Malware Analysis Report

2025-01-19 06:58

Sample ID 240522-cvc8sahc77
Target 65ad0375ec7c1b75a36242b2872a3d34_JaffaCakes118
SHA256 44afce93020bdd8f3ba3e0c62a654447371b9e84de8e019832e09df901930b86
Tags
collection credential_access discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

44afce93020bdd8f3ba3e0c62a654447371b9e84de8e019832e09df901930b86

Threat Level: Shows suspicious behavior

The file 65ad0375ec7c1b75a36242b2872a3d34_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Checks memory information

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks if the internet connection is available

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 02:23

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 02:23

Reported

2024-05-22 02:26

Platform

android-x64-20240514-en

Max time kernel

156s

Max time network

152s

Command Line

com.lurensoft.audior

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.lurensoft.audior

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
GB 172.217.169.14:443 tcp
GB 172.217.16.226:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/data/com.lurensoft.audior/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 02:23

Reported

2024-05-22 02:26

Platform

android-x64-arm64-20240514-en

Max time kernel

155s

Max time network

132s

Command Line

com.lurensoft.audior

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.lurensoft.audior

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.36:443 www.google.com tcp

Files

/data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 02:23

Reported

2024-05-22 02:26

Platform

android-x86-arm-20240514-en

Max time kernel

153s

Max time network

131s

Command Line

com.lurensoft.audior

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar N/A N/A
N/A /data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.lurensoft.audior

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.lurensoft.audior/files/oat/x86/__pasys_remote_banner.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
GB 142.250.178.10:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp

Files

/data/data/com.lurensoft.audior/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8

/data/user/0/com.lurensoft.audior/files/__pasys_remote_banner.jar

MD5 981c6cf9b7df281081e05c808cf0afd5
SHA1 48aabea85a9693f461f87e1bdb9f8e76a8b45c1b
SHA256 639cf990e6246c0418adf545481ca1549a3ac1b443bb3ad3f5a3552400e41f0e
SHA512 b6e668c33021b64adaa304a4e085a2c5c88c16c99e811a4c768534fd67cd6cc380e125e960de511c3abc33c7b842be1441a7dd48aff83c2928d62ebaf65f6adc