Malware Analysis Report

2025-01-06 11:50

Sample ID 240603-d55lfsbc22
Target 906a9b8b116d95971794bdfb1c44670d_JaffaCakes118
SHA256 3d9ec591f829440da0051dd755ecbf326e6f03f83eb3d88c51a6b633cb31b572
Tags
banker collection discovery evasion persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 906a9b8b116d95971794bdfb1c44670d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Checks CPU information

Checks memory information

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Queries information about the current nearby Wi-Fi networks

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

Reads information about phone network operator

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:36

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:36

Reported

2024-06-03 03:41

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

187s

Command Line

tv.pps.mobile

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Processes

tv.pps.mobile

df

tv.pps.mobile:remote5

Network


Files

/storage/emulated/0/.pps/uuid.data
/storage/emulated/0/.pps/parnter.data
/data/data/tv.pps.mobile/config/ems.conf
/data/data/tv.pps.mobile/databases/pps_user_data.db-journal
/data/data/tv.pps.mobile/databases/pps_user_data.db
/data/data/tv.pps.mobile/databases/pps_user_data.db-shm
/data/data/tv.pps.mobile/databases/pps_user_data.db-wal
/data/data/tv.pps.mobile/ppscache/PSNetwork.ini
/storage/emulated/0/settings/tv.pps.mobile
/data/data/tv.pps.mobile/ppscache/pgf.cache-journal
/data/data/tv.pps.mobile/ppscache/pgf.cache
/data/data/tv.pps.mobile/databases/_ire-journal
/data/data/tv.pps.mobile/databases/_ire-shm
/data/data/tv.pps.mobile/databases/_ire-wal
/storage/emulated/0/baidu/tempdata/ls.db-journal
/storage/emulated/0/baidu/tempdata/ls.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:36

Reported

2024-06-03 03:42

Platform

android-x86-arm-20240514-en

Max time kernel

3s

Max time network

130s

Command Line

com.alipay.android.app

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.alipay.android.app

Network


Files

N/A