Malware Analysis Report

2024-10-19 12:06

Sample ID 240520-karvfacc2s
Target 5e15c92f3aad1e990539450b84e2febc_JaffaCakes118
SHA256 1efc9c9bcc22e543b04f17a75ff7511ea9f5e77f5a1bc6bf677e2f2ef11779d1
Tags
discovery evasion impact persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1efc9c9bcc22e543b04f17a75ff7511ea9f5e77f5a1bc6bf677e2f2ef11779d1

Threat Level: Likely malicious

The file 5e15c92f3aad1e990539450b84e2febc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 08:24

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 08:24

Reported

2024-05-20 12:00

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

130s

Command Line

com.cold.toothbrush

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.cold.toothbrush

Network

Country Destination Domain Proto
GB 216.58.213.3:443 tcp
GB 142.250.200.14:443 tcp
GB 142.250.200.10:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.234:443 tcp
US 1.1.1.1:53 mmunitedaw.info udp
LT 149.100.158.54:443 mmunitedaw.info tcp
LT 149.100.158.54:443 mmunitedaw.info tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp

Files

/data/data/com.cold.toothbrush/files/af812f95-5da2-4ae3-9d99-cca2e6b7178f.dat

MD5 cbc6f3b8274f624f276d179b33802aeb
SHA1 813f926419070d297a61c2c5623c8ce651804b34
SHA256 4eeb5d754c6771277cda6fda15a659ac14544f51b1732fb57947da9760d0582f
SHA512 edc8140147dff416749fda8dcee6b4e865626946cdff04af528ce440bb84995342ea4de804ac8ef2a3d6d60d7b2f764d7f949fc23f966093a4c769d670b7b7b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 08:24

Reported

2024-05-20 08:27

Platform

android-x64-20240514-en

Max time network

156s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 216.58.204.74:443 tcp
GB 172.217.169.14:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.200.2:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-20 08:24

Reported

2024-05-20 08:27

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

132s

Command Line

com.cold.toothbrush

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.cold.toothbrush

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mmunitedaw.info udp
LT 149.100.158.54:443 mmunitedaw.info tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
LT 149.100.158.54:443 mmunitedaw.info tcp
GB 142.250.178.14:443 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/user/0/com.cold.toothbrush/files/af812f95-5da2-4ae3-9d99-cca2e6b7178f.dat

MD5 e42d23bfb1ae141dbaa435b4f4823034
SHA1 997b3a818ed2b38667496274aaf538e1fd54a455
SHA256 35e2fa0a66da65162cafa53dcf915583df3f742caa76b311e95c89aeb5f54be8
SHA512 704f7fda6c0efae9bacdeb8e02646e6de6ce0d9d0523918ad1bfa68b7990f0e26c6b00f50150a72a37755d0662261cb804a4a203850f82ad970f2f3d0c80e2fe