Malware Analysis Report

2024-12-08 03:01

Sample ID 240510-2vvv9shb99
Target 3173adb646ad6398e787c6302cdfedc5_JaffaCakes118
SHA256 1666e091ac7c4a82e3c10de78b2cac24402e0fbb52129d55a7aea0add2dc0124
Tags
privateloader discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1666e091ac7c4a82e3c10de78b2cac24402e0fbb52129d55a7aea0add2dc0124

Threat Level: Known bad

The file 3173adb646ad6398e787c6302cdfedc5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

privateloader discovery evasion persistence

Privateloader family

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 22:54

Signatures

Privateloader family

privateloader

Requests dangerous framework permissions

Description                                          Indicator                                  Process  Target
Allows an application to write to external storage.  android.permission.WRITE_EXTERNAL_STORAGE  N/A      N/A
Required to be able to access the camera device.     android.permission.CAMERA                  N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 22:54

Reported

2024-05-10 22:57

Platform

android-x86-arm-20240506-en

Max time kernel

132s

Max time network

151s

Command Line

com.pokemon.pokemontcg

Signatures

Checks CPU information

evasion discovery

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description             Indicator                                        Process  Target
Framework service call  android.app.IActivityManager.registerReceiver    N/A      N/A

Processes

com.pokemon.pokemontcg

Network

Country  Destination          Domain                          Proto
N/A      224.0.0.251:5353     -                               udp
US       1.1.1.1:53           stats.unity3d.com               udp
US       1.1.1.1:53           dfsqwbwcu8r1a.cloudfront.net    udp
DE       108.138.2.32:443     dfsqwbwcu8r1a.cloudfront.net    tcp
GB       142.250.178.14:443   -                               tcp
US       1.1.1.1:53           android.apis.google.com         udp
GB       142.250.200.46:443   android.apis.google.com         tcp

(A "-" in the Domain column means the report recorded no domain for that connection.)

Files

/storage/emulated/0/Android/obb/com.pokemon.pokemontcg/main.3255.com.pokemon.pokemontcg.obb

MD5     94a3bfd35728ddb494abee0fde6e96d0
SHA1    800cd6e72dda6aba541f3db1d92532bc876f0ce7
SHA256  709291e891d0a57891f944e31f4d09bf0c85ac2d07069755931ddc43212dc342
SHA512  8a9baa7910d2202eb35515f22eb8f6c094103abf4c7ec6aec51fafd3e5ac01596fcc06c1e0ceba88f04c31bd77dba1c5c6aa76d1fd7c3dfa95609bffff1f5cc6

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 22:54

Reported

2024-05-10 22:57

Platform

android-x64-arm64-20240506-en

Max time kernel

47s

Max time network

135s

Command Line

com.pokemon.pokemontcg

Signatures

Checks CPU information

evasion discovery

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Processes

com.pokemon.pokemontcg

Network

Country  Destination          Domain                      Proto
N/A      224.0.0.251:5353     -                           udp
US       1.1.1.1:53           ssl.google-analytics.com    udp
GB       142.250.187.232:443  ssl.google-analytics.com    tcp
US       1.1.1.1:53           stats.unity3d.com           udp
GB       172.217.169.14:443   -                           tcp
GB       172.217.169.14:443   -                           tcp
US       1.1.1.1:53           android.apis.google.com     udp
GB       172.217.16.238:443   android.apis.google.com     tcp
GB       142.250.180.4:443    -                           tcp
GB       142.250.180.4:443    -                           tcp
GB       142.250.187.226:443  -                           tcp
GB       172.217.169.70:443   -                           tcp
GB       142.250.200.34:443   -                           tcp

(A "-" in the Domain column means the report recorded no domain for that connection.)

Files

N/A