Malware Analysis Report

2024-10-19 13:18

Sample ID 240602-ym5hysda8v
Target 8f3bc877489a10c7bff9a652590d92e4_JaffaCakes118
SHA256 6bb074f5b0c70b418e1cc8fd1cecf9d417a2463388bc26b2ef3d96c374bcf892
Tags
banker discovery evasion impact persistence collection credential_access
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 8f3bc877489a10c7bff9a652590d92e4_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence collection credential_access

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks CPU information

Loads dropped Dex/Jar

Queries information about running processes on the device

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks memory information

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-06-02 19:55

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 19:55

Reported

2024-06-02 19:58

Platform

android-x86-arm-20240514-en

Max time kernel

47s

Max time network

171s

Command Line

io.dcloud.H59529EFD

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

io.dcloud.H59529EFD

Network

Files

/storage/emulated/0/.imei.txt

/data/data/io.dcloud.H59529EFD/shared_prefs_ext/test_app

/data/data/io.dcloud.H59529EFD/files/cnc3ejE6/eje3cnc


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 19:55

Reported

2024-06-02 19:58

Platform

android-x64-arm64-20240514-en

Max time kernel

174s

Max time network

168s

Command Line

io.dcloud.H59529EFD

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/io.dcloud.H59529EFD/[email protected] N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

io.dcloud.H59529EFD

Network

Files

/data/user/0/io.dcloud.H59529EFD/.00000000000/A3AEECD8.dex (listed twice in the report with differing hashes)

/storage/emulated/0/.imei.txt

/data/data/io.dcloud.H59529EFD/shared_prefs_ext/test_app

/data/user/0/io.dcloud.H59529EFD/files/cnc3ejE6/eje3cnc
