Malware Analysis Report

2024-10-19 12:06

Sample ID 240521-hebmxabf8x
Target 625cb702476486e20e7d86d3616cc79c_JaffaCakes118
SHA256 d322d9e216c5479453051cc3d96927efc827c8e0ca6de62a6963c2dee4760e30
Tags: banker, discovery, evasion, impact, persistence, stealth, trojan, collection, credential_access
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: d322d9e216c5479453051cc3d96927efc827c8e0ca6de62a6963c2dee4760e30

Threat Level: Likely malicious

The file 625cb702476486e20e7d86d3616cc79c_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, discovery, evasion, impact, persistence, stealth, trojan, collection, credential_access

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks Android system properties for emulator presence.

Checks memory information

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Checks CPU information

Loads dropped Dex/Jar

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 06:38

Signatures

Requests dangerous framework permissions

Permission and what it grants (Process and Target were N/A for every row):

android.permission.SYSTEM_ALERT_WINDOW
  Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE (listed twice)
  Allows an application to write to external storage.
android.permission.READ_PHONE_STATE (listed twice)
  Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.GET_ACCOUNTS
  Allows access to the list of accounts in the Accounts Service.
android.permission.READ_EXTERNAL_STORAGE
  Allows an application to read from external storage.
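The static1 permission set is the one part of this report an analyst can reproduce without detonating the sample. The script below is an added example, not part of the report or of the sample: it triages a decoded AndroidManifest.xml for the same permissions, counts repeated declarations (the table above lists two of them twice), and enumerates the launcher entry points that the behavioral runs later show being hidden. It assumes the APK was decoded with apktool (`apktool d sample.apk`), which yields a plain-text manifest; the embedded manifest is constructed to match the static1 table, and its activity name is an assumption, since the report names no activity.

```python
"""Flag the permission and launcher pattern from the static1 section in a decoded manifest.

Added example, not part of this sandbox report. Assumes the APK was decoded with
apktool, which produces a plain-text AndroidManifest.xml. The manifest below is
constructed to mirror the permissions static1 lists; the activity name is assumed.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace

# Permissions worth a second look in a suspected banker. SYSTEM_ALERT_WINDOW is an
# app-op rather than a runtime permission, but it is what makes overlay phishing possible.
WATCHED = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay phishing)",
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI and network state",
    "android.permission.GET_ACCOUNTS": "enumerate accounts on the device",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
}

# Constructed manifest: the permission list (including the repeated entries) matches the
# static1 table; the package name is from the report; ".MainActivity" is made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.pro.fla.off">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="app">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package, per-permission declaration counts, the watched permissions
    present, and every launcher entry point (what the sample later hides at runtime)."""
    root = ET.fromstring(xml_text)
    counts = {}
    for node in root.iter("uses-permission"):
        name = node.get(A + "name")
        counts[name] = counts.get(name, 0) + 1
    flagged = {p: WATCHED[p] for p in counts if p in WATCHED}

    launchers = []
    for node in root.iter():
        if node.tag not in ("activity", "activity-alias"):
            continue
        for filt in node.findall("intent-filter"):
            actions = {a.get(A + "name") for a in filt.findall("action")}
            cats = {c.get(A + "name") for c in filt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launchers.append(node.get(A + "name"))

    # Overlay + phone state + accounts together let an app identify the device and draw
    # a fake login screen over a legitimate one; that combination is what the report tags "banker".
    overlay_and_identity = {"android.permission.SYSTEM_ALERT_WINDOW",
                            "android.permission.READ_PHONE_STATE",
                            "android.permission.GET_ACCOUNTS"} <= set(flagged)
    return {
        "package": root.get("package"),
        "permission_counts": counts,
        "flagged": flagged,
        "launchers": launchers,
        "overlay_and_identity": overlay_and_identity,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The launcher list is the static baseline to compare against the "Removes its main activity from the application launcher" signature in the behavioral runs: the manifest still declares the MAIN/LAUNCHER entry, and the sample disables it at runtime, which is why a static scan alone never sees the icon disappear.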

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 06:38
Reported: 2024-05-21 08:05
Platform: android-x86-arm-20240514-en
Max time kernel: 178s
Max time network: 130s

Command Line

com.pro.fla.off

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  Tags: banker, discovery
  Indicator: none recorded

Removes its main activity from the application launcher
  Tags: stealth, trojan, evasion
  Indicator: none recorded

Checks Android system properties for emulator presence.
  Tags: evasion
  Indicator: accessed system property key ro.product.model

Checks CPU information
  Tags: evasion, discovery
  Indicator: file opened for read /proc/cpuinfo

Checks memory information
  Tags: evasion, discovery
  Indicator: file opened for read /proc/meminfo

Loads dropped Dex/Jar
  Tags: evasion
  Indicator: /data/user/0/com.pro.fla.off/app_ttmp/t.jar (two entries)

Queries the mobile country code (MCC)
  Tags: discovery
  Indicator: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events)
  Tags: persistence
  Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks if the internet connection is available
  Tags: discovery
  Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Uses Crypto APIs (Might try to encrypt user data)
  Tags: impact
  Indicator: framework API call javax.crypto.Cipher.doFinal

Processes

com.pro.fla.off

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pro.fla.off/app_ttmp/t.jar --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.pro.fla.off/app_ttmp/oat/x86/t.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination           Domain                              Proto   (- = no domain recorded)
GB       142.250.200.14:443    -                                   tcp
N/A      224.0.0.251:5353      -                                   udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53            api.ymkeyxeghj.rocks                udp
GB       216.58.204.67:443     -                                   tcp
US       1.1.1.1:53            a.asense.in                         udp
US       208.100.26.245:80     a.asense.in                         tcp
GB       142.250.180.14:443    -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.187.206:443   android.apis.google.com             tcp
US       1.1.1.1:53            www.youtube.com                     udp
GB       142.250.178.14:80     www.youtube.com                     tcp

Files

/data/data/com.pro.fla.off/app_ttmp/t.jar

MD5 f06ab1caa33597d6410dc5edad0bf259
SHA1 5407d16f2d2704565ab532a2f54520fa3c2ec755
SHA256 095b2e7e0a7e3226fb6a43c90d5d0b7db59408e28991f3f7b970d2baef79a9cb
SHA512 e9dd43fea9e081281fc721ff4ceeb7959085cdbd4b8300227a2c2f4300f19ad7ecae4bea552cd95473ab59e347811d3ee1ac1a063a9c90e37839af2ecbbe4138

/data/user/0/com.pro.fla.off/app_ttmp/t.jar

MD5 6a6cdb4b514dcc313ebbbf4677eef772
SHA1 81b1d963a7c7a385193a28cb0001ac0faaa57b87
SHA256 1e706adcc6521f04efabff9d8a2fa193ab6540b88894859320c1f34fdec57310
SHA512 1777ff00aca9205380eb5de58fd40a0133ad44d73286435f7d19c40c3e3bff56349697fd417dec8365ba071e8ebdf1d4e153454076d870efb73fe5bad1054b2b

/data/user/0/com.pro.fla.off/app_ttmp/t.jar

MD5 3b15dd60fd2d407da2f26722c6849aff
SHA1 86de0a56f144df75ac2b06a6bafad5155166366b
SHA256 18ec562cf1e1c3325b3e252d80725f92990ea397632aeec32ef0a5a8bab27408
SHA512 ccabbeead605602a4ecaebc69d7a7b0dba9e4e4a80383cab4ec79ef68f6b9a68aa0abfef0f4b15a42e878c3d6e0b1cc19810cc805fc600dd5bddb8df10df0ed0

/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 acb682c7e82ffdac6a1038451a150086
SHA1 a4e3800285d7444c556bf8ec42c70061c52113e4
SHA256 de677107511928a0c357079c4ce9453b06f5371a5c5d377d3958be9d9b8f38f0
SHA512 84bd145938bde0c7516f7f83ec8d023c0a1af9ac5128dfa383cb588b20449a99cf9b0fb949d7d42ecf3708d679a458161d6f7f5cf75e0e6b03957ce70f111871

/data/data/com.pro.fla.off/databases/com.pro.fla.offb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.pro.fla.off/databases/com.pro.fla.offb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.pro.fla.off/databases/com.pro.fla.offb-wal

MD5 1e82a1a524aac35021ec4e5047ff4b78
SHA1 bd61633f3ab038b0d345597dc2c5223dd08ea4c3
SHA256 f4b6e943a0c015530fd7eb44ef7f654e6aef742e5e721429a9a2a8880b253cfe
SHA512 e754535c3459b24b6cbd913e19bb4c5ed4d5197ae223629d38e1a4a31ff6b5d8a94f22ffe7d87e39658fad47f3254bc028927952196fbd0c4465fb13b907ae2c

/data/data/com.pro.fla.off/app_ttmp/oat/t.jar.cur.prof

MD5 f5247242797c35fbcfe5a02e7f71d547
SHA1 6d30eff24ada674d35495b763e611851240e953e
SHA256 23abb80cfd94b464bfa22654c451d40ad0820854f03752c5670a45d2a0c0289f
SHA512 37ca22734b25d98dd2c9c204fa17ecfc29aaecc00294a9cd69c2e09ebb7b444989a588359b4878e17f4eb1bf122579e8ba78b3df3f9bcbc9b5fbac63da4f078b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 06:38
Reported: 2024-05-21 08:06
Platform: android-x64-20240514-en
Max time kernel: 177s
Max time network: 139s

Command Line

com.pro.fla.off

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  Tags: banker, discovery
  Indicator: none recorded

Removes its main activity from the application launcher
  Tags: stealth, trojan, evasion
  Indicator: none recorded

Checks memory information
  Tags: evasion, discovery
  Indicator: file opened for read /proc/meminfo

Loads dropped Dex/Jar
  Tags: evasion
  Indicator: /data/user/0/com.pro.fla.off/app_ttmp/t.jar

Obtains sensitive information copied to the device clipboard
  Tags: collection, credential_access, impact
  Indicator: framework service call android.content.IClipboard.addPrimaryClipChangedListener

Queries the mobile country code (MCC)
  Tags: discovery
  Indicator: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events)
  Tags: persistence
  Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks if the internet connection is available
  Tags: discovery
  Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries the unique device ID (IMEI, MEID, IMSI)
  Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)
  Tags: impact
  Indicator: framework API call javax.crypto.Cipher.doFinal

Processes

com.pro.fla.off

Network

Country  Destination           Domain                      Proto   (- = no domain recorded)
GB       216.58.213.10:443     -                           tcp
GB       216.58.213.10:443     -                           tcp
N/A      224.0.0.251:5353      -                           udp
US       1.1.1.1:53            api.ymkeyxeghj.rocks        udp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       216.58.212.200:443    ssl.google-analytics.com    tcp
US       1.1.1.1:53            a.asense.in                 udp
US       208.100.26.245:80     a.asense.in                 tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       216.58.212.238:443    android.apis.google.com     tcp
GB       216.58.213.14:443     -                           tcp
GB       142.250.180.4:443     -                           tcp
GB       142.250.180.4:443     -                           tcp
GB       216.58.212.194:443    -                           tcp
GB       142.250.180.14:443    -                           tcp

Files

/data/data/com.pro.fla.off/app_ttmp/t.jar

MD5 f06ab1caa33597d6410dc5edad0bf259
SHA1 5407d16f2d2704565ab532a2f54520fa3c2ec755
SHA256 095b2e7e0a7e3226fb6a43c90d5d0b7db59408e28991f3f7b970d2baef79a9cb
SHA512 e9dd43fea9e081281fc721ff4ceeb7959085cdbd4b8300227a2c2f4300f19ad7ecae4bea552cd95473ab59e347811d3ee1ac1a063a9c90e37839af2ecbbe4138

/data/user/0/com.pro.fla.off/app_ttmp/t.jar

MD5 6a6cdb4b514dcc313ebbbf4677eef772
SHA1 81b1d963a7c7a385193a28cb0001ac0faaa57b87
SHA256 1e706adcc6521f04efabff9d8a2fa193ab6540b88894859320c1f34fdec57310
SHA512 1777ff00aca9205380eb5de58fd40a0133ad44d73286435f7d19c40c3e3bff56349697fd417dec8365ba071e8ebdf1d4e153454076d870efb73fe5bad1054b2b

/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 a47a239a30fc715eb06cf278436bd8c0
SHA1 ba2d7fe516b17e4a8c8fa8d918e9e9858df1b2a0
SHA256 d9292f48d0cbf02d73d14a08606a1890b88c75916a50c17bd6f0606de0931f27
SHA512 87c8aae2156b676ab0bebed0a9d94f6fb016e447ca79bc7dc35baaf11a3f06f1abbffc30b6e7de588a5cf4c0ff4caeb5030fb46ab0149164546acce414e267ad

/data/data/com.pro.fla.off/databases/com.pro.fla.offb

MD5 dc991f7d899dd7fae28c452b20a9d718
SHA1 b01fb5f63b1ccfae46d0e5975eaacf7fdcd31ec0
SHA256 767ccd60308b3bd13637343484d90847eca74e0577f3699e22021696cb25e738
SHA512 074c4547301c2621f75b4f2aea57889c820523d6358aca75ac359d27ec5e8315f5a1239220ee64111d12b76829222dd4e965f573c8f3900704c2690353b8ea39

/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 3369f73038be961488612d4de95e8924
SHA1 f054b93974e5960281091f9db863cd8697dd45b4
SHA256 b7e2d7b77cebd8b50fa8958f2c2b7dfc2d99bb2fc7de976c5b873d4122fc4688
SHA512 2e6a133f589c7098ba7589715244f964bfc694cb58bb28614171a6295b31a0cc30c9d684db62a5bac7771b12e9e654c129346b8a34fcff6c51b3d23cba974fdb

/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 227e17a368bd21e33626e931dac4b5fe
SHA1 bb5fe9c84eeb13a4be3dd170abbb64ef4d35d621
SHA256 cd9a90beb5f255a420b41ed25410a825e5bd10236a23f89393cc7e63520b8e92
SHA512 9e768c91198dcbff763eadefc622312ccde8000c989835af94af18f7b9baa757a32adebe26743d917ca4627854d68c6b6603ebcbbf9b9e41d787363cee4f14eb

/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 81ec3e8da2bc2235908261ee4dd51fc2
SHA1 6d8c04dde2f4a0f3c4a0d9061d1bbdcf858378df
SHA256 1df4844c71a8be8aede6268971918538c2f541611cb31f4fba3d4e25861e2ee8
SHA512 7d65a200d98943b26065104fc973e04e4229ae42423cb19b7808121b1e0cf2756191384d48a4ac47b428c31dd31d94576b62e9f11bd706d054d9c4e815a645c5

/data/data/com.pro.fla.off/app_ttmp/oat/t.jar.cur.prof

MD5 ebf4daeab1a091c4fd5c8866a1063d67
SHA1 2999607d17c4f8d93ca8f4e41474b89f83490523
SHA256 9491ab984fe92e294e763508c44a896d009e145a9fbdb69e64f7d0d72d94cdb9
SHA512 6a7c14722fea4816995eeb5e069e3ebac786dc4c704f13d43e2204d855ff2f8ad653d99ca6e45bc53d6c8917453e40d2fb330a7bcd102044a3fcafecc92121f8

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-21 06:38
Reported: 2024-05-21 08:06
Platform: android-x64-arm64-20240514-en
Max time kernel: 17s
Max time network: 132s

Command Line

com.pro.fla.off

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  Tags: banker, discovery
  Indicator: none recorded

Removes its main activity from the application launcher
  Tags: stealth, trojan, evasion
  Indicator: none recorded

Checks memory information
  Tags: evasion, discovery
  Indicator: file opened for read /proc/meminfo

Loads dropped Dex/Jar
  Tags: evasion
  Indicator: /data/user/0/com.pro.fla.off/app_ttmp/t.jar
  Indicator: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.pro.fla.off/app_ttmp/t.jar]

Obtains sensitive information copied to the device clipboard
  Tags: collection, credential_access, impact
  Indicator: framework service call android.content.IClipboard.addPrimaryClipChangedListener

Checks if the internet connection is available
  Tags: discovery
  Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Uses Crypto APIs (Might try to encrypt user data)
  Tags: impact
  Indicator: framework API call javax.crypto.Cipher.doFinal

Processes

com.pro.fla.off

Network

Country  Destination           Domain                      Proto   (- = no domain recorded)
N/A      224.0.0.251:5353      -                           udp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       216.58.213.8:443      ssl.google-analytics.com    tcp
US       1.1.1.1:53            api.ymkeyxeghj.rocks        udp
US       1.1.1.1:53            a.asense.in                 udp
US       208.100.26.245:80     a.asense.in                 tcp
GB       142.250.178.14:443    -                           tcp
GB       142.250.178.14:443    -                           tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.200.46:443    android.apis.google.com     tcp
GB       216.58.201.100:443    -                           tcp
GB       216.58.201.100:443    -                           tcp

Files

/data/user/0/com.pro.fla.off/app_ttmp/t.jar

MD5 f06ab1caa33597d6410dc5edad0bf259
SHA1 5407d16f2d2704565ab532a2f54520fa3c2ec755
SHA256 095b2e7e0a7e3226fb6a43c90d5d0b7db59408e28991f3f7b970d2baef79a9cb
SHA512 e9dd43fea9e081281fc721ff4ceeb7959085cdbd4b8300227a2c2f4300f19ad7ecae4bea552cd95473ab59e347811d3ee1ac1a063a9c90e37839af2ecbbe4138

/data/user/0/com.pro.fla.off/app_ttmp/t.jar

MD5 6a6cdb4b514dcc313ebbbf4677eef772
SHA1 81b1d963a7c7a385193a28cb0001ac0faaa57b87
SHA256 1e706adcc6521f04efabff9d8a2fa193ab6540b88894859320c1f34fdec57310
SHA512 1777ff00aca9205380eb5de58fd40a0133ad44d73286435f7d19c40c3e3bff56349697fd417dec8365ba071e8ebdf1d4e153454076d870efb73fe5bad1054b2b

/data/user/0/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 05f809e6fa3c46a4015977edd95f74a3
SHA1 854e41520113a6bee80eead868cfb456463d00bb
SHA256 cbb35af39b54771608e55e52f85d89c54080e29e851504da3728c869228af26c
SHA512 294af5cf0785cc7a37aeba67ff370b41f719a1632b48460f40b206f10dfa0e7d5a6870244f5a0b52380118c9e48240a59261d0c9224dba0ae809dcc3bf84297d

/data/user/0/com.pro.fla.off/databases/com.pro.fla.offb

MD5 22b3f2110ff9444d4ee7d512b637a1cb
SHA1 7a39d4544751c9da2853a3301783e0b3b3da2e39
SHA256 48e08255dce4bf78261d12668d58e1573a80ca0033d8c174bbba864512b2dd55
SHA512 634211d903575fd3bf3cc945eb5e3d931e4c540246ea8e4b5e03f57ea0410cf82f45004af6bb82bd9327256963f07fc9d8e9fa7959afee3e9c5c0b33c657c6c1

/data/user/0/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 786839764d8989688a5425f5b0ba6830
SHA1 2e37d6c44ee0ae58fc15b8b3b901220f4630c5b1
SHA256 7f2ffa744d7114e7d0fafeb3db71afa36e7670886c589641133abdeb15fd63f0
SHA512 d10cfd7930dd1eee201e7841e0a67987cdbb7d30044825033e3cf1331042e910e9536b5ebafea2f45bd0f8401e3a43177de0fcda52fa8fcdc6d372127126a0c3

/data/user/0/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 3f75bcba081e988b845843fed547a4bc
SHA1 d5ccf915154f1a0f9f112c1f87106776cb2ef420
SHA256 8347a224d755e490b8e9318004cc13078c06e9872f7877ab9ff1c27832c20ecf
SHA512 32f8833d4c0b9bd4fb40e7332d10262dd419fc3efe25dc1b9e7f9f7854a5a506892f4f12d0bc80721644c4c68e26b1e9df3228afab9496f8adeec822842b9581

/data/user/0/com.pro.fla.off/databases/com.pro.fla.offb-journal

MD5 0dccc1d3970204296ab6bd952f8fe04c
SHA1 02841cfa62b0398ac8dd38b8b44699afc5af665c
SHA256 651bfcf69eb26e11ea0fe24ddb4fa2b73a8ccef2f44106b8a47556f2978b0e11
SHA512 2728f267d2be1e766ad97a4ac9f2073a0da49cfb237e7a4585384186421d9998398fddd1bf42feacf7049be3c754899c2b6d4eab4266cd8d07718a4e798d13fa
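Read side by side, the three behavioral runs share most of their traffic with any stock emulator image (Google APIs, YouTube, analytics, mDNS), and the dropped t.jar shows up under two spellings of the same directory with several different hashes. The script below is an added example, not part of the report: it correlates the runs, separating the non-Google destinations from the background noise, recording which suspicious domains were actually connected to versus only resolved, and working out which t.jar hashes recur in every run. The rows are copied from the Network and Files sections above (repeated rows collapsed); the benign-suffix list and the Google IP prefixes are analyst assumptions the report itself does not make.

```python
"""Cross-run triage of this report: separate network IOCs from sandbox/Google background
noise, and track the dropped t.jar across the three behavioral detonations.
Added example, not part of the sandbox report. Rows are copied from the report's Network
and Files sections (repeated rows collapsed); the benign-suffix list and the Google IP
prefixes are analyst assumptions the report itself does not make.
"""
from collections import defaultdict

# "<country> <destination> [<domain>] <proto>", as printed in the Network tables.
NETWORK = {
    "behavioral1": """
        GB 142.250.200.14:443 tcp
        N/A 224.0.0.251:5353 udp
        US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
        US 1.1.1.1:53 api.ymkeyxeghj.rocks udp
        GB 216.58.204.67:443 tcp
        US 1.1.1.1:53 a.asense.in udp
        US 208.100.26.245:80 a.asense.in tcp
        GB 142.250.180.14:443 tcp
        US 1.1.1.1:53 android.apis.google.com udp
        GB 142.250.187.206:443 android.apis.google.com tcp
        US 1.1.1.1:53 www.youtube.com udp
        GB 142.250.178.14:80 www.youtube.com tcp""",
    "behavioral2": """
        GB 216.58.213.10:443 tcp
        N/A 224.0.0.251:5353 udp
        US 1.1.1.1:53 api.ymkeyxeghj.rocks udp
        US 1.1.1.1:53 ssl.google-analytics.com udp
        GB 216.58.212.200:443 ssl.google-analytics.com tcp
        US 1.1.1.1:53 a.asense.in udp
        US 208.100.26.245:80 a.asense.in tcp
        US 1.1.1.1:53 android.apis.google.com udp
        GB 216.58.212.238:443 android.apis.google.com tcp
        GB 216.58.213.14:443 tcp
        GB 142.250.180.4:443 tcp
        GB 216.58.212.194:443 tcp
        GB 142.250.180.14:443 tcp""",
    "behavioral3": """
        N/A 224.0.0.251:5353 udp
        US 1.1.1.1:53 ssl.google-analytics.com udp
        GB 216.58.213.8:443 ssl.google-analytics.com tcp
        US 1.1.1.1:53 api.ymkeyxeghj.rocks udp
        US 1.1.1.1:53 a.asense.in udp
        US 208.100.26.245:80 a.asense.in tcp
        GB 142.250.178.14:443 tcp
        US 1.1.1.1:53 android.apis.google.com udp
        GB 142.250.200.46:443 android.apis.google.com tcp
        GB 216.58.201.100:443 tcp""",
}

# SHA256 of every t.jar entry in the Files sections. /data/data/<pkg> and /data/user/0/<pkg>
# are the same directory on a single-user device, so the two spellings are merged.
J1 = "095b2e7e0a7e3226fb6a43c90d5d0b7db59408e28991f3f7b970d2baef79a9cb"
J2 = "1e706adcc6521f04efabff9d8a2fa193ab6540b88894859320c1f34fdec57310"
J3 = "18ec562cf1e1c3325b3e252d80725f92990ea397632aeec32ef0a5a8bab27408"
T_JAR_SHA256 = {"behavioral1": [J1, J2, J3], "behavioral2": [J1, J2], "behavioral3": [J1, J2]}

# Assumptions: Google services a stock emulator image talks to on its own, the sandbox's
# DNS resolver, mDNS, and bare-IP connections into Google (AS15169) ranges are all noise.
BENIGN_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com", ".youtube.com")
GOOGLE_PREFIXES = ("142.250.", "216.58.")
RESOLVER, MDNS = "1.1.1.1:53", "224.0.0.251:5353"


def triage(network=NETWORK, jars=T_JAR_SHA256):
    looked_up = defaultdict(set)   # suspicious domain -> runs with a DNS query for it
    contacted = defaultdict(set)   # (domain, dest) -> runs with an actual connection
    unattributed = set()           # bare-IP connections outside the Google ranges
    for run, text in network.items():
        for line in text.strip().splitlines():
            parts = line.split()
            dest, domain = parts[1], (parts[2] if len(parts) == 4 else None)
            if dest == MDNS:
                continue
            if dest == RESOLVER:
                if domain and not domain.endswith(BENIGN_SUFFIXES):
                    looked_up[domain].add(run)
            elif domain:
                if not domain.endswith(BENIGN_SUFFIXES):
                    contacted[(domain, dest)].add(run)
            elif not dest.startswith(GOOGLE_PREFIXES):
                unattributed.add(dest)
    # Resolved but never connected to: still an IOC, but a weaker one (dead, geofenced,
    # or reserved for a stage the sandbox never reached).
    dns_only = {d for d in looked_up if d not in {dom for dom, _ in contacted}}
    common = set.intersection(*(set(h) for h in jars.values()))
    return {
        "contacted": {k: sorted(v) for k, v in contacted.items()},
        "dns_only": dns_only,
        "unattributed": unattributed,
        "jar_common_to_all_runs": common,
        "jar_unique_per_run": {r: sorted(set(h) - common) for r, h in jars.items()},
    }
```

On this report the result is: a.asense.in is contacted over plain HTTP at 208.100.26.245:80 in every run, api.ymkeyxeghj.rocks is resolved in every run but never connected to, no bare-IP connection falls outside the Google ranges, and two t.jar hashes (095b2e7e... and 1e706adc...) recur in all three runs while a third appears only in behavioral1. Two hashes at the same path within one run means the jar is rewritten during execution, so a single t.jar hash is a weak indicator; the path, the in-memory dex extraction noted in behavioral3, and the dex2oat invocation on app_ttmp/t.jar are the more stable ones.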