Malware Analysis Report

2024-10-19 12:07

Sample ID 240519-x5tnqsdg85
Target 5b0ea09640c86c25dd2aee85515b8aa7_JaffaCakes118
SHA256 fd988b737500c564d143095972b20f6a0acd5a4f16a0e10fec8c4bb776469601
Tags: banker collection discovery evasion stealth trojan

Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

fd988b737500c564d143095972b20f6a0acd5a4f16a0e10fec8c4bb776469601

Threat Level: Likely malicious

The file 5b0ea09640c86c25dd2aee85515b8aa7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Reads the content of the browser bookmarks.

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 19:26

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 19:26

Reported

2024-05-19 19:30

Platform

android-x86-arm-20240514-en

Max time kernel

75s

Max time network

130s

Command Line

com.paranbijuv.aijuy

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar | N/A | N/A
N/A | /data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.paranbijuv.aijuy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/oat/x86/kartisx.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.227:443 | | tcp
US | 1.1.1.1:53 | f4iugfng344.ru | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar

MD5 ed67bcfa567bb2d94c16eba935e17306
SHA1 61598d620767220f63d645453ebd12dd49e050a0
SHA256 d54f92c248831084d5b77eb1161f53410c2d3df814680af915918bdfdef0b25a
SHA512 8580021000d0925d86aa609aba40dc91bec176516c7f20daa890c3e9828d33bbaa45902526bdf70ffdf8e933bcefe0f3c374bc22d77821fcbab0ec425ded9a7a

/data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar

MD5 0a2f026036505aeecd65339d26dc3d2f
SHA1 7a0576a8b2138d0e42bf73ca3e4f071b40524c1c
SHA256 3b3437b4b6ebb65dda61331f48da83674fbd144b49fbd883578e9896497cde1b
SHA512 417b842a671a9d4e4496ddadb8f97a281c0b64fb4803b674ba39012897ab45c41921b9e0cac4d17bba1b7435053a6a540103f04b9d52b3fcc0614b0b9e5f4ea4

/data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar

MD5 d0410aa6e99968935f2f9847aaa345e3
SHA1 96c584ff8d9213432fca0521945a841108ab2bcc
SHA256 c5eb7ec669c78613c5a33ef58cc4476ea70bf79040fca60290bb78514d9ae58a
SHA512 5c645306dca93f0fabab23e430d6f2f70c96edd8e713071299cf3a6ea40123712cd2460e81dbf620e9131db3d27807b0c136edaebb5700578b0e80d15ff83acb

/data/data/com.paranbijuv.aijuy/app_sgdgmcumf/oat/kartisx.jar.cur.prof

MD5 be1a695af5b316538aa1678fcce042be
SHA1 e33ca30f2bd3a7dab323b846cf1aa7dc685f3a10
SHA256 070e1ad93c20ca7a780e24acb614b8c006d05804060fc298ae3df7d90dbd4478
SHA512 52970c9c418ff0d3c7d488f43f7bf4b54e60d1ad6c05de414911660f20adf03efff0896ebbeac5d02663caa1d97ee2a6765deac9e60d9ee76d06d2660117f206

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 19:26

Reported

2024-05-19 19:29

Platform

android-x64-20240514-en

Max time kernel

180s

Max time network

144s

Command Line

com.paranbijuv.aijuy

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.paranbijuv.aijuy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | f4iugfng344.ru | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.212.226:443 | | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar

MD5 ed67bcfa567bb2d94c16eba935e17306
SHA1 61598d620767220f63d645453ebd12dd49e050a0
SHA256 d54f92c248831084d5b77eb1161f53410c2d3df814680af915918bdfdef0b25a
SHA512 8580021000d0925d86aa609aba40dc91bec176516c7f20daa890c3e9828d33bbaa45902526bdf70ffdf8e933bcefe0f3c374bc22d77821fcbab0ec425ded9a7a

/data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar

MD5 0a2f026036505aeecd65339d26dc3d2f
SHA1 7a0576a8b2138d0e42bf73ca3e4f071b40524c1c
SHA256 3b3437b4b6ebb65dda61331f48da83674fbd144b49fbd883578e9896497cde1b
SHA512 417b842a671a9d4e4496ddadb8f97a281c0b64fb4803b674ba39012897ab45c41921b9e0cac4d17bba1b7435053a6a540103f04b9d52b3fcc0614b0b9e5f4ea4

/data/data/com.paranbijuv.aijuy/app_sgdgmcumf/oat/kartisx.jar.cur.prof

MD5 c542db9e47cde6dd747350d3bfecb470
SHA1 1d4fdb2edefd388e090d93ff867a2df122d8157d
SHA256 a687311e084a33e37fb048655f33501dbe5cd6a1e2539507e0405fd99d591440
SHA512 81cac3816b8107e712aaf03d8a0277040326ecdd21de096d0e675570b942bb6b0d5224b1b9b8d63d332b8bf54550bd5c143735edc7068b33883a282ce08cb6f2

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 19:26

Reported

2024-05-19 19:30

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

130s

Command Line

com.paranbijuv.aijuy

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.paranbijuv.aijuy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.42:443 | | tcp
GB | 172.217.169.42:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | f4iugfng344.ru | udp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar

MD5 ed67bcfa567bb2d94c16eba935e17306
SHA1 61598d620767220f63d645453ebd12dd49e050a0
SHA256 d54f92c248831084d5b77eb1161f53410c2d3df814680af915918bdfdef0b25a
SHA512 8580021000d0925d86aa609aba40dc91bec176516c7f20daa890c3e9828d33bbaa45902526bdf70ffdf8e933bcefe0f3c374bc22d77821fcbab0ec425ded9a7a

/data/user/0/com.paranbijuv.aijuy/app_sgdgmcumf/kartisx.jar

MD5 0a2f026036505aeecd65339d26dc3d2f
SHA1 7a0576a8b2138d0e42bf73ca3e4f071b40524c1c
SHA256 3b3437b4b6ebb65dda61331f48da83674fbd144b49fbd883578e9896497cde1b
SHA512 417b842a671a9d4e4496ddadb8f97a281c0b64fb4803b674ba39012897ab45c41921b9e0cac4d17bba1b7435053a6a540103f04b9d52b3fcc0614b0b9e5f4ea4