Malware Analysis Report

2024-09-09 19:08

Sample ID 240513-xq7xtaag89
Target 3c51095d53ba281e1c885dae0aae6dd7_JaffaCakes118
SHA256 4ca6c1399a98efbf459f92d289dd30841cfafe4818db55d059443bbcaef3955d
Tags
discovery evasion impact persistence privilege_escalation stealth trojan collection credential_access
score
8/10

Analysis Overview

score
8/10

SHA256

4ca6c1399a98efbf459f92d289dd30841cfafe4818db55d059443bbcaef3955d

Threat Level: Likely malicious

The file 3c51095d53ba281e1c885dae0aae6dd7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence privilege_escalation stealth trojan collection credential_access

Removes its main activity from the application launcher

Checks CPU information

Loads dropped Dex/Jar

Tries to add a device administrator

Obtains sensitive information copied to the device clipboard

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-13 19:04

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 19:04

Reported

2024-05-13 19:07

Platform

android-x86-arm-20240506-en

Max time kernel

150s

Max time network

130s

Command Line

com.ynu.ablueiriszrs.trlzr.ablueiris

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar | N/A | N/A
N/A | /data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Tries to add a device administrator

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.ynu.ablueiriszrs.trlzr.ablueiris

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/oat/x86/ablueiris.dat.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | zzwx.ru | udp
DE | 185.53.178.7:80 | zzwx.ru | tcp
US | 1.1.1.1:53 | api.tridrongo.info | udp
US | 172.67.161.129:443 | api.tridrongo.info | tcp
US | 1.1.1.1:53 | data.flurry.com | udp
US | 1.1.1.1:53 | c.parkingcrew.net | udp
US | 1.1.1.1:53 | d38psrni17bvxu.cloudfront.net | udp
DE | 185.53.178.30:80 | c.parkingcrew.net | tcp
GB | 99.86.249.97:80 | d38psrni17bvxu.cloudfront.net | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:80 | www.google.com | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
GB | 142.250.187.226:443 | partner.googleadservices.com | tcp
US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp
GB | 142.250.179.238:443 | www.adsensecustomsearchads.com | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 172.217.169.65:443 | afs.googleusercontent.com | tcp
GB | 172.217.169.65:443 | afs.googleusercontent.com | tcp
US | 172.67.161.129:443 | api.tridrongo.info | tcp
US | 172.67.161.129:443 | api.tridrongo.info | tcp
US | 74.6.138.67:443 | data.flurry.com | tcp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar

MD5 3845ef0ca0fc6b68962e74224bc73d01
SHA1 2ff30c4b6fc5121d6d0affa69a780314d9a0d52b
SHA256 8279d2b9ef6dd3e621f01394f520b2ad0475219eff3d6c22fc73a9194a66fde1
SHA512 7b85fa5012eef9e522741c5fdf7a9d37f81dff30b7789d242446f2d0a2f5335dbbe176eb1f50d06b2aa731f31ca325df2fbd6b248715284d350e17ce75028618

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar

MD5 e036cb2ddea0b3730adadc91b8345367
SHA1 266facfd9c11a1dbf0836c76c5ff3134f3715b45
SHA256 cf8209aed28a00c776929cb3b4080895496bda70e2a638cda0f36f40a68e13ed
SHA512 f105a5a01572e632595780fed26cf8b9d5696edd80156fa30ff572ddf82b58f3fcfce0bfea9387ff0386ba61b6a2c7546e695bcce5826bb3e5f439514df43ef4

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar

MD5 ed28e9185b5cbe088afba9528e29849a
SHA1 47da14905706e40ffb863cd5bfad2302723eba70
SHA256 f8dd4a8064262229e06d5afa1c4dd57792a6a68b6d04c0a763fb35d66dff7323
SHA512 466fd614de3f1410d703dacd88b1359c8ab2bd73e7ccdf3964a925df47f0317072fde4a2857bdd09ae88c2b7ae0022a8fcf38db507b76f38863f3adfd6876471

/data/data/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.yflurrydatasenderblock.382ddcb4-b84d-4edb-b1d8-09368c29ad23

MD5 421fc2c34b7d2c68cfa5f8f3cb4a7f88
SHA1 2b951c599a0e0fe7ba3ddd89b7926d3e0284a1c7
SHA256 14deacd202ee4b0c001ca61b1761cf4ae10fb70229fdaef945dc1a46b83560fe
SHA512 3a19be8a8e9c5bdbd761fa94f2ced83905e9a850ffe01bbc212666661e3e0122268e86fa444ea01914ea2aba7557d67ed54c92927562eaa48a8b3cf082c7bb48

/data/data/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.YFlurrySenderIndex.info.AnalyticsData_K69G95JC7T5MMWGF62XJ_228

MD5 3e3eeceddbea849985cde941e2058ef6
SHA1 0e820215a837c7309f5de5c654c7f5ffb410996f
SHA256 718394522c44c26347c7f1c37d51dc95baae2db56bf32332c17c3f298268c37f
SHA512 e7c22d64c17f0a7a947dd9dcd649fa0cb24667e9997ac7a3279390667c44870ac32da8f600c7d335bce22fc64b16f4ea256b17487be822aa1fe1427c50162d32

/data/data/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.YFlurrySenderIndex.info.AnalyticsMain

MD5 c83cb890fa8acf1042b3ebfd4c1431d7
SHA1 cd7bf7c86064e2194e70bf4432d3153fc2e3bf08
SHA256 2ecf1acfd0cfe851ddb3cfdb529d7b2bceebe3296401bfa76c5e124e84134f10
SHA512 65317c818c7a4b0546a2be2368b8aa2d6703cc183cab62e40537991606aa548636c88fe5598fd72ac7aa670c92792a303f47daa9723fe5a18fb651c547a7da68

/data/data/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.yflurryreport.731bb495fc32489f

MD5 bb31a211987f0f6e7c9292e6d64f23ac
SHA1 5304cc5945be1bcea22c8fcbbc00909494162cf2
SHA256 82839337c0b10addaf9d825b9eebcd7f3aa32bbf16fb1683c2b6b2f38697f461
SHA512 94132b1db4887fc6df2a31af482b489a29abe9742dc2ba78915f782139fa5dad1642b55b11d2402ce9bd4bf74ae5af00efe38b326cedb5b545c77f73cd08cfa0

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 19:04

Reported

2024-05-13 19:07

Platform

android-x64-arm64-20240506-en

Max time kernel

158s

Max time network

141s

Command Line

com.ynu.ablueiriszrs.trlzr.ablueiris

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Tries to add a device administrator

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.ynu.ablueiriszrs.trlzr.ablueiris

Network

Country | Destination | Domain | Proto
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | zzwx.ru | udp
DE | 185.53.178.7:80 | zzwx.ru | tcp
DE | 185.53.178.7:80 | zzwx.ru | tcp
US | 1.1.1.1:53 | c.parkingcrew.net | udp
DE | 185.53.178.30:80 | c.parkingcrew.net | tcp
US | 1.1.1.1:53 | d38psrni17bvxu.cloudfront.net | udp
GB | 99.86.249.97:80 | d38psrni17bvxu.cloudfront.net | tcp
US | 1.1.1.1:53 | data.flurry.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
US | 74.6.138.65:443 | data.flurry.com | tcp
US | 1.1.1.1:53 | api.tridrongo.info | udp
US | 172.67.161.129:443 | api.tridrongo.info | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
GB | 142.250.200.34:443 | partner.googleadservices.com | tcp
US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp
GB | 142.250.187.238:443 | www.adsensecustomsearchads.com | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 142.250.200.33:443 | afs.googleusercontent.com | tcp
GB | 142.250.200.33:443 | afs.googleusercontent.com | tcp
US | 172.67.161.129:443 | api.tridrongo.info | tcp
US | 172.67.161.129:443 | api.tridrongo.info | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 142.250.178.2:443 | | tcp
GB | 142.250.180.6:443 | | tcp
GB | 216.58.204.66:443 | | tcp

Files

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar

MD5 3845ef0ca0fc6b68962e74224bc73d01
SHA1 2ff30c4b6fc5121d6d0affa69a780314d9a0d52b
SHA256 8279d2b9ef6dd3e621f01394f520b2ad0475219eff3d6c22fc73a9194a66fde1
SHA512 7b85fa5012eef9e522741c5fdf7a9d37f81dff30b7789d242446f2d0a2f5335dbbe176eb1f50d06b2aa731f31ca325df2fbd6b248715284d350e17ce75028618

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/app_app_apk/ablueiris.dat.jar

MD5 e036cb2ddea0b3730adadc91b8345367
SHA1 266facfd9c11a1dbf0836c76c5ff3134f3715b45
SHA256 cf8209aed28a00c776929cb3b4080895496bda70e2a638cda0f36f40a68e13ed
SHA512 f105a5a01572e632595780fed26cf8b9d5696edd80156fa30ff572ddf82b58f3fcfce0bfea9387ff0386ba61b6a2c7546e695bcce5826bb3e5f439514df43ef4

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.yflurrydatasenderblock.cae9061c-b631-4470-b00c-d547831cd472

MD5 68def42a8fdeceecf8b2ee21695cac38
SHA1 362c287f7c7829e8be5e0a6b287796d0adfcd6fd
SHA256 adae8feaf0eaa25d344492b4787a4bf15ff6818182024ed64c8473236683543c
SHA512 0ebc291a94a5f4d0871910db51e821eee98ef1e32fa9e220b626e24ce2e5b1860fb687ef3ad56efa3398639d20fa8fcb4d3696dc7ce7ad48ba1c90e015ad6f6d

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.YFlurrySenderIndex.info.AnalyticsData_K69G95JC7T5MMWGF62XJ_228

MD5 7a42f0cd54342e9e8f60375810d61033
SHA1 be37005bc64fe0198bcd159d5c8bb70526ff7acf
SHA256 71c592961a0732ca71211939d933aa5379e9e2fa5f60289f9129ee03b55f5f60
SHA512 182251da91664a24b50f262cd1bdb9d41a5cb353619cd4605659ba508a1be53ce5f0fdae3820c027a96375e3298043eefcb71d3f949248ac7b161b5e1fe4fcba

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.YFlurrySenderIndex.info.AnalyticsMain

MD5 c83cb890fa8acf1042b3ebfd4c1431d7
SHA1 cd7bf7c86064e2194e70bf4432d3153fc2e3bf08
SHA256 2ecf1acfd0cfe851ddb3cfdb529d7b2bceebe3296401bfa76c5e124e84134f10
SHA512 65317c818c7a4b0546a2be2368b8aa2d6703cc183cab62e40537991606aa548636c88fe5598fd72ac7aa670c92792a303f47daa9723fe5a18fb651c547a7da68

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.yflurryreport.731bb495fc32489f

MD5 24eaa66c387e2addcf7cf82f81001100
SHA1 7ddf6d0451d3f7b875b2d8b317b63f68f2067da1
SHA256 b96bd21a5b710c5cd3baa1f9cd7fdb72260b6ec7e0a425a768399729d8fe0641
SHA512 6fc5923e3fe54cc39889c42f4e820b2d0fc9919bc7cd9de3b89de5137bd6c6d248ebc296bd168cbfd4a03aa036ba617ef3d4455e06df764ec2bced36d7c3cefc

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.yflurryreport.731bb495fc32489f

MD5 b8ebd60ed3d92269457e87360cef34c2
SHA1 edc3a23127882d7c3e47e1d89ee3a86b2fe20b90
SHA256 f5d600d33631c79cee253642149a66e2c587c8b1601ad2c9905218418dfe9435
SHA512 3400c2fc17ed59e7002dc9340a8396dfd49ba4c5b67ae1acef8aecb3b516c61b54e4302d15cb3d4436353dfdb1e529d1861c40a239852a857aba8683e777fa10

/data/user/0/com.ynu.ablueiriszrs.trlzr.ablueiris/files/.yflurryreport.731bb495fc32489f

MD5 833e8e0109db12d210f1a3f7bc4d6997
SHA1 b22fe4cec87c9ddad65e54efd59754d4047706ba
SHA256 f5300ff3ac531aab45459414f9bab8bd80e092a0379001cf2353e4169949ea16
SHA512 fd99c1a7cc3f1155516f6d5437d6da34378b2fcb65660fc22388bd553c5553b47db4874b986a5979276bd8dc3418106d31e7be62c982f7e012e07982b75c5c7e