Malware Analysis Report

2024-09-09 19:10

Sample ID 240524-hmy36sgh92
Target 6da745b2902991a4035478cf96176ba2_JaffaCakes118
SHA256 3b40c1caeffdf0859dc59a7cab4f59b8d2a3c51cee474e4a35fec05a00566163
Tags
discovery evasion impact privilege_escalation stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

3b40c1caeffdf0859dc59a7cab4f59b8d2a3c51cee474e4a35fec05a00566163

Threat Level: Likely malicious

The file 6da745b2902991a4035478cf96176ba2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact privilege_escalation stealth trojan

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-24 06:51

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 06:51

Reported

2024-05-24 06:55

Platform

android-x86-arm-20240514-en

Max time kernel

12s

Max time network

131s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.3:443 | | tcp
US | 1.1.1.1:53 | whiteeehat.ru | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

/data/data/app.six/databases/a-journal

MD5 13374b090868acb8b33f20cec3bf3ca0
SHA1 2c2a55269f65dc297e1a9515ccc05daf8a0fdc45
SHA256 b28c8d4d34f60557f280dcc8081d8331ce5ba762fb94a30b04aacf8b8ab1748d
SHA512 7777bddd65876d226777578b67b52c61b0043ac7dd2b21abc885f5ad36595315e92a486d1dc2cb68408640561111d6ba120bb77a58394bb0211d6ab4803220af

/data/data/app.six/databases/a

MD5 d0017d12f9fc771e4752f1f43c3d6284
SHA1 766d2cce53d16e58837f9e874c5d7dd2aada7db6
SHA256 ed79a324c11f732ee0225fbe4f1a0d7cd15771e6fb5907c116aee78a73713844
SHA512 ab9ef3ddca8b3bdd9f6a63d37962b8856032ccc892c8c3613de6628862baa87ff94124728c236be30c2adf392ef80a39b858350511421242ae10a611da941b6c

/data/data/app.six/databases/a-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/app.six/databases/a-wal

MD5 7abb093dab5c3e6fc24a99a014c5a9b8
SHA1 d6b6716fb677957c07b2854eb9df338c3c4ee11d
SHA256 fd8366ebf5edabb7db7e6d5b3d786a0c2bdc208fceae8b7486751c65bbd79bde
SHA512 1ec51636d1d2c75f337baa5e63a16fe0cdc4a1314c6fdc09732bf99a0d7c71fcfc7865970cf162781efab7633605c15f13c3d60e5d7fd42fa14c747208b07f1e

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 6875f9639b69152521f3d7562cdb359d
SHA1 9551e758633225c329fbc432dd98a360a6b967bb
SHA256 26c7650b2f822656e983926b554ef9a5bc77dc43e8bb72c2ded5043eed2ae95c
SHA512 4a63fe95248ded3ac357f8ea80f44b30a6ff075f1253d3d35281f9d593361c2788fcb180ad25263615ae0969e90c4666b5851de5c63d1c1ce304a2d19cf66e5b

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 5417d1ba3cee1edf5732da4aa4c00db3
SHA1 0be527648c8e31072cfeda9e483e669336bf4255
SHA256 42a5dca47151f3ba4359d5f197fef21c6042f10ef4cd97751c7ac221fcf41b4e
SHA512 b5f194b78ac854f756ead547427cb26134dc357d0961d552cfdc060a4cc865e6969e60450a6375acbf03c0ce9559b027280b67af282d97f234aefc2dd7dea334

/data/data/app.six/databases/sdffsfdsfdsfsd-wal

MD5 27cbe26cb3d596aae029e7c3c00f621d
SHA1 35d29cf5d039cca9b469c41b379cd74e84c0dc4e
SHA256 9f0f669b840f35d1b8d7d043e3581444da09828be6a0508ea97565c04783b88e
SHA512 ca93c501e61c28ba162f623701fb4d8dc25f6bd30f069bc147d4263789687c66851d573c2a936c7b714d30cee4e73eea3df5dcd1775471bf2c44c8ebd69e3801

/data/data/app.six/databases/sdffsfdsfdsfsd-wal

MD5 5942087a4bbd5755dfc82606cefea202
SHA1 cd55170aeacd192c858958f4d706f2b33253151d
SHA256 ba7582b254e59e227b0dbc42b63c3b2be0c21dd4c9aab6389dadf4f8d886632d
SHA512 ee4ba927b13ca530b388cbb84c8466cbca2f6c04f5b3f5cee7b5798adbf52058ab30af9d33fe305a77fd7c009a4cb16e731acc60445ed5460dd2a8df1ad97023

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 be1557d39e687b01dc9559b25c758954
SHA1 21712240df1a5fac3eb209b72ea6197aab12d389
SHA256 f1bd012cc72dc102f1437d8a830af24c3874f8aad3b059e478ac4ee014646267
SHA512 6a7aca6e73f1116a5c2b0c2006f21d9368a03b7d1dae8a739b104c192c26d5d74c87df9a4b94043cce221ddd4696686bc43d19ec771314eeda68aee609f3e352

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 06:51

Reported

2024-05-24 06:55

Platform

android-x64-20240514-en

Max time kernel

13s

Max time network

130s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | whiteeehat.ru | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/app.six/databases/a-journal

MD5 627796523991a79a6fa12a6f6479538d
SHA1 35ad41136d9da62309ad8d84314df7d4be08775c
SHA256 b113a69220092c34f11c0b956cec914a7c4a2935231455ef08fe06bdc50dc4d2
SHA512 69328a515385c731b553c58a35237674fc0cd2d9bda66f43a9e8efd3eb2070ead76b9ef884b2edf41057ba4c155886eb8674d82bfa4ed5e098e539239439f7f0

/data/data/app.six/databases/a

MD5 8e5c58d97a70386139008313eb4ba7b5
SHA1 7233908909ef42393c4c5128c70d02d62b0e6186
SHA256 aefa4cbdcca9d7dbeadbba17a57f44a93ab159cb1d6ed33b5c86b119dd6d52fa
SHA512 84d5481a1ee989c00f6564b0b64e092471439ee026099d715f8b622909a442c3b31c5180d2cc5daaae71fee5dd40c02fee015e892caefb7858f89f20320f002b

/data/data/app.six/databases/a-journal

MD5 275521fca83f0e1e81a7db4acad0a142
SHA1 ed7534540bed9cc1588652d775ef923361a55740
SHA256 519f290593de491d8a5bebff450d8ed7506672ce70cfd7c82dab48f1d41be487
SHA512 528324d03ac88e98c6634d8c4ffddad7ca94cdaa7175f6a19efcc21b332a95e75f1c4b584448e32007d8db2e82a30a46130fb31c3f1d320d78c54da16f2bed3f

/data/data/app.six/databases/a-journal

MD5 a6c65491274d47ccb126d59e9f0676bc
SHA1 eb7396371935cdfa3f635e4837e39aeca5ac538b
SHA256 bdc211795f35683dc3c60da3e5b80a04417ae7f7045d8b02cacde8f389243533
SHA512 e54dc5b5ad2fabfe7718696860de1a2f668a8971dad4265c9afe858454b9592a19ad5c409702c24632ccf8b6657ecb4c2d9fda0ae9fdd91dd00e5498ed000e2e

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 aebe816275ceb7fda5771bf3478231dc
SHA1 388845cc860e8a3688b2ca4c34484231efde3a1f
SHA256 c1f8a765872865d122d1f87cc537aedbec5ee97955acdd471ece95e4e9626f63
SHA512 de45c03b4f34af8009a2f9076a207038931ad999199cd287483a7378c7e758a3f9b806e9024d619f812e10b71c6f1d34ebee2c731579c78e9b6b7c3f1010b45d

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 fbc3d50f1a57d581192d5b946d354e71
SHA1 70f55966e44c302802b41deb84c6a376551526da
SHA256 8440fc617d6769f3f2045da3fe0e10156a97ae5371df83b7fe6b744fceb74720
SHA512 8e643165e726cf30f61c6fb99f0958ed30f303645f0139ee83cc66cc7a8cead6ed4f15756fdd275d96be17ee02cec31ab2d55f281d3e074a2a8dd80da4327ba8

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 945294416749cd191f4a5fce66161a4f
SHA1 a390e1efcdc3089d3d74a469dca8fba7af82d178
SHA256 0198f61de86f6a124d7cd249e0c0ea01d45b1864ba0fbc8cd932fe063e8f5ec9
SHA512 bbcb68d1d54d6d9fdf73828dc1d50df367cef8b19e292cf07b4846f35cfeb671471e700eeb31d4efa59ae246a43b1cddcfeeef703f6251bf91c5513393cc92d2

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 769816ae6e569cba8ac916c6002b41c0
SHA1 ce6dff657266300fcabb3158cf33d6d69931d2b9
SHA256 872bf61af2e1f8f9774239f0f2b1c6931f8b4f71f0f9a8ea36fac9d6744898b4
SHA512 06615c48faeed4f22bda75643e7b01ba764e88cac6bee4db19a02a554d75d8c236d4d4445c1f6b612bd079b33c5eeb6b915265784386425397d1daefdfb350bb

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 0db95285a227754e97ac17c44b0c7169
SHA1 46dcc6466643ad909f49e0b1351cfa8b32c49402
SHA256 805cf6f15b9c88df39ebd6cf669551f046aad472791241a97c80c612195cd027
SHA512 8aef1a10e8b92fa0ba4aaf7b5326f9804c2224d6de82e4babf644871ddee3f67e226f40f6854eeb7013c4be853c8f4f0345db66a422c56d5808245b9e1f660cc

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 c865220d299f56cbce61bf28fef1a824
SHA1 43050aa574e8d4b3ebe7685c057269f8d9c814a7
SHA256 ca6021a0ba720ef0bff01dd82a3c9354207a5c990b38fefbf0b0bf1f8dfaf1b1
SHA512 89485b763ff0e345729cdd7568f2b9d05a220fdbd63373bc8cd7ff8764b65d1448be01d51063012d480d11261c3852d9d082513c3f589ff04e3a784fca8302e8

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-24 06:51

Reported

2024-05-24 06:55

Platform

android-x64-arm64-20240514-en

Max time kernel

17s

Max time network

130s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | whiteeehat.ru | udp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/user/0/app.six/databases/a-journal

MD5 4a3c79cea80d27b4240675a9144ccbf0
SHA1 a37d11c3f24aa3cdb1887fd8f4eb83d89524625b
SHA256 7a0bbc4d54ba7cba50ef560e17fa69cae1695897e5320c118b2764850957e7b8
SHA512 8de1631bbaa79b78e7c0723254a1b30ead4494b200c0a8f722333d08140bdcef2d4b744b65fa831433cd7310af7a62da2a71457194da7747250c3631090c5624

/data/user/0/app.six/databases/a

MD5 35e0fd029f763446d5048baa90575c00
SHA1 c70072be391880711cc3e8d6a59e349c9cf5efca
SHA256 646eabd5ffe9f4e7a50d6d667306f21a1ab4e0058167a0326b010f39b8dd4b84
SHA512 e350c32750686e42fa31472f1c064d88459670c14ee952d4ffac0186c4f863ee8154b1ee249f7fc784d5c69a69357d1ce91786b0e384ded23316907c9d93c955

/data/user/0/app.six/databases/a-journal

MD5 ede93c40c6e695176d5efa3dca9d73f0
SHA1 11884908518ecbc54ccf17e6ac604e3d6c01eb7b
SHA256 1600bfc41b9e86889a6dab8a64e2832af6795d1a9ffa6fd78de0b54f9a68032f
SHA512 2d23ad3e8a456141a6706ba8621ed34d5918c71d5eae8cbf74feb9054dbd780311606242da126bb2e18f3dc70d4905626733c4deeba96c324a33362d8a3f3438

/data/user/0/app.six/databases/a-journal

MD5 9c14872aa66923e39254e4943e2c8dcd
SHA1 373eb84d04954598986bcdbd36e35c8cc31ef074
SHA256 2b4e176e7dd13e3ed9e04f1fd32e56951137785d987a291cd2f21a96689ed9e5
SHA512 bda314a77fc2e8d102788e38b305aeb5176d031ffbb27c00c8f47ec43090c969249c648fa353ab63dcae029375393fc0023b7e909fb08c92cbf47a20a9b1ab37

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 6872930763e48d0dc802ef76bd3665af
SHA1 63020abb6dfb569ae5975d33974b975a9b543339
SHA256 e3f5e76689da79204b598b2e9220ee00419166ae530710acebff20eb4a948712
SHA512 838c67c31872608ef4afce85599e3a41299e1e9bf771e8cb16d1d53293b4cc23c6fa27625d85c4f07272e1cc6d6a298ef839aa48c83120ef172bcb90fac3b9d8

/data/user/0/app.six/databases/sdffsfdsfdsfsd

MD5 1471a38bf57ec945b46deeb18b5b2a87
SHA1 a37044c5dc70d57ee96c7a92f092f75e3b0b2d65
SHA256 729da931237e668b2e847862ae9cd255a7e1bce5b94d33d6d83a514cb376a627
SHA512 adea56f2fb4544bbe71ddb8cc09348a1d3f485800c62b08b596851322f4388ea7406bd4343d4a9093c94ef4e02bdf7d64c0e0fa4c3db021bb36f7126a5d88850

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 c747f6e38fd0758cebd52ca477d325bf
SHA1 1cc86a1c3a4bd72aebf30a5db09e305c9e77bc97
SHA256 b0baba968332d80a2e0d613b668130f71cf219c51c339b44bdbfa1491eaa006c
SHA512 abebaf2bf47cbccb7a86e4b1cd698fe1b6b956587da7225d919078c44018e6005150295a0b4ad0b491e2df50dbc0b811efe492bb9660bd08ec1f5c930bef42de

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 d4afa6a790294e49521b13475666eb9e
SHA1 527b414b04dd41f87fd1f5e2df83e9d73ff23e59
SHA256 9f1443ac7d02f5fcd7bc69e9dedfde67ec1b3a2fd586dd64a763a311088679f5
SHA512 ca177f3f2f40b6133604d40edfc1cd5f28df0ac07e90ce8560ac4bce9bfacaeea174046c6fb4fa3cb6372f8bdb28fca17ecbe5deb6af70b30202eaf5f5691d80

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 86ec1f7b14a4b617d174bd9e0d8fcfd8
SHA1 1e9b6935df3ecf188eba13473a6c270c6dc0d014
SHA256 e42289fd236623be25a5ec3c20dde79d8fcb6e630373e6665d5395f3a37a4498
SHA512 31d42c0ddec6959c786a08fb5f8260ee08fd032d5cc9793a522655a749ff40ff95e8b2459c41f9562f661a8426c5c09b6c6c4a8183b65de161c9c5eaa5ec2dfb

/data/user/0/app.six/databases/sdffsfdsfdsfsd

MD5 d8d536c7dbfdf6039254a0e0160fb966
SHA1 124b4143034271d992ba8972f725c51e5deda8b2
SHA256 f31390e534449263b21d03d01a7ccfb3e96f59298f31054653d695c3029408e6
SHA512 8fa2a518398b92b3640d11cf03d2f4d16b946f36510a5b6a5d595f52434a91d321ddb5c29a0b1f36e78db76dea90382b2c680f6e9b5226103bd29325cbcdbb98