Malware Analysis Report

2025-01-02 08:03

Sample ID 240509-2fhbmaac5y
Target 2c0871f71a4ee9a331080dc8b829c27d_JaffaCakes118
SHA256 935e4fa4e25affc6af197c263ba50453affd5ec13a2aa70dcc636af7c713e324
Tags
privateloader discovery evasion impact persistence collection credential_access
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

935e4fa4e25affc6af197c263ba50453affd5ec13a2aa70dcc636af7c713e324

Threat Level: Known bad

The file 2c0871f71a4ee9a331080dc8b829c27d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

privateloader discovery evasion impact persistence collection credential_access

Privateloader family

Queries the mobile country code (MCC)

Checks Android system properties for emulator presence.

Checks memory information

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 22:31

Signatures

Privateloader family

privateloader

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
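A worked check for the permission set listed above, added here as an example and not part of the sandbox report. Two of the four permissions (SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES) are not dangerous-level runtime permissions at all; they are "special" app-op permissions that the user enables from a dedicated Settings screen, which is exactly why a loader pairs them. The script classifies a decoded AndroidManifest.xml into those buckets and flags the pairing. The manifest is constructed for the example (the report does not include it): the four permissions match the static analysis, INTERNET is an assumption.

```python
# Added example, not part of the sandbox report: classify the permissions an
# AndroidManifest.xml requests and flag the loader/overlay pairing seen in
# this sample. The manifest below is constructed for the example; the four
# permissions match the static analysis, INTERNET is an assumption.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous" protection level) permissions, granted via a user
# prompt at run time (API 23+). Subset relevant to Android malware triage.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# "Special" app-op permissions. These are NOT dangerous-level and do not
# appear in the runtime permission prompt; the user enables each one in a
# dedicated Settings screen, which is why droppers social-engineer for them.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.WRITE_SETTINGS",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Constructed manifest (the report does not ship one). Feed a real one from
# `apktool d` or androguard's get_android_manifest_xml() in practice.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.btxbfps.drtkt">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="app"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return <uses-permission android:name=...> values in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def classify(perms) -> dict:
    """Split a permission list into dangerous / special / other buckets."""
    perms = set(perms)
    return {
        "dangerous": sorted(perms & DANGEROUS),
        "special": sorted(perms & SPECIAL),
        "other": sorted(perms - DANGEROUS - SPECIAL),
    }


def loader_indicators(classes: dict) -> list:
    """Triage heuristics over the classified permission set."""
    special = set(classes["special"])
    dangerous = set(classes["dangerous"])
    flags = []
    if "android.permission.REQUEST_INSTALL_PACKAGES" in special:
        flags.append("can install further APKs: loader/dropper capability")
    if "android.permission.SYSTEM_ALERT_WINDOW" in special:
        flags.append("can draw over other apps: overlay/phishing UI capability")
    if {"android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.SYSTEM_ALERT_WINDOW"} <= special:
        flags.append("overlay + install pairing: can coerce the user through the install prompt")
    if "android.permission.READ_PHONE_STATE" in dangerous:
        flags.append("can read IMEI/IMSI and network state: device fingerprinting")
    return flags


if __name__ == "__main__":
    classes = classify(requested_permissions(SAMPLE_MANIFEST))
    for bucket, names in classes.items():
        print(bucket, names)
    for flag in loader_indicators(classes):
        print("!", flag)
```

The bucket split matters operationally: a runtime-prompt denial does nothing against SYSTEM_ALERT_WINDOW or REQUEST_INSTALL_PACKAGES, so an EDR or MDM policy that only audits dangerous-level grants will miss the two capabilities that make this sample a loader.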

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 22:31

Reported

2024-05-09 22:35

Platform

android-x86-arm-20240506-en

Max time kernel

34s

Max time network

156s

Command Line

com.btxbfps.drtkt

Signatures

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.btxbfps.drtkt/.jiagu/classes.dex | N/A | N/A
N/A | /data/data/com.btxbfps.drtkt/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.btxbfps.drtkt/.jiagu/tmp.dex | N/A | N/A
N/A | /data/data/com.btxbfps.drtkt/.jiagu/tmp.dex | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.btxbfps.drtkt

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.btxbfps.drtkt/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.btxbfps.drtkt/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mayi.helpserver.top udp
US 1.1.1.1:53 bxapps.com udp
US 1.1.1.1:53 google.com udp
GB 142.250.187.206:80 google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
DE 91.195.240.12:80 bxapps.com tcp
DE 91.195.240.12:80 bxapps.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 216.58.204.66:443 googleads.g.doubleclick.net tcp
DE 91.195.240.12:80 bxapps.com tcp
GB 172.217.169.10:443 tcp
GB 172.217.169.10:443 tcp
GB 142.250.187.206:443 google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.187.196:80 www.google.com tcp

Files

/data/data/com.btxbfps.drtkt/.jiagu/libjiagu.so

MD5 f380717bd1e3916c7b697fab8d46c5d8
SHA1 04f51f0d16097214e38be517d93be44cb0603a88
SHA256 8455632be7bacb221468c4daab2f9b5ee33739f08b22244ff81a36a02bec36cc
SHA512 b78fe11f77d2c0ec5b36850e8cc3b955661b31641405233c8842b91205e44dc16a30d7fc1ef18dde1b066c1b98959ae9c18be5472413d2b398b7ab6a6b52c07e

/data/data/com.btxbfps.drtkt/.jiagu/classes.dex

MD5 c18159b2e91a07b4308089a5f9dc6a53
SHA1 641e977b184ed24db1c2982a11490d47ecbd1d53
SHA256 043998476217a1b827a413566df8223d0189d671367bfc8adaf87511acd4f691
SHA512 97776a8b850363bfb2a2ab5180583eb2d143cdbae7923e252b96b3df77a8f25a0a0382482b0f3185f2c891fe7632e64dfae9126c9d408d85ee893f21e7628e55

/data/data/com.btxbfps.drtkt/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.ri

MD5 d926c316573be9370f5bb788ab16ed9e
SHA1 1b4a30b33f241d185df74c4d0faa3f96043907fc
SHA256 adc1f596eedabc3da76c32357cc2d222f3f9c68e32bc25f61d9a9862e07b24c5
SHA512 f7bb98a4ad4b50f14714780668dd743fd134a7f57c16e9f3fa0a5000ba931ff701294142e74a76f2c945ceeb745a7892652b8d3a82225731eadafc2a00df0737

/data/data/com.btxbfps.drtkt/files/.jiagu.lock

MD5 290f4952c9e75dc276a9758631523928
SHA1 563e32a720a9bff50dc145f1ff2f4cb0e375914c
SHA256 50326d52f61ad704ddb34d5c884e2cf0a8da2a915840c3b86e757424aa4bbffe
SHA512 2661fc0c0b11a5e3416a20720765d9fd8be8e56d14c320ab97e1529cbbc949ec6c109e5f5aab9752fc14a82088993906a764f0f6512f57bccc590eb633f1d165

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.rd

MD5 e1c26dabc0226bf3ae489bc901ca1f4a
SHA1 4c2b8b84f17cdadd1e9211187066e05f47399345
SHA256 8cd359cd261811b07bcc57443e2464cda9dfa85220a33d88cc4bd0abaf42f54a
SHA512 7ff06914fe6bee77176d16f16ff4f425a6a24ea7b916d4610c7efc150340576167459a2978fcef317eba1d3434ae07c7aa793fc06d950a29b3936ead6b30e443

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.store

MD5 448e391c59eef34ee1defbe4dee4c41f
SHA1 df1f890987371d7d8e6963c68b787856e42bc146
SHA256 55612e17689f4bb05f27e18b4f6d06ffef92a6a8893a5cfdd3d5b99a6028b549
SHA512 ce336ce895ba861dda7da27e8869dea065eb3c3403cac55cdf1935409e5ebc95b495370f87ed7416af20af533b15615472e333ae9f2fd2713040f526835399b7

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.ac

MD5 759680adaa18e3ab879569f3757d9211
SHA1 d5e27ad9541720f8a5ed2770c76effb72f292084
SHA256 d519bff6ae54786860b2f70452f95c08e96bf0824f7f88be9e77921730bb99b8
SHA512 a4498ef0c12c3290275cbd16c1c84c41d1bdfc089c4692ebaf586097639b555d0c20b88c6b5ceba9199477da533880b2b6b1c0da2d2addb3e9325adf17f9b57d

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.ic

MD5 5c1324b89b94ba1b7034bb2fa1f6f114
SHA1 4049ec7e0a62a2753587ea1246f81113ca1765e9
SHA256 fe66368fc4eb34303eb34f7ac3f8fed1fcb3cd32874c1ccd41f01167a979bef2
SHA512 3be91519021152088b1081c9d9753af9bab8185686ba63931193999c69e10dbefb8d7d86feb7f633bcd59165667b489b32d66d4cefe49ecf69cc7e8de0fd5eea

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.di

MD5 cadf5726b959bbc6571323ed53db459b
SHA1 12ce816ed1525035d4a5604eea4534dfcb051fd8
SHA256 f2862f35efeb79dfc389beb74f34c2f5a4ed90f5306f9e6fd8714d89fd0c7512
SHA512 51efa1fbb4a68a6e27cd883ef08e2e2d2489630e8998615153657316697b519172c1c28c9a4f0d502493d473df6f52df595358881aee5242fcaf5003b56d32b5

/storage/emulated/0/360/.iddata

MD5 78249941bc0a04b09d4450dd3f03c711
SHA1 4694bfc38e3588b1b392fd3f6b48550afcfca6e9
SHA256 f37d841e4f977c2e3402c5ed413da03b927cc503dd8beca290dcb4b357b079ea
SHA512 3b0b8b13c2d7aa97520f348bb267599c6008e1569c81e0fd54387d43b9de5a3ef68788f0322237000220413fb6e1f9573d21bbb3f179f58d76a5409d37a1b024

/storage/emulated/0/360/.deviceId

MD5 1d8d16c4e3b19ebf18988530d9b9a757
SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

/data/data/com.btxbfps.drtkt/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 22:31

Reported

2024-05-09 22:34

Platform

android-x64-20240506-en

Max time kernel

150s

Max time network

159s

Command Line

com.btxbfps.drtkt

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.btxbfps.drtkt/[email protected] | N/A | N/A
N/A | /data/user/0/com.btxbfps.drtkt/cache/1582435991586.jar | N/A | N/A
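Both behavioral runs load code from files the app wrote itself: the .jiagu/tmp.dex and .jiagu/classes.dex that dex2oat compiles in behavioral1, and the cache/1582435991586.jar here. The libjiagu.so / .jiagu layout is characteristic of a commercial packer that writes the real classes.dex out at run time, and such written-out copies often carry a zeroed checksum or a wrong file_size. The script below, an added example and not part of the report, is the check to run on a pulled copy before handing it to a decompiler: it unwraps a .jar/.apk if given one, parses the DEX header and verifies each integrity field separately so a tampered header is reported rather than silently accepted. The sample DEX and JAR it builds are constructed inline; the file names in the usage comment are assumptions.

```python
# Added example, not part of the sandbox report: check a dropped payload
# before feeding it to a decompiler. Every header field is reported on its
# own because packers frequently leave checksum/file_size wrong on purpose.
import hashlib
import io
import struct
import sys
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def extract_dex(blob: bytes) -> bytes:
    """Return raw DEX bytes from a .dex, or the first .dex entry of a .jar/.apk."""
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            dex_names = [n for n in zf.namelist() if n.endswith(".dex")]
            if not dex_names:
                raise ValueError("archive contains no .dex entry")
            return zf.read(dex_names[0])
    return blob


def parse_dex_header(data: bytes) -> dict:
    """Parse the fixed DEX header and verify its integrity fields.

    Layout (little-endian): magic[8] "dex\\n0NN\\0", checksum u4 (adler32 over
    bytes 12..end), signature[20] (SHA-1 over bytes 32..end), file_size,
    header_size (0x70), endian_tag, then 17 more u4 size/offset fields.
    """
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a DEX file")
    magic = data[:8]
    magic_ok = magic[:4] == b"dex\n" and magic[7:8] == b"\0"
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    fields = struct.unpack_from("<20I", data, 32)
    file_size, header_size, endian_tag = fields[:3]
    method_ids_size, class_defs_size = fields[14], fields[16]
    return {
        "version": magic[4:7].decode("ascii", "replace") if magic_ok else None,
        "magic_ok": magic_ok,
        "checksum_ok": checksum == zlib.adler32(data[12:]) & 0xFFFFFFFF,
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == DEX_ENDIAN_CONSTANT,
        "method_ids": method_ids_size,
        "class_defs": class_defs_size,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_payload(blob: bytes) -> dict:
    """Unwrap, parse and summarise whether the header has been touched."""
    info = parse_dex_header(extract_dex(blob))
    info["looks_tampered"] = not (info["magic_ok"] and info["checksum_ok"]
                                  and info["signature_ok"] and info["file_size_ok"])
    return info


def build_sample_dex(version: bytes = b"035") -> bytes:
    """Construct a minimal, internally consistent DEX: header only, no classes."""
    tail = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE,
                       DEX_ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + tail


def wrap_in_jar(dex: bytes) -> bytes:
    """Constructed stand-in for a dropped .jar such as cache/1582435991586.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python dex_triage.py <pulled tmp.dex or .jar>; with no argument the
    # constructed sample is used so the script runs offline.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else wrap_in_jar(build_sample_dex())
    for key, value in triage_payload(blob).items():
        print(f"{key:15} {value}")
```

Record the sha256 the script prints next to the one in the Files list: a pulled tmp.dex whose hash differs from the report's while its signature still verifies is a different unpacked stage, not a corrupted copy. A checksum mismatch with a valid SHA-1 signature is the usual packer fingerprint and is harmless to a decompiler; a magic or file_size mismatch usually means the file is still wrapped or was cut off during the pull.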

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.btxbfps.drtkt

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 mayi.helpserver.top udp
US 1.1.1.1:53 bxapps.com udp
DE 91.195.240.12:80 bxapps.com tcp
DE 91.195.240.12:80 bxapps.com tcp
US 1.1.1.1:53 google.com udp
GB 142.250.179.238:80 google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.178.4:80 www.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
DE 91.195.240.12:80 bxapps.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.179.238:80 google.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 172.217.169.78:443 tcp
GB 216.58.201.98:443 tcp
GB 216.58.212.202:443 tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.179.238:443 google.com tcp
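Most of the two Network tables (behavioral1 and behavioral2) is the sandbox image talking to Play services, ads and analytics; the rows worth keeping are the resolver query for mayi.helpserver.top, which never turns into a connection in either run, and the three plain-HTTP connections per run to bxapps.com at 91.195.240.12:80. The script below, added as an example and not part of the report, extracts exactly that from the flattened rows: it copes with rows that have no Domain column by field count, drops mDNS and resolver queries as contacts, and separates "queried but never contacted" names from contacted hosts. The rows are a subset copied from the two tables above; the benign-suffix allow-list is an assumption made for this example and should be replaced by a baseline taken from a clean run of the same image.

```python
# Added example, not part of the sandbox report: turn the Network tables into
# IOCs. Rows are whitespace separated and the Domain column is missing on
# some lines, so the field count decides the row shape.
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Subset of rows copied from behavioral1 and behavioral2.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mayi.helpserver.top udp
US 1.1.1.1:53 bxapps.com udp
US 1.1.1.1:53 google.com udp
GB 142.250.187.206:80 google.com tcp
DE 91.195.240.12:80 bxapps.com tcp
DE 91.195.240.12:80 bxapps.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 216.58.204.66:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
"""

# Domains the sandbox image itself talks to (Play services, ads, analytics).
# Assumption for this example; derive it from a clean run of your own image.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "doubleclick.net",
                   "google-analytics.com", "gstatic.com")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> list:
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:           # no Domain column on this row
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row shape: {line!r}")
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def is_benign(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage_flows(flows) -> dict:
    """Separate contacted hosts, DNS-only names and unnamed TLS endpoints."""
    queried, contacted, unattributed = set(), Counter(), set()
    for f in flows:
        if ipaddress.ip_address(f.ip).is_multicast:      # mDNS noise
            continue
        if f.port == 53 and f.proto == "udp":            # resolver query, not a contact
            if f.domain:
                queried.add(f.domain)
            continue
        if f.domain is None:
            unattributed.add((f.ip, f.port))             # TLS to an IP the sandbox never named
        else:
            contacted[(f.domain, f.ip, f.port, f.proto)] += 1
    suspicious_contacts = {k: n for k, n in contacted.items() if not is_benign(k[0])}
    suspicious_queries = {d for d in queried if not is_benign(d)}
    return {
        "contacted": suspicious_contacts,
        "dns_only": sorted(suspicious_queries - {k[0] for k in suspicious_contacts}),
        "unattributed": sorted(unattributed),
    }


if __name__ == "__main__":
    for key, value in triage_flows(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

Two caveats the tables do not spell out: the "US" on every 1.1.1.1:53 row is the geolocation of the resolver the sandbox uses, not of anything the sample chose, so those rows are evidence of what was looked up and nothing more; and the unnamed 443 connections to Google address space cannot be cleared by suffix, only by checking the TLS SNI in the pcap. The bxapps.com fetches over port 80 are the ones to pull from the capture, since unencrypted HTTP from a loader is where the next stage or its configuration usually arrives.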

Files

/data/data/com.btxbfps.drtkt/.jiagu/libjiagu.so

MD5 f380717bd1e3916c7b697fab8d46c5d8
SHA1 04f51f0d16097214e38be517d93be44cb0603a88
SHA256 8455632be7bacb221468c4daab2f9b5ee33739f08b22244ff81a36a02bec36cc
SHA512 b78fe11f77d2c0ec5b36850e8cc3b955661b31641405233c8842b91205e44dc16a30d7fc1ef18dde1b066c1b98959ae9c18be5472413d2b398b7ab6a6b52c07e

/data/user/0/com.btxbfps.drtkt/[email protected]

MD5 c18159b2e91a07b4308089a5f9dc6a53
SHA1 641e977b184ed24db1c2982a11490d47ecbd1d53
SHA256 043998476217a1b827a413566df8223d0189d671367bfc8adaf87511acd4f691
SHA512 97776a8b850363bfb2a2ab5180583eb2d143cdbae7923e252b96b3df77a8f25a0a0382482b0f3185f2c891fe7632e64dfae9126c9d408d85ee893f21e7628e55

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.ri

MD5 e9deb02ba9c5c0b7dee0ceb54e748a53
SHA1 0b1c013b68d60f9fa109265a12e8710194ee6b99
SHA256 85173aea97b35302178eb6521a1d84f69b84e92d1bb5988db08cf9b97985ba86
SHA512 fec7f53e93d4f98fd42cc351e33dfd6ae50fc863a20eb5cad9d05cc109cec0985a7e97195ed1bf20f25c14c9eebe02a0355296f98b8a794b78615f3b81a52bf3

/data/data/com.btxbfps.drtkt/files/.jiagu.lock

MD5 4ad8ef6a9a629e6f9b84be9ef6c2a79a
SHA1 e8c6db8d78ac0040fbd5a9cd1120362602c08110
SHA256 b83767176065070b2d58851fd398234720e1e91447062f0eea76322787620848
SHA512 fa4f925b71e8ea139895a37f6d5f1412a75c1e0776b36658ea335f1f53dc808cc38f850361f91ef0211fb948735ae251eb0b18e84d8fb136f1d629ac32a9c449

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.rd

MD5 c300cbc9d9e41456958345acada47714
SHA1 19af932460e6602fbc2a69e4e4506ca244db0b90
SHA256 b617f8de8fffe6a577714990373e2c1a029bd6b0432426363ab9b1dc527732fb
SHA512 53ffa11b5214ea4bbb55cf353cc410a0fecd820344b7747becd77685f40631fb7553104382e7d5f69a76828968a98ee13b49d932af4e863d19eb825e9b051638

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.store

MD5 448e391c59eef34ee1defbe4dee4c41f
SHA1 df1f890987371d7d8e6963c68b787856e42bc146
SHA256 55612e17689f4bb05f27e18b4f6d06ffef92a6a8893a5cfdd3d5b99a6028b549
SHA512 ce336ce895ba861dda7da27e8869dea065eb3c3403cac55cdf1935409e5ebc95b495370f87ed7416af20af533b15615472e333ae9f2fd2713040f526835399b7

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.ac

MD5 759680adaa18e3ab879569f3757d9211
SHA1 d5e27ad9541720f8a5ed2770c76effb72f292084
SHA256 d519bff6ae54786860b2f70452f95c08e96bf0824f7f88be9e77921730bb99b8
SHA512 a4498ef0c12c3290275cbd16c1c84c41d1bdfc089c4692ebaf586097639b555d0c20b88c6b5ceba9199477da533880b2b6b1c0da2d2addb3e9325adf17f9b57d

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.ic

MD5 5c1324b89b94ba1b7034bb2fa1f6f114
SHA1 4049ec7e0a62a2753587ea1246f81113ca1765e9
SHA256 fe66368fc4eb34303eb34f7ac3f8fed1fcb3cd32874c1ccd41f01167a979bef2
SHA512 3be91519021152088b1081c9d9753af9bab8185686ba63931193999c69e10dbefb8d7d86feb7f633bcd59165667b489b32d66d4cefe49ecf69cc7e8de0fd5eea

/data/data/com.btxbfps.drtkt/files/.jglogs/.jg.di

MD5 65ca90364ed643106c31619fe33b9978
SHA1 6078eacf7fe40bb24e551a5820f16437ca325f69
SHA256 622196650965f817046dd5ab8ff2e5f7ca07c6ab615ba7b478d21a8721214c53
SHA512 f749d138b0bdd7da681242e7cb71a5ff1981bad171479ccf89270237aed6fc0295001755e6ab3456bd1e1507e1f491478b573893ee0bbd06e3a8202a20414575

/storage/emulated/0/360/.iddata

MD5 7b25c9d0f1831ad3b7f1c6af8a83ef0d
SHA1 d85d9c39c0180db001c23d6a9c23732c8147aad8
SHA256 490444ab5f365e69f1ad7e8de6e0651313d6491235748ac375b52c9ed3e22463
SHA512 dbb02659dd5d795e1411dac430e8bb7d776e811ddeb8e616b5472ea0471881b15271700f527542bac1359ec78647b9a315d74862d37ff75bcbbc38ca4f2d29bc

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399

/data/data/com.btxbfps.drtkt/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/com.btxbfps.drtkt/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56