Malware Analysis Report

2024-09-09 13:38

Sample ID: 240603-cepa4sfc8v
Target: 90322951bfd2bb251279a4e31585d59b_JaffaCakes118
SHA256: 6a14393721d173d8b87d7d00c2b28a6e9f7e3542852282aa9148be324fea4cbc
Tags: discovery, evasion, execution, persistence, stealth, trojan, collection, credential_access, impact
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 6a14393721d173d8b87d7d00c2b28a6e9f7e3542852282aa9148be324fea4cbc

Threat Level: Likely malicious

The file 90322951bfd2bb251279a4e31585d59b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, execution, persistence, stealth, trojan, collection, credential_access, impact

Removes its main activity from the application launcher

Checks CPU information

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Schedules tasks to execute at a specified time

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-03 01:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 01:59
Reported: 2024-06-03 02:02
Platform: android-x86-arm-20240514-en
Max time kernel: 23s
Max time network: 130s

Command Line

com.tocaboca.tocaboo.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth, trojan, evasion
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Checks CPU information
Tags: evasion, discovery
Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information
Tags: evasion, discovery
Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)
Tags: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Schedules tasks to execute at a specified time
Tags: execution, persistence
Description: Framework service call
Indicator: android.app.job.IJobScheduler.schedule
Process: N/A
Target: N/A

Processes

com.tocaboca.tocaboo.hack

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      N/A                       udp
US       1.1.1.1:53            freegeoip.net             udp
US       172.67.165.196:443    freegeoip.net             tcp
US       1.1.1.1:53            lp.androidapk.world       udp
US       172.67.165.196:80     freegeoip.net             tcp
GB       142.250.180.14:443    N/A                       tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.187.238:443   android.apis.google.com   tcp
GB       142.250.187.206:443   N/A                       tcp

Files

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-shm

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-wal

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-wal

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 01:59
Reported: 2024-06-03 02:02
Platform: android-x64-20240514-en
Max time kernel: 49s
Max time network: 152s

Command Line

com.tocaboca.tocaboo.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth, trojan, evasion
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Checks CPU information
Tags: evasion, discovery
Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information
Tags: evasion, discovery
Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Obtains sensitive information copied to the device clipboard
Tags: collection, credential_access, impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries the mobile country code (MCC)
Tags: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Schedules tasks to execute at a specified time
Tags: execution, persistence
Description: Framework service call
Indicator: android.app.job.IJobScheduler.schedule
Process: N/A
Target: N/A

Processes

com.tocaboca.tocaboo.hack

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.187.232:443   ssl.google-analytics.com   tcp
US       1.1.1.1:53            freegeoip.net              udp
US       172.67.165.196:443    freegeoip.net              tcp
US       1.1.1.1:53            lp.androidapk.world        udp
US       172.67.165.196:80     freegeoip.net              tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       216.58.204.78:443     android.apis.google.com    tcp
GB       142.250.187.206:443   N/A                        tcp
GB       172.217.16.238:443    N/A                        tcp
GB       142.250.179.226:443   N/A                        tcp
GB       142.250.178.4:443     N/A                        tcp
US       1.1.1.1:53            www.google.com             udp
GB       142.250.180.4:443     www.google.com             tcp

Files

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/data/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-03 01:59
Reported: 2024-06-03 02:03
Platform: android-x64-arm64-20240514-en
Max time kernel: 25s
Max time network: 131s

Command Line

com.tocaboca.tocaboo.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth, trojan, evasion
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Checks CPU information
Tags: evasion, discovery
Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information
Tags: evasion, discovery
Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Obtains sensitive information copied to the device clipboard
Tags: collection, credential_access, impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Schedules tasks to execute at a specified time
Tags: execution, persistence
Description: Framework service call
Indicator: android.app.job.IJobScheduler.schedule
Process: N/A
Target: N/A

Processes

com.tocaboca.tocaboo.hack

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
GB       172.217.169.14:443    N/A                        tcp
GB       172.217.169.14:443    N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       216.58.204.78:443     android.apis.google.com    tcp
US       1.1.1.1:53            freegeoip.net              udp
US       172.67.165.196:443    freegeoip.net              tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.187.232:443   ssl.google-analytics.com   tcp
US       172.67.165.196:80     freegeoip.net              tcp
US       1.1.1.1:53            lp.androidapk.world        udp
GB       142.250.200.4:443     N/A                        tcp
GB       142.250.200.4:443     N/A                        tcp
US       1.1.1.1:53            www.google.com             udp
GB       142.250.179.228:443   www.google.com             tcp

Files

/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db

/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db-journal

/data/user/0/com.tocaboca.tocaboo.hack/databases/evernote_jobs.db