Malware Analysis Report

2025-01-02 08:03

Sample ID 240509-1ja62sfh61
Target 2bd6622f5ac557ad7d32a0324c0f1822_JaffaCakes118
SHA256 688e92692871ed190bc2130d6f1e47547caa9b725b6abfc1304b8e2dfd7ad813
Tags
privateloader discovery evasion persistence collection credential_access impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

688e92692871ed190bc2130d6f1e47547caa9b725b6abfc1304b8e2dfd7ad813

Threat Level: Known bad

The file 2bd6622f5ac557ad7d32a0324c0f1822_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

privateloader discovery evasion persistence collection credential_access impact

Privateloader family (matched by the static1 signature only; neither behavioral run raised a family-specific signature)

Obtains sensitive information copied to the device clipboard

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 21:40

Signatures

Privateloader family

privateloader

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
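The static1 table above lists the five runtime-prompt ("dangerous") permissions the APK requests. The following Python is an added example of reproducing that check offline; it is not the sandbox's own signature. It assumes a manifest already decoded to plain XML (for example by apktool), since an APK stores AndroidManifest.xml as binary XML that ElementTree cannot read. The DANGEROUS table is a hand-picked subset of Android's dangerous protection-level permissions, not the full list, and the sample manifest is constructed for the example: only the package name and the five permissions come from this report.

```python
"""Flag runtime-prompt ("dangerous") permissions in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of dangerous permissions and what each one unlocks.
# Assumption: incomplete; extend for your own triage.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "telephony state, device IDs on older API levels",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Constructed manifest: the five permissions from the static1 table plus two
# normal-level ones a game would usually request. Package name is from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.borisk.tinysurvivor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Tiny Survivor"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """All <uses-permission> / <uses-permission-sdk-23> names, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter():
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def dangerous_permissions(manifest_xml):
    """Requested permissions that need a runtime grant, paired with what they unlock."""
    return [(p, DANGEROUS[p]) for p in requested_permissions(manifest_xml) if p in DANGEROUS]


def report(manifest_xml):
    """One line per dangerous permission, ready to paste into triage notes."""
    return "\n".join(f"{name}: {why}" for name, why in dangerous_permissions(manifest_xml))


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

On its own this permission set is ordinary for an ad-supported game; what makes it worth noting in this report is the combination with the dynamic code loading and device-identifier queries recorded in the behavioral runs below.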

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 21:40

Reported

2024-05-09 21:43

Platform

android-x86-arm-20240506-en

Max time kernel

150s

Max time network

130s

Command Line

com.borisk.tinysurvivor

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar N/A N/A
N/A /data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Processes

com.borisk.tinysurvivor

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar --output-vdex-fd=126 --oat-fd=133 --oat-location=/data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/oat/x86/4da25210572e7e07ea67142ded62c42e.odex --compiler-filter=quicken --class-loader-context=&
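The dex2oat line above is ART compiling the jar the app wrote into its own private directory (app_.gpg.classloader), which is what the "Loads dropped Dex/Jar" signature keys on: installed code lives under /data/app/, so a --dex-file under /data/user/<n>/<pkg>/ or /data/data/<pkg>/ means code that arrived after install. The Python below is an added example of turning that into a check over process command lines; it is not part of the report. The first sample command line is an abbreviated copy of the one recorded above; the second, an install-time compile of an APK, is constructed as a control.

```python
"""Classify dex2oat invocations: installed APK vs. code the app dropped at runtime."""
import re
import shlex

# Constructed: shortened copy of the dex2oat line from behavioral1.
SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--boot-image=/system/framework/boot.art "
    "--dex-file=/data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/"
    "4da25210572e7e07ea67142ded62c42e.jar "
    "--output-vdex-fd=126 --oat-fd=133 "
    "--oat-location=/data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/"
    "oat/x86/4da25210572e7e07ea67142ded62c42e.odex "
    "--compiler-filter=quicken"
)

# Constructed control: what an install-time compile of an APK looks like.
INSTALL_CMDLINE = (
    "/system/bin/dex2oat --dex-file=/data/app/com.example.game-1/base.apk "
    "--oat-location=/data/app/com.example.game-1/oat/x86/base.odex "
    "--compiler-filter=speed-profile"
)

# App-private data directories (both spellings name the same tree on Android).
PRIVATE_DIR = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/")
INSTALLED_DIR = "/data/app/"


def dex2oat_options(cmdline):
    """Map --key=value options to values; bare flags map to None."""
    opts = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            opts[key] = val or None
    return opts


def classify_dex2oat(cmdline):
    """Return a verdict on where the dex/jar being compiled came from."""
    opts = dex2oat_options(cmdline)
    dex = opts.get("dex-file") or ""
    result = {
        "dex_file": dex,
        "oat_location": opts.get("oat-location"),
        "compiler_filter": opts.get("compiler-filter"),
        "package": None,
    }
    m = PRIVATE_DIR.match(dex)
    if m:
        result["verdict"] = "dropped-code"
        result["package"] = m.group("pkg")
    elif dex.startswith(INSTALLED_DIR):
        result["verdict"] = "installed-apk"
    else:
        result["verdict"] = "unknown"
    return result


def dropped_code_paths(cmdlines):
    """(package, dex path) for every dex2oat run that compiled app-private code."""
    hits = []
    for cmd in cmdlines:
        if not cmd.startswith("/system/bin/dex2oat"):
            continue
        r = classify_dex2oat(cmd)
        if r["verdict"] == "dropped-code":
            hits.append((r["package"], r["dex_file"]))
    return hits


if __name__ == "__main__":
    for pkg, path in dropped_code_paths([SAMPLE_CMDLINE, INSTALL_CMDLINE]):
        print(f"{pkg} compiled dropped code: {path}")
```

Two details from the report are worth carrying into the notes: the jar's file name (4da25210572e7e07ea67142ded62c42e) is the MD5 recorded for the /data/data copy of the same file in the Files section, so the dropper appears to name files by content hash, and the same path is recorded with three different SHA256 values, so the file was rewritten during the run.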

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sdk.mofang.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 42.121.118.238:80 sdk.mofang.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.borisk.tinysurvivor/files/umeng_it.cache

MD5 86efb7d98738e0a3a652769c221e92fc
SHA1 4d9ad24058a12d18d02c9216178fdb5fa7072b94
SHA256 9487e47956eef90a8cf1afe0c802f5395090e5d518628c6eb10c1baee36b6bd1
SHA512 c39a0d5387c23b7ed05b47bbf195e8059c0257bb443c97d6a915df8e0be2842eb53d783dbceca38da8f3b7e21c21d98d68380e53fb8b72b70fbf411b0c5b1ba0

/data/data/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar

MD5 4da25210572e7e07ea67142ded62c42e
SHA1 90a1c878188ca1fc0698ce4bd79ad9af471db8cc
SHA256 e2a2c7f4aa75d7a62207a092749ad41de4b198ca421b75a155cf5c965300a95a
SHA512 d0358e06fa94537f7f8d3591e08146d72276569bd913200b00d60aed891e54d6320f41c635cf0869594f04fbf1d4541b4aaa96825703fef65319a724c624688b

/data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar

MD5 f6a1f0b1e553a90ee1f3acc570253e76
SHA1 130d8829484acc589bdf997ced0b37e95d1f6890
SHA256 49eee2abe0b3da24dd6bdcc24575e7cf219141ef17afd72f2e043056b4e24283
SHA512 64c0e9591dc264baedcac22d19f434e12db148d47f286b3f12f5d2734e83b0b4ec5dcfc6036c35d7d4afb99de6016929daab4000382633b5558acb2258d1d7d5

/data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar

MD5 e773527f09901f9fdcca8fc094fe6d7e
SHA1 deb703e22097ae9586027d6e86aca3d44a48118d
SHA256 0345efbf7d8075bd259f02e50d485a4d90458a727bd0e79e48ef53a093214fad
SHA512 d804548c8a80db8c5b0892d9920e118f775a073452ed4bdf62e2730504bf529f61aa32e50fa67035befd7f8c2fc97eae8a5a93db80fe64f51c3bb61991059c55

/data/data/com.borisk.tinysurvivor/files/mobclick_agent_sealed_com.borisk.tinysurvivor

MD5 3326b4db704e2682009e0837d98dcef2
SHA1 c9b7f4978bb17fa516d98758d693e460cbe5b68a
SHA256 53e24bc89045839e188ff8dcc69c170ed8e15b712e34d682316cf1541c7a49e1
SHA512 e4dddff30dc57a0307086f136b5f5cdf9d5fe97e47027631bcc2aa8aa56751b23a42ef7bb987d58e0d9f06be81cfed983b93adcf4038b672556a4029fd2402d6

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 21:40

Reported

2024-05-09 21:43

Platform

android-x64-20240506-en

Max time kernel

68s

Max time network

131s

Command Line

com.borisk.tinysurvivor

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

com.borisk.tinysurvivor

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 sdk.mofang.com udp
CN 42.121.118.238:80 sdk.mofang.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
GB 142.250.187.206:443 tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
GB 216.58.212.206:443 android.apis.google.com tcp
GB 172.217.16.226:443 tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 142.250.187.206:443 tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.borisk.tinysurvivor/files/umeng_it.cache

MD5 d10f776b3b950494802e36d4133b3607
SHA1 26016e0f2e15ea87f05fc7c6fd2d003e335eecce
SHA256 0f8d4451d81b04bf61a90924170010c5d44e4ab576f961a7f9c2089ad324b5b6
SHA512 f2f7b8237b60d562d8e76f8a48db72d3720993599cb50444f3c1283f93f8d529ca2e4801ae1fc1277ed180f8c9ff228ef51c8d08876036216ab71784b1d5da0b

/data/data/com.borisk.tinysurvivor/files/mobclick_agent_sealed_com.borisk.tinysurvivor

MD5 558de1cb63c97e4d0060767397a32530
SHA1 120e9ce5e35dc3f31dae6bd586e2654deb35ef0f
SHA256 107642c8853116d908dc206ce7103710c7c486d2b54cd3fee01cb91961725985
SHA512 ae1920ee02d0029e28b6f66c98686019f0c81bd3aaf87bc9330c5d92afb2c9ab80c1aad87eb983a1030f60ec591314bd180444efc9f79a9dba5f0f004ba99e92
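The Network and Files tables of both behavioral runs are long and repetitive; the Python below is an added example of condensing them into the two things a triager actually wants from them: which names were looked up and which endpoints were then contacted (with the sandbox resolver and mDNS rows set aside), and which files were written more than once with different content. It is not part of the report. The sample rows are copied from the behavioral1 tables above (a subset of the network rows; the Files entries reduced to path and SHA256). Treating 1.1.1.1:53 as the sandbox's DNS forwarder and 224.0.0.251:5353 as local noise is a judgement call, labelled as such in the code, and folding /data/data/ into /data/user/0/ relies on the former being a symlink to the latter on Android.

```python
"""Condense a sandbox report's Network and Files tables into a triage view."""
import re
from collections import defaultdict

# Constructed: a subset of the behavioral1 network rows above, same flat layout.
NETWORK_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sdk.mofang.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 42.121.118.238:80 sdk.mofang.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

# Constructed: behavioral1 Files entries above, as (path, sha256).
FILE_ROWS = [
    ("/data/data/com.borisk.tinysurvivor/files/umeng_it.cache",
     "9487e47956eef90a8cf1afe0c802f5395090e5d518628c6eb10c1baee36b6bd1"),
    ("/data/data/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar",
     "e2a2c7f4aa75d7a62207a092749ad41de4b198ca421b75a155cf5c965300a95a"),
    ("/data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar",
     "49eee2abe0b3da24dd6bdcc24575e7cf219141ef17afd72f2e043056b4e24283"),
    ("/data/user/0/com.borisk.tinysurvivor/app_.gpg.classloader/4da25210572e7e07ea67142ded62c42e.jar",
     "0345efbf7d8075bd259f02e50d485a4d90458a727bd0e79e48ef53a093214fad"),
    ("/data/data/com.borisk.tinysurvivor/files/mobclick_agent_sealed_com.borisk.tinysurvivor",
     "53e24bc89045839e188ff8dcc69c170ed8e15b712e34d682316cf1541c7a49e1"),
]

SANDBOX_RESOLVER = "1.1.1.1:53"  # assumption: the sandbox's DNS forwarder, not a C2
MDNS = "224.0.0.251:5353"        # link-local multicast DNS; local noise


def parse_network(text):
    """Rows of 'Country Destination [Domain] Proto' into dicts; header skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def summarize_network(rows):
    """Names queried, endpoints contacted per name (or per IP when unnamed),
    and names that were resolved but never connected to."""
    queried = set()
    connections = defaultdict(set)
    for r in rows:
        if r["dest"] == MDNS:
            continue
        if r["dest"] == SANDBOX_RESOLVER and r["proto"] == "udp":
            if r["domain"]:
                queried.add(r["domain"])
            continue
        key = r["domain"] or r["dest"].split(":")[0]
        connections[key].add(r["dest"])
    return {
        "queried": sorted(queried),
        "connections": {k: sorted(v) for k, v in sorted(connections.items())},
        "queried_only": sorted(queried - set(connections)),
    }


def canonical_path(path):
    """/data/data is a symlink to /data/user/0, so fold both spellings together."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def rewritten_files(file_rows):
    """Paths recorded with more than one distinct SHA256, in order of appearance."""
    hashes = defaultdict(list)
    for path, sha256 in file_rows:
        p = canonical_path(path)
        if sha256 not in hashes[p]:
            hashes[p].append(sha256)
    return {p: h for p, h in hashes.items() if len(h) > 1}


if __name__ == "__main__":
    summary = summarize_network(parse_network(NETWORK_ROWS))
    for name, endpoints in summary["connections"].items():
        print(f"{name}: {', '.join(endpoints)}")
    print("resolved but never contacted:", summary["queried_only"])
    for path, h in rewritten_files(FILE_ROWS).items():
        print(f"{path} written {len(h)} times with different content")
```

Run against the rows above, the summary separates the two Chinese SDK hosts (sdk.mofang.com, alog.umeng.com, plain HTTP on port 80) from the Google endpoints on 443, shows alog.umeng.co as a name that was looked up but never connected to, and reports the dropped jar as the only path written more than once, three times with three different SHA256 values.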