Malware Analysis Report

2024-10-19 13:18

Sample ID 240602-pb7z9scc21
Target 8e08208b763b09ffd6d51dabd04d3432_JaffaCakes118
SHA256 2260df3fb1cc7c64e9f84f4a2032659526d28684689d4d1662bc412ae396f1fb
Tags
collection discovery evasion persistence credential_access impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2260df3fb1cc7c64e9f84f4a2032659526d28684689d4d1662bc412ae396f1fb

Threat Level: Likely malicious

The file 8e08208b763b09ffd6d51dabd04d3432_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion persistence credential_access impact

Requests cell location

Obtains sensitive information copied to the device clipboard

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Checks memory information

Queries the mobile country code (MCC)

Queries information about the current nearby Wi-Fi networks

Checks CPU information

Acquires the wake lock

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Checks if the internet connection is available

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 12:10

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 12:10

Reported

2024-06-02 12:13

Platform

android-x86-arm-20240514-en

Max time kernel

160s

Max time network

179s

Command Line

kaixin2.weizhang9

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.jar N/A N/A
N/A /data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.jar N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Processes

kaixin2.weizhang9

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.jar --output-vdex-fd=107 --oat-fd=108 --oat-location=/data/user/0/kaixin2.weizhang9/files/oat/x86/__pasys_remote_banner.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.195:443 tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
GB 216.58.212.227:443 tcp
US 1.1.1.1:53 blog.tianya.cn udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 chaweizhang.eclicks.cn udp
GB 142.250.200.46:443 tcp
GB 142.250.180.2:443 tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp

Files

/data/data/kaixin2.weizhang9/files/__pasys_remote_banner.tmp.jar

MD5 2ad9fb4b2d9b333883b7e38f61c2fd2f
SHA1 5b85041452d173ed0d81d25b9ca78608a998e328
SHA256 b9310a99f1b60959f6b725eea74623dc491adec55da740c17e8c7e02f35818f5
SHA512 6fc04e1e22ebf8920b4928a8086cf3e0814d155f79f80d71622916f6a0911262382710e5ee2acea653db4b387730e201134592cb9992b14f3aef8b09d83bda90

/data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.jar

MD5 c601107d24f96646ae86f74b0fea880c
SHA1 8a8ce84fe5b6e186ddcd69c8757de4fb1aae7ed1
SHA256 939120d702d97dc47c6963d98dc1d2694e0fae5f5d5199c0755f54741a3c2a16
SHA512 b573a0d74ea8c6e99c3ebad4ac7b42ce46940231f8a90c9b19c887c6c20356235241068d187aab2bae9914c3df84cbe80bca13b5b6d070247353f5e5eb282f33

/data/data/kaixin2.weizhang9/files/oat/__pasys_remote_banner.jar.cur.prof

MD5 5b8a1757e256db7cdd9789e095e8d8ef
SHA1 85c0a3bab25d4b3b678d3998f454f3977bbca753
SHA256 7156301915d54b38b6f255292bba07b4002fd9be022401af25d068e35f900e63
SHA512 5ab0cb8542ea54b968dd4abe4c219cdccce170c342c77adf775d7215fa7ee3fe626788cfffdbc437dbd481cf77590960ff0a0671b0037e634fcc82af042fb55d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 12:10

Reported

2024-06-02 12:13

Platform

android-x64-20240514-en

Max time kernel

163s

Max time network

184s

Command Line

kaixin2.weizhang9

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

kaixin2.weizhang9

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
GB 142.250.187.202:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 blog.tianya.cn udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
GB 216.58.212.226:443 tcp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 chaweizhang.eclicks.cn udp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp

Files

/data/data/kaixin2.weizhang9/files/__pasys_remote_banner.tmp.jar

MD5 2ad9fb4b2d9b333883b7e38f61c2fd2f
SHA1 5b85041452d173ed0d81d25b9ca78608a998e328
SHA256 b9310a99f1b60959f6b725eea74623dc491adec55da740c17e8c7e02f35818f5
SHA512 6fc04e1e22ebf8920b4928a8086cf3e0814d155f79f80d71622916f6a0911262382710e5ee2acea653db4b387730e201134592cb9992b14f3aef8b09d83bda90

/data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.jar

MD5 c601107d24f96646ae86f74b0fea880c
SHA1 8a8ce84fe5b6e186ddcd69c8757de4fb1aae7ed1
SHA256 939120d702d97dc47c6963d98dc1d2694e0fae5f5d5199c0755f54741a3c2a16
SHA512 b573a0d74ea8c6e99c3ebad4ac7b42ce46940231f8a90c9b19c887c6c20356235241068d187aab2bae9914c3df84cbe80bca13b5b6d070247353f5e5eb282f33

/data/data/kaixin2.weizhang9/files/oat/__pasys_remote_banner.jar.cur.prof

MD5 c89634c44fd067bf75b53a4d6b94e354
SHA1 8d5d4386b5e140134fb2cb855f5de081545a8284
SHA256 e4c437a456bee1c8fcd32ae317017e63e052f0f4de7c6193adcda11ad98e7617
SHA512 e16f85431a155984b33bc6341c7c55d9361a97f0f04f9c1f6eb581bff9f172f571a0c571e998ef3ad635596dc2c489a3268fda7e8fb3f36aaff7b77f67998e06

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-02 12:10

Reported

2024-06-02 12:13

Platform

android-x64-arm64-20240514-en

Max time kernel

164s

Max time network

185s

Command Line

kaixin2.weizhang9

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

kaixin2.weizhang9

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 blog.tianya.cn udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 blog.tianya.cn udp
US 1.1.1.1:53 chaweizhang.eclicks.cn udp
CN 182.61.200.101:80 mobads.baidu.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp

Files

/data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.tmp.jar

MD5 2ad9fb4b2d9b333883b7e38f61c2fd2f
SHA1 5b85041452d173ed0d81d25b9ca78608a998e328
SHA256 b9310a99f1b60959f6b725eea74623dc491adec55da740c17e8c7e02f35818f5
SHA512 6fc04e1e22ebf8920b4928a8086cf3e0814d155f79f80d71622916f6a0911262382710e5ee2acea653db4b387730e201134592cb9992b14f3aef8b09d83bda90

/data/user/0/kaixin2.weizhang9/files/__pasys_remote_banner.jar

MD5 c601107d24f96646ae86f74b0fea880c
SHA1 8a8ce84fe5b6e186ddcd69c8757de4fb1aae7ed1
SHA256 939120d702d97dc47c6963d98dc1d2694e0fae5f5d5199c0755f54741a3c2a16
SHA512 b573a0d74ea8c6e99c3ebad4ac7b42ce46940231f8a90c9b19c887c6c20356235241068d187aab2bae9914c3df84cbe80bca13b5b6d070247353f5e5eb282f33

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-02 12:10

Reported

2024-06-02 12:10

Platform

android-x86-arm-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.200.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-02 12:10

Reported

2024-06-02 12:10

Platform

android-x64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-02 12:10

Reported

2024-06-02 12:10

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A