Malware Analysis Report

2025-01-19 06:56

Sample ID 240522-wgpjfaba2t
Target 681b10db9feb43c1da1cbac0a81fd195_JaffaCakes118
SHA256 2fab85457935f7da9c8dfe30ba4e7faf28a38c8ef6ae56ccee4a13d115541e12
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

2fab85457935f7da9c8dfe30ba4e7faf28a38c8ef6ae56ccee4a13d115541e12

Threat level: shows suspicious behavior

The file 681b10db9feb43c1da1cbac0a81fd195_JaffaCakes118 was classified as showing suspicious behavior (score 7/10). The domains (oc.umeng.com, alog.umeng.com) and cache files (umeng_it.cache, .um/um_cache_*.env) recorded in the behavioral runs are consistent with the Umeng analytics SDK, and several of the summary signatures (device ID, MCC, Wi-Fi and connectivity queries, CPU and memory reads) are routine for such SDKs. The findings that most need explaining for this package (main process smskb.com) are therefore the READ_SMS and PACKAGE_USAGE_STATS permissions and the runtime clipboard listener, not the signature count.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Checks CPU information

Checks memory information

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 17:53

Signatures

Requests dangerous framework permissions

Permission                                 Description
android.permission.WRITE_SETTINGS          Allows an application to read or write the system settings.
android.permission.READ_PHONE_STATE        Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE   Allows an application to read from external storage.
android.permission.READ_SMS                Allows an application to read SMS messages.
android.permission.PACKAGE_USAGE_STATS     Allows an application to collect component usage statistics.
android.permission.WRITE_SETTINGS          Allows an application to read or write the system settings.
android.permission.READ_PHONE_STATE        Allows read-only access to phone state (as above).
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.

Process and target are not recorded for static signatures. The static analysis lists WRITE_SETTINGS, READ_PHONE_STATE, ACCESS_COARSE_LOCATION and WRITE_EXTERNAL_STORAGE a second time, i.e. the package declares them more than once. Of the seven distinct permissions, READ_PHONE_STATE, ACCESS_COARSE_LOCATION, READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE and READ_SMS are runtime permissions (protection level dangerous) that produce a user prompt. WRITE_SETTINGS and PACKAGE_USAGE_STATS are not in that class: they are special app access permissions, granted on a dedicated Settings screen and enforced through AppOps, so they never appear in the normal runtime permission dialog.
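As an added example (not the sandbox's or the app's code), the following Python parses a constructed manifest fragment carrying exactly the permissions listed above, reports which are declared more than once, and splits them into runtime-prompted and special-access classes. The manifest wrapper and the protection-level tables are assumptions taken from the AOSP platform manifest; only the permission names and the package name smskb.com come from this report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed manifest fragment: package name and <uses-permission> entries
# are taken from this report's static1 table (including the rows listed
# twice); everything else in the manifest is assumed.
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="smskb.com">
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="app"/>
</manifest>
"""

# Runtime ("dangerous") permissions keyed by the permission group the user is
# prompted for. Subset of the AOSP platform manifest, assumed for this example.
RUNTIME_DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "CONTACTS",
}

# Special app access permissions: no runtime prompt; the user grants them on a
# dedicated Settings screen and the framework checks them through AppOps.
SPECIAL_ACCESS = {
    "android.permission.WRITE_SETTINGS": "Modify system settings",
    "android.permission.PACKAGE_USAGE_STATS": "Usage access",
    "android.permission.SYSTEM_ALERT_WINDOW": "Display over other apps",
}


def declared_permissions(manifest_xml):
    """Return (unique permissions in declaration order, names declared more than once)."""
    root = ET.fromstring(manifest_xml)
    seen = {}
    for node in root.iter("uses-permission"):
        name = node.get(NAME_ATTR)
        if name:
            seen[name] = seen.get(name, 0) + 1
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    return list(seen), duplicates


def classify(permissions):
    """Split permissions into runtime-dangerous (by group), special-access and other."""
    result = {"runtime_dangerous": {}, "special_access": {}, "other": []}
    for perm in permissions:
        if perm in RUNTIME_DANGEROUS:
            result["runtime_dangerous"].setdefault(RUNTIME_DANGEROUS[perm], []).append(perm)
        elif perm in SPECIAL_ACCESS:
            result["special_access"][perm] = SPECIAL_ACCESS[perm]
        else:
            result["other"].append(perm)
    return result


def triage(manifest_xml):
    perms, dups = declared_permissions(manifest_xml)
    groups = classify(perms)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "unique_permissions": len(perms),
        "duplicate_declarations": dups,
        "runtime_groups": sorted(groups["runtime_dangerous"]),
        "special_access": groups["special_access"],
        "other": groups["other"],
    }


if __name__ == "__main__":
    for key, value in triage(MANIFEST_XML).items():
        print("%s: %s" % (key, value))
```

Run against the fragment above this yields four runtime permission groups (LOCATION, PHONE, SMS, STORAGE), two special-access permissions and four duplicate declarations; a real APK would be fed through the same functions after decoding the binary manifest with a tool such as apktool or aapt.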

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 17:53

Reported

2024-05-22 17:54

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353   -       udp

Only mDNS multicast on the sandbox network was seen; no process was started and no signature fired in this run, so none of this traffic is attributable to the sample.

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 17:53

Reported

2024-05-22 17:57

Platform

android-x86-arm-20240514-en

Max time kernel

63s

Max time network

131s

Command Line

smskb.com

Signatures

Checks CPU information (evasion, discovery)
Indicator: file opened for read /proc/cpuinfo

Checks memory information (evasion, discovery)
Indicator: file opened for read /proc/meminfo

Queries information about the current Wi-Fi connection (discovery)
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) (discovery)
Indicator: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)
Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks if the internet connection is available (discovery)
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Reads information about phone network operator (discovery)

No process or target is recorded for these signatures.

Processes

smskb.com

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
GB       172.217.169.14:443    -                         tcp
US       1.1.1.1:53            www.google.com            udp
GB       172.217.16.228:443    www.google.com            tcp
US       1.1.1.1:53            oc.umeng.com              udp
CN       59.82.23.79:80        oc.umeng.com              tcp
US       1.1.1.1:53            alog.umeng.com            udp
CN       223.109.148.176:80    alog.umeng.com            tcp
GB       142.250.178.3:443     -                         tcp
US       1.1.1.1:53            www.smskb.com             udp
CN       122.114.120.35:80     www.smskb.com             tcp
CN       223.109.148.130:80    alog.umeng.com            tcp
GB       142.250.200.46:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       216.58.204.78:443     android.apis.google.com   tcp
CN       223.109.148.178:80    alog.umeng.com            tcp
CN       223.109.148.141:80    alog.umeng.com            tcp
CN       223.109.148.177:80    alog.umeng.com            tcp
CN       223.109.148.179:80    alog.umeng.com            tcp
US       1.1.1.1:53            alog.umeng.co             udp

The 224.0.0.251:5353 row is mDNS multicast from the sandbox network and the 1.1.1.1:53 rows are the DNS lookups answered by the sandbox resolver; rows without a domain are TLS connections (port 443) that the sandbox did not tie to a lookup. All traffic to the Umeng hosts and to www.smskb.com goes to port 80, i.e. presumably cleartext HTTP, which matters because the signatures in this run show the app collecting Wi-Fi, MCC and operator details that an analytics SDK would typically upload.
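To turn a network table like the one above (the behavioral2 table has the same shape) into something a detection engineer can act on, the rows have to be split into resolver lookups, multicast noise and real peers, and the peers grouped by name. The Python below is an added example and not part of the report: its input rows are copied from this run's table, and treating 1.1.1.1:53 as the sandbox resolver, link-local multicast as noise and port 80 as cleartext HTTP are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed input: rows of this report's behavioral1 network table, copied
# as printed (country, destination, optional domain, protocol).
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 1.1.1.1:53 oc.umeng.com udp
CN 59.82.23.79:80 oc.umeng.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 142.250.178.3:443 tcp
US 1.1.1.1:53 www.smskb.com udp
CN 122.114.120.35:80 www.smskb.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

# country, ip:port, optional domain, proto
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Assumptions for this example: 1.1.1.1:53 is the sandbox's resolver, multicast
# destinations are network noise, and port 80 carries cleartext HTTP.
RESOLVER = "1.1.1.1"
CLEARTEXT_PORTS = {80}


def parse_rows(text):
    """Parse the flattened table into dicts; raise on a row that does not fit."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable row: %r" % line)
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Separate resolver lookups and multicast noise from real peers, then group peers."""
    queried = set()                # names the sample looked up
    by_domain = defaultdict(set)   # domain -> IPs actually connected to
    unresolved = set()             # peers the sandbox could not tie to a lookup
    cleartext = set()              # peers contacted on a cleartext port
    for r in rows:
        if r["ip"] == RESOLVER and r["port"] == 53:
            if r["domain"]:
                queried.add(r["domain"])
            continue
        if ip_address(r["ip"]).is_multicast:
            continue
        if r["domain"]:
            by_domain[r["domain"]].add(r["ip"])
        else:
            unresolved.add(r["ip"])
        if r["port"] in CLEARTEXT_PORTS:
            cleartext.add(r["domain"] or r["ip"])
    return {
        "queried_domains": sorted(queried),
        "queried_but_not_connected": sorted(queried - set(by_domain)),
        "resolved_hosts": {d: sorted(ips) for d, ips in by_domain.items()},
        "unresolved_peers": sorted(unresolved),
        "cleartext_http": sorted(cleartext),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

On this input the summary separates the one name that was looked up but never connected to (alog.umeng.co), the two port-443 peers with no name, and the three names contacted over port 80; the domain-to-IP map is what goes into a blocklist, while the unresolved peers need a second source (TLS SNI or certificate from the pcap) before they are worth blocking.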

Files

/data/data/smskb.com/files/umeng_it.cache

MD5 0a9509986f01484669c512261379e88c
SHA1 a3a08aff36b38822fda175af2ae10f7c7f924e50
SHA256 010836c6959e364550ffd4832602c9a1e4b8069f7fa77bc9aa80c15180a095df
SHA512 fa332a933fe20f226cf7918c42438b17aedeb0f8e2768a9f6a3e7b841b1d5a25b7e292c128f1f2ea365f8ff8d281e770304032f93fb1c5a53ab30503b411792a

/data/data/smskb.com/files/.um/um_cache_1716400501756.env

MD5 2e1a94742ad6a747290b45f0a8ba7d2a
SHA1 c45761e27ecf190c68b1e46bd0aa3d381f131b01
SHA256 fd6750d72950aa2a1fd5048219db39bdef29691130bdd3f6b94c509213d97255
SHA512 b56bf8a3834249ded272adfe2f43188d82f3faf32fe92f6dfbb7fcc82b22c100e334b336d3df4945156989215c54b54b80b230c9a431518e13640f2fe76d93f5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 17:53

Reported

2024-05-22 17:57

Platform

android-x64-20240514-en

Max time kernel

65s

Max time network

153s

Command Line

smskb.com

Signatures

Checks CPU information (evasion, discovery)
Indicator: file opened for read /proc/cpuinfo

Checks memory information (evasion, discovery)
Indicator: file opened for read /proc/meminfo

Obtains sensitive information copied to the device clipboard (collection, credential_access, impact)
Indicator: framework service call android.content.IClipboard.addPrimaryClipChangedListener

addPrimaryClipChangedListener registers a callback for every change of the primary clip, which is how an app harvests pasted passwords, one-time codes or wallet addresses. On Android 10 and later the platform only lets the foreground app or the default input method read the clipboard, so this listener yields data only while the app is in the foreground; on older releases it works from the background too.

Queries information about the current Wi-Fi connection (discovery)
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) (discovery)
Indicator: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)
Indicator: framework service call android.app.IActivityManager.registerReceiver

Checks if the internet connection is available (discovery)
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries the unique device ID (IMEI, MEID, IMSI) (discovery)

Reads information about phone network operator (discovery)

No process or target is recorded for these signatures.
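The /proc/cpuinfo and /proc/meminfo reads above (the same two signatures fire in behavioral1) are tagged evasion because emulator fingerprinting commonly looks for emulator hardware strings, a single core and small RAM in those files; device-profiling SDKs read the same files, so the read alone does not prove an emulator check. The Python below is an added example, not code from the sample or the sandbox: it parses constructed cpuinfo/meminfo text and applies the heuristics such a check typically uses. The two sample inputs, the marker strings and the RAM threshold are assumptions made for illustration.

```python
import re

# Constructed samples. EMULATOR_CPUINFO mimics the shape of /proc/cpuinfo on a
# goldfish-based Android emulator image; DEVICE_CPUINFO mimics a physical ARM
# handset. Neither is a capture from the sandbox runs in this report.
EMULATOR_CPUINFO = """processor\t: 0
model name\t: ARMv7 Processor rev 1 (v7l)
BogoMIPS\t: 13.53
Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
Hardware\t: Goldfish
Revision\t: 0000
"""

DEVICE_CPUINFO = """processor\t: 0
model name\t: ARMv8 Processor rev 4 (v8l)
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
processor\t: 1
model name\t: ARMv8 Processor rev 4 (v8l)
Hardware\t: Qualcomm Technologies, Inc SDM845
"""

EMULATOR_MEMINFO = "MemTotal:        1534340 kB\nMemFree:          812000 kB\n"
DEVICE_MEMINFO = "MemTotal:        5839472 kB\nMemFree:         2311324 kB\n"

# Strings emulator-detection code commonly looks for in the Hardware and
# model name fields. Assumed list for this example; real checks use more.
EMULATOR_MARKERS = ("goldfish", "ranchu", "vbox", "android_x86", "virtual")

# Below this much RAM the environment is treated as suspicious. Assumed value.
MIN_PLAUSIBLE_RAM_KB = 2 * 1024 * 1024


def parse_procfile(text):
    """Parse 'key : value' lines into a dict; a repeated key keeps its first value."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), value.strip())
    return fields


def cpu_count(cpuinfo_text):
    """Count 'processor' entries, one per logical CPU."""
    return sum(1 for line in cpuinfo_text.splitlines()
               if line.lower().startswith("processor"))


def meminfo_kb(meminfo_text, key="MemTotal"):
    """Return the value of one /proc/meminfo field in kB, or None if absent."""
    m = re.search(r"^%s:\s+(\d+)\s*kB" % re.escape(key), meminfo_text, re.M)
    return int(m.group(1)) if m else None


def emulator_indicators(cpuinfo_text, meminfo_text):
    """Return the reasons the environment looks like an emulator (empty if none)."""
    cpu = parse_procfile(cpuinfo_text)
    reasons = []
    hardware = cpu.get("hardware", "").lower()
    model = cpu.get("model name", "").lower()
    for marker in EMULATOR_MARKERS:
        if marker in hardware or marker in model:
            reasons.append("cpuinfo marker: %s" % marker)
    if cpu_count(cpuinfo_text) == 1:
        reasons.append("single CPU core")
    total = meminfo_kb(meminfo_text)
    if total is not None and total < MIN_PLAUSIBLE_RAM_KB:
        reasons.append("MemTotal %d kB below %d kB" % (total, MIN_PLAUSIBLE_RAM_KB))
    return reasons


if __name__ == "__main__":
    print("emulator sample:", emulator_indicators(EMULATOR_CPUINFO, EMULATOR_MEMINFO))
    print("device sample:  ", emulator_indicators(DEVICE_CPUINFO, DEVICE_MEMINFO))
```

A sandbox that wants the sample to proceed past such a check has to present a cpuinfo without these markers, more than one core and a realistic MemTotal; conversely, when triaging, the interesting question is what the app does after the read, since only a branch on the result distinguishes evasion from telemetry.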

Processes

smskb.com

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            oc.umeng.com              udp
CN       59.82.23.79:80        oc.umeng.com              tcp
US       1.1.1.1:53            alog.umeng.com            udp
CN       223.109.148.177:80    alog.umeng.com            tcp
US       1.1.1.1:53            android.apis.google.com   udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.204.78:443     android.apis.google.com   tcp
GB       142.250.187.232:443   ssl.google-analytics.com  tcp
GB       142.250.187.206:443   -                         tcp
US       1.1.1.1:53            www.smskb.com             udp
CN       122.114.120.35:80     www.smskb.com             tcp
CN       223.109.148.130:80    alog.umeng.com            tcp
GB       172.217.16.238:443    -                         tcp
GB       142.250.179.226:443   -                         tcp
CN       223.109.148.178:80    alog.umeng.com            tcp
CN       223.109.148.141:80    alog.umeng.com            tcp
CN       223.109.148.179:80    alog.umeng.com            tcp
GB       142.250.178.4:443     -                         tcp
US       1.1.1.1:53            www.google.com            udp
GB       172.217.169.68:443    www.google.com            tcp
CN       223.109.148.176:80    alog.umeng.com            tcp
US       1.1.1.1:53            alog.umeng.co             udp

As in behavioral1, 224.0.0.251:5353 is sandbox mDNS noise and the 1.1.1.1:53 rows are resolver lookups; this run additionally contacts ssl.google-analytics.com over TLS. The Umeng endpoints and www.smskb.com are again reached on port 80 only.

Files

/data/data/smskb.com/files/umeng_it.cache

MD5 cd7007c75a1472b47db1f7b1e0da77f8
SHA1 a38433c8ffc02c8e4e02975a2c313e85afb1afb2
SHA256 34f014f212526d0a0700387b3ac0e71f085568c7968f01eba6b7dfa9c75063a5
SHA512 56d35033aed86f0881423ab796a04dbc9f2793ce7a7c36025489bf898fc61decee04feeb884c780336d490f104634bad71942b64b96cb842b9486c1bc334c508

/data/data/smskb.com/files/.um/um_cache_1716400501889.env

MD5 a9cfdc436adcc5083b14e9edea85e6fd
SHA1 0506a788e6889c90e58dd96f8d177dbb7984b131
SHA256 935465c6837a1869a14b6f4f83cbe802f99da6e593b404819139c4ad1acb7217
SHA512 b6e1ee8391a7e712260ac96567ace665095dd560ff15186efa2151f7d54a7a41dba615aa24363885439274337c92860136b94fba216dde9bd418c5a0b5bea5c2
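The two behavioral runs each wrote umeng_it.cache and a .um/um_cache_<number>.env file, but with different hashes and different numbers. The number is a Unix epoch in milliseconds, so the name changes on every launch and the hashes are per-detonation artifacts rather than reusable indicators. The Python below, an added example and not part of the report, decodes those timestamps, checks that they fall inside the run window, and reports which artifact hashes are stable across runs. The paths and hashes are copied from the Files sections of behavioral1 and behavioral2; treating the report's Submitted/Reported times as UTC is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed from the Files sections of the behavioral1 and behavioral2 runs
# in this report (path -> SHA256). The run window is the report's Submitted
# and Reported times, assumed here to be UTC.
RUN_FILES = {
    "behavioral1": {
        "/data/data/smskb.com/files/umeng_it.cache":
            "010836c6959e364550ffd4832602c9a1e4b8069f7fa77bc9aa80c15180a095df",
        "/data/data/smskb.com/files/.um/um_cache_1716400501756.env":
            "fd6750d72950aa2a1fd5048219db39bdef29691130bdd3f6b94c509213d97255",
    },
    "behavioral2": {
        "/data/data/smskb.com/files/umeng_it.cache":
            "34f014f212526d0a0700387b3ac0e71f085568c7968f01eba6b7dfa9c75063a5",
        "/data/data/smskb.com/files/.um/um_cache_1716400501889.env":
            "935465c6837a1869a14b6f4f83cbe802f99da6e593b404819139c4ad1acb7217",
    },
}
SUBMITTED = datetime(2024, 5, 22, 17, 53, tzinfo=timezone.utc)
REPORTED = datetime(2024, 5, 22, 17, 57, tzinfo=timezone.utc)

# A 13-digit number between '_' and '.' in a file name: epoch in milliseconds.
EPOCH_MS_RE = re.compile(r"_(\d{13})\.")


def embedded_timestamp(path):
    """Return the UTC datetime encoded in the file name, or None if there is none."""
    m = EPOCH_MS_RE.search(path)
    if not m:
        return None
    ms = int(m.group(1))
    # Split seconds and milliseconds so no float rounding creeps in.
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def normalize(path):
    """Replace the per-run epoch with a placeholder so paths compare across runs."""
    return EPOCH_MS_RE.sub("_<epoch_ms>.", path)


def compare_runs(run_files, submitted, reported):
    """Classify artifacts as stable (same hash in every run) or volatile."""
    per_path = {}    # normalized path -> {"hashes": set(), "runs": set()}
    timestamps = {}  # original path -> datetime decoded from the name
    for run, files in run_files.items():
        for path, sha256 in files.items():
            entry = per_path.setdefault(normalize(path), {"hashes": set(), "runs": set()})
            entry["hashes"].add(sha256)
            entry["runs"].add(run)
            ts = embedded_timestamp(path)
            if ts is not None:
                timestamps[path] = ts
    # A hash is only usable as an IOC if every run produced the same bytes.
    stable = sorted(p for p, e in per_path.items()
                    if len(e["hashes"]) == 1 and len(e["runs"]) == len(run_files))
    volatile = sorted(p for p, e in per_path.items() if len(e["hashes"]) > 1)
    return {
        "stable_hashes": stable,
        "volatile": volatile,
        "timestamps": {p: ts.isoformat() for p, ts in timestamps.items()},
        "within_run_window": {p: submitted <= ts <= reported for p, ts in timestamps.items()},
    }


if __name__ == "__main__":
    for key, value in compare_runs(RUN_FILES, SUBMITTED, REPORTED).items():
        print(key, value)
```

Both embedded timestamps decode to 2024-05-22 17:55:01 UTC, inside the 17:53 to 17:57 window of the runs, and no artifact has a stable hash, so the path pattern /data/data/smskb.com/files/.um/um_cache_*.env is the only file indicator worth keeping from these two runs.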

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 17:53

Reported

2024-05-22 17:53

Platform

android-x86-arm-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353   -       udp

Only mDNS multicast on the sandbox network was seen; no process was started and no signature fired in this run, so none of this traffic is attributable to the sample.

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 17:53

Reported

2024-05-22 17:54

Platform

android-x64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353   -       udp

Only mDNS multicast on the sandbox network was seen; no process was started and no signature fired in this run, so none of this traffic is attributable to the sample.

Files

N/A