Malware Analysis Report

2024-07-28 14:46

Sample ID 240531-b6ds1saf3t
Target 85a241e9b28d7c602503a9276f413662_JaffaCakes118
SHA256 96f6f725178d648dd98d16d7e9095457b42bfe7b15419c0e470dc312b697890d
Tags
banker collection discovery evasion impact privilege_escalation stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

96f6f725178d648dd98d16d7e9095457b42bfe7b15419c0e470dc312b697890d

Threat Level: Likely malicious

The file 85a241e9b28d7c602503a9276f413662_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact privilege_escalation stealth trojan

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Queries information about running processes on the device

Loads dropped Dex/Jar

Reads the contacts stored on the device.

Reads the content of SMS inbox messages.

Tries to add a device administrator.

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-31 01:45

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 01:45

Reported

2024-05-31 01:48

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

171s

Command Line

com.dyxnjbcw.ckrchucret

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar N/A N/A
N/A /data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Processes

com.dyxnjbcw.ckrchucret

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/oat/x86/htbqtqphlo.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 172.217.169.42:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
GB 142.250.178.3:443 tcp
DE 85.93.5.109:80 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
DE 85.93.5.109:80 tcp

Files

/data/data/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar

MD5 718583315524e4a1e3382647d755dcff
SHA1 f0f23d239e019cf3fc7dbe0c088732c114ae2fc1
SHA256 a2249042923e68c71766babe513cdf56b5ea1d9dc98ecc53d94edd094d531462
SHA512 5d4cc55cdffa59b2818314d8f6cf49257b9996ef41026236f3e2957656528ce61d3fac4ab4769d7ba50c65642d5d32a444cdb0cca32d60d0dfebfb9f3d1c5f26

/data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar

MD5 8811b67f19cc17b23b91aefec75ea611
SHA1 107ba3f56c102557a6c58b3eabec318ed3c7fe28
SHA256 f3876a99c5b66df9a3dbd4cf1be2ec1ddde6532a232d2ef67a35777c00e0c33a
SHA512 8e45b1235cd60fc35586fde71870e635e12e4493ee70b058e551df2309d31ff72b39a91d6b5ccea8b6732ab34f81bb459d011efac44cfc0ee4ddb46abb4680ad

/data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar

MD5 c68626c1255c1eee24099bc813b8b9bf
SHA1 ed4bb060afad9d118ade433d733fa33a7d15def8
SHA256 12c94913e48ece102979120fdbd939046fc53f5b0a0ba1ec82639edb8ca35857
SHA512 d39401d8dafa163347ed1a8ed720262ef78bf4e74c67a3203adb3bd4874c2c253ce2aadde4309ea90597beaac65f1bd0195db7584f9dfd46d6b36dad55e5fad3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 01:45

Reported

2024-05-31 01:48

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

178s

Command Line

com.dyxnjbcw.ckrchucret

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

com.dyxnjbcw.ckrchucret

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 85.93.5.109:80 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
GB 142.250.200.46:443 tcp
GB 172.217.16.226:443 tcp
GB 216.58.204.68:443 tcp
GB 216.58.204.68:443 tcp
DE 85.93.5.109:80 tcp

Files

/data/data/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar

MD5 718583315524e4a1e3382647d755dcff
SHA1 f0f23d239e019cf3fc7dbe0c088732c114ae2fc1
SHA256 a2249042923e68c71766babe513cdf56b5ea1d9dc98ecc53d94edd094d531462
SHA512 5d4cc55cdffa59b2818314d8f6cf49257b9996ef41026236f3e2957656528ce61d3fac4ab4769d7ba50c65642d5d32a444cdb0cca32d60d0dfebfb9f3d1c5f26

/data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar

MD5 8811b67f19cc17b23b91aefec75ea611
SHA1 107ba3f56c102557a6c58b3eabec318ed3c7fe28
SHA256 f3876a99c5b66df9a3dbd4cf1be2ec1ddde6532a232d2ef67a35777c00e0c33a
SHA512 8e45b1235cd60fc35586fde71870e635e12e4493ee70b058e551df2309d31ff72b39a91d6b5ccea8b6732ab34f81bb459d011efac44cfc0ee4ddb46abb4680ad

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-31 01:45

Reported

2024-05-31 01:48

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

177s

Command Line

com.dyxnjbcw.ckrchucret

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Processes

com.dyxnjbcw.ckrchucret

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
DE 85.93.5.109:80 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.68:443 www.google.com tcp
DE 85.93.5.109:80 tcp

Files

/data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar

MD5 718583315524e4a1e3382647d755dcff
SHA1 f0f23d239e019cf3fc7dbe0c088732c114ae2fc1
SHA256 a2249042923e68c71766babe513cdf56b5ea1d9dc98ecc53d94edd094d531462
SHA512 5d4cc55cdffa59b2818314d8f6cf49257b9996ef41026236f3e2957656528ce61d3fac4ab4769d7ba50c65642d5d32a444cdb0cca32d60d0dfebfb9f3d1c5f26

/data/user/0/com.dyxnjbcw.ckrchucret/app_ytxlwoke/htbqtqphlo.jar

MD5 8811b67f19cc17b23b91aefec75ea611
SHA1 107ba3f56c102557a6c58b3eabec318ed3c7fe28
SHA256 f3876a99c5b66df9a3dbd4cf1be2ec1ddde6532a232d2ef67a35777c00e0c33a
SHA512 8e45b1235cd60fc35586fde71870e635e12e4493ee70b058e551df2309d31ff72b39a91d6b5ccea8b6732ab34f81bb459d011efac44cfc0ee4ddb46abb4680ad