Malware Analysis Report

2024-09-09 19:10

Sample ID 240514-xh2e3abe96
Target 4293504296dad91b884b5e7be64f8294_JaffaCakes118
SHA256 b83bd8c755cb7546ef28bac157e51f04257686a045bbf9d64bec7eeb9116fd8a
Tags: impact, privilege_escalation
Score: 7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file 4293504296dad91b884b5e7be64f8294_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

Tags: impact, privilege_escalation

Tries to add a device administrator
Declares broadcast receivers with permission to handle system events
Declares services with permission to bind to the system
Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-14 18:52

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
Process: N/A
Target: N/A

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Process: N/A
Target: N/A

Requests dangerous framework permissions

Process and Target: N/A for every entry below.

android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.RECEIVE_MMS: Allows an application to monitor incoming MMS messages.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.PACKAGE_USAGE_STATS: Allows an application to collect component usage statistics.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-14 18:52
Reported: 2024-05-14 18:52
Platform: android-x86-arm-20240506-en

Command Line: N/A
Signatures: N/A
Processes: N/A
Network: N/A
Files: N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-14 18:52
Reported: 2024-05-14 18:55
Platform: android-x64-20240514-en
Max time kernel: 13s
Max time network: 147s

Command Line: com.kmc.prod
Signatures: N/A
Processes: com.kmc.prod

Network

Country  Destination          Domain                     Proto
N/A      224.0.0.251:5353     -                          udp
US       1.1.1.1:53           ssl.google-analytics.com   udp
GB       216.58.204.72:443    ssl.google-analytics.com   tcp
US       1.1.1.1:53           android.apis.google.com    udp
GB       172.217.169.46:443   android.apis.google.com    tcp
GB       172.217.169.14:443   -                          tcp
GB       172.217.16.228:443   -                          tcp
GB       172.217.16.228:443   -                          tcp
GB       142.250.187.238:443  -                          tcp
GB       142.250.200.2:443    -                          tcp

Files

/data/data/com.kmc.prod/databases/iDataBase.db-journal

MD5 033d4a14880ed270e73240a235820b1c
SHA1 ed3db825f815e61ee4b139fe9b78b413af8119e9
SHA256 acb46e0003abf811ba5b3dae4c824f7bcae118d37aa1b2646e22699fbe416d3a
SHA512 761280c3488d4a0ac512c8ad587a9ebe60a5fc662cc6927904a221c470104fe78f9524abe98775b4ce58d9b3ce613c5914da0f73b8d668b5811f6169ce6aff38

/data/data/com.kmc.prod/databases/iDataBase.db

MD5 92d34fbdd5aa7ca549ea4db14fcebdc6
SHA1 4487ccea90422d1523345df3efabee40acc9466f
SHA256 f5494b50ffd533284da4188f66f930bfbbdf352a20d8954dac3068c63fdd55fc
SHA512 2e1a0c9382f515edc7109cf48e45d80a7c8f8675bdbe39d2de6bf5eff8130feea2e4a381c9770f87eacea1638e7b3f9583314c16b1bc3120f505a0cd268f3780

/data/data/com.kmc.prod/databases/iDataBase.db-journal

MD5 0dce3855eb721204ab7f12aa88badcd6
SHA1 06aacc9931e1b22ae7e8ade8c898eecf00cea756
SHA256 f3bd1540db5d06f4ca3eb4327400de6dc5168a62bab1dbcf63c606bc3c657817
SHA512 295fa11714bd3f96497f1888f92892b227050a61551d514f89a44c5f7ced94d43f48707e6afcbf91ee186c30e885e73810144412983667e3e69ba8e1e9ae9242

/data/data/com.kmc.prod/databases/iDataBase.db-journal

MD5 a98e85433b70cdec3b9c439f06d48442
SHA1 07583ca20fca6383fd52ed76e2a3473cac3163de
SHA256 d45426acf0b335391b2faaab2149b9ee41c67e8de1ff358529bb1a755ec09946
SHA512 a8dd1556c8c91745438fe2a551bff57adf842ad250c586e93f72196c9417f8d36eda2472611e4c4e0b9f38638161a96aa2866472af2783877553fb9c152bcf26

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-14 18:52
Reported: 2024-05-14 18:55
Platform: android-x64-arm64-20240514-en
Max time kernel: 12s
Max time network: 163s

Command Line: com.kmc.prod

Signatures

Tries to add a device administrator (tags: privilege_escalation, impact)

Indicator: intent action android.app.action.ADD_DEVICE_ADMIN
Process: N/A
Target: N/A

Processes: com.kmc.prod

Network

Country  Destination          Domain                     Proto
N/A      224.0.0.251:5353     -                          udp
GB       172.217.16.238:443   -                          tcp
US       1.1.1.1:53           android.apis.google.com    udp
GB       142.250.200.46:443   android.apis.google.com    tcp
US       1.1.1.1:53           ssl.google-analytics.com   udp
GB       142.250.200.40:443   ssl.google-analytics.com   tcp
GB       216.58.201.100:443   -                          tcp
GB       216.58.201.100:443   -                          tcp
GB       142.250.180.3:443    -                          tcp

Files

/data/user/0/com.kmc.prod/databases/iDataBase.db-journal

MD5 2e9e74c560122a952990fd9e1e48c1b2
SHA1 696cc53d955f6b94c22975188313c51173104a8b
SHA256 39cfa163c44ebae4b355c9a787258389ebc0964f0c27765d4695d64d5be06b3b
SHA512 08e2bb8712fee7ba542425fc9cfdf76f0c237bd06cf660d667b79e59e0a50a0266f0a227f46aff51109e5247284e2a5574c5837691c2525ad63e79dfd360ad98

/data/user/0/com.kmc.prod/databases/iDataBase.db

MD5 7f82d3bc5b4b3a819d410d1067f0f166
SHA1 056e506a7e6461673d3232e06d423f8f4e08065f
SHA256 3b5952edacf8c791e51c8f2fb0896930b6eef609a4a25222dd738bb28b7c6c86
SHA512 2e3e0cf96eab3191ea49c39e61bfe4e8211e701e3e4ae8fdf8cf22c6bc12e868ba84e63851f118e18e83b7962038f3321f10a8ded47d51e50a94115d5b9ccbe8

/data/user/0/com.kmc.prod/databases/iDataBase.db-journal

MD5 2094753ed5df21ded53396764033e58f
SHA1 03a0eac42478c8aaeb195d5d1e4fab434b34af51
SHA256 5f01d18918ea3d7ae9ddce2b1fd758849f74c9f76937c8dc2615928f4b18d9f4
SHA512 b8e827c4ebe37ab65c3a0699f7c9665e00eb362cc13e6570727c07669008f2327dc82153673f78156d56a939cb29e506e4c50760a89ba79d432d5ea1bf17a02d

/data/user/0/com.kmc.prod/databases/iDataBase.db-journal

MD5 22862170a54a66adf1cc914fc13428fb
SHA1 0e93e71745130ca7e16e0f9d91a9dfe2b30e2721
SHA256 606a1182a3b765281977fc7985d7e902c5efc105105c2db5a2effd2ab200f4ff
SHA512 f1a440dff646b6a9f46e0817feb019a82544ecbde7b0135a3799227219bec9298e610f45481f6b2c52b72be37c6def728175234a12059353b8dfe772582dfeec