Malware Analysis Report

2024-09-09 19:10

Sample ID 240523-xayzzacb79
Target 6be5db63a57e72ad2e7e392515263028_JaffaCakes118
SHA256 d6f8a80f7e5ef5656b672f0cd33a92a3f0a8535eb7ef44536624f9752d5fe3e7
Tags: collection credential_access discovery evasion impact persistence privilege_escalation
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 6be5db63a57e72ad2e7e392515263028_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence privilege_escalation

Queries the phone number (MSISDN for GSM devices)

Tries to add a device administrator.

Checks CPU information

Checks memory information

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-23 18:39

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-23 18:39
Reported: 2024-05-23 18:42
Platform: android-x64-20240514-en
Max time kernel: 177s
Max time network: 131s

Command Line

pob.xyz

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

pob.xyz

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | mpbcc.online | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp

Files

/data/data/pob.xyz/databases/sms-journal

MD5 ffe4312f05a1e4245b1edb9ffae6ca07
SHA1 1e03813086d97039d22a49d9b19e15cc5d93a968
SHA256 03d232fc261b480456d56a78530392d520cd13b9fa2d77d2f1106fb366cc9e05
SHA512 0cfc6928452b20518aa078a225f256a6e4b82c50142f0f5f4eb7cb9d6323852c3dd22a8ef0110bde3830fe18b6200a6f656c797587a45191d2c2593bd0322bb1

/data/data/pob.xyz/databases/sms

MD5 f75f1a2e4c5a2b0ea72dbdc73eb58bae
SHA1 10a6f42c6b3ed46ac52bf402e5c0b6ec2e770056
SHA256 61b3667c16a7ef98b9f6921ee38a5c8164cea5da99bcf9752baf1cd7aae14338
SHA512 12985e041f1ccae6d733d40c62eeec50a0a8138548ff17b20487ca226e2ffaf8f2689a0d1f401d6c4931c3cf00db3ad7c9c32347f5951110b4d99288d207e0c5

/data/data/pob.xyz/databases/sms-journal

MD5 514640444bc7e940737f4dd453f7dc4c
SHA1 ec55fd2d9828050aad852719a2c81dbe592f7ede
SHA256 be7c3b8185309411a7fa88e898b685032a094fb08eb12a69c393617394290801
SHA512 da5d079e7879cd00a9caf2572df32f68147b3f8321cf721187bf088835b78f310edb8e96c0f77c44075c91d8804952617338a54ea91145d36167fe815f6b6604

/data/data/pob.xyz/databases/sms-journal

MD5 067b4114b4b3b60654e9ef10e07b7455
SHA1 ac3b37debcb3b15043203316ce7b0145535fdaee
SHA256 6753818955dd488b65218e5b56310c233dc4b7073fd650a3d01a2772494ed23a
SHA512 2796b7d4dbca70f487b717d96efc6c91bfc0234f157522a5316ed8ef6d02eff0a953123d8da15ebecfc465cc8e123466a74286b16f1f1fc27e2297d998e893fe

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-23 18:39
Reported: 2024-05-23 18:42
Platform: android-x64-arm64-20240514-en
Max time kernel: 178s
Max time network: 132s

Command Line

pob.xyz

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

pob.xyz

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | mpbcc.online | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/user/0/pob.xyz/databases/sms-journal

MD5 6971afcd6c87122cfa6f4705e5a409c4
SHA1 107841d95cddc8a4d7eb7ebaffbf4cfc3a829cc2
SHA256 13ac76309d3f4dd7d9a5ee6eaf83eb81fc91a959f032d4bdbc78479ed4046fa3
SHA512 75d9d5aa8d2fecbcbe857ee5beaacd6d98cbc4a9b960e123f62fccc3d6edafa1a8ac05179b1073c6b7a4e68b1e4e138e830eed81e370266d869f9222271166d0

/data/user/0/pob.xyz/databases/sms

MD5 862c334a6fc3edade14ad9c3e87c6e98
SHA1 6df4251e383583e05a5e1453753bb2478a3c8abb
SHA256 5fc6e53b7d51c7676b37ffa3b0334e649b83bac92a9177f3cfc85d69570ada09
SHA512 7ff529f9b25197fb640bd9128abfaec489b1179485120ace6324758d0fc9eb2e2bbe05bfe32fd693715744367cdb6c0ba8646094e56e35c31c9593392f518d9f

/data/user/0/pob.xyz/databases/sms-journal

MD5 04b1bab721dc5ac7fd53fd5915d1d08b
SHA1 ca6fcb5ab59c7a9631e14fbad8c1a1c64215fdef
SHA256 f51ad9ab083f33d8ba9a42de0182a9015a211c80a5e4ea548c08e85f3ad9932e
SHA512 b9373d9e59914084a502e079dc49f4f0063839b660efb2c6f3ef1366cf0024cbae34242b3978b31a2794ac436c55d55beace6675f5236204d8a0317ec327d001

/data/user/0/pob.xyz/databases/sms-journal

MD5 f93ebd3814812ca324b5d4a511cfdc5b
SHA1 a6a98ff63127c0c50ca265529164e21ae199c07b
SHA256 ef0ebf4fb757cec12a7430ad90c638636c2081ef9ce5695abd6ec8f321d0d9d3
SHA512 38c2c5b3e305488a520fff288ec4a25066c9a72c50695ed71c58715b515dc91e68d75a8f4aa31823b3c5979ad15874d817a256a7ee85eb54c2e6ef24e89b1c4b

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-23 18:39
Reported: 2024-05-23 18:42
Platform: android-x86-arm-20240514-en
Max time kernel: 175s
Max time network: 131s

Command Line

pob.xyz

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

pob.xyz

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | mpbcc.online | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp

Files

/data/data/pob.xyz/databases/sms-journal

MD5 42ff3134315596dfd6be82d5fb9d7aed
SHA1 bd565eef9bb1d7174e4aaeb919e878a70819672b
SHA256 f51f60ba43a564ad9d78328e2a94f80ede5c0044a2bce7dd9d789f928deefa7e
SHA512 529cb58696c86a1f585ca7e1d70ba8b4a3fd27ec95f3a3566b28b8f9d72aa9a4c61d703f299f8cc4ed7234e86feafc57c047cabebf293ac6931c948e06cbef69

/data/data/pob.xyz/databases/sms

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/pob.xyz/databases/sms-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/pob.xyz/databases/sms-wal

MD5 a87c409b5c30a4d28a68ec2984a1e8f0
SHA1 94a0af12979efd21652eae376c8a1067cefc4189
SHA256 3dbcb2d67565562b4ed755e442612a99dbf71d79ba5727192993047f72529c6b
SHA512 d9ee0b7b00218c30fd91232d5b286000ba7e3764773098d05c78fe167963450dd9fb34cb9ab81d3edd313e8b2ab7ba4ec65fe9d6afd5e2d978d065e3606803a4