128adc639b0a
SHA1 2e4489963594fe24bf4d4ecdcd659fa08040e887
SHA256 3d76362e9563040539563757bca7bd97f8f88c53c6c74e1fbdc98ead1ab3ea85
SHA512 9205521042eb9645f85d7656295909b82be2979c2594ac64a8ec87c9443ae031a12c7ea78f5142db290d4b999d838b6b161fecdfb76292c0934d2bdbdd7cb9b7