Malware Analysis Report

2024-10-19 13:18

Sample ID 240602-lrv4vsac97
Target 8da7dc1501f70fecf9fedef7e9b84156_JaffaCakes118
SHA256 f24cdbb1e8b40771f2798543664e39a08ec02c3aa9c6c552ff7008a9d6a75478
Tags: collection credential_access discovery evasion impact persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

f24cdbb1e8b40771f2798543664e39a08ec02c3aa9c6c552ff7008a9d6a75478

Threat Level: Shows suspicious behavior

The file 8da7dc1501f70fecf9fedef7e9b84156_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Checks memory information

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about the phone network operator

Checks if the internet connection is available

Requests dangerous framework permissions

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 09:46

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 09:46

Reported

2024-06-02 09:49

Platform

android-x64-20240514-en

Max time kernel

128s

Max time network

152s

Command Line

com.damaiapp.yyl

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.damaiapp.yyl

com.damaiapp.yyl:push

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | api.m.taobao.com | udp
CN | 140.205.160.4:80 | api.m.taobao.com | tcp
US | 1.1.1.1:53 | yyl.uxi.me | udp
CN | 59.82.29.163:80 | log.umsns.com | tcp
GB | 216.58.212.226:443 | N/A | tcp
GB | 172.217.16.238:443 | N/A | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
GB | 172.217.16.238:443 | N/A | tcp
GB | 172.217.16.238:443 | N/A | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp
CN | 59.82.31.210:80 | log.umsns.com | tcp
CN | 59.82.31.92:80 | log.umsns.com | tcp
CN | 59.82.31.95:80 | log.umsns.com | tcp
CN | 59.82.60.43:80 | log.umsns.com | tcp
CN | 59.82.60.44:80 | log.umsns.com | tcp
CN | 59.82.112.112:80 | log.umsns.com | tcp

Files

/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-journal

/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db

/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-journal

/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-journal

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 09:46

Reported

2024-06-02 09:49

Platform

android-x86-arm-20240514-en

Max time kernel

126s

Max time network

131s

Command Line

com.damaiapp.yyl

Signatures

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about the phone network operator

discovery

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.damaiapp.yyl

com.damaiapp.yyl:push

cat /sys/class/net/wlan0/address

cat /sys/class/net/wlan0/address

cat /sys/class/net/wlan0/address

cat /sys/class/net/wlan0/address

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | api.m.taobao.com | udp
CN | 140.205.160.4:80 | api.m.taobao.com | tcp
US | 1.1.1.1:53 | yyl.uxi.me | udp
GB | 216.58.204.78:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.201.98:443 | N/A | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.112.112:80 | log.umsns.com | tcp
CN | 59.82.60.44:80 | log.umsns.com | tcp
CN | 59.82.31.92:80 | log.umsns.com | tcp
CN | 59.82.31.95:80 | log.umsns.com | tcp
CN | 59.82.60.43:80 | log.umsns.com | tcp
CN | 59.82.31.210:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp

Files

/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-journal

/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db

/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-shm

/data/data/com.damaiapp.yyl/databases/UmengLocalNotificationStore.db-wal

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.DataStorage/ContextData.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml