Malware Analysis Report

2024-10-19 13:18

Sample ID 240602-wkla7aba47
Target 8eef018905d9bc6229ba7d8f3d92a0bf_JaffaCakes118
SHA256 1b311a7dfd7fe71e8dacca65b86ac4f1dd4219303f37a85f85392257fceb1951
Tags
collection credential_access discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1b311a7dfd7fe71e8dacca65b86ac4f1dd4219303f37a85f85392257fceb1951

Threat Level: Shows suspicious behavior

The file 8eef018905d9bc6229ba7d8f3d92a0bf_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Checks CPU information

Queries information about the current Wi-Fi connection

Checks memory information

Checks if the internet connection is available

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 17:58

Signatures

Requests dangerous framework permissions

Indicator                                  Description (Process and Target are N/A for every row)
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage. (listed 2x)
android.permission.READ_PHONE_STATE        Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. (listed 2x)
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.RECORD_AUDIO            Allows an application to record audio.
android.permission.SYSTEM_ALERT_WINDOW     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. (listed 3x)
android.permission.CAMERA                  Required to be able to access the camera device.
android.permission.ACCESS_FINE_LOCATION    Allows an app to access precise location.

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-02 17:58

Reported

2024-06-02 18:02

Platform

android-x64-arm64-20240514-en

Max time kernel

158s

Max time network

168s

Command Line

china.zh.n.FireHero

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

china.zh.n.FireHero

Network

Country  Destination             Domain                    Proto
N/A      224.0.0.251:5353                                  udp
GB       142.250.200.46:443                                tcp
GB       142.250.200.46:443                                tcp
US       1.1.1.1:53              android.apis.google.com   udp
GB       142.250.187.206:443     android.apis.google.com   tcp
GB       142.250.187.206:443     android.apis.google.com   tcp
US       1.1.1.1:53              www.funbox.top            udp
US       1.1.1.1:53              yj.ejianad.com            udp
US       1.1.1.1:53              alog.umeng.com            udp
CN       223.109.148.177:80      alog.umeng.com            tcp
US       1.1.1.1:53              bcs.pubbcsapp.com         udp
US       1.1.1.1:53              ssl.google-analytics.com  udp
GB       172.217.169.72:443      ssl.google-analytics.com  tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
US       1.1.1.1:53              mobads.baidu.com          udp
CN       182.61.200.101:80       mobads.baidu.com          tcp
CN       182.61.200.101:80       mobads.baidu.com          tcp
CN       223.109.148.176:80      alog.umeng.com            tcp
CN       182.61.200.101:80       mobads.baidu.com          tcp
CN       223.109.148.179:80      alog.umeng.com            tcp
CN       223.109.148.130:80      alog.umeng.com            tcp
GB       216.58.201.100:443                                tcp
GB       216.58.201.100:443                                tcp
CN       223.109.148.141:80      alog.umeng.com            tcp
CN       223.109.148.178:80      alog.umeng.com            tcp
US       1.1.1.1:53              alog.umeng.co             udp
GB       142.250.187.206:443     android.apis.google.com   tcp
GB       216.58.201.98:443                                 tcp

Files

/storage/emulated/0/download/uaassf/as/u.dat

MD5 a72efc3abeaa8da2539380df9721235a
SHA1 4a872d44a1ab1da9eb3f4be94037a6f714e2c1e3
SHA256 a93b60ff21a7890f58388cd491fd4dbfffb91061dcdf9ba1823e78d18d76f3b0
SHA512 ddb71571ff6effa768ecb67e43d477182a397ec1ab5b1eed7b002e561b455aba5d073a651396c79dda8b926cf5863f7f201f79885ff7e14dbfe49f3f74dbcde1

/data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8

/data/user/0/china.zh.n.FireHero/files/oat/__pasys_remote_banner.jar.cur.prof

MD5 5ed1146c31782889e2a3744146613c65
SHA1 458ae15a9437163ff1bd6301fdd88dc093467962
SHA256 6df02afdd5e95add3048ad0e5d81a1fff0659d0963f15f86851263d7566e3ae0
SHA512 fe08b64a313b7b2cccefe5cd2bdf172d30c2060b950e8ffa4519115ea79d9f1146d9c406b3f94f4b168a3c6bc75835ce87170bf79c8ed1045d85ebb41f524ef9

/data/user/0/china.zh.n.FireHero/files/mobclick_agent_cached_china.zh.n.FireHero

MD5 cf95cf64315eeb694152e05296df9905
SHA1 4f91e139a702f248226b268f68fb377ffb3fab50
SHA256 b22c691d9f1dfa06a1ec4018070c43e502877f25a69765975c4356c78cf56eb7
SHA512 5ca5cb88d0479b430b35dec3b8ee916fe6cc91a7d4943357c1e33c636e9263e105b31244c97a9c621530a221162eecd62efbe106cbccbb4258dad3ddb866f045

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 17:58

Reported

2024-06-02 18:02

Platform

android-x86-arm-20240514-en

Max time kernel

154s

Max time network

131s

Command Line

china.zh.n.FireHero

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar N/A N/A
N/A /data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

china.zh.n.FireHero

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar --output-vdex-fd=74 --oat-fd=79 --oat-location=/data/user/0/china.zh.n.FireHero/files/oat/x86/__pasys_remote_banner.odex --compiler-filter=quicken --class-loader-context=&
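The dex2oat line above shows ART compiling the dropped __pasys_remote_banner.jar into an odex under files/oat/, which is also where the .jar.cur.prof entries in the Files lists come from (ART profile data, not payload). The "Loads dropped Dex/Jar" signature in all three detonations says only that a file was handed to a class loader; the first thing an analyst wants after pulling that jar is to confirm what it actually is. The following script is an added example, not part of the sandbox report or the app: it classifies a blob as raw DEX, a JAR/APK carrying classes.dex, a dex2oat ELF/OAT artefact, or something else, and checks the dex header's file_size field against the real length. The sample inputs are constructed in memory so it runs offline; a real artefact would be pulled with adb pull.

```python
"""Triage a file dropped by an Android app: raw DEX, a JAR/APK that carries
classes.dex (loadable through DexClassLoader), a dex2oat ELF/OAT artefact, or
something else. Added example, not the sandbox's code. The inputs below are
constructed in memory; a real artefact would be `adb pull`-ed from the device."""
import io
import struct
import sys
import zipfile

DEX_MAGIC = b"dex\n"        # raw .dex: "dex\n" + 3-digit version + NUL
ZIP_MAGIC = b"PK\x03\x04"   # .jar / .apk are zip containers
ELF_MAGIC = b"\x7fELF"      # .odex / .oat emitted by dex2oat are ELF images
DEX_HEADER_LEN = 0x70       # fixed size of the dex header


def classify_dropped_file(data: bytes) -> dict:
    """Describe what kind of loadable code `data` is."""
    if data.startswith(DEX_MAGIC) and len(data) >= DEX_HEADER_LEN:
        version = data[4:7].decode("ascii", "replace")
        # file_size is a little-endian u32 at offset 0x20 of the dex header;
        # a mismatch means a truncated or tampered file
        declared = struct.unpack_from("<I", data, 0x20)[0]
        return {"kind": "dex", "version": version,
                "size_matches_header": declared == len(data)}
    if data.startswith(ELF_MAGIC):
        return {"kind": "elf/oat"}
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        dex_entries = [n for n in names if n.endswith(".dex")]
        # a zip with a .dex entry is what DexClassLoader / PathClassLoader load
        return {"kind": "jar/apk", "entries": names,
                "dex_entries": dex_entries, "loadable": bool(dex_entries)}
    return {"kind": "unknown"}


def build_fake_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only dex with a consistent file_size field."""
    header = bytearray(DEX_HEADER_LEN)
    header[0:8] = DEX_MAGIC + version + b"\0"
    struct.pack_into("<I", header, 0x20, len(header))
    return bytes(header)


def build_jar(entries: dict) -> bytes:
    """Constructed sample: an in-memory zip with the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python classify_drop.py /path/to/__pasys_remote_banner.jar
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_jar({"classes.dex": build_fake_dex()})
    print(classify_dropped_file(blob))
```

A jar that classifies as loadable deserves the same static pass as the APK itself (permissions it cannot add, but classes and reflection targets it can); a jar without any .dex entry is most likely resources, and the loader call is then a weaker signal.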

Network

Country  Destination             Domain                    Proto
N/A      224.0.0.251:5353                                  udp
US       1.1.1.1:53              yj.ejianad.com            udp
US       1.1.1.1:53              www.funbox.top            udp
US       1.1.1.1:53              alog.umeng.com            udp
CN       223.109.148.177:80      alog.umeng.com            tcp
US       1.1.1.1:53              bcs.pubbcsapp.com         udp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
GB       142.250.200.3:443                                 tcp
US       1.1.1.1:53              mobads.baidu.com          udp
CN       182.61.200.101:80       mobads.baidu.com          tcp
CN       182.61.200.101:80       mobads.baidu.com          tcp
CN       223.109.148.130:80      alog.umeng.com            tcp
CN       182.61.200.101:80       mobads.baidu.com          tcp
GB       142.250.180.14:443                                tcp
US       1.1.1.1:53              android.apis.google.com   udp
GB       142.250.200.46:443      android.apis.google.com   tcp
CN       223.109.148.141:80      alog.umeng.com            tcp
GB       142.250.187.206:443                               tcp
CN       223.109.148.179:80      alog.umeng.com            tcp
CN       223.109.148.178:80      alog.umeng.com            tcp
CN       223.109.148.176:80      alog.umeng.com            tcp
US       1.1.1.1:53              alog.umeng.co             udp

Files

/storage/emulated/0/Download/uaassf/as/u.dat

MD5 a72efc3abeaa8da2539380df9721235a
SHA1 4a872d44a1ab1da9eb3f4be94037a6f714e2c1e3
SHA256 a93b60ff21a7890f58388cd491fd4dbfffb91061dcdf9ba1823e78d18d76f3b0
SHA512 ddb71571ff6effa768ecb67e43d477182a397ec1ab5b1eed7b002e561b455aba5d073a651396c79dda8b926cf5863f7f201f79885ff7e14dbfe49f3f74dbcde1

/storage/emulated/0/Android/data/cjl/IM.DAT

MD5 2b53b6b030d7bdb5da6ea0d501b6a165
SHA1 fa4e9e8d724d91963a3fa3def11790559cac11c1
SHA256 d8209526853a232417c586b6c130ed3ec53af8a2928b95d032ddcee37b4698fc
SHA512 dceddb69f3c907593c47edd56cea3b5cd68e560f020244e6abf9e63c58263d38b36e8736617758f2c5c7292bffd815af44fee3805217aa9065cd143e0599b128

/data/data/china.zh.n.FireHero/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8

/data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar

MD5 981c6cf9b7df281081e05c808cf0afd5
SHA1 48aabea85a9693f461f87e1bdb9f8e76a8b45c1b
SHA256 639cf990e6246c0418adf545481ca1549a3ac1b443bb3ad3f5a3552400e41f0e
SHA512 b6e668c33021b64adaa304a4e085a2c5c88c16c99e811a4c768534fd67cd6cc380e125e960de511c3abc33c7b842be1441a7dd48aff83c2928d62ebaf65f6adc

/data/data/china.zh.n.FireHero/files/oat/__pasys_remote_banner.jar.cur.prof

MD5 6ce02ce7f8fd5e8e2c5be2d088fa8a01
SHA1 6fc1239ad23992feaf6848c9e37e9948f8074a69
SHA256 6d30888da9c77a622d52e09d302b27b29abdbba0a4d58b2b950c00503ff224d9
SHA512 96dfae9f2d69d6ec2078d8967cbfbd50056be2de768691cb7376a046632d743970c7e799d16fbf020436b50640038e4dc760dd1b152902d4e6804e4cf12c9c6a

/data/data/china.zh.n.FireHero/files/mobclick_agent_cached_china.zh.n.FireHero

MD5 1661235479cff8617f6f51614da42182
SHA1 5c4e7dc3fb50e6b16672a4d8c3100788649bfc0f
SHA256 a782e3520ede4a1fb7014a2853e8d43bdb9a8964aa63db236e79eee984934c57
SHA512 36d036a9201cab82b1da0927df06d99d982eb22a973a1ee829f30fcd9784f49b14e52ecb89a6d72598a6988b510d0230aacbe1924416e4fbe97338f33a64cf0d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 17:58

Reported

2024-06-02 18:02

Platform

android-x64-20240514-en

Max time kernel

161s

Max time network

153s

Command Line

china.zh.n.FireHero

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

china.zh.n.FireHero

Network

Country  Destination             Domain                    Proto
N/A      224.0.0.251:5353                                  udp
US       1.1.1.1:53              www.funbox.top            udp
US       1.1.1.1:53              yj.ejianad.com            udp
US       1.1.1.1:53              alog.umeng.com            udp
CN       223.109.148.178:80      alog.umeng.com            tcp
US       1.1.1.1:53              bcs.pubbcsapp.com         udp
US       1.1.1.1:53              ssl.google-analytics.com  udp
GB       142.250.180.8:443       ssl.google-analytics.com  tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
HK       103.235.46.61:80        bcs.pubbcsapp.com         tcp
GB       142.250.200.10:443                                tcp
US       1.1.1.1:53              mobads.baidu.com          udp
CN       182.61.200.101:80       mobads.baidu.com          tcp
CN       182.61.200.101:80       mobads.baidu.com          tcp
US       1.1.1.1:53              android.apis.google.com   udp
GB       142.250.187.238:443     android.apis.google.com   tcp
GB       142.250.200.46:443                                tcp
CN       182.61.200.101:80       mobads.baidu.com          tcp
GB       172.217.169.14:443                                tcp
GB       172.217.16.226:443                                tcp
GB       216.58.201.100:443                                tcp
GB       216.58.201.100:443                                tcp
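The three Network tables (behavioral3, behavioral1 and behavioral2) carry the same kinds of rows: resolver queries to 1.1.1.1:53, plain-HTTP and TLS connections attributed to a name, and connections with no domain that the sandbox could not tie to a DNS answer (mDNS to 224.0.0.251, TLS to bare Google IPs). Reading them by hand hides two things a hunter wants: which names were looked up but never contacted (www.funbox.top, yj.ejianad.com and the odd alog.umeng.co query in every run), and how many distinct endpoints sit behind the one name that triggered a signature. The script below is an added example, not the sandbox's code: it parses rows in that layout and summarises them. SAMPLE is the behavioral3 table from this report, copied as-is. One caveat on the flagged name: alog.umeng.com belongs to the Umeng analytics SDK, and the mobclick_agent_cached_china.zh.n.FireHero file in the Files lists is that SDK's own cache. The domain is on the echap.eu.org list because stalkerware commonly embeds Umeng; on its own it shows the SDK is present, not that the app is stalkerware, which is why the watchlist match is reported separately from the rest.

```python
"""Turn the flattened 'Country Destination Domain Proto' rows of a sandbox report
into a hunting-ready summary. Added example; not the sandbox's own code.
SAMPLE is the behavioral3 network table of this report, copied verbatim."""
from __future__ import annotations
import re
from collections import defaultdict

SAMPLE = """
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 www.funbox.top udp
US 1.1.1.1:53 yj.ejianad.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 bcs.pubbcsapp.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
HK 103.235.46.61:80 bcs.pubbcsapp.com tcp
HK 103.235.46.61:80 bcs.pubbcsapp.com tcp
HK 103.235.46.61:80 bcs.pubbcsapp.com tcp
HK 103.235.46.61:80 bcs.pubbcsapp.com tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.201.98:443 tcp
"""

# A row is: country, ip:port, optional domain, proto. The domain is absent when
# the sandbox could not tie the connection to a DNS answer.
ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def summarize(rows: list[dict], watchlist: frozenset[str] = frozenset()) -> dict:
    queried: set[str] = set()                      # names sent to the resolver
    contacted: dict[str, set] = defaultdict(set)   # name -> {(ip, port, proto)}
    unattributed: set = set()                      # (ip, port, proto) with no name
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp" and r["domain"]:
            queried.add(r["domain"])
        elif r["domain"]:
            contacted[r["domain"]].add((r["ip"], r["port"], r["proto"]))
        else:
            unattributed.add((r["ip"], r["port"], r["proto"]))
    return {
        # looked up but never connected to: dead, sinkholed or blocked infrastructure
        "resolved_only": sorted(queried - set(contacted)),
        "contacted": {d: sorted(v) for d, v in sorted(contacted.items())},
        "unattributed": sorted(unattributed),
        "watchlist_hits": sorted((queried | set(contacted)) & watchlist),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_rows(SAMPLE), frozenset({"alog.umeng.com"})), indent=2))
```

Run against the behavioral1 and behavioral2 tables the same way; the resolved-only set is identical in all three runs, which makes those three names better block-list candidates than the shared ad and analytics hosts.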

Files

/storage/emulated/0/Download/uaassf/as/u.dat

MD5 a72efc3abeaa8da2539380df9721235a
SHA1 4a872d44a1ab1da9eb3f4be94037a6f714e2c1e3
SHA256 a93b60ff21a7890f58388cd491fd4dbfffb91061dcdf9ba1823e78d18d76f3b0
SHA512 ddb71571ff6effa768ecb67e43d477182a397ec1ab5b1eed7b002e561b455aba5d073a651396c79dda8b926cf5863f7f201f79885ff7e14dbfe49f3f74dbcde1

/data/data/china.zh.n.FireHero/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/china.zh.n.FireHero/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8