Malware Analysis Report

2024-10-19 12:06

Sample ID 240521-gv683sab49
Target 624835b3e814541d75a434dfa857c2b4_JaffaCakes118
SHA256 d5529b45ac01fb976a4e99c254ffb7b8302aed9443ea66193d39d834a0c9eade
Tags: discovery evasion persistence stealth trojan
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 624835b3e814541d75a434dfa857c2b4_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Checks if the internet connection is available

Analysis: static1

Detonation Overview

Reported: 2024-05-21 06:08

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 06:08
Reported: 2024-05-21 07:56
Platform: android-x86-arm-20240514-en
Max time kernel: 8s
Max time network: 131s

Command Line

com.barbaric.pineapple

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.barbaric.pineapple

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 142.250.178.3:443 | | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/com.barbaric.pineapple/files/a5f0467d-699f-4e1a-b9e5-d75746fec235.dat

MD5 5d6e4dfe1cdf6a08c81dd1481ea4ad1c
SHA1 0d980e1f791e4c955d792becf6a71e6e955c5baa
SHA256 2be8354466ba7f4e2542477820a9ac0103b197c39c06d93e12887b75bc18ee03
SHA512 5e99c6aa1e0ff257a920da20796d3d060e4b533194b2ea9c62442ab535c52993af05b0d101da117ab0c69f2c523a34440b6ae2943969d9a6f9772862f400294c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 06:08
Reported: 2024-05-21 07:56
Platform: android-x64-20240514-en
Max time kernel: 8s
Max time network: 149s

Command Line

com.barbaric.pineapple

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.barbaric.pineapple

Network

Country | Destination | Domain | Proto
GB | 142.250.179.234:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp

Files

/data/data/com.barbaric.pineapple/files/a5f0467d-699f-4e1a-b9e5-d75746fec235.dat

MD5 897ee430f3f471a89a83229401947692
SHA1 80dde4fb47f67e2d25e197cce4ac036a6175d23e
SHA256 741a0ced924256955ab17a3689c7e46379c172e71d685ec165d1ef5097f3b9f6
SHA512 9978480fe98ce6cc60ba1a0781e272865c1c71c0a06091e9bc4be71ce7b3d04c7869c7cbc402f30381f563465eea4b76a4b515c9049f3e2dda56612307e3a3b3

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-21 06:08
Reported: 2024-05-21 07:56
Platform: android-x64-arm64-20240514-en
Max time kernel: 8s
Max time network: 132s

Command Line

com.barbaric.pineapple

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.barbaric.pineapple

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/user/0/com.barbaric.pineapple/files/a5f0467d-699f-4e1a-b9e5-d75746fec235.dat

MD5 11977d79e1f5de2306a0f12a952fd5e6
SHA1 5a9ebe398b6504781453235a3e3aadde194bf039
SHA256 55110faa25802b1fb4b30c44010aa8c7e46d92a0bda43c23061d4868f442e129
SHA512 c32802c7b191958ff64aa35d2f96c47e78087d41f3a39328c2c60196e94597d91b04ce1600dfd4f1c83e0a54379bd46c3e396d2a43bfbdea4f75d5d5dbe55409