Malware Analysis Report

2024-09-09 19:08

Sample ID 240521-m4qwcabb51
Target 630f4cf1ce4292e41f2b2bbcc95ca0d1_JaffaCakes118
SHA256 5dfc6e5d74d73582a93fe20e2d66e8f2c9cb572ac51f80e3b74dde448b29824b
Tags
discovery evasion stealth trojan impact privilege_escalation
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

5dfc6e5d74d73582a93fe20e2d66e8f2c9cb572ac51f80e3b74dde448b29824b

Threat Level: Likely malicious

The file 630f4cf1ce4292e41f2b2bbcc95ca0d1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion stealth trojan impact privilege_escalation

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 11:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
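The static1 signatures above come straight from the manifest: the permission requests, the receiver guarded by BIND_DEVICE_ADMIN, and the presence of a MAIN/LAUNCHER activity. The script below is an added example, not part of the sandbox report and not the sample's own code; it runs the same three checks over a decoded AndroidManifest.xml. The embedded manifest is constructed to mirror the report's findings, and the package name, component names and the dangerous-permission list are assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml (added example, not report output)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# "dangerous"-level permissions flagged in the report (subset; extend as needed).
# PROCESS_OUTGOING_CALLS has been deprecated since API level 29 but is still granted on older devices.
DANGEROUS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

# Constructed manifest for the demo; component names are assumptions, not the sample's.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="app.six">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="six">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return the permission, device-admin receiver and launcher facts a triage needs."""
    root = ET.fromstring(xml_text)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}

    # A receiver protected by BIND_DEVICE_ADMIN is the static marker for device-admin abuse.
    admin_receivers = [_attr(r, "name") for r in root.iter("receiver")
                       if _attr(r, "permission") == "android.permission.BIND_DEVICE_ADMIN"]

    # Activities with MAIN + LAUNCHER are the icons the user would see.
    launcher_activities = []
    for act in root.iter("activity"):
        for filt in act.iter("intent-filter"):
            actions = {_attr(a, "name") for a in filt.iter("action")}
            cats = {_attr(c, "name") for c in filt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launcher_activities.append(_attr(act, "name"))

    return {
        "package": root.get("package"),
        "dangerous_permissions": sorted(requested & DANGEROUS_PERMISSIONS),
        "device_admin_receivers": admin_receivers,
        "launcher_activities": launcher_activities,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A launcher activity present in the manifest does not contradict the behavioral signature "Removes its main activity from the application launcher": that hiding happens at runtime (the app disables its own launcher component after first start), so the manifest check only establishes that an icon existed at install time and the dynamic runs establish that it was removed.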

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 11:01

Reported

2024-05-21 11:04

Platform

android-x64-20240514-en

Max time kernel

12s

Max time network

132s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.204.74:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | 44448888.ru | udp
GB | 142.250.187.238:443 | N/A | tcp
GB | 142.250.200.2:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp

Files

/data/data/app.six/databases/a-journal

MD5 f19d3c48aeee69c5f7493ac18d2a6140
SHA1 07fca8b03871b91eec78c6afed010053013616c9
SHA256 13e04bcfa27b3e34f0d1abd7fa8b74d9921ddeec08b1c22d6ffa88295d884fac
SHA512 fb3924a53c342faa524b0a8571ec6355b86bb5e9cd3303f64b6e8dcb657be51fafafa227c96ede9437029b9658049b938ab4329065700139b909ff1ac36e894c

/data/data/app.six/databases/a

MD5 c69ef7005c3f91851e4e6fbc49e01083
SHA1 ad90dfc9ee0a554d6698dcd1d5c057c2f585effe
SHA256 fcb8a9d175b007f341481140c4a4ca394656864a3938d8c0e15ccf18888aa776
SHA512 7bf02687ffec137b03b6f646c0db6f9ad5feff73ec5fccfb903a37e0e59c3b9cd1211d8038506fc1abdef6e65eccd1ce6634d3d699f2d0fc636b31648a17716a

/data/data/app.six/databases/a-journal

MD5 6024707fe909e243090d035054d76360
SHA1 6179df132b7fd06397e15de230fc9c6545a5303b
SHA256 fd27e60db20719c3904fae4c48828b2e5e194e851cecf79af44df6edd395af0b
SHA512 86ac6505d1e30237c9a07a707cfa6fdf59e0947a2f45e656936733972a836e43ee415bc13142726efa79653c2aef3dbb57dd64c87aa336586ded1d3f3ec51192

/data/data/app.six/databases/a-journal

MD5 1200d9b1860b045a1f375be2e0998ccb
SHA1 2aef1267c5c986db962f64fd72501aff4fd27982
SHA256 c5fb3adf2732b9234325e9d96fac8e8a73beb527f8392b2b81fca0ea3b756866
SHA512 859c2fe54ae95931697f00b9ce7d9e61028fe7dbbd80a99256d2d7aacde31a796a5308353a33ef4094a11b6eacb22aac315aebd258541059de3e6fe263ecaff0

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 48e44b5d26dce44d1ebf734eb1f7cb36
SHA1 38b76008caadd6b77581ed9e32023a1ab404d138
SHA256 0975e0291f1f44bbe48ddcd6b56723bd8e229b77da8b4c61b9e35a78b7ff9c5c
SHA512 604a570434f045242d1eb8ba8ddcfefe5178257a8680afecfbfd02bc33234e0880d6a4b8afa872da42c4a5d261361d0f241cd37d7e3e54830ceb56e080dd9352

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 1633b70e26e9dba7b5a6b9c9f37ba8d7
SHA1 4f9087edc58354e96c340a9449f88cf87cf6a371
SHA256 ea8176c6dbaab371730108cb6488ae11efcba9253b31680567147dd3b2049e8a
SHA512 0058bd77277ee211387ed17a588306eae43eddeedfb36c194e6bce0f0fb8e4402718784987541529d15efc3ab02e7e33f9dd82a018823914ffba4e908100a95a

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 fb6a607f726f3b2363809ef1e2361115
SHA1 5c1c755b82d848488c85537354e241067c353b53
SHA256 74bd9381e847cc7a136c3123b603f8c49d20419ac96e75fb43e930238ee14b6a
SHA512 bf5b66d7c6cc3405333aeb1d4dbccbad208f4051013806f5e515fa3c1dcde215189b7bd373d63bf7a49dbaf9154149f1b628cfdcc368f5649107c7715c9ff400

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 48a45c3093b5e5a26698f963b5dc7e9c
SHA1 e250370b8f668a962ad67f214f14d3d6043f6334
SHA256 d1d4e071701d990d297c944ce3428e16d8b77555f10795ee0de86bcc4fe461c9
SHA512 4739539bb36f670b51bed763a01527cfe1f3ccd78db35fff77a2ea8970deb3eaae7b553fcbe98fc8133e21faad39e433badeb9fc8a42a7249a934dd3acae5a23

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 8af0c8ae8529c35514a1bee81d1743e9
SHA1 1d45ab8105b769408cde45528e926e762cfda1b3
SHA256 f3c31aa56a21d50a3a1b6f856a60bcef58ea5cf415cbcd03ca105369560c5be9
SHA512 f448825c3c5099d46017c374106c6ddf5db943bb5ed364a7481c68812d05dd4f4065fabc44ed532ec85f2a277e50207ed831d2bffa87c5e737d152b80617d407

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 959c00ec9f438df78acac22b723e5b5c
SHA1 c0b767d4251e0fea6e0a0e433da502b28c34a9b8
SHA256 2648643eda131dd2a238903a6deb5e008fba2753bada6acf793f5402236a6fef
SHA512 cd3af1fc48673d0a20ce4b028db66f4dec968d573eee1099c33a4cd5bab046a85f87248c1c5740816cfb5156a3aaeb522b3b6f866490e9a83c9d30e8e2e07c92

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 11:01

Reported

2024-05-21 11:04

Platform

android-x64-arm64-20240514-en

Max time kernel

13s

Max time network

164s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.179.234:443 | N/A | tcp
GB | 142.250.179.234:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | 44448888.ru | udp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
GB | 172.217.16.226:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp

Files

/data/user/0/app.six/databases/a-journal

MD5 dab3bcc1d3895bb52f8e34c2cff23f46
SHA1 6d5f3552f5427c069c47f0188583ddee4c3a675a
SHA256 676f1bd152d5c19b0464a4fd35585ec890f6aa97ab1b49e1a1ec1ccaacfe0b48
SHA512 f8367a41c8018380db3e8950966a96911d190c236a6a361e74bbda18fe62c956d75bd6f8c536c9ca9a52efa4124057fc8bc8bb45febbe3a808e85504d9bb8a87

/data/user/0/app.six/databases/a

MD5 09a1c65be08d5478432c8a2c4c699a06
SHA1 19f8db07639eab80eb0b3d757112bd47076bfb96
SHA256 e4f66f1058ded1727a16c604ec745de9f81950e9b1d79d937ae3f12be2023b2f
SHA512 1703e390f1b373cf02f9ba92cf6e22b7ed4cc4e553e13278e36eb30aae43b28211d1b3c76ae690e8a972dbbf6d7e634c98d8bfc7333258a19950c30d82aec429

/data/user/0/app.six/databases/a-journal

MD5 4d08557b96e61920407b3d33f20baac8
SHA1 12cddeee949eb0c063f1ff484ba3eab000170603
SHA256 5367ce4d7d8037e8671dc14fad1e1250b243e89d17993b4c400a2ee0932b372a
SHA512 4ea3ad184b3252d3402dd165ca273e2719e6c87a092fd46f89ac27600a806de83c92e7ac9565a1794faec61527c16c7934d3ce3a9507280f716726d10a2362c4

/data/user/0/app.six/databases/a-journal

MD5 4c72e6e5781605516a6cbff0c05ed5f8
SHA1 3c26b6b2df512a4b886bc00743806c80c6aed17d
SHA256 774b19cf6af1792e3178b8cff75700423ac8020066300e63604d6a98825f1cd9
SHA512 a97d3c0416306739b700b52170480757f5bbc744384d27a287d25ac2366bbe1cca12a9adf62cfd5951a87f0574ad8c23ae36ba1618dabfab8a9502dbc790a1d3

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 af1b0583beebbf1d1c962eabad50160a
SHA1 33b91254fd498ff0869009b0bd42198c4dc3a561
SHA256 755801e54ee5e9b9e2f240dd27856e702c16e9bef59d72d7e8cdb9028e029562
SHA512 b52761d95ffdad0f5f4c11eb75788ad8fc332d1d124eac867fc6d9529eaf0af83f409b182b40fbf0ca7f60d69136e3f6661065a3e93e7a6ce756f1e52a32c291

/data/user/0/app.six/databases/sdffsfdsfdsfsd

MD5 a36e68ddbf697e707155db56da65ea71
SHA1 c8fc6d011cb8ce162766e052c755ebbb6e9d6a3b
SHA256 595593bc246451db229e4e2cd3679bd0ad943b05a5cc1935e734650b502d4f1a
SHA512 c5e7e8c5bd92c167883486ca469a41660b88da3d89097dea0b716b9aba5aeba3202fc3d18b12fc14474165256f75b4148a39bf0cce256a55342a9fb319e068cf

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 7d640ebaa11cf7201d2555a93a2f918b
SHA1 6d653b69d52a8e0cc4b5c1eef32076b8b9d5e2ab
SHA256 6ef4173793318ae6dfc35c14c41202f02139a36853c644fbbe0f8cc4d9213207
SHA512 073c524139c21d853fa5ff7badaa176404923d76e3f2c0eedcf4252944530f21c06479ec2197881d1a31a1f19098bf0b6533ad446114d8e3f5c6cc43e6eaa009

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 9ec96c919a7b1bea1a5b0114dd110dd2
SHA1 50d3c68f1e95c5fc78c29e39d51c647956f5e0bb
SHA256 2ec78762f4e1fcd1490217b1810c0a916beca3810337318027c4977013cb0a30
SHA512 c0be6cf834840269903b4615f91b358de4901c7fb0f47de9a817ed7f440a11e451ab0fff57ba13dce29381d740b0ae304afccd4d987e59ac79348b4335c0dcd2

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 0e12d7c2458bd3b2a76abd3019deedbe
SHA1 1ce3aaa18dca39139311945c2d657e55e1bc79a6
SHA256 2c167694a4c5a4ed0cb9a19fb5318e95200fc292ee87edc7cb9d5bfa88795ba8
SHA512 07c4d82d5407b886b1db569bfcf533e6537c362a84c4b1eb5bc41a9804d5e8526c9972864e3fd4b405ea22fc25edd57a0bc16caf02cc2c3769d9051bd7bc7ba8

/data/user/0/app.six/databases/sdffsfdsfdsfsd

MD5 b6c1ccd9957e8665f0b405326e274b1f
SHA1 ae3361ce24b025d804a582c9f2592d27df63b648
SHA256 85d7e68702ae1757c9764ce677324b953877e9a1176e721e30b2a020e2763030
SHA512 7dafb38377d5bcf18f238cf40e150abb5ae32c54cdb77b633662504e7332a7f3dd6c1690e5b5fccbf7dbe69b7d954ea2a6c8a0560cfa9a742358a5b3733498e4

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 11:01

Reported

2024-05-21 11:04

Platform

android-x86-arm-20240514-en

Max time kernel

12s

Max time network

151s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | 44448888.ru | udp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.213.4:443 | www.google.com | tcp
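Across the three Network tables (behavioral2, behavioral3 and this one) almost every destination is Google infrastructure the emulator image contacts on its own; the one name that does not fit is 44448888.ru, which is looked up over DNS in every run but never appears on a TCP connection. The script below is an added example, not part of the report: it re-reads the rows that carry a domain name from the three tables and applies two checks, an allow-list of expected Google suffixes and a "resolved but never connected" test. The allow-list is an assumption for this emulator image; rows without a domain are omitted because neither check uses them.

```python
"""Triage of the sandbox Network tables (added example, not report output)."""
from collections import defaultdict

# Domain-carrying rows copied from the report's three Network tables:
# country, destination ip:port, domain, protocol.
RUNS = {
    "behavioral2": """
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 44448888.ru udp
""",
    "behavioral3": """
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 44448888.ru udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
""",
    "behavioral1": """
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 44448888.ru udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.213.4:443 www.google.com tcp
""",
}

# Names a stock emulator image contacts by itself (assumption for this image).
EXPECTED_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")


def parse_rows(text):
    """Yield (country, ip, port, domain_or_None, proto) for each non-empty row."""
    for line in text.strip().splitlines():
        parts = line.split()
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def dns_without_connection(text):
    """Domains looked up over DNS that never show up on a TCP connection in the same run.
    A name that resolves and is used will normally be followed by a TCP row carrying it."""
    looked_up, connected = set(), set()
    for _, _, port, domain, proto in parse_rows(text):
        if domain is None:
            continue
        if proto == "udp" and port == 53:
            looked_up.add(domain)
        elif proto == "tcp":
            connected.add(domain)
    return sorted(looked_up - connected)


def unexpected_domains(text):
    """Names outside the allow-list; these are the candidate C2 indicators."""
    names = {row[3] for row in parse_rows(text) if row[3]}
    return sorted(d for d in names if not d.endswith(EXPECTED_SUFFIXES))


def triage_runs(runs):
    """Map each unexpected name to the runs it appeared in, so a one-off
    lookup can be told apart from a name the sample contacts every time."""
    seen_in = defaultdict(set)
    for run, text in runs.items():
        for domain in unexpected_domains(text):
            seen_in[domain].add(run)
    return {d: sorted(r) for d, r in seen_in.items()}


if __name__ == "__main__":
    for run, text in RUNS.items():
        print(run, "looked up but never connected:", dns_without_connection(text))
    print("unexpected names by run:", triage_runs(RUNS))
```

The second check also flags semanticlocation-pa.googleapis.com in behavioral1, which is why the allow-list is needed alongside it: a lookup with no follow-on connection is a symptom, not proof, and Google platform services produce the same pattern. For 44448888.ru the combination (outside the allow-list, queried in all three runs, no TCP connection in any of them) is consistent with the name not resolving from the sandbox or the host being unreachable, so the domain itself is the indicator to pivot on, not an IP.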

Files

/data/data/app.six/databases/a-journal

MD5 eac14c5d72ed9583824c2507ca87f741
SHA1 0a788473850bb1307c8c894c311ae421f1bf3596
SHA256 d1e3c3bb5a52f72e35d86041eacd88cb8dc02565b710758fd64918a0a6583ffd
SHA512 4b9fecca62b990e0207c6f39c3e66a8cc6337ea074ef080f83980fd6023247dd4c063dd1314cf8be4c0889f27ecaf147ea73c2c487c7b33898a02d4ce4b70946

/data/data/app.six/databases/a

MD5 56c3b883b89768a572d72d5e24f6037b
SHA1 eb6296d234fbe5bb3958bdcca8d1d21cbf6798b9
SHA256 fe7f7123a850794ea84998f7e6142199110607005384120c337577517c664501
SHA512 0c3f233673b2156194623d3326291337d9c108badc29edee2ac1d4faa4bf6f6d7a73ab8659f676092c144fd510195f663e6dd1ab1edcd04a7b35332da6bdfa9f

/data/data/app.six/databases/a-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/app.six/databases/a-wal

MD5 2953be1d5165dce6719f58ad914d5ca2
SHA1 480c489875ce0a92cc7499dc3a4513416f3f318d
SHA256 f91df176dbe7ffb80c0144c667d02025a80ddc7ec1d6e8306621852eb3fc2fc6
SHA512 a03f01b6e5b445d678a12045fbec3153ae088735ebd29abd9d01680d1e8d598c8004231e11edf2631e2eac6ac8006460ced34433108219af7a554bf11e72494c

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 086c8c66d536dd53bd0b4c68625fb98e
SHA1 ede888b2ea335a4914cf5a2a4de8ddb9c2add854
SHA256 06d6a8904eddd25ae91e587794e52d92b9fb3b72317854174dbf31d58a8a858a
SHA512 995a2aea0704a2e6c90ec0ad38e7dcc3b35654bae36993d700fc05590dcd792d985cf0bae6bdf5c56859266fb2c685d779ebd3848edac044a27bbe2926a871ad

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 5d19fffe05d02d8e36fb6494f2996856
SHA1 0b80e45877f98615f2b197cee823ba3409d5c0a2
SHA256 e6a4924f77a716bf0d48f2a5e46fa5f0020a846e5f00d52c46074c4b4a8098ad
SHA512 4c4b57838972c96dead74bdff3054f56e2c30269b20a0dba8af894355e55f42625f277375a3a488e64f33904cd18fdda053d8b783a2bb9b6ee33e134fc13c868

/data/data/app.six/databases/sdffsfdsfdsfsd-wal

MD5 61e95b72ecbe8d6fc6fc59c0fca0f26d
SHA1 8f26d0bb52489284d90ba2f4eb5d0d4a867c9800
SHA256 58f7839b27143e671772794247fe153d220f5e1454d45e8297c3f2f044c4a32d
SHA512 5a2396893df0fff4ea5b8b4a232b3296469c6eea867324e5f745c0b3c259b290a7286197a668aa944f2dd99a6e11e5bbb5234efc7602691cd487d79472448a4d

/data/data/app.six/databases/sdffsfdsfdsfsd-wal

MD5 e01c786a935bd30c9bebc8d4cb48870c
SHA1 4a63f0320929bb191fb4c6200cfb9b8379263c9f
SHA256 1131a72ab2c76a53c490961cb57a759405b479630b92fdc8f7c4d8c505eb78b5
SHA512 ffd068804d89456241e81df3368b44314a9fc685933c51c36d9672ff07034867b03f4ded1d49c6287ffe561d580b6ca675e775b9b27006bc5344323173cb7328

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 a7fd5080cefd103309a7f1a8f0045dd5
SHA1 3f00e916e505b24e4138dc7e7331f34f79d544b3
SHA256 b84af7a8302be85e71e51b10f45b81cc8ca812e13268da7cd0b215131fb76d64
SHA512 e26c8ffd0a98813eeb00f8fb26fe09303d74cf156daa62923329be446688e7f8c9fa21591c088f4bc69c51d2ba47384bc3dc9f9e429570a4baadf3b76650c580
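The Files sections list two SQLite databases in the app's private directory, `a` and `sdffsfdsfdsfsd`, each captured several times together with -journal, -wal and -shm sidecars. The code below is an added example, not part of the report and not the sample's own code: it reproduces the digest set the report prints per file, dumps a database's user tables, and builds a constructed WAL-mode database to show why a database copied without its -wal file comes back empty. The table name and rows are invented and say nothing about the sample's real schema.

```python
"""Recovering app SQLite databases from a sandbox run (added example, not report output)."""
import hashlib
import os
import shutil
import sqlite3
import tempfile


def file_hashes(path):
    """MD5/SHA1/SHA256/SHA512 of a file, the digest set the report lists for each file."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {n: d.hexdigest() for n, d in digests.items()}


def dump_database(path):
    """Return {table: [rows]} for every user table.
    Work on a copy, never the evidence: opening a WAL database creates or
    rewrites the -shm file and closing it checkpoints the -wal."""
    con = sqlite3.connect(path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        return {n: con.execute(f'SELECT * FROM "{n}"').fetchall() for n in names}
    finally:
        con.close()


def demo_wal_pitfall():
    """Write rows into a WAL-mode database, copy it two ways, read both copies back."""
    work = tempfile.mkdtemp(prefix="sqlite-triage-")
    try:
        src = os.path.join(work, "a")
        con = sqlite3.connect(src)
        con.execute("PRAGMA journal_mode=WAL").fetchall()
        con.execute("CREATE TABLE sms(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
        con.executemany("INSERT INTO sms(sender, body) VALUES (?, ?)", [
            ("+15555550100", "constructed message 1"),   # constructed rows, not sample data
            ("+15555550101", "constructed message 2"),
        ])
        con.commit()
        # The committed rows now live in a-wal; nothing has been checkpointed into
        # the main file. Copy while the writer is still open, the way a sandbox
        # snapshots the directory mid-run.
        main_only = os.path.join(work, "main_only")
        with_wal = os.path.join(work, "with_wal")
        os.makedirs(main_only)
        os.makedirs(with_wal)
        shutil.copy(src, os.path.join(main_only, "a"))
        shutil.copy(src, os.path.join(with_wal, "a"))
        shutil.copy(src + "-wal", os.path.join(with_wal, "a-wal"))  # -shm is rebuilt on open
        con.close()
        return {
            "hashes": file_hashes(os.path.join(with_wal, "a")),
            "main_only": dump_database(os.path.join(main_only, "a")),
            "with_wal": dump_database(os.path.join(with_wal, "a")),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = demo_wal_pitfall()
    print("main file alone :", result["main_only"])
    print("main file + -wal:", result["with_wal"])
    print("sha256 of copy  :", result["hashes"]["sha256"])
```

The same applies to the -journal files in the tables above: a rollback journal holds the pre-image of pages from an in-flight transaction, so a main database copied without it may contain a half-applied write, and the repeated captures of `a-journal` and `sdffsfdsfdsfsd-journal` with different hashes are successive states of that journal, not separate databases.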