Malware Analysis Report

2025-01-06 11:47

Sample ID 240603-e81mcach77
Target 908d02efb93d719e71d03abe05b790c7_JaffaCakes118
SHA256 9e296344784c613b2d5610826f08c0c399a4a4daa1adeb2b5f784246472d4be2
Tags
banker collection discovery evasion impact persistence
Score
8/10

Analysis Overview

Score
8/10

SHA256

9e296344784c613b2d5610826f08c0c399a4a4daa1adeb2b5f784246472d4be2

Threat Level: Likely malicious

The file 908d02efb93d719e71d03abe05b790c7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Queries information about the current Wi-Fi connection

Checks memory information

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Queries information about the current nearby Wi-Fi networks

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries information about running processes on the device

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:37

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-03 04:37

Reported

2024-06-03 04:37

Platform

android-x64-arm64-20240514-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain  Proto
N/A      224.0.0.251:5353             udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:37

Reported

2024-06-03 04:40

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

131s

Command Line

com.BF.TVGame.DuelOfSheep

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar N/A N/A
N/A /storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.BF.TVGame.DuelOfSheep

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar --output-vdex-fd=105 --oat-fd=110 --oat-location=/storage/emulated/0/bianfeng/sdk/plgs/baseSdk/oat/x86/baseSdk_8.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

Network

Country  Destination          Domain                            Proto
GB       216.58.213.3:443                                       tcp
GB       142.250.200.14:443                                     tcp
N/A      224.0.0.251:5353                                       udp
US       1.1.1.1:53           bfas.bianfeng.com                 udp
CN       112.124.29.85:5004                                     tcp
CN       42.121.236.133:8080                                    tcp
US       1.1.1.1:53           gaandroid.talkingdata.net         udp
CN       8.136.189.76:80      bfas.bianfeng.com                 tcp
CN       8.136.189.76:80      bfas.bianfeng.com                 tcp
US       1.1.1.1:53           mobile.bianfeng.com               udp
US       1.1.1.1:53           reguser.bianfeng.com              udp
CN       115.238.30.10:80     reguser.bianfeng.com              tcp
GB       172.217.169.14:443                                     tcp
US       1.1.1.1:53           android.apis.google.com           udp
GB       142.250.187.238:443  android.apis.google.com           tcp
US       1.1.1.1:53           mobile-info-interface-01.bfun.cn  udp
CN       42.120.19.26:5002    mobile-info-interface-01.bfun.cn  tcp
US       1.1.1.1:53           mapi.bianfeng.com                 udp
CN       112.124.16.18:443    mapi.bianfeng.com                 tcp

Files

/storage/emulated/0/bianfeng/DuelOfSheep_channel.dat

MD5 65c8d0861c6fd015908867259c63cc91
SHA1 9bf20656c7951d10a3567a131e02adbc8880dec5
SHA256 3ebb5e9e2705d7df5d7a3bfbc47e835ff6b79ed364d413c5b2a36b479cb15996
SHA512 bfa1348e390047edda2293c3fdd97bef86ab7a72611ad148ae67a4ef81bba9938ee503e7b599c4215789123ac768b805912d4e58c9153606234c9a0899d7c836

/storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar

MD5 cd19ff340657417836328804b4dff06b
SHA1 99bd579a4e42c84c7a7afd056b80d0bfa2e02860
SHA256 c7791c1f07ed6241c69f29f8fa73a0632f809a1fad2d5d0f813f4786500e6318
SHA512 e6a3caf7ef059daa8536c69285045eb1b76754d36488aa2fce0eb2104d28eb84c66a71129f17ce8d57151b6f9ac3c27357c0c295003f76deb31d8c45c4a2946f

/storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar

MD5 56924d654419d58e0b526090bfdcd788
SHA1 729bdbc4300b6486dd5037142a68fefeb711c4f2
SHA256 bf6b4993519b9fd8a7e3087948bdfb58db6ad6a0cb413233697f785c01262192
SHA512 1200b1d4ab180c6442c9b6c053459464e4c11e6a0d5e7cf66de9c0cc8d72acb36ffa32772bcc71bf6e01623dc5e3c3c64e554db8e509238c04a408f0141aa124

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-journal

MD5 a2905e43682c26a8d3f3ddd511cc5498
SHA1 a0aca3f9916cd9829ddf6464f263fe91d3fc8916
SHA256 780b347fa936566a15853c080219bbacb33a303fdbdb0b2da9707683da0d71d7
SHA512 1f522f4f73db19fed50f038406296dcfcddb9583bdf6e8c0cbe1dc1f7db8cfa12e53ff9edefeccb38f4752f3cda434eaa3a003e6b393cb7c06dc682377a92f8b

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

MD5 89ca9df528d5521d02579c1298c05ec1
SHA1 dc16d9094c494d16e77b67495a3c3a3ecab600a1
SHA256 61dbb0abd30b06fdd704187f04015d61167ede3d366e57b7afac3c0a2273b478
SHA512 578c77baaa4cf94838c8fdadd68e06957f420a2a8b730d0f6280b35da8b071ee9a70d9f9a309a17a5b8db9f6c2c731ddd39d95e1786a3fce456446527bef02e0

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

MD5 ef18688e373aad76f810746d7fe3e159
SHA1 bbfde5566e12352b4d0b66455fe317d06217865f
SHA256 d8d0f561b4f3d786c00d0e59c0d99d1024eea64fac272ef3bf451841c351c542
SHA512 b25af27f9641a2ee4914524b202d3e09065142fc7f2be5b9beb050303c7dfcc4831a84f14f7b06139354f9d944790037d7f5d84f85d17b010be7e203ede78f75

/storage/emulated/0/.tidbf

MD5 748d9beeaa1899252a7365b780b95fb0
SHA1 2158cbe9044f2b138df0094615afe6616e526c9d
SHA256 59290d2d5a77605f8140feb82e44e8438115fb2f93dc56ed4c225b88c21baaa8
SHA512 cdeb0c4cebf1cc96ebda6940763a940df76120ee991bc7f003480caf055a970f16e4a19ef2ba2c56fa056d539b981e16542ec7239a7b91dd3828585bc2d1e440

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db-journal

MD5 77f4c38bc4f3f3fa699b38dd73efc3c0
SHA1 55d251d636b6ad5f842d57f4036e71c1daa202ff
SHA256 a0786143ebeefa7b41c50d03f5c477e5ca7ff5dc0506c4f24fa59ebce5591c84
SHA512 185dad25f8195742fc00e843a5bcb09e8521218e551203e9d60b5bbdfcf5c799e6dd78db75382dcdb6aa43b329f5406cd15f1607bd3fe5d48c581e682ff2dc4a

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db

MD5 c94926c1b36062b2d022a1c2adc7bff0
SHA1 59f8bfd4129d890543c075c0c55e091bcf599a10
SHA256 9ddc55362074be39f141d9c84062998654ece33fb4216ac5c655bdebfdb8019e
SHA512 fea29698337dc39dafe959543dd77aadd86b4a36b4740788edbcae949a78ed040ca36919cc7500882c42f3dfa75e47cad42c2357175744aeba00b9d8ec2f35f3

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db-wal

MD5 e568958e67c0c99b92d1d800cf8bad96
SHA1 b5a7dcdb55f02a65121fa7753ae290c3de73abcf
SHA256 d61c26f22a0338c94ab3816bb8c1081b5ca06a8f76d4bddb051ab52683e30af1
SHA512 623ddcc66c8ec63485ff07b4490e38be0a8ce6d0f7cf4503b34ef1956645e925ebe015a32f6ac63e787a9fd2060c22a12c23e0604b29e3fe6bb13032e0ad6f64

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db-wal

MD5 33e50d13943b87d54cbb4d5969b61d60
SHA1 8eabc84d29265e323ebd850e73dceab6aa231e95
SHA256 0bc73f2e2d0724f37dcdfd192cffd93d2978e72ac8902edb62b697d9b168ba3c
SHA512 bbeeee8856abfdc58bd2dc815c86def148b2767bb71337e5284f9e5503ba06e445399023439e66ac61deeaa0558be119c953da072114f3cc8c29e0a01587e517

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db

MD5 c1629b6335f91eca118860b49a4a3e3d
SHA1 6877050751e00f9755a8bab2ef416815ec8c5ebf
SHA256 6204edd89c77f9e456a649df2795492a3f27d35e9e8334205afccd871792cb26
SHA512 f35abc3d8c982af263e6f430f3b0cc77748b92f51c77bbd8f4397e6f18909215681893f89663fe7cac31907f2e69e631a8de735b93484ee16abf1349010c7851

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

MD5 c253d7d507c839ef067ca8ba413a90a8
SHA1 6d5fcefff7ec3717dae1106c9515c2b9966153bd
SHA256 b22de56ff0aa2141b3282dac119440581fafcab64645be38477cb84e73119c03
SHA512 4d08ece9a792097956c5aee1a724cc97b6de2f14f2ff224694d337e6acbcbdda3dc59124720cc25719a7eb90440d5cc1427d9089e03c28275f1149f98d01cd71

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

MD5 99d8292fc8d3736ba0cc279d42bf90f3
SHA1 7836dec85c5dd9118a9ccb0f1b189ee74b2827a8
SHA256 10ffbe190a2224e06b9517d5f0e65c00515a9cf53f9cdf43e97b4357ff7841fb
SHA512 7abc745b5736e9a8fa2fa3532660570f393a0104bcbda7697ccc71c621e6dfa9c29ca83326c3c849e2163fa0a316e56d0df439c98170553708ea7b74f70c176c

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

MD5 234debc23bd50e3b1de1703971840c2c
SHA1 190100a945f10ab0feac5138f808b0539a4f7605
SHA256 ff7c39270b1b9e73a6e81f00f29e2ff73e2d05136760ee1e834313f186c6b5af
SHA512 25f1bccb583d7680489babd94ddbe6be2d707e62fe874f65d31c697d23ebe4629b2da343ae1fe6297b9bfc69bcf54b6d6fb25f90a392c4f98619c5b3e10a5562

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

MD5 f7918e4add41f950f560fbc25500814f
SHA1 a85439d32efb5621a1b1fddbcd788ca6a21de550
SHA256 e20adc530804864c38bd6ff221e5752b5c8f9a5ff2c23283687bab5378c01c87
SHA512 87a41d93e2af433665d4068496560b0d2ef0e8f7970b80cbf9cdb73dbb11adb80fc29d14c76e320201913cf0d1881fc4163c60adcf590bd924a3194d2fb566f4

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

MD5 9620eb9201fe70e58effa607f99a6057
SHA1 00f3e54c3b954ce974d1421f3a1fadf855298119
SHA256 9d304ca653294b69df29bf06e6adac4dcc2d13db6523a41e4135d90996791544
SHA512 9e3a0200df32ae1225b181b7953aeac6c95bd6f595819bfa73f9dd9ad5bfda8ed1fe9030b2e9657e6dc863777dcf93393324da30d3871059dedd96eca65fe447

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

MD5 e55c8996d4ec3efb0098fc065935d418
SHA1 9968f9f18d4f1de61ff2c90eee64e76a0bf441ae
SHA256 e0e3d7931520efc165abb46c0773c3c372c8ec2e8f40bbc439e90ae07604199b
SHA512 fa96e8e7776ae134f971a028114be4a3bce518f5f8f42cca118ce725f59251d5f6695e140decace70af57ee3eb5bf7336db812bf3dc163352950ebf4afcb7308

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db-wal

MD5 e7df752881ec8fcc805c098953d4bb1d
SHA1 f3c6b22971478735015fa1b60568902bfeb38837
SHA256 678beb6f6e868bf7cf45b7c4d7b211c927303f40b073efa8891b4f0875a2fa3b
SHA512 6fea6d2328f528781fc5d939222d75473972bec02d4f682d67102f59d73471613bee82937ece706d2f2972e368fe856918cf40e99327c8bfe7a97e25d38668a9

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db

MD5 138c465d53a0d9992ead340daeb02ab8
SHA1 12bc12b42b95765320aae0b9775ee01ad64c8636
SHA256 c49d5206bccdc6b91cfe7d20923e466305b2ce2e55075667412e89cb19427bee
SHA512 338a943e71fb070dd3784ef32d9ac108f9066927f97ddf07b562765faa682f4318f355e68736de62c83e2fd64a3f37375e6a17dfe22dc5cae37d8c94961a4321

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

MD5 7bc86f01f0e97f6367f4080b78dfa56a
SHA1 d52ed23ed43692a9c5aa3e9c055a985ecb7f135b
SHA256 45bf9977f59706b99a3e0c8e7964a78b8de30662ecdfaa3731d605e7093e7146
SHA512 37a7c4f35d1c79351911d9c25521526b4915a50ce401dacbf4f544e0465096dd62ad474ce75a66731258d34093838ad2ff59d1a16f1f6e925031653bd0f3f7da

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

MD5 334cbfe647dd63071c0fae322f7a856a
SHA1 37b347fc95a8272613bbbbae6ec467dea9de5309
SHA256 3db7db10512d1ef1d28b2c4e663a5bba25a758727169b09cad5486c236cf8224
SHA512 e9bf0219b9f78e82969bdc2b18f72cd493d45fe5cf289cd18b6b5e1264fb20f9aefa234be6f49e0db4cf4a07911679d41ba388038409e66de529db26d5bb37ea

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:37

Reported

2024-06-03 04:37

Platform

android-x86-arm-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain  Proto
N/A      224.0.0.251:5353             udp
GB       172.217.169.10:443           tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 04:37

Reported

2024-06-03 04:37

Platform

android-x64-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination          Domain  Proto
N/A      224.0.0.251:5353             udp

Files

N/A