Malware Analysis Report

2024-10-19 13:17

Sample ID 240602-1nqgjagb3w
Target 8f8be17068fe3b45918f551a433f5f02_JaffaCakes118
SHA256 389a7d67e24a5515510c15c8c52d73a545dd15cce47fd0b9e02c2fa2a6fb9044
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

389a7d67e24a5515510c15c8c52d73a545dd15cce47fd0b9e02c2fa2a6fb9044

Threat Level: Shows suspicious behavior

The file 8f8be17068fe3b45918f551a433f5f02_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks memory information

Queries the mobile country code (MCC)

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 21:48

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 21:48

Reported

2024-06-02 21:51

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

142s

Command Line

com.iq.khwaz.besh_dollar

Signatures

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.iq.khwaz.besh_dollar

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.3:443 | | tcp
US | 1.1.1.1:53 | info4iq.com | udp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp

Files

/data/data/com.iq.khwaz.besh_dollar/files/gtex2

MD5 85755a22e22ce20732c88e6a6e5ec2b5
SHA1 b2b75d7f5e889de7bb5718b3a713559321aa0b40
SHA256 42678183fd2ec573cf35ee05941b9a37547997b7fcd0d8879dd152931d5ff6e9
SHA512 4cb5a2a91a1e6e0cb15ae4a7ee9dfa14d68568408fd5c8b95bef90d263e243bccb4f61a0ce69f30235c6a70354c1db87a4a8435b89468d20bb05b410749ac763

/data/data/com.iq.khwaz.besh_dollar/files/fixedRoadsFile

MD5 b730446866770f1a4e5b94f79676cdb6
SHA1 7ec6b5c2c31a28149549d8c9de748c0e34543240
SHA256 80935bdc2ac300b98a6c7c463c14624a9009a44a3f143dfd1dfcd7077ede80d4
SHA512 58d855c398b714ec28468d22c0c040b7ee24cb580f81ced9a3eba6dbc8ab9100b766a043a1a9f1efa963da5bad6ffdd462ac271a785aecf7cdb27e0ba30774ed

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 21:48

Reported

2024-06-02 21:51

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

154s

Command Line

com.iq.khwaz.besh_dollar

Signatures

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.iq.khwaz.besh_dollar

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | info4iq.com | udp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp

Files

/data/data/com.iq.khwaz.besh_dollar/files/gtex2

MD5 d48378ccea72aeeddb7157b18d127ac9
SHA1 bb40d76d470a25c39a885b622ebf3abafa7236e5
SHA256 79ad6e6340f9f330341fbff6378233c32a06b4cc2e6efb544aced74aace80233
SHA512 264faf868211c9a0f55f4ad5811ed2a0935a6544445bcbb4bb32e6689907c88e48f44d10ddd613da026197ec01fdb4a71d58322d74e8c99b0b29097d5b586a3c

/data/data/com.iq.khwaz.besh_dollar/files/fixedRoadsFile

MD5 b730446866770f1a4e5b94f79676cdb6
SHA1 7ec6b5c2c31a28149549d8c9de748c0e34543240
SHA256 80935bdc2ac300b98a6c7c463c14624a9009a44a3f143dfd1dfcd7077ede80d4
SHA512 58d855c398b714ec28468d22c0c040b7ee24cb580f81ced9a3eba6dbc8ab9100b766a043a1a9f1efa963da5bad6ffdd462ac271a785aecf7cdb27e0ba30774ed

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-02 21:48

Reported

2024-06-02 21:51

Platform

android-x64-arm64-20240514-en

Max time kernel

125s

Max time network

132s

Command Line

com.iq.khwaz.besh_dollar

Signatures

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.iq.khwaz.besh_dollar

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | info4iq.com | udp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp
DE | 162.55.237.41:80 | info4iq.com | tcp

Files

/data/user/0/com.iq.khwaz.besh_dollar/files/gtex2

MD5 d48378ccea72aeeddb7157b18d127ac9
SHA1 bb40d76d470a25c39a885b622ebf3abafa7236e5
SHA256 79ad6e6340f9f330341fbff6378233c32a06b4cc2e6efb544aced74aace80233
SHA512 264faf868211c9a0f55f4ad5811ed2a0935a6544445bcbb4bb32e6689907c88e48f44d10ddd613da026197ec01fdb4a71d58322d74e8c99b0b29097d5b586a3c

/data/user/0/com.iq.khwaz.besh_dollar/files/fixedRoadsFile

MD5 b730446866770f1a4e5b94f79676cdb6
SHA1 7ec6b5c2c31a28149549d8c9de748c0e34543240
SHA256 80935bdc2ac300b98a6c7c463c14624a9009a44a3f143dfd1dfcd7077ede80d4
SHA512 58d855c398b714ec28468d22c0c040b7ee24cb580f81ced9a3eba6dbc8ab9100b766a043a1a9f1efa963da5bad6ffdd462ac271a785aecf7cdb27e0ba30774ed