Malware Analysis Report

2024-10-19 12:06

Sample ID 240520-cyhmnsgb3s
Target 5cb9efd6353cc7be470364c79ed5e40c_JaffaCakes118
SHA256 136c126e5946181bdf194d219b882c9d2363c9952ec3e6ba8e0b7823e838a5f6
Tags
banker discovery evasion impact persistence stealth trojan collection credential_access
Score 8/10


Analysis Overview

Score 8/10

SHA256

136c126e5946181bdf194d219b882c9d2363c9952ec3e6ba8e0b7823e838a5f6

Threat Level: Likely malicious

The file 5cb9efd6353cc7be470364c79ed5e40c_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence stealth trojan collection credential_access

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Checks memory information

Queries the mobile country code (MCC)

Obtains sensitive information copied to the device clipboard

Checks CPU information

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks Android system properties for emulator presence

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 02:28

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 02:28

Reported

2024-05-20 09:37

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

183s

Command Line

feifei.shasha9.meta.face

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks Android system properties for emulator presence

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/feifei.shasha9.meta.face/app_ttmp/t.jar N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

feifei.shasha9.meta.face

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/feifei.shasha9.meta.face/app_ttmp/t.jar --output-vdex-fd=48 --oat-fd=51 --oat-location=/data/user/0/feifei.shasha9.meta.face/app_ttmp/oat/x86/t.odex --compiler-filter=quicken --class-loader-context=&

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 02:28

Reported

2024-05-20 02:32

Platform

android-x64-20240514-en

Max time kernel

178s

Max time network

131s

Command Line

feifei.shasha9.meta.face

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/feifei.shasha9.meta.face/app_ttmp/t.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

feifei.shasha9.meta.face

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-05-20 02:28

Reported

2024-05-20 02:32

Platform

android-x64-arm64-20240514-en

Max time kernel

176s

Max time network

132s

Command Line

feifei.shasha9.meta.face

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/feifei.shasha9.meta.face/app_ttmp/t.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

feifei.shasha9.meta.face

Network


Files
