Malware Analysis Report

2025-01-19 07:01

Sample ID 240522-r5fh8aeh3w
Target 679f92481a5fd52740f69c7639a4311f_JaffaCakes118
SHA256 9e14bedc5f5a619ffd5ed95eb98312384ac0da2667bacbf3daeea5f359b67212
Tags collection discovery evasion persistence credential_access impact
Score 7/10


Analysis Overview

Score 7/10

SHA256

9e14bedc5f5a619ffd5ed95eb98312384ac0da2667bacbf3daeea5f359b67212

Threat Level: Shows suspicious behavior

The file 679f92481a5fd52740f69c7639a4311f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion persistence credential_access impact

Checks memory information

Queries the mobile country code (MCC)

Reads the content of SMS inbox messages.

Reads the content of the SMS messages.

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks CPU information

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported

2024-05-22 14:46

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 14:46

Reported

2024-05-22 14:49

Platform

android-x86-arm-20240514-en

Max time kernel

162s

Max time network

151s

Command Line

com.tk.tmovie

Signatures

Checks CPU information

Tactics: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tactics: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

Tactics: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads the content of SMS inbox messages.

Tactics: collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Reads the content of the SMS messages.

Tactics: collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactics: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.tk.tmovie

Network

Country | Destination | Domain | Proto
GB | 142.250.200.42:443 | N/A | tcp
GB | 142.250.178.10:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.206:443 | N/A | tcp
GB | 142.250.179.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 120.55.16.135:80 | N/A | tcp
CN | 116.62.69.130:80 | N/A | tcp
CN | 116.62.69.130:80 | N/A | tcp
US | 1.1.1.1:53 | vod.taiku001.com | udp
US | 1.1.1.1:53 | mvod.lianmengad.com | udp
CN | 116.62.69.130:443 | mvod.lianmengad.com | tcp
CN | 116.62.69.130:443 | mvod.lianmengad.com | tcp
CN | 116.62.69.130:80 | mvod.lianmengad.com | tcp
CN | 116.62.69.130:80 | mvod.lianmengad.com | tcp

Files

/storage/emulated/0/2024-05-22WJLog.txt

MD5 ebaa92488a9b5550cd07b745c00e24d8
SHA1 417a47c1adcdf2215d01c90f1fb7c802fda45634
SHA256 a5e11734dc179a116dfeb2064553e22509508140856eacb2fd22d62fe375b681
SHA512 b8c6c9ac3eb732a8aa877fea59dd4b4450271998984fce47389afbb8dbbc2829d40afaeb9a8eda8bf402703e2f9e71d556f9b25a2918f6de558d05be96cb6340

/storage/emulated/0/2024-05-22WJLog.txt

MD5 2500add4ce82941ca9e9704c356ac0bc
SHA1 b28fb6187c62d1a0f21b3c2c03e1c0907e8db401
SHA256 6fa48a0560e639d00a787d99ec1b943cccf91e88adbe0780eab8d2602a9b9e91
SHA512 4a100d3008be0776bd97cae5b98f8369a3c921761ed9dee06e40f49c9c5290d38780e6301782663a575095f0d331addc6f8b3c2be31a909f7a935b9578f35a3c

/storage/emulated/0/2024-05-22WJLog.txt

MD5 df694ea48826dbd66d2d5e79765bb15e
SHA1 a639fbee387df5d8f38afa4db1ac3d592693adc2
SHA256 1ebd4127bfb91b85576bdcd02a6eb9c220acd4d4fc0d6632930fe59e56afe8f1
SHA512 9dffb0ac40277d5bb24a76e86348471e392e5385011655a9c074b46f1e1a03733241e654ae06d1f95be9b7760ea01de9a382966e8cf75ec36c381f5ac652e0c9

/storage/emulated/0/2024-05-22WJLog.txt

MD5 5935cfbf1208145bae8a313db3d9231e
SHA1 1b5fe6c1ccf41cbe2c24c6d5f07815ff2ea830bf
SHA256 c6378e8fe085802a3986a015fac2a8e7c8eaa3c77dafee5a03b97601d955f2de
SHA512 7e287a832cf6565d481bc401fe3780498fdcd2e6f3c2061b53ff77d7e227321c9bd54b93f34929058eb4ad826ddadcd5b345436537ba41fa3854b7ebe4ff1ff5

/storage/emulated/0/2024-05-22WJLog.txt

MD5 8932317bb93e4e05e6e55fc94b614f0b
SHA1 4ad0a6c682869ac3eeefd5fec862cb48ffda596e
SHA256 09cf1fd5791d999579bb8e0984e9b8a4ef1f8135c83505ee197fac3c96e090a2
SHA512 a9a0a1418a4f3547197707e64da980950b4503767ed2e3a12cf078639d9f3320977bfbf83be390ce7cbcda2eb8db0893610fa4a653367448babf18875f9239d5

/storage/emulated/0/2024-05-22WJLog.txt

MD5 3987b2e1da5cee637c2776196c29b674
SHA1 f560ddb36dcdd5115f3cd59457262c93c4259366
SHA256 feaeb32786f314df84e341565b3c4812adc2ecf7558cb7e262cb66b9ae75bc85
SHA512 4956212f601686f9dd5a4acb44a88422f82ee11c6aaa3f740821a715bba319175de2ee86853a509b8a8ead49be2ec140cfbe766b9e13bfd12b30a5e07478ef23

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 14:46

Reported

2024-05-22 14:49

Platform

android-x64-20240514-en

Max time network

138s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 216.58.213.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 216.58.212.194:443 | N/A | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 14:46

Reported

2024-05-22 14:49

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

157s

Command Line

com.tk.tmovie

Signatures

Checks CPU information

Tactics: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tactics: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tactics: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Reads the content of SMS inbox messages.

Tactics: collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Reads the content of the SMS messages.

Tactics: collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Processes

com.tk.tmovie

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 120.55.16.135:80 | N/A | tcp
CN | 116.62.69.130:80 | N/A | tcp
CN | 116.62.69.130:80 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | vod.taiku001.com | udp
US | 1.1.1.1:53 | mvod.lianmengad.com | udp
CN | 116.62.69.130:443 | mvod.lianmengad.com | tcp
CN | 116.62.69.130:443 | mvod.lianmengad.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
CN | 116.62.69.130:80 | mvod.lianmengad.com | tcp
CN | 116.62.69.130:80 | mvod.lianmengad.com | tcp

Files

/storage/emulated/0/2024-05-22WJLog.txt

MD5 07da7fea98503b3e23912f04b0f83867
SHA1 b41e43d2bed950d9d987f36aa71194e324e9e24f
SHA256 3a8a91ac62a312fb043d8113f1c176ae5192bb28727d8c9f23555959c00e58d1
SHA512 5710ad74831de328bdb16f35b26c3261d2f3fb8919c352a06a57649c4e4d2d5ee251199352558a2dfee432865f371ab8c18bac9a5f8295880672a45fe2fc8ad5

/storage/emulated/0/2024-05-22WJLog.txt

MD5 8742bee78770b95805749aaffbd9d826
SHA1 dbd1266bd3c63f67a126c4a06fd0d60736d7ce8a
SHA256 d821c3e84847e6d7b7213c7e8b3298f4aea10f38cf2b39528fc679d765716386
SHA512 6d6d057b78fa9aa20a19454e39913340477a9ba27b5374951cb734b67ee2f533290c33c595b659ece8608eed27d4294f725798934fa4d62319898072f85c272d

/storage/emulated/0/2024-05-22WJLog.txt

MD5 0ca3aa8875a434a060b4d3f05406a441
SHA1 f5126354cc1d21f3b915e984ca348067e9ad0b95
SHA256 d0f3770caf130fb2c65b97aa82bc7047152b5ea630e7acf1f9e8898d9fc563b8
SHA512 5c595dc9e59f4098ea84504048fbdb779da0279d0a98fdf3ffbc4382fe8057f4eca9c0ba415e06747330349ae6bbd5485770ef02771a10b03e7bbdba7c40efdb

/storage/emulated/0/2024-05-22WJLog.txt

MD5 7e273f5bd293e1143934cf45ecc3b4e9
SHA1 f4a1681c9df5d62811ca65af5fd906375076c616
SHA256 ff9f4281580539df1b43c42d67a84943e2a4537d79882dd8b541d83635c62c40
SHA512 8dbf6c458a487070663caad139d594bd28ed128217c175dd13a642f83137cc64b11e97fe9fbb86ff5afbc732dc15b900e1ae2413eb269eef2b90d553ea9bed74

/storage/emulated/0/2024-05-22WJLog.txt

MD5 c84c7bae2623dd42b37416d306d54829
SHA1 c5c40e436b2d3a781667005826b593fab34e4097
SHA256 60999c21e9224c9d163b3684536f341be16ff29b2e54dcb483a39b24d6dfd78a
SHA512 3dde9ab3c0ae7996ce89dacfa37074cc24b188ceb06cc0561723d32657061925792ac55a94777c4650d51a470fa24b9a0d0dcd4ce0fc9cb53c8f2a8226465762

/storage/emulated/0/2024-05-22WJLog.txt

MD5 5f76ad56e49febff284559a69165e509
SHA1 2eb8bece17d3ce9819e32e42855af025bf839768
SHA256 1cd60de7cab492343de6d6bbf3afa0314b96b5e1629cc3420c9c850fb8e6f463
SHA512 f8e3ab3ef7a3b112af924ae8e1e681060d1d9bc49b753cffff7b91139300fc767b4409eea665460c0670eb390cbd77125afef83c1726a9eae9844389303508ca