Malware Analysis Report

2024-10-19 12:06

Sample ID 240520-c14mxsff42
Target 5cbe9b2a34091eb4eb9cd8613d242439_JaffaCakes118
SHA256 8cedf8bd07b9bcd7df2cd502211b60078bf9bd0605be4b365fd64a0bc2860658
Tags
evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

8cedf8bd07b9bcd7df2cd502211b60078bf9bd0605be4b365fd64a0bc2860658

Threat Level: Likely malicious

The file 5cbe9b2a34091eb4eb9cd8613d242439_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence stealth trojan

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 02:33

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 02:33

Reported

2024-05-20 09:34

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

130s

Command Line

com.jjgege.camera3

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.jjgege.camera3/files/8888881-1000/comjjgegecamera3.jar | N/A | N/A
N/A | /data/user/0/com.jjgege.camera3/files/8888881-1000/comjjgegecamera3.jar | N/A | N/A
N/A | /data/user/0/com.jjgege.camera3/files/8888881-1000/V4/1716197460895.jar | N/A | N/A
N/A | /data/user/0/com.jjgege.camera3/files/8888881-1000/V4/1716197460895.jar | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.jjgege.camera3

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jjgege.camera3/files/8888881-1000/comjjgegecamera3.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.jjgege.camera3/files/8888881-1000/oat/x86/comjjgegecamera3.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jjgege.camera3/files/8888881-1000/V4/1716197460895.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.jjgege.camera3/files/8888881-1000/V4/oat/x86/1716197460895.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | cu.smaxdn.com | udp
US | 35.91.124.102:8089 | cu.smaxdn.com | tcp
US | 1.1.1.1:53 | apply.smaxdn.com | udp
US | 35.91.124.102:9099 | apply.smaxdn.com | tcp
GB | 142.250.178.3:443 | | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.jjgege.camera3/files/8888881-1000/comjjgegecamera3.jar

MD5 5c3c8fed0398447cb0f68fba94709991
SHA1 053da3c028cb697ca1b3eb98383d17ccdc53bebb
SHA256 ad056f2c07e78bf38db7f54f5488e750b7187b66b3521ee8de2e5059d6d43633
SHA512 8eed153d663643892284948d4a7ec5bb95c2dc593b6b98ae43355d981f6d8a3e5e9d1224e81823bb26f998d3a0498b3a1b32bb820df875ec198965d5cbb2c699

/data/user/0/com.jjgege.camera3/files/8888881-1000/comjjgegecamera3.jar

MD5 b507a9f53848ad48486e406ddb37660d
SHA1 fb5ed7f0cec031b590f832785555d1c0b26bcf67
SHA256 04b07c67571240b211a0947506223866f1f3bdeb3b53d942ed8976197daaddfa
SHA512 33a67946caa69aba337d681b78ce5b0ebeccfe925cf77d8d33155718ca76e66bc1fd3d0eb482e86f2a9de36ff6df1226f5dc588db5aa6dea68f7df29a36f66a5

/data/user/0/com.jjgege.camera3/files/8888881-1000/comjjgegecamera3.jar

MD5 4c200f3ab7633657a1d86a094939b063
SHA1 a95262ca64a00e28c852adc76b66c4eb253aec09
SHA256 23223c001de5e93edc3af8556b77c5d83e7a62af9840e7a945a262847b033487
SHA512 18e5f776b8f052ee4b5c4c0a1b6468bf04c0780e967f2fe9b9d211aa4992b3767b2664c51e53dc30209f2f13c724e2c89cad8c3ced7e813e08a960863bb16d3e

/data/data/com.jjgege.camera3/files/8888881-1000/V4/base.so

MD5 c49a117ec047aa41e7efb8f13e1027bb
SHA1 1977d01e63ac06b9c7a04c1b0012cb392379d67e
SHA256 58ca75e48b06ff096cd4a3a8b82ee3d9e75ef66bdd9de15833c488dfcb907989
SHA512 2dadde9392bb5045b579f1d8f28ce3f82c4dec2f08754b846f31b7c5cb77fcf3f93e04a1997f2f68ddfbc8443dd2cb64a9f6d945e1bf4e3d2e2e982ba03ea8ff

/data/data/com.jjgege.camera3/files/8888881-1000/V4/1716197460895.jar

MD5 447bb8682b4936d4c2d412b2913c0aa0
SHA1 3c8218b85ffca484634520d2864e47b1ef26adc6
SHA256 8f4ff38ebb450310721fbad734d7b8b2071b2f3a7f321b5d01fdf5a07e7f3dfc
SHA512 baeb303fdbb79ab5d286437441e916367862e3ec734980f8a0c15421b569a53eb41190b067c8c4a8987dffd16c090686dad32e88ca51e1dba453e425cb3c8d37

/data/user/0/com.jjgege.camera3/files/8888881-1000/V4/1716197460895.jar

MD5 a5a564a613f526e9785fedfc70d07eb8
SHA1 3cc1b6d36d8da5780667e8e7ecf02f7a5c275ed8
SHA256 414140e55ae8fc49b28cb61d24caeb9b8bafe4e399e532eb870c760be88f1f34
SHA512 89d77638a32ceff64e5373b39db39d24414ae8aed44a5446c2d0e3fa6e7b63e27cf33072aeb978588f179b2aeabc5a9fa76701f03a03e3d75f92b1cdd1907bbe

/data/user/0/com.jjgege.camera3/files/8888881-1000/V4/1716197460895.jar

MD5 b15df5ac0775da741df900e4d3da5334
SHA1 bff4c27059fec0dd8a5477c6c1790321ae348fed
SHA256 067711cc3dc059cda4b7f1db13a8915720cd14ea3dda93a0b7a8a060a3e38aca
SHA512 bf41145c8828c7ddee4b83101a0422f1e5dc2ff7fe886f132f697972998285dffbd511d00a7f8f37f22d6dc844eafdacf1b66c59e60f24ab805d6102be18423e

/data/data/com.jjgege.camera3/databases/8888881-1000_point.db-journal

MD5 77f099cd363340c5b64779ce30554f63
SHA1 ccba08e0a1591bd84dae4d6983847f4be4a71df2
SHA256 db04f72cc54e0fbc22be9d1b8c07dfa69d447dd95badcd89c384813b762166dd
SHA512 58838c15ff598e84f780612f49cbd195bb190722e0afde5ff48e1ddf6bf418d2a948e74a6f193499746b92bb2e63d6e85a5656cf71994766f31f3603127382b4

/data/data/com.jjgege.camera3/databases/8888881-1000_point.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.jjgege.camera3/databases/8888881-1000_point.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jjgege.camera3/databases/8888881-1000_point.db-wal

MD5 6e89b44c182f0d06e767565174a1fa0e
SHA1 ba76ac7f119df0a6763fa215f9a10ada3d5e46d9
SHA256 0e7f25d583b5c09bbac1fbfe86e99f1ae6491e010affb3b066249ec30354851e
SHA512 fd90079acf88b7b0bd56b4c511e0069cd1845883899d79a9923a5e2ac855acc68e4ec5b032a512a9cb1f3fdd8420062c116e9f910825deda1da46f0907dc96c7

/data/data/com.jjgege.camera3/databases/8888881-1000_com.db-journal

MD5 914d3f4255fed99ad9f268e5dc52fc3b
SHA1 29e7b2b19617644c61c5478bd95117bcf46f78d7
SHA256 9d3a6878553714180e72e5e00d7c9ee92dea23c158e75f896b171bd0a8fdd965
SHA512 0098ef3c058884bb494c856150b798b7c7a727d7905a7a234f281dc40c2efca2f154e523e78e6ffc2957fc530bcde066aaf71e51e91e78de88e45c15426bd4ea

/data/data/com.jjgege.camera3/databases/8888881-1000_com.db-wal

MD5 f8918bc883b3444a166fd7c43f488e0f
SHA1 142320365346dad506620b13247f44a38df4dc1d
SHA256 ee2e286a9f7eb897f4e2b66dfc0b4f139fbb67eef8d4796b4692b063ba5d7dae
SHA512 426022ee9bd3d1a071267f33e067e4e87b8ef222926bfa020068b181865bfa44e4de2b926d52d81d9c8bf422883060fe9ad06223498ade7eb75f2403e6c40883