Malware Analysis Report

2024-09-09 19:09

Sample ID 240509-shcpgsba49
Target 2a8a87da3a037fbe490c1087ca7e00c5_JaffaCakes118
SHA256 761c805132d2080ce6d68d117bb25a297570dbf9a6cb510fcd68bf99de8e3a39
Tags
banker collection discovery evasion impact privilege_escalation persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

761c805132d2080ce6d68d117bb25a297570dbf9a6cb510fcd68bf99de8e3a39

Threat Level: Likely malicious

The file 2a8a87da3a037fbe490c1087ca7e00c5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact privilege_escalation persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Registers a broadcast receiver at runtime (usually for listening for system events)

Reads the content of the SMS messages.

Tries to add a device administrator.

Loads dropped Dex/Jar

Reads the contacts stored on the device.

Reads the content of photos stored on the user's device.

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-09 15:07

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 15:07

Reported

2024-05-09 15:10

Platform

android-x64-arm64-20240506-en

Max time kernel

150s

Max time network

156s

Command Line

com.mdvmonsxa.lhqhmfqodr

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of photos stored on the user's device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://media/external/images/media | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.mdvmonsxa.lhqhmfqodr

Network


Files

/data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar

MD5 911384c7a5dcf7687a5648d9a44b65e3
SHA1 00cf45674e8bad8c4f189567e62d55d168d49a81
SHA256 2bd048ba88d634bb5ae468126c8a15512adc20e2d34dc1fdc95b3d697b35efcb
SHA512 5d704d1d9370f52925b426a8a4d6d49d5475b2a3b36b9e504bab99219de435978d60617171aa913c0521c5c97fc88e89151ae7868a8daba1be9a109d7acb265d

/data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar

MD5 f88b900d1b9a248a801509464c45793c
SHA1 b6b18d7dedd7d62509f9a740ef1a17d84c432944
SHA256 6e074fea9a3c5083e173c908d25d4c13e10d49d00a0f3e4ef61b369b9409ebc5
SHA512 d98f8b9570ff807df531f93ea4688e9e7e4a2ccecf820b6dfa27d6af0017c0fefb555b95a8ad4b376ed071e52b13afd03c795a353c9af793bc79fb4101b62cf5

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 15:07

Reported

2024-05-09 15:10

Platform

android-x86-arm-20240506-en

Max time kernel

151s

Max time network

156s

Command Line

com.mdvmonsxa.lhqhmfqodr

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar | N/A | N/A
N/A | /data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of photos stored on the user's device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://media/external/images/media | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mdvmonsxa.lhqhmfqodr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/oat/x86/qodnigsofy.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar

MD5 911384c7a5dcf7687a5648d9a44b65e3
SHA1 00cf45674e8bad8c4f189567e62d55d168d49a81
SHA256 2bd048ba88d634bb5ae468126c8a15512adc20e2d34dc1fdc95b3d697b35efcb
SHA512 5d704d1d9370f52925b426a8a4d6d49d5475b2a3b36b9e504bab99219de435978d60617171aa913c0521c5c97fc88e89151ae7868a8daba1be9a109d7acb265d

/data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar

MD5 f88b900d1b9a248a801509464c45793c
SHA1 b6b18d7dedd7d62509f9a740ef1a17d84c432944
SHA256 6e074fea9a3c5083e173c908d25d4c13e10d49d00a0f3e4ef61b369b9409ebc5
SHA512 d98f8b9570ff807df531f93ea4688e9e7e4a2ccecf820b6dfa27d6af0017c0fefb555b95a8ad4b376ed071e52b13afd03c795a353c9af793bc79fb4101b62cf5

/data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar

MD5 374ef4e9d9adc4ef8812ad908e4dbd73
SHA1 b5ab11cc9b11311730f88daf5d87d5ab3441e8e8
SHA256 dd7599ab5a3d0bdd951b4c4b3acddceb5f43bcbcd7ff46bcd300a9349748cf07
SHA512 25c5e10306601bb963eaa7569cf6cea2537cc9c3c69f172e62599eeaff53690554545d665bc18a4977b727f5704f1822ea7dfd01ef00fbeaa9c16e704af9866b

/data/data/com.mdvmonsxa.lhqhmfqodr/app_fctorp/oat/qodnigsofy.jar.cur.prof

MD5 faa06a9c717d3bfdbaa14bd077b9b554
SHA1 8edf00d9441c0b073d5c22d22a2ac2d71e9687e7
SHA256 ea892a14578f0d0bc0a690fd47808d7a4beb3f61ae5561ea10f8f2a3a8a52312
SHA512 aef7548daa3e242e5910b583fef3dd4e17b03f701b626edd8c314ecd6b59f8ea36c7adcd99660b4300b8fde1e112d1f111b641e342bbcd25ba9fa5c008babeb8

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 15:07

Reported

2024-05-09 15:10

Platform

android-x64-20240506-en

Max time kernel

153s

Max time network

160s

Command Line

com.mdvmonsxa.lhqhmfqodr

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of photos stored on the user's device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://media/external/images/media | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.mdvmonsxa.lhqhmfqodr

Network


Files

/data/data/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar

MD5 911384c7a5dcf7687a5648d9a44b65e3
SHA1 00cf45674e8bad8c4f189567e62d55d168d49a81
SHA256 2bd048ba88d634bb5ae468126c8a15512adc20e2d34dc1fdc95b3d697b35efcb
SHA512 5d704d1d9370f52925b426a8a4d6d49d5475b2a3b36b9e504bab99219de435978d60617171aa913c0521c5c97fc88e89151ae7868a8daba1be9a109d7acb265d

/data/user/0/com.mdvmonsxa.lhqhmfqodr/app_fctorp/qodnigsofy.jar

MD5 f88b900d1b9a248a801509464c45793c
SHA1 b6b18d7dedd7d62509f9a740ef1a17d84c432944
SHA256 6e074fea9a3c5083e173c908d25d4c13e10d49d00a0f3e4ef61b369b9409ebc5
SHA512 d98f8b9570ff807df531f93ea4688e9e7e4a2ccecf820b6dfa27d6af0017c0fefb555b95a8ad4b376ed071e52b13afd03c795a353c9af793bc79fb4101b62cf5