Malware Analysis Report

2024-10-19 13:18

Sample ID: 240602-mrhn7sbe38
Target: 8dcb6b127c917194b4d676624a4e58b7_JaffaCakes118
SHA256: 447819e3551724706ec7010b5501fd6cec02c1ad1d951ea7b3ab71d27ffdc4c8
Tags: discovery evasion persistence collection credential_access impact
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 8dcb6b127c917194b4d676624a4e58b7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Checks if the Android device is rooted.

Checks CPU information

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Checks memory information

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Checks if the internet connection is available

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported: 2024-06-02 10:41

Signatures

Requests dangerous framework permissions

  android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service. (Process: N/A, Target: N/A)
  android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. (Process: N/A, Target: N/A)
  android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage. (Process: N/A, Target: N/A)
  android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. (Process: N/A, Target: N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 10:41
Reported: 2024-06-02 10:45
Platform: android-x86-arm-20240514-en
Max time kernel: 6s
Max time network: 131s

Command Line

com.pregnancy.infopm

Signatures

Checks CPU information
Tags: evasion discovery
  File opened for read: /proc/cpuinfo (Process: N/A, Target: N/A)

Checks memory information
Tags: evasion discovery
  File opened for read: /proc/meminfo (Process: N/A, Target: N/A)

Queries the mobile country code (MCC)
Tags: discovery
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process: N/A, Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
  Framework service call: android.app.IActivityManager.registerReceiver (Process: N/A, Target: N/A)

Checks the presence of a debugger
Tags: evasion

Processes

com.pregnancy.infopm

Network


Files

/data/data/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 10:41
Reported: 2024-06-02 10:45
Platform: android-x64-20240514-en
Max time kernel: 68s
Max time network: 145s

Command Line

com.pregnancy.infopm

Signatures

Checks if the Android device is rooted.
Tags: evasion
  Indicator: /system/app/Superuser.apk (Description: N/A, Process: N/A, Target: N/A)

Checks CPU information
Tags: evasion discovery
  File opened for read: /proc/cpuinfo (Process: N/A, Target: N/A)

Checks memory information
Tags: evasion discovery
  File opened for read: /proc/meminfo (Process: N/A, Target: N/A)

Loads dropped Dex/Jar
Tags: evasion
  Indicator: /data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar (Description: N/A, Process: N/A, Target: N/A)
  Indicator: /data/user/0/com.pregnancy.infopm/cache/1582435991586.jar (Description: N/A, Process: N/A, Target: N/A)

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (Process: N/A, Target: N/A)

Queries information about running processes on the device
Tags: discovery
  Framework service call: android.app.IActivityManager.getRunningAppProcesses (Process: N/A, Target: N/A)

Queries the mobile country code (MCC)
Tags: discovery
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process: N/A, Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
  Framework service call: android.app.IActivityManager.registerReceiver (Process: N/A, Target: N/A)

Checks if the internet connection is available
Tags: discovery
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process: N/A, Target: N/A)

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Checks the presence of a debugger
Tags: evasion

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
  Framework API call: javax.crypto.Cipher.doFinal (Process: N/A, Target: N/A)

Processes

com.pregnancy.infopm

Network


Files

/data/data/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar


/data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar


/data/data/com.pregnancy.infopm/cache/1582435991586.jar


/data/user/0/com.pregnancy.infopm/cache/1582435991586.jar


/data/data/com.pregnancy.infopm/cache/oat/1582435991586.jar.cur.prof


/data/data/com.pregnancy.infopm/files/oat/ewqeqewqeqewqewqavpcc.jar.cur.prof


Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-02 10:41
Reported: 2024-06-02 10:45
Platform: android-x64-arm64-20240514-en
Max time kernel: 139s
Max time network: 145s

Command Line

com.pregnancy.infopm

Signatures

Checks if the Android device is rooted.
Tags: evasion
  Indicator: /system/app/Superuser.apk (Description: N/A, Process: N/A, Target: N/A)

Checks CPU information
Tags: evasion discovery
  File opened for read: /proc/cpuinfo (Process: N/A, Target: N/A)

Checks memory information
Tags: evasion discovery
  File opened for read: /proc/meminfo (Process: N/A, Target: N/A)

Loads dropped Dex/Jar
Tags: evasion
  Indicator: /data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar (Description: N/A, Process: N/A, Target: N/A)
  Indicator: /data/user/0/com.pregnancy.infopm/cache/1582435991586.jar (Description: N/A, Process: N/A, Target: N/A)

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (Process: N/A, Target: N/A)

Queries information about running processes on the device
Tags: discovery
  Framework service call: android.app.IActivityManager.getRunningAppProcesses (Process: N/A, Target: N/A)

Checks if the internet connection is available
Tags: discovery
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process: N/A, Target: N/A)

Checks the presence of a debugger
Tags: evasion

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
  Framework API call: javax.crypto.Cipher.doFinal (Process: N/A, Target: N/A)

Processes

com.pregnancy.infopm

Network


Files

/data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar


/data/user/0/com.pregnancy.infopm/files/ewqeqewqeqewqewqavpcc.jar


/data/user/0/com.pregnancy.infopm/cache/1582435991586.jar


/data/user/0/com.pregnancy.infopm/cache/1582435991586.jar


/data/user/0/com.pregnancy.infopm/cache/oat/1582435991586.jar.cur.prof


/data/user/0/com.pregnancy.infopm/files/oat/ewqeqewqeqewqewqavpcc.jar.cur.prof
