Malware Analysis Report

2024-10-19 13:18

Sample ID 240602-nfmpfsbd5v
Target 8de6580c8b890804d8f83bf9bede068e_JaffaCakes118
SHA256 cb699a4b8132ee3791dfe7b6746cfdb44d3289d7aac6f48afc6185360ecb1aa7
Tags
discovery evasion impact persistence collection credential_access
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cb699a4b8132ee3791dfe7b6746cfdb44d3289d7aac6f48afc6185360ecb1aa7

Threat Level: Shows suspicious behavior

The file 8de6580c8b890804d8f83bf9bede068e_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence collection credential_access

Checks CPU information

Queries the mobile country code (MCC)

Obtains sensitive information copied to the device clipboard

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 11:20

Signatures

Requests dangerous framework permissions

Indicator Description Process Target
android.permission.WRITE_EXTERNAL_STORAGE Allows an application to write to external storage. N/A N/A
android.permission.READ_PHONE_STATE Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. N/A N/A
android.permission.READ_EXTERNAL_STORAGE Allows an application to read from external storage. N/A N/A
android.permission.SYSTEM_ALERT_WINDOW Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. N/A N/A
android.permission.REQUEST_INSTALL_PACKAGES Allows an application to request installing packages. N/A N/A
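The static1 table above lists what the sandbox flags; the useful analyst step is to pull the same list from the APK's manifest yourself and look at which permissions appear together. The script below is an added example and is not part of the sandbox report or of the sample. The manifest it parses is constructed: the five flagged permissions are the ones the report lists, android.permission.INTERNET is assumed because the app reaches the network in the behavioral runs, the package name comes from the behavioral Command Line field, and the combination rules are the editor's.

```python
"""Triage the permissions an APK requests, from its AndroidManifest.xml.

Added example for the static1 table; not part of the sandbox report.
The manifest is constructed (see the lead-in); the risk notes are the editor's.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the five dangerous permissions are from the report,
# INTERNET is assumed, everything else is filler.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.lyztjdb.bt.qipa">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="qipa"/>
</manifest>
"""

# Permissions the sandbox marked as dangerous for this sample (static1 table).
DANGEROUS: Dict[str, str] = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage",
    "android.permission.READ_PHONE_STATE": "phone and network operator identifiers",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "prompt the user to install APKs",
}

# Pairs that are worse together than apart (editor's rules, not the sandbox's).
COMBOS = [
    ({"android.permission.SYSTEM_ALERT_WINDOW",
      "android.permission.REQUEST_INSTALL_PACKAGES"},
     "overlay + sideload: can cover the screen while prompting to install a second-stage APK"),
    ({"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"},
     "device and operator identifiers can leave the device"),
]


def extract_permissions(manifest_xml: str) -> List[str]:
    """Return every android:name of a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    key = f"{{{ANDROID_NS}}}name"
    return [e.get(key) for e in root.iter("uses-permission") if e.get(key)]


def triage(perms: List[str]) -> dict:
    """Flag dangerous permissions and the combinations defined in COMBOS."""
    present = set(perms)
    flagged = {p: DANGEROUS[p] for p in sorted(present & DANGEROUS.keys())}
    notes = [note for needed, note in COMBOS if needed <= present]
    return {"flagged": flagged, "notes": notes}


if __name__ == "__main__":
    result = triage(extract_permissions(SAMPLE_MANIFEST))
    for perm, why in result["flagged"].items():
        print(f"{perm}: {why}")
    for note in result["notes"]:
        print("NOTE:", note)
```

Two of the five are not ordinary runtime permissions: SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES are granted through a Settings toggle rather than a permission dialog, so a sample that carries both is set up to nag the user into two Settings screens and then show an overlay while offering a second APK. That pairing, not any single entry, is what makes the static table worth a closer look.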

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-02 11:20

Reported

2024-06-02 11:21

Platform

android-x86-arm-20240514-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.195:443 - tcp
N/A 224.0.0.251:5353 - udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-02 11:20

Reported

2024-06-02 11:22

Platform

android-x64-20240514-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.178.10:443 - tcp
N/A 224.0.0.251:5353 - udp
GB 142.250.180.10:443 - tcp
GB 142.250.180.10:443 - tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-02 11:20

Reported

2024-06-02 11:22

Platform

android-x64-arm64-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 11:20

Reported

2024-06-02 11:25

Platform

android-x86-arm-20240514-en

Max time kernel

47s

Max time network

157s

Command Line

com.lyztjdb.bt.qipa

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.lyztjdb.bt.qipa

Network

Country Destination Domain Proto
GB 142.250.178.10:443 - tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 1.1.1.1:53 log.tbs.qq.com udp
HK 129.226.106.211:80 log.tbs.qq.com tcp
US 1.1.1.1:53 mirh5.lieshenhd.com udp
US 1.1.1.1:53 api.3011.cn udp
CN 39.105.24.45:443 api.3011.cn tcp
GB 142.250.187.206:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 172.217.169.66:443 - tcp
GB 142.250.179.238:443 - tcp

Files

/storage/emulated/0/Android/data/com.lyztjdb.bt.qipa/files/tbslog/tbslog.txt

MD5 eb223f98300e06b9ba695f7198d04b40
SHA1 506edb8d3f0511d1bef881009adfe4124f189b52
SHA256 5b7c7a1c8133390f1a72251f9e635187d1b430c8899f506e176d25428e23596f
SHA512 6314fba8343a215da4b5dc7ad9b5e9d0aa1ae9e2311f8e93921b485e1a79bf532f560383fcb5d43e215f55fc5a2def78be9448947bde85b131257c23251dab2f

/data/data/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-journal

MD5 39f3f26232b1e140a0e87fac9885fa8c
SHA1 1a5da4f0dd7042daf47e73633e16112385c87eab
SHA256 03b9896da654f07382c331b4dd9cde85040c55ef66291704f2897cb29ff6828c
SHA512 d2da65b93742d20ef914c8fc9e760e7aa8adc3bbff412567c82de4079c04fa720d2561e1a162bb750cfade8e4ea97d0ae6d084f571f5b85b3ce1deaf931426da

/data/data/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db

MD5 3fe30614d7e0d11db870b4624f6c50e0
SHA1 053ff0fc621ab40f2afeddb3e7b4a73ee41ec533
SHA256 67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d
SHA512 c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

/data/data/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-wal

MD5 ef35cfb86e7df6cb5a714693915de918
SHA1 82f0274ba8f01c1f3b050430d6276dcf1279e920
SHA256 bace24718b1cb4505fff2bed7fbc4233b9b6162257c12c50b6faeb4b56301a0e
SHA512 18fec79f43a876bfb1ef7ccb60709ddce1600f5f7865a6dc12ef35098cd4b36e25bd376f0b00bfb192129109cbeae85e86e13b10c4be2aadd45d51d23a70d162

/data/data/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-wal

MD5 1374e7af879cd4e81a5ef57d0573f294
SHA1 426e8c94e56e3e2ff33cbc77f8258ec49c81660e
SHA256 e2f807c2418f48afcb0149b6d51ed6fda0c4cc5ee7c48188fea49cec2c1e5233
SHA512 cb230b5c13304318755f81899bbd0b2bd6265f5cff3f330c498b8c9e91732a8cb3d80a1f2f14c81ce63bcaf3d2fc176bc76b0cb21257a5c2aa902f7d469425cd

/data/data/com.lyztjdb.bt.qipa/app_tbs/core_private/debug.conf

MD5 6276166988a33abf6cb34237f184ad29
SHA1 5da2a5ff24a70e8c96d410349c483dd17b470767
SHA256 cb3c1b6dc7b20f0880e1018c9053b1e9a14ff0cdbed2f9f5473c01cbd2759205
SHA512 97c4f71f320b24ac5e12370e487a0c4fff621b612c3bb5e9baf3994696ef5a48e40c2d50b3be6843fc8c652699a84741c3a4ef269c2a05816254f99742254a89

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 11:20

Reported

2024-06-02 11:25

Platform

android-x64-arm64-20240514-en

Max time kernel

178s

Max time network

132s

Command Line

com.lyztjdb.bt.qipa

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.lyztjdb.bt.qipa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 142.250.200.46:443 - tcp
GB 142.250.200.46:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 mirh5.lieshenhd.com udp
US 1.1.1.1:53 api.3011.cn udp
CN 39.105.24.45:443 api.3011.cn tcp
GB 216.58.201.100:443 - tcp
GB 216.58.201.100:443 - tcp
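Most rows in the behavioral1 and behavioral2 Network tables are mDNS, resolver traffic and Google endpoints that any Android image produces on boot; the leads are the handful of third-party names. The script below is an added example, not part of the sandbox report: it parses the two tables as copied from this page, drops the platform noise, and separates names that were only resolved from names that were actually connected to. The Google suffix list and the noise/lead split are the editor's heuristics.

```python
"""Separate platform noise from leads in the sandbox Network tables.

Added example, not part of the sandbox report. BEHAVIORAL1/2 are copied
from the two Network tables on the page; the classification is the editor's.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the behavioral1 and behavioral2 Network tables (Country Destination [Domain] Proto).
BEHAVIORAL1 = """\
GB 142.250.178.10:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 1.1.1.1:53 log.tbs.qq.com udp
HK 129.226.106.211:80 log.tbs.qq.com tcp
US 1.1.1.1:53 mirh5.lieshenhd.com udp
US 1.1.1.1:53 api.3011.cn udp
CN 39.105.24.45:443 api.3011.cn tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 172.217.169.66:443 tcp
GB 142.250.179.238:443 tcp
"""
BEHAVIORAL2 = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 mirh5.lieshenhd.com udp
US 1.1.1.1:53 api.3011.cn udp
CN 39.105.24.45:443 api.3011.cn tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
"""

# Domains treated as Android/Google platform traffic (editor's list, extend as needed).
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com", "gstatic.com")


@dataclass(frozen=True)
class Flow:
    run: str
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(run: str, text: str) -> List[Flow]:
    """Parse 'Country ip:port [Domain] Proto' rows; a missing or '-' domain becomes None."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue  # blank line or table header
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(run, country, ip, int(port), domain, proto))
    return flows


def is_platform_domain(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def classify(flow: Flow) -> str:
    if ipaddress.ip_address(flow.ip).is_multicast and flow.port == 5353:
        return "mdns"        # link-local service discovery; every Android image does this
    if flow.port == 53:
        return "dns"         # resolver query; tells us what the app *wanted* to reach
    if flow.domain is None:
        return "unresolved"  # no hostname recorded; cannot be attributed offline
    if is_platform_domain(flow.domain):
        return "platform"    # Google/Play services
    return "lead"


def triage(flows: List[Flow]) -> dict:
    queried, connected, leads, unresolved, noise = set(), set(), set(), set(), 0
    for f in flows:
        kind = classify(f)
        if kind == "dns" and f.domain:
            queried.add(f.domain)
        elif kind == "lead":
            connected.add(f.domain)
            leads.add((f.domain, f.ip, f.port, f.proto, f.country))
        elif kind == "platform":
            connected.add(f.domain)
            noise += 1
        elif kind == "unresolved":
            unresolved.add((f.ip, f.port))
        else:
            noise += 1
    return {
        "leads": sorted(leads),
        "queried_only": sorted(queried - connected),   # resolved, never connected
        "plaintext": sorted(d for d, _, port, _, _ in leads if port == 80),
        "unresolved": sorted(unresolved),
        "noise": noise,
    }


def triage_report() -> dict:
    return triage(parse_rows("behavioral1", BEHAVIORAL1) + parse_rows("behavioral2", BEHAVIORAL2))


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {value}")
```

Two things fall out that the raw tables do not show at a glance. mirh5.lieshenhd.com was resolved in both runs but never connected to inside the capture window; the table cannot tell you whether that is a dead host, a sinkholed name or a stage the sandbox did not reach, so treat it as a lead to resolve separately rather than an indicator to block on sight. log.tbs.qq.com is reached over plain HTTP on port 80, and the tbslog.txt and app_tbs paths in the Files sections share the tbs name, which points at one logging component rather than two unrelated behaviours.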

Files

/storage/emulated/0/Android/data/com.lyztjdb.bt.qipa/files/tbslog/tbslog.txt (deleted)

MD5 385e9cf6bfbc9ab3f481b1ecd422f393
SHA1 d522be7d422fef4676582662981fffb9841f55ac
SHA256 b2b82f6f9eb5da6dc9a7efcc485a8370d5afc2cdaab4f7618309bff8f112b915
SHA512 0c257695e7c46901162c464c131154fb3d33ab40a78e4bb37ba1d104eca4f56bd4d191709a99d17437f9f659d543b5822f621e2b6af2cf4c018219a51917dbf3

/data/user/0/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-journal

MD5 87e3a2945ba04e6162e02fc715af242a
SHA1 7881aa1e2922de7447e98d2ef9cec5983febe010
SHA256 746604e61a6448c4e51678a663d28699b7c7cc0ffee1e996da9e28c7790b345d
SHA512 ba489935c4d602b2238c8baa8f4390419c77752cc59851397653bbebe81db60622bafbf685d2168586127c3cacb8b8bac295efc17fd280bc48b018d55325d229

/data/user/0/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db

MD5 171aedf968e17a2744d2585715606cb9
SHA1 bbeddeb3b89fcf809619c35b4a318a80e7d5b029
SHA256 d2ab452d9360848f46af866b870b5c6fc98230b09c72b89cb1a4b2778586678e
SHA512 78a0f517ee3d21c153dda6dbfec4187ebaee9d520d7b1b63f358bcb125d08aea53f26943907a56fdeba40161d9fc7e4fd63f9ae3154dd2ad887ba0162738285b

/data/user/0/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-journal

MD5 5e5f62dc7ec5077a6e53accba6828fad
SHA1 8366f85c9cec4186c94eead1ab4f173d30f0924d
SHA256 d6a6a4776d96a49ccb8f452a491ca14100bc91233c362c58e4d5b931ac7cd255
SHA512 aa16c843274caeb7be98da21e6a807a985ff6ec3e84554887f67977ab846f54621b299b3c2536a4564b4a5ef74b27a134712e4843679d18a4bcce809e9997ccb

/data/user/0/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-journal

MD5 b4d244c3867083e906af39e72dd2c5bf
SHA1 9bc87126ac427855c7f5188252994995b3156618
SHA256 2b8be1d4276a406961e05c5d781b35db72eea124ad0e915c3407c6602c06cf9b
SHA512 6330b4d1193ef33af93dff285e4cac9856ad7d7307f376ab9449f238724a866302398f6c9f9658684da29a4f04ff4817352f856f30fc59588fa76086ce0c4a76

/data/user/0/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db

MD5 b9e10ce4641ac1eb042b25c43bc3d8f3
SHA1 85c15efa83a28a083b900375dd8d8f90b307f22c
SHA256 fb2d2d7f4ccb2251604003206df006b69f41705f0b265ddec061ac6beb30dd95
SHA512 ae8944f77dc535d10cde4970cd9966500686c4aecd3411d9eaa5d8d5d548e36a9e6be7225f30fadcf0d2d893fe976966ead7ea391bd89e2bcbbc55feeffa7ccc

/data/user/0/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.lyztjdb.bt.qipa/databases/xUtils_http_cookie.db-wal

MD5 df8dc10113fa47e2bcbf37d9071b2513
SHA1 71e28015d31db171bf2dfa69cb0f4aad4f845a4c
SHA256 f1a9aa80aae51813bbd9813fd9600978ea3d6512ac5d44f7d847e1e604fbb1f4
SHA512 872c2c7d9872cfff206033935a90511ec8d6fdeb3daffd54766feb25d3657066c016de36faf6360ac2dc10b2eba9660845dc422d40c0e5af6d5b0d488f7f7b6c

/data/user/0/com.lyztjdb.bt.qipa/app_tbs/core_private/debug.conf

MD5 6276166988a33abf6cb34237f184ad29
SHA1 5da2a5ff24a70e8c96d410349c483dd17b470767
SHA256 cb3c1b6dc7b20f0880e1018c9053b1e9a14ff0cdbed2f9f5473c01cbd2759205
SHA512 97c4f71f320b24ac5e12370e487a0c4fff621b612c3bb5e9baf3994696ef5a48e40c2d50b3be6843fc8c652699a84741c3a4ef269c2a05816254f99742254a89
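The two Files sections above list fourteen artifacts with hashes, but not all of them are equally useful as indicators. The script below is an added example and is not part of the sandbox report: it takes the paths and hashes copied from the behavioral1 and behavioral2 Files sections, folds /data/data/<pkg> and /data/user/0/<pkg> together (the former is a link to the latter on current Android), flags content-free files, and reports which artifacts were byte-identical across both runs. The null-file check and the stable/volatile split are the editor's.

```python
"""Compare the file artifacts of the two behavioral runs.

Added example, not part of the sandbox report. FILES is copied from the
behavioral1 and behavioral2 Files sections (md5 and sha256 only).
"""
import hashlib
from collections import defaultdict
from typing import List, Tuple

PKG = "com.lyztjdb.bt.qipa"
D1 = f"/data/data/{PKG}/"       # path form in the behavioral1 listing
D2 = f"/data/user/0/{PKG}/"     # path form in the behavioral2 listing
LOG = f"/storage/emulated/0/Android/data/{PKG}/files/tbslog/tbslog.txt"

FILES: List[Tuple[str, str, str, str]] = [  # (run, path, md5, sha256) as listed on the page
    ("behavioral1", LOG, "eb223f98300e06b9ba695f7198d04b40",
     "5b7c7a1c8133390f1a72251f9e635187d1b430c8899f506e176d25428e23596f"),
    ("behavioral1", D1 + "databases/xUtils_http_cookie.db-journal", "39f3f26232b1e140a0e87fac9885fa8c",
     "03b9896da654f07382c331b4dd9cde85040c55ef66291704f2897cb29ff6828c"),
    ("behavioral1", D1 + "databases/xUtils_http_cookie.db", "3fe30614d7e0d11db870b4624f6c50e0",
     "67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d"),
    ("behavioral1", D1 + "databases/xUtils_http_cookie.db-shm", "bb7df04e1b0a2570657527a7e108ae23",
     "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479"),
    ("behavioral1", D1 + "databases/xUtils_http_cookie.db-wal", "ef35cfb86e7df6cb5a714693915de918",
     "bace24718b1cb4505fff2bed7fbc4233b9b6162257c12c50b6faeb4b56301a0e"),
    ("behavioral1", D1 + "databases/xUtils_http_cookie.db-wal", "1374e7af879cd4e81a5ef57d0573f294",
     "e2f807c2418f48afcb0149b6d51ed6fda0c4cc5ee7c48188fea49cec2c1e5233"),
    ("behavioral1", D1 + "app_tbs/core_private/debug.conf", "6276166988a33abf6cb34237f184ad29",
     "cb3c1b6dc7b20f0880e1018c9053b1e9a14ff0cdbed2f9f5473c01cbd2759205"),
    ("behavioral2", LOG + " (deleted)", "385e9cf6bfbc9ab3f481b1ecd422f393",
     "b2b82f6f9eb5da6dc9a7efcc485a8370d5afc2cdaab4f7618309bff8f112b915"),
    ("behavioral2", D2 + "databases/xUtils_http_cookie.db-journal", "87e3a2945ba04e6162e02fc715af242a",
     "746604e61a6448c4e51678a663d28699b7c7cc0ffee1e996da9e28c7790b345d"),
    ("behavioral2", D2 + "databases/xUtils_http_cookie.db", "171aedf968e17a2744d2585715606cb9",
     "d2ab452d9360848f46af866b870b5c6fc98230b09c72b89cb1a4b2778586678e"),
    ("behavioral2", D2 + "databases/xUtils_http_cookie.db-journal", "5e5f62dc7ec5077a6e53accba6828fad",
     "d6a6a4776d96a49ccb8f452a491ca14100bc91233c362c58e4d5b931ac7cd255"),
    ("behavioral2", D2 + "databases/xUtils_http_cookie.db-journal", "b4d244c3867083e906af39e72dd2c5bf",
     "2b8be1d4276a406961e05c5d781b35db72eea124ad0e915c3407c6602c06cf9b"),
    ("behavioral2", D2 + "databases/xUtils_http_cookie.db", "b9e10ce4641ac1eb042b25c43bc3d8f3",
     "fb2d2d7f4ccb2251604003206df006b69f41705f0b265ddec061ac6beb30dd95"),
    ("behavioral2", D2 + "databases/xUtils_http_cookie.db-shm", "bb7df04e1b0a2570657527a7e108ae23",
     "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479"),
    ("behavioral2", D2 + "databases/xUtils_http_cookie.db-wal", "df8dc10113fa47e2bcbf37d9071b2513",
     "f1a9aa80aae51813bbd9813fd9600978ea3d6512ac5d44f7d847e1e604fbb1f4"),
    ("behavioral2", D2 + "app_tbs/core_private/debug.conf", "6276166988a33abf6cb34237f184ad29",
     "cb3c1b6dc7b20f0880e1018c9053b1e9a14ff0cdbed2f9f5473c01cbd2759205"),
]

# Hashes of 32 KiB of zero bytes: an untouched SQLite shared-memory index looks exactly
# like this, and so do many other pre-allocated files. Content-free, so worthless as an IOC.
NULL_32K = b"\x00" * 32768
NULL_HASHES = {hashlib.md5(NULL_32K).hexdigest(), hashlib.sha256(NULL_32K).hexdigest()}


def normalize(path: str) -> str:
    """Strip the '(deleted)' marker and fold /data/data/<pkg> into /data/user/0/<pkg>."""
    path = path.replace(" (deleted)", "")
    if path.startswith("/data/data/"):
        path = "/data/user/0/" + path[len("/data/data/"):]
    return path


def classify_artifacts(files) -> dict:
    """Split artifacts into null (content-free), stable (same sha256 in every run) and volatile."""
    by_path = defaultdict(lambda: defaultdict(set))  # path -> run -> {sha256}
    null_files = set()
    for run, path, md5, sha256 in files:
        p = normalize(path)
        if md5 in NULL_HASHES or sha256 in NULL_HASHES:
            null_files.add(p)
        by_path[p][run].add(sha256)
    stable, volatile = [], []
    for p, runs in by_path.items():
        if p in null_files:
            continue
        hashes = set().union(*runs.values())
        if len(runs) >= 2 and len(hashes) == 1:
            stable.append((p, hashes.pop()))
        else:
            volatile.append(p)
    return {"null_files": sorted(null_files), "stable": sorted(stable), "volatile": sorted(volatile)}


if __name__ == "__main__":
    for key, value in classify_artifacts(FILES).items():
        print(f"{key}: {value}")
```

Run against the page's own listings, the -shm file in both runs hashes as 32 KiB of zeros, so its MD5 and SHA256 will match thousands of unrelated reports and must not go on a blocklist. Only app_tbs/core_private/debug.conf is byte-identical across the two detonations; that makes it the one deterministic file indicator here, but its location under app_tbs suggests a bundled component rather than something unique to this sample, so check it against clean apps that ship the same component before relying on it. Everything under databases/ and the tbslog.txt file changed between runs and only serves as a behavioural description, not a hash indicator.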