Malware Analysis Report

2025-01-19 06:58

Sample ID 240522-lkn2zaah41
Target 66d009b47bcae4402f92b6dbd06815e2_JaffaCakes118
SHA256 a17894f1f8f612a1518ffec42df26d0aeafa5114811441c920baade5bca040ec
Tags
collection discovery evasion persistence credential_access impact
Score: 8/10


Analysis Overview

Score: 8/10

SHA256

a17894f1f8f612a1518ffec42df26d0aeafa5114811441c920baade5bca040ec

Threat Level: Likely malicious

The file 66d009b47bcae4402f92b6dbd06815e2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion persistence credential_access impact

Requests cell location

Queries information about the current nearby Wi-Fi networks

Queries information about the current Wi-Fi connection

Checks CPU information

Queries information about running processes on the device

Queries the mobile country code (MCC)

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about the phone network operator

Reads device software version

Requests dangerous framework permissions

Checks if the internet connection is available

Analysis: static1

Detonation Overview

Reported

2024-05-22 09:35

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 09:35

Reported

2024-05-22 09:35

Platform

android-x86-arm-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 09:35

Reported

2024-05-22 09:35

Platform

android-x64-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 09:35

Reported

2024-05-22 09:35

Platform

android-x64-arm64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 09:35

Reported

2024-05-22 09:38

Platform

android-x86-arm-20240514-en

Max time kernel

23s

Max time network

156s

Command Line

com.nbblabs.toys.singsong

Signatures

Requests cell location

Tags: collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries information about running processes on the device

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries information about the current nearby Wi-Fi networks

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about the phone network operator

Tags: discovery

Processes

com.nbblabs.toys.singsong

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | hmma.baidu.com | udp
HK | 103.235.47.161:80 | hmma.baidu.com | tcp
US | 1.1.1.1:53 | k.nbblabs.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.201.98:443 | | tcp

Files

/data/data/com.nbblabs.toys.singsong/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

/data/data/com.nbblabs.toys.singsong/files/__local_last_session.json

MD5 c04de80e43c84bb4d891e816b5fda152
SHA1 45f503868c2aa3aec350939b34d8fd1a6861ed78
SHA256 fc2c039959b0fb7b9e7eec923e3854dddd329e201281744cab03dd7e1ddc33a1
SHA512 dc700b5cde1f9a8b59c3a7c35fab4026a358e119fee80722646fbab9ec6b239895c2c1036d47f2eaafcf1c0d65d100832e2ed078ab926740f558f52d1adf3e83

/data/data/com.nbblabs.toys.singsong/files/__local_last_session.json

MD5 9bd254ace35b4bb93e42f0ecf9968eed
SHA1 b7e4609fa292dcf6e46b7a47e85a7842ef77218e
SHA256 18d50dbe60bb0089de0940841d1b8f38002d766669e3a21a760edb492aba54cd
SHA512 df96a800984e38398af99e12c34737d23fe61a1852fbb323bd96cf8668e80d40341e6865f7925d8c28ff2e0001b7d6ab11dbe621d429a2746c259aff1241c06c

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 09:35

Reported

2024-05-22 09:38

Platform

android-x64-20240514-en

Max time kernel

47s

Max time network

132s

Command Line

com.nbblabs.toys.singsong

Signatures

Requests cell location

Tags: collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries information about the current nearby Wi-Fi networks

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads device software version

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getDeviceSoftwareVersionForSlot | N/A | N/A

Reads information about the phone network operator

Tags: discovery

Processes

com.nbblabs.toys.singsong

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | hmma.baidu.com | udp
HK | 103.235.47.161:80 | hmma.baidu.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | k.nbblabs.com | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/com.nbblabs.toys.singsong/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

/data/data/com.nbblabs.toys.singsong/files/__local_last_session.json

MD5 2d0836f65fca719ac372fdc39d63f629
SHA1 edde58d8b76e2bb37cf329da2856d990945b8832
SHA256 65feca5886a28e24ab12f6e0012d46d0323e616bce841c491f1d1cd0e43abe3b
SHA512 a1963a17a6bbc23e67404f534e8cc01ebdd5eb07b4face82785764265ed48b45dc99ebbf80dd2e35b49ff6826788409c4a597bfe7c9289f85c119dfac9a60367

/data/data/com.nbblabs.toys.singsong/files/__local_last_session.json

MD5 2566418c563231ba484fb385a9a23dcd
SHA1 c35795fac92640f900937e18b5bf934aa0e8ec56
SHA256 20b411761895230161cf25489688f75588856f86f2f1fe2fcb09d27918d7b330
SHA512 5c32a3c1b71031bccf94e208a4e15a462b9e47fdf596139c09c0b0ac542e22ddd821a0c3512c1840020e6e2325631e33109fe82028b994d42155ea32ebfefedc