Malware Analysis Report

2025-01-06 07:47

Sample ID 240530-p75vsaae64
Target 843a8935104389f6ddc034f14280bc80_JaffaCakes118
SHA256 ce3061ddfc486252922f8b14592562acca85c0ab3bcfe3197987a2d90530d8e9
Tags
discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

ce3061ddfc486252922f8b14592562acca85c0ab3bcfe3197987a2d90530d8e9

Threat Level: Shows suspicious behavior

The file 843a8935104389f6ddc034f14280bc80_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Requests dangerous framework permissions

Checks if the internet connection is available

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-30 12:59

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 12:59

Reported

2024-05-30 13:02

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

139s

Command Line

com.yunshu.ku.che

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.yunshu.ku.che/files/com.yunshu.ku.che.bc.jar N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.yunshu.ku.che

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yunshu.ku.che/files/com.yunshu.ku.che.bc.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.yunshu.ku.che/files/oat/x86/com.yunshu.ku.che.bc.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 216.58.213.3:443 tcp
GB 142.250.200.42:443 tcp
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ic.ie.027ie.com udp
US 1.1.1.1:53 stats.unity3d.com udp
GB 172.217.169.46:80 www.google-analytics.com tcp
US 1.1.1.1:53 api.twitter.com udp
US 104.244.42.194:443 api.twitter.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 news.volvogroup.com udp
SE 153.112.187.161:80 news.volvogroup.com tcp
US 1.1.1.1:53 www.volvogroup.com udp
GB 2.16.34.123:80 www.volvogroup.com tcp
GB 2.16.34.123:443 www.volvogroup.com tcp

Files

/data/data/com.yunshu.ku.che/files/com.yunshu.ku.che.bc.jar

MD5 0dc26a6353349f37f043607e1da7c3e7
SHA1 371cc39e8be5b61871cdf124c3e0443606e9874b
SHA256 cd6e766a792ba83dd2538ee95300d15f025368b49854ba0390b5f24e8a8bed59
SHA512 80e6894b90cacd7ec7dd172db6a4270f11a9574006dff15858fa8f1cee5f873fdfbc05df206967f67f68ed776adbc79ae54f7c751327880a89ed1a8634267f02

/data/user/0/com.yunshu.ku.che/files/com.yunshu.ku.che.bc.jar

MD5 877237b39ad40b467e0ce741a5b8dea3
SHA1 11aa0735af41ea8fa99d51b566b415d9bb9d99d7
SHA256 9dac30cf58a7afe1e88d3e8963e08dfdbf781f2fdf9dbc8da5246ad15a306c35
SHA512 e55a40fa06c491c44d36801a4c3469b94066b459722e0c0ccac87631e905aae2dc7d1de25cc1026acef0531ab5a87bd7a06be1da00849d15dee45f289f1df193

/data/user/0/com.yunshu.ku.che/files/com.yunshu.ku.che.bc.jar

MD5 fde90bc4785b4ebf431f82e96c391960
SHA1 9cedba561079d07f1bf358b16c61de33bd6bde52
SHA256 eb557a82cbf91bc1594811fd2eb6a3d137287236c316cf4330693176bdb373c7
SHA512 f7c695fd4acb45f3698d6c1c46637d4782af858a23620653f4b2e45f001eb5f99673a2d5ff4d74abc752fd6823e6257a240dc19af65dba29abd5805b2edf7ce5

/data/data/com.yunshu.ku.che/files/oat/com.yunshu.ku.che.bc.jar.cur.prof

MD5 4835ccd7fc55c83562183c89ede5d691
SHA1 44eb5e7ac5fabc2196eb95a9bd7cd34c05aa2753
SHA256 2cd523a425414039cb38b1bcb0128d47ed86cdf4b8088c4b442e33c687b0cd6e
SHA512 bad17f784e2def4689dbd75a19cfc92a65a1ed15e688f8258536fcc1a80bc96f5d17efccf7fbdb2a74d51b0c740980d42f263978f79417bd7ce8065bc27dbb40