Malware Analysis Report

2024-10-19 12:06

Sample ID: 240521-m6rknabc4t
Target: 6311dbe19b9ec870859f47a134941e57_JaffaCakes118
SHA256: 93a0f9c688ee9c17ca883f0eb186ea450bd0f6b39c13e97723d9ce17a9ae26d1
Tags: discovery evasion execution persistence stealth trojan collection credential_access impact
Score: 8/10


Analysis Overview

Threat Level: Likely malicious

The file 6311dbe19b9ec870859f47a134941e57_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Checks CPU information

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 11:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 11:04
Reported: 2024-05-21 11:08
Platform: android-x86-arm-20240514-en
Max time kernel: 23s
Max time network: 131s

Command Line

com.devolver.reigns.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.devolver.reigns.hack

Network

Country | Destination | Domain | Proto
GB | 216.58.213.3:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | freegeoip.net | udp
US | 172.67.165.196:443 | freegeoip.net | tcp
US | 1.1.1.1:53 | lp.androidapk.world | udp
US | 172.67.165.196:80 | freegeoip.net | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.devolver.reigns.hack/databases/evernote_jobs.db
/data/data/com.devolver.reigns.hack/databases/evernote_jobs.db-journal
/data/data/com.devolver.reigns.hack/databases/evernote_jobs.db-shm
/data/data/com.devolver.reigns.hack/databases/evernote_jobs.db-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 11:04
Reported: 2024-05-21 11:08
Platform: android-x64-20240514-en
Max time kernel: 48s
Max time network: 151s

Command Line

com.devolver.reigns.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.devolver.reigns.hack

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | freegeoip.net | udp
US | 172.67.165.196:443 | freegeoip.net | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | lp.androidapk.world | udp
US | 172.67.165.196:80 | freegeoip.net | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 172.217.16.226:443 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.204.68:443 | | tcp

Files

/data/data/com.devolver.reigns.hack/databases/evernote_jobs.db
/data/data/com.devolver.reigns.hack/databases/evernote_jobs.db-journal

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-21 11:04
Reported: 2024-05-21 11:08
Platform: android-x64-arm64-20240514-en
Max time kernel: 25s
Max time network: 132s

Command Line

com.devolver.reigns.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.devolver.reigns.hack

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.234:443 | | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | freegeoip.net | udp
US | 172.67.165.196:443 | freegeoip.net | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 172.67.165.196:80 | freegeoip.net | tcp
US | 1.1.1.1:53 | lp.androidapk.world | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp

Files

/data/user/0/com.devolver.reigns.hack/databases/evernote_jobs.db
/data/user/0/com.devolver.reigns.hack/databases/evernote_jobs.db-journal