Malware Analysis Report

2024-09-09 19:07

Sample ID 240516-3z4veafe4x
Target 4da60f3cdb66fdb051a98dca81bdd0a0_JaffaCakes118
SHA256 80f600c8eb74f0af863ecc99466d73ba04a7451b1531e0e77eb867776752a027
Tags
collection credential_access discovery evasion impact persistence stealth trojan privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file 4da60f3cdb66fdb051a98dca81bdd0a0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Reads the content of outgoing SMS messages.

Queries the mobile country code (MCC)

Tries to add a device administrator.

Queries the phone number (MSISDN for GSM devices)

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Checks if the internet connection is available

Acquires the wake lock

Requests dangerous framework permissions

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-16 23:58

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 23:58

Reported

2024-05-17 00:02

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

148s

Command Line

com.zsbmxif.hwikjbicgj

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of outgoing SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/sent | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

com.zsbmxif.hwikjbicgj

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.213.14:443 | | tcp
US | 1.1.1.1:53 | vezde.podmishek.net | udp
US | 1.1.1.1:53 | alko.starushek.net | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.194:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/data/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar

MD5 15743087e733102d262fdbdd208a2fa5
SHA1 e406c46a46a97e31a1259b91c75512f37592b9bc
SHA256 8ebb04733c802b174e1e7181f0ba4473f3c67be3cc9ebbe4479381045bba4885
SHA512 06cc4ed0a44c81938797a9c34ad2471b766f2e3dc070106e23f110d7d2e1541f9b00ea8b1361f1f8b57d65ae0b27d6783ce002187297d9afc2d4c702bdca6ea9

/data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar

MD5 b3ae6a69f73f0238ce1f09ca1dfaec13
SHA1 13552bc01eba72ce910c1fdf9eeea6bf82220d9c
SHA256 bcb4468f2a28458e7cb16e35d4075614b8eb8087ccb7dd955ef03b627592091d
SHA512 3596ab530083c1be94e795fa2ec3c8c0bfcf8097c7dad1f166ac2536e73c71910a8248d3d3ae8c9286dea739059dd686fe2bec6b124f905cf85b324cb7f4fba2

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-16 23:58

Reported

2024-05-17 00:02

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

132s

Command Line

com.zsbmxif.hwikjbicgj

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of outgoing SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/sent | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.zsbmxif.hwikjbicgj

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | vezde.podmishek.net | udp
US | 1.1.1.1:53 | alko.starushek.net | udp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp

Files

/data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar

MD5 15743087e733102d262fdbdd208a2fa5
SHA1 e406c46a46a97e31a1259b91c75512f37592b9bc
SHA256 8ebb04733c802b174e1e7181f0ba4473f3c67be3cc9ebbe4479381045bba4885
SHA512 06cc4ed0a44c81938797a9c34ad2471b766f2e3dc070106e23f110d7d2e1541f9b00ea8b1361f1f8b57d65ae0b27d6783ce002187297d9afc2d4c702bdca6ea9

/data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar

MD5 b3ae6a69f73f0238ce1f09ca1dfaec13
SHA1 13552bc01eba72ce910c1fdf9eeea6bf82220d9c
SHA256 bcb4468f2a28458e7cb16e35d4075614b8eb8087ccb7dd955ef03b627592091d
SHA512 3596ab530083c1be94e795fa2ec3c8c0bfcf8097c7dad1f166ac2536e73c71910a8248d3d3ae8c9286dea739059dd686fe2bec6b124f905cf85b324cb7f4fba2

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 23:58

Reported

2024-05-17 00:01

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

149s

Command Line

com.zsbmxif.hwikjbicgj

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar | N/A | N/A
N/A | /data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of outgoing SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/sent | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.zsbmxif.hwikjbicgj

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/oat/x86/dncpcbziu.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 142.250.200.42:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.228:443 | www.google.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | vezde.podmishek.net | udp
US | 1.1.1.1:53 | alko.starushek.net | udp
GB | 172.217.169.66:443 | | tcp
GB | 142.250.179.238:443 | | tcp

Files

/data/data/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar

MD5 15743087e733102d262fdbdd208a2fa5
SHA1 e406c46a46a97e31a1259b91c75512f37592b9bc
SHA256 8ebb04733c802b174e1e7181f0ba4473f3c67be3cc9ebbe4479381045bba4885
SHA512 06cc4ed0a44c81938797a9c34ad2471b766f2e3dc070106e23f110d7d2e1541f9b00ea8b1361f1f8b57d65ae0b27d6783ce002187297d9afc2d4c702bdca6ea9

/data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar

MD5 b3ae6a69f73f0238ce1f09ca1dfaec13
SHA1 13552bc01eba72ce910c1fdf9eeea6bf82220d9c
SHA256 bcb4468f2a28458e7cb16e35d4075614b8eb8087ccb7dd955ef03b627592091d
SHA512 3596ab530083c1be94e795fa2ec3c8c0bfcf8097c7dad1f166ac2536e73c71910a8248d3d3ae8c9286dea739059dd686fe2bec6b124f905cf85b324cb7f4fba2

/data/user/0/com.zsbmxif.hwikjbicgj/app_gigelywchk/dncpcbziu.jar

MD5 d928d7adad4bfdac56fef4c61c7321b4
SHA1 afb016fd0acfd0675f2d4f6133cc3e2962fc6e99
SHA256 2d984939ab470fa49e65c8f0d5e6241e9f5baf1ba446de013a2ea1c190d0c556
SHA512 02930cb7a24f87a6ead2e4b2a4f6528212543403abc3be3dc3cd6c28637236fc2bd03e7cc73c8faa4ec5c60d2ace606f453055e761f5672260a9f344b4ab643b