Malware Analysis Report

2025-01-06 10:34

Sample ID  240601-e3spjsae33
Target     895ce02f93f6c715793b18ad07f66ad6_JaffaCakes118
SHA256     9b2decf4631db7072c8a17e2a91aa1b49c936db91e41b2682d1b0267a2e0568a
Tags       banker discovery evasion impact
Score      8/10

Analysis Overview

Score  8/10
SHA256 9b2decf4631db7072c8a17e2a91aa1b49c936db91e41b2682d1b0267a2e0568a

Threat Level: Likely malicious

The file 895ce02f93f6c715793b18ad07f66ad6_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Checks if the internet connection is available

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-01 04:28

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted        2024-06-01 04:28
Reported         2024-06-01 04:31
Platform         android-x86-arm-20240514-en
Max time kernel  174s
Max time network 131s

Command Line

com.androidemu.harvezhadanren

Signatures

Checks if the Android device is rooted.

evasion

Description | Indicator       | Process | Target
N/A         | /system/bin/su  | N/A     | N/A
N/A         | /system/xbin/su | N/A     | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about the current Wi-Fi connection

discovery

Description            | Indicator                                          | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo    | N/A     | N/A

Checks if the internet connection is available

discovery

Description            | Indicator                                                 | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo     | N/A     | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description        | Indicator                      | Process | Target
Framework API call | javax.crypto.Cipher.doFinal    | N/A     | N/A

Processes

com.androidemu.harvezhadanren

com.androidemu.harvezhadanren:emulator

Network

Country | Destination         | Domain                  | Proto
GB      | 142.250.200.14:443  |                         | tcp
N/A     | 224.0.0.251:5353    |                         | udp
US      | 1.1.1.1:53          | ads.wapx.cn             | udp
US      | 1.1.1.1:53          | app.wapx.cn             | udp
US      | 1.1.1.1:53          | app.waps.cn             | udp
GB      | 216.58.204.67:443   |                         | tcp
GB      | 142.250.180.14:443  |                         | tcp
US      | 1.1.1.1:53          | android.apis.google.com | udp
GB      | 216.58.204.78:443   | android.apis.google.com | tcp

Files

/data/data/com.androidemu.harvezhadanren/nesroms/harvezzhxzlb/harvezhadanren.nes

MD5 6e456b88a318156364066d197a8a43d4
SHA1 b5bcca95dd7ea0ff6f3882e809c560052c212a24
SHA256 0b5d24ccf0335b5f70a02fd162b20fa3a6defb83408f37a8701de83d5fcf2c9a
SHA512 9479b4cb3757fdc1e6b827fc4d1cb84390428fb5052f87739ac11254c09586a81ffa40df01898d35a2caa8e9f21a1539149a2bf35efe2b111a0ad3f65d5044be

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 90b712219627736caa907ea4701c3e64
SHA1 c3c2eb7c5b37129c0f90b54188bc09b7f7a40372
SHA256 c66681851589b6d65249f2f68a45437f4a872849c67cbc82b03abf04df46c4e0
SHA512 9c28ece538c5aeefea56ab15f1bb5b7c4a4e22aa10fab0370c7d300a414cd763ccaac23dcef2586c98c403ac44956d93429edea415ccdf2c259389994f03094a

/storage/emulated/0/Android/data/.class/android

MD5 3d01a0cc7abc4fc30bb3e60da34f59ef
SHA1 a77628ffc105519271a9bdfc24bc0ada1aadd20d
SHA256 687bd1f19832d515445c688a6acdaf9212540c0b08796179b9a1b27497f45e29
SHA512 6d3fffcd24d6a65a48a89313861896434f7dcf4dee695dc84f3b55d6c19e457a7a68dd6f5e464acb007d16922b44192f994e24064d69062c36481f2cf80636fc

/storage/emulated/0/Android/data/cache/AppPackage.dat

MD5 8a315191fe188557163acb5ad69f1b44
SHA1 cdce41aa2155a4c8cd91957846c2f603f009b22d
SHA256 8a6bf3fd34ecf79f09fc45ee0555bc444d9bf437b8a9942819f9c3288b5db2b1
SHA512 2de2e662962323a32f28e76a98d3addf59eecb100e4b977ae23860659319b34f363a63e35a8ad223dc3d07386ba7950708ecb2675b1f27233c95dbb75082e1a0

/storage/emulated/0/Android/data/cache/UnPackage.dat

MD5 79c40fa0eab9353ff1d411d11a2201ff
SHA1 8dac5d4903d6c0b49f25f8da4dfcf7422bda3e71
SHA256 64381b2b90e6e8e31b57bf80ff71dea044ee6dedfdd607e17de3b31b67828e32
SHA512 43694eabe2a9a9d3d503f36ab3587778389f8348d1933854fc702889960e978aa1c71ca70ae57b11badddb80f9731341ce99a3f04a11e047daa9b9ccc692eaef

Analysis: behavioral2

Detonation Overview

Submitted        2024-06-01 04:28
Reported         2024-06-01 04:28
Platform         android-33-x64-arm64-20240514-en
Max time network 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination         | Domain | Proto
GB      | 172.217.16.234:443  |        | tcp
GB      | 142.250.179.228:443 |        | udp
N/A     | 224.0.0.251:5353    |        | udp
GB      | 142.250.179.228:443 |        | udp

Files

N/A