Malware Analysis Report

2024-12-08 03:08

Sample ID 240510-whp7csda42
Target 3052f098b40e14811eb8f75924dc83c7_JaffaCakes118
SHA256 6aa5b771a8e2414a936daf01672e27b3fc0c332458bcf925799f4f9bb1567ae0
Tags: privateloader banker discovery evasion impact persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 6aa5b771a8e2414a936daf01672e27b3fc0c332458bcf925799f4f9bb1567ae0

Threat Level: Known bad

The file 3052f098b40e14811eb8f75924dc83c7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

privateloader banker discovery evasion impact persistence

Privateloader family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks CPU information

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares services with permission to bind to the system

Checks if the internet connection is available

Requests dangerous framework permissions

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-10 17:55

Signatures

Privateloader family

Tags: privateloader

Declares services with permission to bind to the system

Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Process: N/A
Target: N/A

Requests dangerous framework permissions

Description: Allows an application to read from external storage.
Indicator: android.permission.READ_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-10 17:55
Reported: 2024-05-10 17:58
Platform: android-x86-arm-20240506-en
Max time kernel: 2s
Max time network: 130s

Command Line

com.fgs.rsonw

Signatures

N/A

Processes

com.fgs.rsonw

Network

Country Destination Domain Proto
GB 172.217.169.35:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp

Files

/data/data/com.fgs.rsonw/.cache/classes.dve

MD5 2891f257389326b20ad32b10608d800b
SHA1 01953f9dc9934d567a35dc8474844346c6bbf20c
SHA256 d00eb2219d342badcccc1026e2ebf7a810c31cf989c52f13245027189a4ca9bd
SHA512 c3615424dc0ef41712dbffaa0b4410c04e39556103618d52286eefc15e00486e553aac9bc5e4383c2effb5b71cdce5fde0530c0fe581a0f56132c8f6d63a8c8b

/data/data/com.fgs.rsonw/.cache/classes.jar

MD5 8e4d5c76200ffada14a5c05de1276aa0
SHA1 21dbfb4b7e1961c09127c570cdaee972134ba0ec
SHA256 d2adb06c231121d07fa0c0ba426666461e405b9562819e50547bf42d937fb696
SHA512 a5ab9d6167d12078dd621519ecffcbf605ae910537c2a73d298bdb5f275c14758ed27de569fdfde1f235fb035c3a914394cd5e006c1fabbf91d52c099f29cdda

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-10 17:55
Reported: 2024-05-10 17:58
Platform: android-x64-arm64-20240506-en
Max time kernel: 2s
Max time network: 131s

Command Line

com.fgs.rsonw

Signatures

N/A

Processes

com.fgs.rsonw

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

/data/user/0/com.fgs.rsonw/.cache/classes.dve

MD5 18a1b16eac2188dd4de365e4c0a18749
SHA1 7624eb8d2e969f42a60a236dc00ea9a56a0f0c1f
SHA256 4ff2b4d3d84a6ca8cbe5b9fe55518af4559ab691c7d38b313625d60121fe809b
SHA512 2ed00708f56ab7113d237896756afb5a209df3807f5a3da5fdc499aa27fafc6463f958f61d321c10c7c9280e2d694e5488213ee667b9145078029e0816221fe0

/data/user/0/com.fgs.rsonw/.cache/classes.jar

MD5 8e4d5c76200ffada14a5c05de1276aa0
SHA1 21dbfb4b7e1961c09127c570cdaee972134ba0ec
SHA256 d2adb06c231121d07fa0c0ba426666461e405b9562819e50547bf42d937fb696
SHA512 a5ab9d6167d12078dd621519ecffcbf605ae910537c2a73d298bdb5f275c14758ed27de569fdfde1f235fb035c3a914394cd5e006c1fabbf91d52c099f29cdda

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-10 17:55
Reported: 2024-05-10 17:58
Platform: android-x86-arm-20240506-en
Max time kernel: 146s
Max time network: 154s

Command Line

com.rtk.app

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Checks CPU information

Tags: evasion discovery

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks if the internet connection is available

Tags: discovery

Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description: Framework API call
Indicator: javax.crypto.Cipher.doFinal
Process: N/A
Target: N/A

Processes

com.rtk.app

com.rtk.app:pushservice

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 api.android.ruansky.com udp
CN 116.255.145.165:80 api.android.ruansky.com tcp
CN 116.255.145.165:80 api.android.ruansky.com tcp
CN 116.255.145.165:80 api.android.ruansky.com tcp
CN 116.255.145.165:80 api.android.ruansky.com tcp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
US 1.1.1.1:53 alog.umengcloud.com udp
CN 223.109.148.177:80 alog.umengcloud.com tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.179:80 alog.umengcloud.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.178:80 alog.umengcloud.com tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.141:80 alog.umengcloud.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.176:80 alog.umengcloud.com tcp
CN 223.109.148.130:80 alog.umengcloud.com tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 116.255.145.165:80 api.android.ruansky.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp

Files

/data/data/com.rtk.app/databases/xUtils.db-journal

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.rtk.app/databases/xUtils.db

MD5 eb2d2bc2288a64da65f77dd4c451c338
SHA1 addf86ebf717efa84c7da4ca5cf25f87633fbcdf
SHA256 cf02bb040b8f139efd2b41bf38964d2e8591dc869974e3e3b4ee0fcf3f223c7c
SHA512 6151f57d11db67b8f3e9849e1ce7c54be057ba48607237cb18e8c90aabda7c902b1eeca3d4a8c500f61da6bebadfa9698a325bb17f13e7397cc83c559c1bbf62

/data/data/com.rtk.app/databases/xUtils.db-shm

MD5 17a0894816af9d0fb957c81e65cbb541
SHA1 8a94c6235e5db47bf13a5c502e548dded10091b7
SHA256 94bb8f8344716b2dc99222399397ac660e862f1e0f62d09628dc98c774435c0b
SHA512 7e16f6b6a1666c5902830e4c07fc3ddc8699ecbab767272c1af9aa250d2d8290ef728fb92633dce2d1d7ac15760051259d7c4fafc5132c41f437e1c7a9f23c88

/data/data/com.rtk.app/databases/xUtils.db-wal

MD5 19fcd818b49a756d21d9d7def9aa8dfd
SHA1 506cbbf650306073985072bbc5e2fa069314085b
SHA256 b927bc53c7f880526cc1eb5f232c1e0ec3ae61f7267299736b8283e6a77645c2
SHA512 27bea0d7972c3e703a1d9658b107a53fceabc62d1a544afd018109b8f4ef46a85317aad590f51f7fd49b746fc299cecf3b94d8cf8dd2f2218bca3df0dfe25988

/data/data/com.rtk.app/databases/cc/cc.db-journal

MD5 23889c4c22861c77845fa5824734480f
SHA1 c2b874b12231d647eaf23b65b6e001d0157e0fa7
SHA256 a134203ec7a4b43aa4a19393981397fd84ecbe5a9d526837fe15c3f76d6905a2
SHA512 949e4b32fcb2d999eed9f08aa6cd860ffed24718d4a174a376871d45c46134e1b83b3fac7d825d294bab6bfce330968fdc7eaa4af341b2fc7443d9ca219892a9

/data/data/com.rtk.app/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.rtk.app/databases/cc/cc.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.rtk.app/databases/cc/cc.db-wal

MD5 01085ee2e75e5a8cc1e2a76793ba2df6
SHA1 5760d54587836fb5986f0b77cd2c0c0f68a1fc37
SHA256 3db012a83b78479965bf432f4e03f474020dbee542bed84f160dde15cb24aaad
SHA512 92cde86745346e04fb3a94e853a782417a2800e70bf1f2063c616cb75a58bc16083048a8cb6e1aac373f3409a788a381bdc6918920dc948e56c987d8932c3e62

/data/data/com.rtk.app/files/umeng_it.cache

MD5 32ff6865fd4b106243f5351349de49de
SHA1 daf371c6df98e435964743a1c1e185f7ba77d147
SHA256 a64faeda35f37efdd1f2ffe5a57001e459273cf6c46c0941fc28b2c5e0f75560
SHA512 ddb03f6a137961632563b95123c7b68dc4894b0dda906a47cdf5d09c7ed50d59281ae03cdc6f490ab2e7edf57441219c4bf6d16d2460e6a80ccdb88a3681fdfb

/data/data/com.rtk.app/files/.umeng/exchangeIdentity.json

MD5 0dd0922f32c2d07a6c66f982f86aa51c
SHA1 604796942cfe448c7aaf6f7634f8e3f019bb1e47
SHA256 2bb97cf3636ccac6b621bcdd878991f7e44806e5eec8c9c48d8c2c40834d014c
SHA512 54c441ddbdf2b6a09cc4c8acf9c61526e47ba8e5ef98be9c0d9343d714961f58cdfeb2435971d5d3493c4e708442adc7874c0a8ff7cfaaae9a633bc90f39896e

/data/data/com.rtk.app/files/exid.dat

MD5 82495018a5ba1bf49824864238e526fb
SHA1 b64fa53f8992a759c6d650a8aad6d9a1a4f0a4de
SHA256 2779a08816074014397af9101f2a9b1ac828307b83d8ef67dc0edf2ef2394b6f
SHA512 c09d161837c185563f71a9cf16aee6e8c0e9d993e5d386e37c9285ae26a4c031623fe371c155ffdec5d6e3a15df88b5d221d7fa53a4b95a2fb35741b29738a0d

/data/data/com.rtk.app/databases/cc/cc.db-wal

MD5 9fa7b4e28c2c2ebb169d30521f106457
SHA1 337588cd5741cd53c0a61db012e051ef72efbf93
SHA256 c2b15ed72deb10552c662c4a71682edc644afea023022299eeff6720b9d70121
SHA512 3aac8cdbbf2c9f0ad92e69ddeefa3e40a5dee7efc6d0a0dc50b08d9ee9986eefee487957b642595f4452099a1834f8faf093139ac6f248d0149f1bc5a1e75e9f

/data/data/com.rtk.app/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/data/data/com.rtk.app/files/.um/um_cache_1715363880374.env

MD5 d818be8a57409779d66375ebef59b0d1
SHA1 ae8ad51c143125715aa786f1d6a9303e82d28007
SHA256 87d492d64058d72ebb1cdcfb31c84c123fc83e05a844c04067114495fa814436
SHA512 8fab26b9e0489b8c6e99fa66a9ceb56341a88fd6b68f7efd8fdbab3f5dcbe1178e49576a017d0b504e1d6ae763cd30d190a8bff23218924d303b584242f9f33e