Malware Analysis Report

2024-09-09 19:08

Sample ID 240521-xeyvrsef39
Target 645d1f6b879a251b9e6108aafdf118c7_JaffaCakes118
SHA256 6174cc9bfa3c267fc916dbabc3c2885f88d844f1f9b59708f65b9c74a995ae35
Tags
discovery evasion impact persistence privilege_escalation stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

6174cc9bfa3c267fc916dbabc3c2885f88d844f1f9b59708f65b9c74a995ae35

Threat Level: Likely malicious

The file 645d1f6b879a251b9e6108aafdf118c7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence privilege_escalation stealth trojan

Removes its main activity from the application launcher

Queries the mobile country code (MCC)

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Tries to add a device administrator

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 18:46

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 18:46

Reported

2024-05-21 18:49

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

131s

Command Line

com.i6uu.knowall

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Tries to add a device administrator

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.i6uu.knowall

system

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.nd-buu.com | udp
US | 1.1.1.1:53 | www.up-4g.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp

Files

/storage/emulated/0/Android/.android/.hzconfig/.okp/BeanZhan/log

MD5 135742eb16b419443f94e025f0fc8b72
SHA1 d71d8bbe0c03f72b1c5e276e213c833e16a25b3d
SHA256 7f7b2e09a8f38432fe7c078f4b65f4e528b832b850dfce83246b74038cbbfd19
SHA512 3f56f6743b25601289570002c55a5a2d3a6903e475db39195b5c57da90d19f168bcc37d2807623c15569d526377c3dca8b98e557cfeac7d8f57a3760a6480d7e

/storage/emulated/0/Android/.android/c-userAgent

MD5 d3c6e16dad4f6aa1e4619391b9eb63ac
SHA1 62534310880c5c89e6739c383975c26b6a7b4d36
SHA256 3bc2accee0bd9675584d0073832695e7e76bd2d47d80ed9883e6b6184f3dfaee
SHA512 e20a51645fdb7b7a4c783e8458f0cd06e2a506d225386fd44313ec329c46bfab3fbb1d2bca972cdc808f9598619cac1655f7702fed2c0da1054c709d62da5be0

/storage/emulated/0/Android/.android/.hzconfig/.okp/BeanZhan/log

MD5 257aff5b76eebd078cd44a412b3c4264
SHA1 2ff8a4542c9ae0a694668c55df691854d9c8813d
SHA256 9fe7fb86b39bbe393f374adc5eddd20f6d4ff2b5178548add095c86240213105
SHA512 e046856e0e4a4555fecdeb965e4d26f620a1e89ec0aefb17a0c75b8ead44bc332e40d4237f3c81dbefa92627cb75bcf2ef79849179b3da7f60f87beecd59353c

/storage/emulated/0/Android/.android/c-imei

MD5 748d9beeaa1899252a7365b780b95fb0
SHA1 2158cbe9044f2b138df0094615afe6616e526c9d
SHA256 59290d2d5a77605f8140feb82e44e8438115fb2f93dc56ed4c225b88c21baaa8
SHA512 cdeb0c4cebf1cc96ebda6940763a940df76120ee991bc7f003480caf055a970f16e4a19ef2ba2c56fa056d539b981e16542ec7239a7b91dd3828585bc2d1e440

/storage/emulated/0/Android/.android/.hzconfig/.okp/BeanZhan/log

MD5 00bf99b40e022253cc4cf68578c40fb8
SHA1 fcaaa46e9399868d13d62a3e74cee966f1419a34
SHA256 f2c6bddcf7fe45fb41146a0ef31c3ab612c15061c292df95f1eed4b70a8e4deb
SHA512 15aaecd110d3389c1ac62c9b601d470e887f987a3aa765b8e7cab8923fa1139073901806cf3569898440ffd5fac575472232c50f871e8e07df4e3709358ef6b5

/storage/emulated/0/Android/.android/c-imsi

MD5 4b75c50754c47755bb6178f186fe81d9
SHA1 052f5e320f526cf3cb4ce981fe49b8e1f5d6464e
SHA256 db76e954e8a83bf685d0ae8f4d80a14ada31d442f60aeff7423457a2474931b6
SHA512 51c5d86f35f4cf6fad0753e03ece31b7d17f1e2be8e63e013dc91b9ace99b1ad92608791495592311d71e53a6f377b0e7eced23ea91be2ed1a19f20420d3cf9e

/storage/emulated/0/Android/.android/.hzconfig/.okp/BeanZhan/log

MD5 17da4cba3b238ff94cf62c3713dd71e3
SHA1 2860bfbf68aca880dd7eb5716204c33b1f0e7534
SHA256 9df1f837be4e75f9fa1bbdf1266632b19bf76fd8d6da26cf43859dc65b3a9a8c
SHA512 a2c251b3d9ba4f89ca65646029cef8ff195441e0632e719cd3dacf72c14b7d875f4cee5985af8eb0981439d8c775c56a225ebcdf05f99edec5e2e241f7867b70

/storage/emulated/0/Android/.android/.hzconfig/.okp/BeanZhan/log

MD5 9932ab958a3ad33779e8a1f943831192
SHA1 22ad5068409a9e44903cc1256324a5e3abd96462
SHA256 bfcb81ff5cd3470d212e2bae4a7b872dfdbcd2a4173ee3758d47c94a1c684a53
SHA512 68910ae3d434a069a08c5715e28ec8d0a318ef1143833fb50f2efc1cf13ac0aedc44a78248f37f2e80b702ce125810f774c1f655a5235aa49af897fe424ec3ee

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-intercept

MD5 b68d0e79c4e8e441a14cba2a929408bb
SHA1 82127d8b2466d502294950486e30e7584ee3878d
SHA256 a8b55a9d389ef4c5e03457142b0421421b4873ba011ca61253deeb7726d3ca50
SHA512 010556dbaeaa4cd44ce1773ed35cf893684d46fe9498df97cfc7a3e86c2ce060ef9e7bd14c8c46e19c732de4c1d927281b0009e96ec11529c6183bc03e1348c6

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-phone

MD5 03c03447e1afadbc7b36f708595c5d44
SHA1 c4fc425270d098606f7e79b756bd6fbaadc2a718
SHA256 84b9be03b1628f5c6b57506aa699daff7a0ddd54588a63e70dc3570f302fa930
SHA512 8ad31256b987843ce79e327cfabfb8c3d00968573ecd97c081577725acff32c8c5b8cfe7193833aa5be321dc9cafbb0fadf9e4ce06f98b06580709d1544bb9cb

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-imsi

MD5 11abca93427a493510ed491065c59d7a
SHA1 9008fdfd52416ea229a86c51158b97a8dec99d73
SHA256 6ba1d8b50f60723da697630dea4bd14da5c2230b6c0bce1c2170641888255157
SHA512 e2dddf4a4c9d29758869cbc42c081879f88480c81db3472ece54a972a0aed8732dc43623edd264d4deaeee38173badaebdc034e6051e52a12bbcbf9fc4abd168

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-count

MD5 897316929176464ebc9ad085f31e7284
SHA1 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7
SHA256 9a271f2a916b0b6ee6cecb2426f0b3206ef074578be55d9bc94f6f3fe3ab86aa
SHA512 a546d1300f49037a465ecec8bc1ebd07d57015a5ff1abfa1c94da9b30576933fb68e3898ff764d4de6e6741da822a7c93adc6e845806a266a63aa14c8bb09ebb

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/config

MD5 2cf4c28468037cc93de7b41e627cdb4e
SHA1 8b2c5ffbfd1273600afd48632cc0eab64f827952
SHA256 71117afaa4b3d414d4dc5a74e1061f1745a2b7e9f3d25a5220d51f3172201683
SHA512 228d2260f1c798fe2ebf357c2652ef951a3d015818bae5798cf90b99390578548fc9e7d30a261ac56e1a9436804b6c3802645c2474fcfdbf227954a964a9b42d

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/index

MD5 a3aefbcbf31fa0bc12b9a73bc9d67976
SHA1 b9584684faa01e39bf3fa4db606dbaa86bb46943
SHA256 99a357b646bc6d0d81ac188c8bfffcbf6ab8f8f72a5d262fe81624f6f9a9a66c
SHA512 cd4cac5877e1c6998bb8e17966de516c6fa3169df25e81a8a3d3754288274c6312275782c52ca63bc7b443f4fb6cc629cc65f155ad290458f52abed8225ca5da

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-count

MD5 b026324c6904b2a9cb4b88d6d61c81d1
SHA1 e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e
SHA256 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
SHA512 3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

/storage/emulated/0/Android/.android/.szconfig/.okp/BeanLin/log

MD5 e11138cf3171a61f82f68128617ab523
SHA1 190aa7e54847de54497f75bbb022899dbffdc0ba
SHA256 f21bfe1efbeac3f88091a66c2f71cb3c838f75368dfc93eaee8213216018d773
SHA512 387613c84abe233b9a3f0ae0990a0e976db89ff031ac8241048546dac0bc13c7f17c02af6c09576723a85586b701b70ea2cc0a1e57e6342ee5b3150ee3d4de84

/storage/emulated/0/Android/.android/.szconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-intercept

MD5 0a909baa2a7964f6876d98b5924da185
SHA1 17fe9662c6b9ae4e4b642c47529976e69f877670
SHA256 e8bbcd33ef7d5142b898fa7a8727bed5010c3d9e381fb46c658503669c0aa0a5
SHA512 7485b503687c7c173371a03041c153543d2e2c9fd8b183ada4ce7547b65f78c5e712a7274e059ae9dab7a2edc959a7fd4bcb220aa8a680a10d0d2365761d3293

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/index

MD5 ac63f03f800c493b3c24d008a55bee43
SHA1 21199b85aab05db95777c723799a71eb759a66f9
SHA256 4ea437cacd9ae36c26f66a0e6cb928dc583b669a1f1e01ba67a3c45c9929e875
SHA512 e2593bef6957521ab4754ae7cbcb71c4463fceec7dbfe27d843fea392976e511258feea946269b47e7bdef5bec4044573fe098f6a73d2590af7986c9dfdbff74

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-lastTime

MD5 1f954c543b8468ce8405e446f652b3bf
SHA1 2127043125b03aeb089ec644005f572d5bc53a77
SHA256 3e637eebdccd8fd582775f8c7a32dd3aa7314e594783684f08e9e5b872083c31
SHA512 f176797debb4ff5018351ad65e84e636cab11b15c6c97405132b14a24d9103e9dff71bb6785bf410ccd8ac893bb4f94dc2b1a3e5df7fb5f9d3fc3517f44c16e4

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-nextTime

MD5 e0cf812053ffac15e6aca336855f3c07
SHA1 9f92b2edee0a4ca808385f2888d2efd051a64e46
SHA256 ef68587e6ac4b05484a0ee6901d8534d6af4d22d770d8173d66087d791a5c0db
SHA512 ee7ea6eea4511c565ac2354b51b74c50adc016d96e05ed19c001ec939c3a1c41ea4d00f1f00fba0cb833fdff6d880abea169891fb2fa6fa0701532fb74e356b7

/storage/emulated/0/Android/.android/.hzconfig/993a943c7a6f65c5f8dafb8d30175e0c/c-nextAdTime

MD5 adb03945d0f69e0f8e29e0e58d07d02b
SHA1 3f6efcd4de10f65d159fd9fdb940530ce453a05c
SHA256 f2a8881e9a3808c94de5edae8213b7d3bc5c10d6574805867decff716a2af814
SHA512 5c09d06131dafee1ee142df237edb05898b908c77b5aaf499177b01cf2a5e66a118793d44ae82c987696c88e298c59db935bf13edae50e6c59eb09a49df84b09