Malware Analysis Report

2024-09-09 17:54

Sample ID 240528-hmqf2ahh5z
Target 7c1244c864160d05f260cdf5b47365db_JaffaCakes118
SHA256 2f07e915c1f9e7589346d19854a70eb1b343800a7d141e1c6d7373da8a650088
Tags: discovery evasion impact privilege_escalation stealth trojan
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

2f07e915c1f9e7589346d19854a70eb1b343800a7d141e1c6d7373da8a650088

Threat Level: Likely malicious

The file 7c1244c864160d05f260cdf5b47365db_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact privilege_escalation stealth trojan

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Tries to add a device administrator.

Requests dangerous framework permissions

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-28 06:51

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
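The static1 findings above come from the sandbox's manifest parser. A practitioner will usually want to reproduce them from the decoded AndroidManifest.xml (for example the output of `apktool d sample.apk`) rather than rely on the labels, because the same pass also surfaces the pieces the behavioral runs later flag: the device-admin receiver and the launcher activity that the app removes from the launcher. The script below is an added example, not code from the sandbox or anything recovered from this sample. The manifest it parses is constructed: the package name and component names are invented, and the permission set is modelled on the table above but is not the sample's complete manifest.

```python
"""Static triage of a decoded AndroidManifest.xml.

Added example, not part of the sandbox report or the sample.  The manifest
below is constructed: component names are invented and the permission list
mirrors the report's table rather than the sample's real manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name for an android:<attr> attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions the report classifies as dangerous.
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE", "android.permission.GET_ACCOUNTS",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

# Constructed manifest (not the sample's); component names are invented.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="app.six">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the manifest facts an analyst checks first for an SMS/device-admin trojan."""
    root = ET.fromstring(xml_text)
    perms = [e.get(a("name")) for e in root.iter("uses-permission")]
    findings = {
        "package": root.get("package"),
        "dangerous_permissions": sorted(p for p in perms if p in DANGEROUS),
        "device_admin_receivers": [],   # receivers the system binds as device admin
        "sms_receivers": [],            # (receiver, priority) for SMS_RECEIVED
        "launcher_activities": [],      # what the app can later hide via setComponentEnabledSetting
    }
    for r in root.iter("receiver"):
        if r.get(a("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            findings["device_admin_receivers"].append(r.get(a("name")))
        for f in r.iter("intent-filter"):
            actions = {x.get(a("name")) for x in f.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                findings["sms_receivers"].append((r.get(a("name")), f.get(a("priority"))))
    for act in root.iter("activity"):
        for f in act.iter("intent-filter"):
            actions = {x.get(a("name")) for x in f.iter("action")}
            cats = {x.get(a("name")) for x in f.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                findings["launcher_activities"].append(act.get(a("name")))
    return findings


if __name__ == "__main__":
    for k, v in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-24s %s" % (k, v))
```

A high-priority SMS_RECEIVED receiver combined with SEND_SMS is the usual shape of SMS interception, and a BIND_DEVICE_ADMIN receiver is the prerequisite for the ADD_DEVICE_ADMIN prompt the behavioral runs record; neither is proof of malice on its own, which is why the static score is read together with the behavioral signatures.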

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 06:51

Reported

2024-05-28 06:54

Platform

android-x86-arm-20240514-en

Max time kernel

12s

Max time network

156s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
US | 1.1.1.1:53 | pizdostradalnica.info | udp
GB | 172.217.169.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.66:443 | | tcp
GB | 142.250.179.238:443 | | tcp
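Most of this Network table is emulator background traffic (mDNS, Google services the Android image contacts on its own). The one entry that is not is pizdostradalnica.info, and it appears only as a DNS query to 1.1.1.1 with no TCP connection attributed to it in any of the three runs, so the report shows a lookup, not a completed beacon. The script below is an added triage helper, not part of the sandbox report: it reproduces the behavioral1 rows in the sandbox's whitespace-separated form (constructed from the table above) and separates DNS-only names from hosts that were resolved and connected to. The list of Google suffixes treated as background noise is this example's assumption, not a report finding; the unattributed TCP peers it returns are left for the analyst to attribute by ASN lookup.

```python
"""Triage of a sandbox network table.

Added example, not part of the report.  REPORT_ROWS reproduces the behavioral1
Network entries; BACKGROUND_SUFFIXES is this example's assumption about which
destinations are the emulator's own traffic.
"""

REPORT_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
US 1.1.1.1:53 pizdostradalnica.info udp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.66:443 tcp
GB 142.250.179.238:443 tcp
"""

# Assumption: Android-image background traffic, not sample activity.
BACKGROUND_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
MDNS_ADDR = "224.0.0.251"


def parse_rows(text):
    """Rows are 'country dest[:port] [domain] proto'; domain is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # header or malformed line
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_background(domain):
    return domain is not None and (domain == "google.com" or domain.endswith(BACKGROUND_SUFFIXES))


def triage(rows):
    """Split the table into what matters for IOC extraction."""
    dns_queried = {r["domain"] for r in rows if r["port"] == 53 and r["domain"]}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    return {
        "mdns_seen": any(r["host"] == MDNS_ADDR for r in rows),
        "resolvers": sorted({r["host"] for r in rows if r["port"] == 53}),
        # Names resolved and then connected to, excluding background noise.
        "resolved_and_connected": sorted(d for d in connected if not is_background(d)),
        # Names looked up but never connected to: NXDOMAIN, sinkhole, or a
        # connection the sandbox could not attribute; needs follow-up, not an IOC yet.
        "dns_only": sorted(d for d in dns_queried - connected if not is_background(d)),
        # TCP peers with no domain attached; attribute by ASN/whois before judging.
        "unattributed_tcp": sorted({r["host"] for r in rows
                                    if r["proto"] == "tcp" and r["domain"] is None}),
    }


if __name__ == "__main__":
    for k, v in triage(parse_rows(REPORT_ROWS)).items():
        print("%-24s %s" % (k, v))
```

On these rows the only non-background name is in `dns_only`, which is the right place for it: a domain the sample asks for but never reaches is worth a passive-DNS and registration check and a watch-list entry, but it should not be written up as confirmed command-and-control from this run alone.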

Files

/data/data/app.six/databases/a-journal

MD5 4450be9cfb0cba76fcf2f026e7b13d8d
SHA1 8b5fbd26284ffc618bae44628232adc9af8fa0ff
SHA256 10b628ea5d2847e191d2c3b5013a164965911b25207f86216249f9f8335be9ba
SHA512 171322fc7ffc192360e0f9d141f3dd372cd27a0bd1853da7e1efdf7e243bc25dba80de43d629a38d62029e2f8d5fa6b1ee043eb8c14196c178fdf79a77fdc2b1

/data/data/app.six/databases/a

MD5 d0017d12f9fc771e4752f1f43c3d6284
SHA1 766d2cce53d16e58837f9e874c5d7dd2aada7db6
SHA256 ed79a324c11f732ee0225fbe4f1a0d7cd15771e6fb5907c116aee78a73713844
SHA512 ab9ef3ddca8b3bdd9f6a63d37962b8856032ccc892c8c3613de6628862baa87ff94124728c236be30c2adf392ef80a39b858350511421242ae10a611da941b6c

/data/data/app.six/databases/a-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/app.six/databases/a-wal

MD5 38431485e6bf5ba2755eb4963cb43cec
SHA1 3ac03ec843bcb3135c01b9750ced6b20d8b837d1
SHA256 f1f5e61ddf518c31ce72f00fd5e05050900e62a68127381a1703745024bf1a64
SHA512 a60bca08b1beaa81d23131aa1a1c9a78af18c49c1069aa1bdbbc73b107e955b9abe33f2067fe8566cb859e8e849892af225cc5cc3331b388c2a974f7a8683a0f

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 99184380e4d4ecc0d9045e9e45945f7c
SHA1 840ca665ad7352e5bcd4ab396e33218f1798f643
SHA256 e8ad4aa3a8e7da2be7fe99f33ca6bc86c9546a4067f0f8a108929e1658a15745
SHA512 92fb2a7acbec26303cdee50abbb83c7dd5639fecd7974a1a633f9a06e6ca10aaa0af1e4c231d52c6ab16fda619c86a7e51c2ee9d00234aa572a802b158b4fec0

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 9f54728978b34500c46e071c633832dc
SHA1 0e5642552256ef9d4b317d1e7a2b59aea24c06ca
SHA256 bde732597c3ab3066091049b11950560419df226ac259be323a9e538a137976b
SHA512 fdc6a4c3422a4bfd46ee3ba2f7fd34228bf695996190842c4ca52ed336ef29332e48fcdd4b99849d71c9b524c007f6b0e8a8f9dd37450ceabca2d8827b8cc712

/data/data/app.six/databases/sdffsfdsfdsfsd-wal

MD5 a0c6829740807372f3ef36a3ed992a1a
SHA1 326f8aba5219584768a952105d2f4749a30afff4
SHA256 076ea8cd35dd2788c9b59fae8013d2f5293691218460b9bbe0d8b2e3e199f0a6
SHA512 7e5524eeb2f4551952c0164317bd041d3cdb0c82dab25abe70a62545281ff719e1e13dbaa455992d3e776eb2317c51046eb38852add56903bae4bd1f337d76f7

/data/data/app.six/databases/sdffsfdsfdsfsd-wal

MD5 004dce960f18d04ecb3ad08034e48974
SHA1 9d89f65b031374c8844c41012f639158e5055dd7
SHA256 7c576562a4f5fdebc2b7c51377ebe61628d646e3ecc0e7b87264fdbc0062dba6
SHA512 c5bd74e280c87fc4d1ab093f2c03848ab54fc72ac1c3d7621df114793b713523d3fdf0183f3930838447dba4d56dc558f477b3cd31172c13ccad880dd2056456

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 42005fbb6d9d56de7d8b1015fe4c9cbb
SHA1 8010315e7d981b4a08aacc30a351fae6e0ce2f5e
SHA256 14ce15bb6b0861a8cc70061436f14eff05269331a0bf7b46d8a26d84ac31c100
SHA512 e5071ec58a9fd6f103263d034afa1591b6f3e22274d4e2865bb9089cb656742c45bcf4136adf83c2b18a67b8dfd6c1cbe68434ab4b684d75fd885add5b071df6
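The Files section lists SQLite artefacts: two databases ("a" and "sdffsfdsfdsfsd") plus their -journal, -wal and -shm sidecars, and the same path recorded more than once with different hashes, which is what a database being rewritten during the run looks like. When these are pulled from a device or emulator for analysis, the -wal file matters: in WAL mode, committed rows live in the -wal until a checkpoint, so copying only the main file silently drops them. The script below is an added example, not part of the report or the sample; it builds a throw-away database in a temporary directory (table, column names and rows are constructed), identifies each pulled file by header magic rather than by name, and shows the difference between pulling the main file alone and pulling it with its -wal.

```python
"""Triage of pulled /data/data/<pkg>/databases/ files.

Added example, not part of the report.  Builds a constructed SQLite database
in WAL mode to show why the -wal sidecar must be collected with the main file.
"""
import os
import shutil
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
WAL_MAGICS = (b"\x37\x7f\x06\x82", b"\x37\x7f\x06\x83")        # WAL header, either checksum order
JOURNAL_MAGIC = b"\xd9\xd5\x05\xf9\x20\xa1\x63\xd7"            # rollback-journal header


def classify(path):
    """Identify a pulled file by its header bytes rather than its name."""
    with open(path, "rb") as f:
        head = f.read(32)
    if head.startswith(SQLITE_MAGIC):
        # Byte 18 is the write-version: 1 = rollback journal, 2 = WAL.
        return "database(wal)" if head[18] == 2 else "database(rollback)"
    if head[:4] in WAL_MAGICS:
        return "wal"
    if head.startswith(JOURNAL_MAGIC):
        return "journal"
    if path.endswith("-shm"):
        return "shm"          # wal-index; no magic, rebuilt by SQLite on open
    return "unknown"


def list_tables(path):
    con = sqlite3.connect(path)
    try:
        return sorted(r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'"))
    finally:
        con.close()


def count_rows(path, table):
    con = sqlite3.connect(path)
    try:
        return con.execute('SELECT count(*) FROM "%s"' % table).fetchone()[0]
    finally:
        con.close()


def build_sample(dbdir):
    """Create <dbdir>/a in WAL mode with committed but uncheckpointed rows (constructed)."""
    os.makedirs(dbdir, exist_ok=True)
    con = sqlite3.connect(os.path.join(dbdir, "a"))
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA wal_autocheckpoint=0")   # keep every page in a-wal
    con.execute("CREATE TABLE sms(addr TEXT, body TEXT)")
    con.executemany("INSERT INTO sms VALUES(?,?)",
                    [("+10000000000", "otp 1234"), ("+10000000001", "balance")])
    con.commit()
    return con   # kept open: closing would checkpoint and delete a-wal


def demo():
    root = tempfile.mkdtemp()
    src = os.path.join(root, "databases")
    con = build_sample(src)
    try:
        kinds = {n: classify(os.path.join(src, n)) for n in sorted(os.listdir(src))}
        # Pull 1: main file only, what a naive `adb pull databases/a` yields.
        main_only = os.path.join(root, "pull_main_only")
        os.makedirs(main_only)
        shutil.copy(os.path.join(src, "a"), main_only)
        # Pull 2: main file plus its -wal sidecar (SQLite recovers the WAL on open).
        with_wal = os.path.join(root, "pull_with_wal")
        os.makedirs(with_wal)
        shutil.copy(os.path.join(src, "a"), with_wal)
        shutil.copy(os.path.join(src, "a-wal"), with_wal)
        return {
            "kinds": kinds,
            "tables_main_only": list_tables(os.path.join(main_only, "a")),
            "tables_with_wal": list_tables(os.path.join(with_wal, "a")),
            "rows_with_wal": count_rows(os.path.join(with_wal, "a"), "sms"),
        }
    finally:
        con.close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %s" % (k, v))
```

Pull the whole databases directory (and hash every file, as the report does) before opening anything, and open copies, never the originals: SQLite rewrites the main file and deletes the -wal on checkpoint, which is exactly why the same path shows up here with several different hashes.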

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 06:51

Reported

2024-05-28 06:54

Platform

android-x64-20240514-en

Max time kernel

14s

Max time network

152s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.10:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | pizdostradalnica.info | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/app.six/databases/a-journal

MD5 8e48122a85079162c9fd76c795e3a9b4
SHA1 674a6ca60a6b225e3914b0658c798bbf8943fda7
SHA256 c37e4549e227bc1c6e89f5c141c6d74b8d1d2e29e1b403aa0aa37faa690aa2b6
SHA512 f088cf81db0bcd8bf21558281aa3bbc2dcc7ab993c3b5a0d9082babd08c1fac1551548a08131f519d0cfa779c343e7ce735b84b01f9f9799fc380b59ee6e68e3

/data/data/app.six/databases/a

MD5 8e5c58d97a70386139008313eb4ba7b5
SHA1 7233908909ef42393c4c5128c70d02d62b0e6186
SHA256 aefa4cbdcca9d7dbeadbba17a57f44a93ab159cb1d6ed33b5c86b119dd6d52fa
SHA512 84d5481a1ee989c00f6564b0b64e092471439ee026099d715f8b622909a442c3b31c5180d2cc5daaae71fee5dd40c02fee015e892caefb7858f89f20320f002b

/data/data/app.six/databases/a-journal

MD5 3820a79972ab7385b1f8b9955a6aca02
SHA1 a733dc59d572110de9a5cc25be05f724e1f390df
SHA256 5579443d4dd4b9a399aadd9fd2e3641f037e01e7f800d3b5efecea279e6f284d
SHA512 962131128ae97849f3656b49b290d1fbf39a84fcbb0764c1cda160812a757b10f696c4cb924fce6b772f1341d47816394e29906a6110579315c3d62e64f2f0ad

/data/data/app.six/databases/a-journal

MD5 98f50729e13999f923286d1006f499d2
SHA1 488c80b7ed2c696cf052236baacd729a0bdccde7
SHA256 63d3e9af07e15bc81ec21dfaffc491d6c0046004b0414821f5ca7ad223498c81
SHA512 941b6dda0d840701355a93edca7f47823e882cabbdeaea047f9b58b189d581f18b09e1f0fdcc36e3d82de6200a7bd53ea43ad6caf9f8c7e5367738a57d6abd66

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 14a9fe374eebb7184c1aeae6f67e8930
SHA1 ab4481b4c0216be4dd148ddef0a47627b3c16d3a
SHA256 392ed7592878e632b95c5de66e925a38f4a15f5b6ea9bb2df305bdc215f5ebf8
SHA512 a9e23287bb2c50f8369a15b03d1ad61bc04e0593338450e8fe24a14e9dca3ebe30a7be5392b1a1fd980270d76bcca4bb442282e8f3c051a6327b2a8bdd117625

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 50c198c9396d252f6ade8d93b26748fe
SHA1 e56153d33595c35705d0f588c52e05f7dcd05fb8
SHA256 b8bc86c2108bc9f2c9f5ddf17b5e461375f817d6b289a2155e1db23adc1a1387
SHA512 4b6dfa01781905c52970e9c737ee4affe1a6e92fb8026d9dcbbdd99e20ecf73c86c1577be7c0780eea253033bf01b5f6434dcfe42f1af193c88c07af27bcf075

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 77f7bbff257541e150a7538857384a45
SHA1 c0548cf9e2bd649440667ac387c5dab67d9d4ff1
SHA256 068454111bac3e6cccdcfd06126492a6565faa5b603afd6d0b95b9368cd92256
SHA512 2df2edce85c8fb909bca2e7649b6cc4197802c2a9f17d6fdd6749eb194571a7285ec9e72869fc1e2f8f45883ee0a1b1983ffb8dcb1e9d95eb3270ed30355dd0c

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 a57ea0e736fd332475a0b0331f31c511
SHA1 efbaa271c61b3f333ca4792f06a8c024875e2fd4
SHA256 bdc09489a3265e71c89b82b7a60f890abcff943c56b7e2bdcc6f5abd7cd22e7e
SHA512 0d1d1677675dee34cb03f8d7fac589ea686c2c4d91e4bcb907acbc035e79ee975addcbce7b7075e8bacfae49eeabfbe53850192ca20e3ebc9f5a924c7594297d

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 6595b8685995641e018eb2b5cca358ed
SHA1 dcc6be5920870e2e3556e0ad3fbc6d668f9831f9
SHA256 6a1df0364f84b7c34986a57a1ba798802d5f8e0bfe9406bbd5a388dfa26aa6c7
SHA512 9dd1707206afb1002459d0d146be1e48b2d914a859bca227733b477e11c4cdfb970b6e2f42ce47544b6633ec8c52d81645d9671f1aab129f1035c0dc98de43de

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 89044fad2654999582f116622ba12917
SHA1 a6fb0cd6295b5d155cd1419ad28b45e4d6599068
SHA256 22761c66c07b6c10ae7df1e4e10bec2f41870391a75ac93f8bc252502e4e3d31
SHA512 74ce814d29897620eb57262bfa04e23d914904ee58c2325fbfdbf7d9f01add4046c28fc2faee1038f1766442798a2da8f8513b26a4772f78e0b628fc77352632

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-28 06:51

Reported

2024-05-28 06:54

Platform

android-x64-arm64-20240514-en

Max time kernel

14s

Max time network

132s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

app.six

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | pizdostradalnica.info | udp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/user/0/app.six/databases/a-journal

MD5 9e7182038ddac1b84969ea6aa4afe37d
SHA1 154709217b92dfe1ec602af4d8d3eb2cf4b516de
SHA256 319d2912b39b54929b69317088ba1f806d54f8a299449b4f9aa2dc01cc156b69
SHA512 7d9c6d8f576720e23b9e5e6e1b98f5da2d61c128d7af70ddebcbe7473ed5a6e341f936e25d527ca28ba54bb2fac92396cb755837cde3fea6fbbd3e135f5fc60f

/data/user/0/app.six/databases/a

MD5 35e0fd029f763446d5048baa90575c00
SHA1 c70072be391880711cc3e8d6a59e349c9cf5efca
SHA256 646eabd5ffe9f4e7a50d6d667306f21a1ab4e0058167a0326b010f39b8dd4b84
SHA512 e350c32750686e42fa31472f1c064d88459670c14ee952d4ffac0186c4f863ee8154b1ee249f7fc784d5c69a69357d1ce91786b0e384ded23316907c9d93c955

/data/user/0/app.six/databases/a-journal

MD5 48279a953020e1a2aab2cf622e1b55e0
SHA1 60d46416910146b4003cc3fff4f04570d354c614
SHA256 d879ea8ff518b3812f4ad5fa0a273de172e0e00f323f15b82ba775623e29bef9
SHA512 f04a0bfd7fe1214678ab6783769446cef5a2155c93910394f37389553c3a9dc80da6caa9a89f91a39bfaac0f23eb3dfbe8dbb6de6fcba992c0c06dae399969ee

/data/user/0/app.six/databases/a-journal

MD5 af6c1c6cafee6c9b083d75a7ef897782
SHA1 7d163a510edaad712d5da7f79b59fd3bf9df1e8c
SHA256 636be82a4caf8b59b34eae6bcf516c875c94a629eeccf6e28ac4a3ae09f458be
SHA512 881b48c6c3239371a8b948bfe27362226a305ddd9779102832359d9241bf662b0c9bb5d3b5fb5d96ed9394a54d0969ed30eec5ec4912528f5e2db424d3c4c5a7

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 a87f66362ee047a134df798401cddf4a
SHA1 246208a6a9e9c961fbd083924f5ca556ab74a13b
SHA256 cb7afbb2880191b188ff1c5bf14723698f0bfac5d023a7c75047114c0399053f
SHA512 ba8485995c910660d8fa80a6b44bc915c47bf70b0a3f33a2610f8fc67eeac091f03065060885383c25189a39e695edc188e3b3a652167e9e15adcadfac24e661

/data/user/0/app.six/databases/sdffsfdsfdsfsd

MD5 e050d8718c1e29fbef094ba4084164ec
SHA1 fab5e9b817616fc16e22afc34f9cb26443b7f9e0
SHA256 9797c3c152ea4257f414eea497498917df58e3175d6e5cee14291cd3af52d998
SHA512 a9fecb65b08531bdf9a819642a8400a38c86c86c4377dd9e970d8c1dc1655e8eb0d3ba6e883b0aaf9fdd615a9f7ae895101fc94c36f183377b3f8e98280ead51

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 197aa0bb8c1b2ee6b65a8969b519b1d1
SHA1 e3b3b9add2e1e94008f9c6f921ae84846a425411
SHA256 4568a00c8881ae64407950a769be27fa4094d249cf1519dfb1a9e03b540e576b
SHA512 35f66b1735181c99b1c3baaefa53701c9657a7fa572ff7c5104b625c789727110f5c62ee2286e46c87035ffcab7b1916d9487ad84bc10266135e0d4f834c9e31

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 b408021ed671d0ee649299cb38effab3
SHA1 0e2c7cd8a1c05f0a98f07fe3171056bd97fc7b2b
SHA256 c5e7793e855404dc549c547531159e8b7c23e904cc01c21e729f4e6c5bc859eb
SHA512 fe171a5938a34e570734371776e1613bb2c67b239e3cf892682552a0bf25a22750649aef10073db2e0271b6ea5f2e09f9b41e09207dcbc7d1dbb84b0a4897c14

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 fa60793e6e6d2e47fc39622af5dd8357
SHA1 78066dfa4d688d961daa53c6e9fc0129fb16b601
SHA256 6be9fed28795b6284001fbaa43097e3290035de6af8d9632e8b3c1fd7abab42c
SHA512 20e79e2807f1e01242e782f5a1cf93b08aa372241d0928d54e4c1eb88453d1c72a13576d899ae1190b3f52936dd0ef24ee091661978806100531aee8912d9162

/data/user/0/app.six/databases/sdffsfdsfdsfsd

MD5 c61754a40628ab302a393c015cbf7ca2
SHA1 3b19f7d900958ddb21de4b6d05a3b265d89a78a5
SHA256 57ab6a608cdf3c57f32e8e02746388170405af6f20b95cfcd99c481e6098076c
SHA512 2067029fc39b96336503405f8d01af74e03a689159a999b32d2f650ab3497fa5613db284a6c56690cf0938abddd5019eba5d4ea2b11d0aff0d6397b8ff0c6aa5