Malware Analysis Report

2024-11-16 10:46

Sample ID 240603-jjdthagc7w
Target 90fc7aa870a2ee94981fd5406b4cc9a8_JaffaCakes118
SHA256 444bc8f17d282f8e830de8e324d6e873e57900d15c66b6e33d275b9ecc48538f
Tags
discovery persistence evasion
score
7/10


Analysis Overview

score
7/10

SHA256

444bc8f17d282f8e830de8e324d6e873e57900d15c66b6e33d275b9ecc48538f

Threat Level: Shows suspicious behavior

The file 90fc7aa870a2ee94981fd5406b4cc9a8_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence evasion

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:41

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:44

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

138s

Command Line

com.dbgj.stacore

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.dbgj.stacore

getprop ro.board.platform

getprop ro.mediatek.platform

Network

Country Destination Domain Proto
GB 172.217.169.10:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stat.anquanxia.com udp
US 107.149.163.133:80 stat.anquanxia.com tcp
GB 142.250.200.3:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 107.149.163.133:80 stat.anquanxia.com tcp
GB 216.58.212.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.187.206:443 tcp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp

Files

/storage/emulated/0/data/.systemid

MD5 8a91b4432ca9d0b2b2cb2f016616fd44
SHA1 7b19aac960f73e53b904760d73c01d5df10eea12
SHA256 b1b5f8ab17360337631a5bba2b462345905ea5854e2c2f3cce3606aaa0913288
SHA512 513ebe4e440ce8234094f1781471102c9b8917d8f5682abf0f7ed8771d1ecebfe67e1dabd0da2b23ad7ce737972df7c98c5c9d5fa5f7526247c42a8f535c81ae

/storage/emulated/0/data/.systemmac

MD5 0f607264fc6318a92b9e13c65db7cd3c
SHA1 c1976429369bfe063ed8b3409db7c7e7d87196d9
SHA256 c248c629af1fe0a8c46b95668064c1d2952a9e91d207bc0cc3c5d584c2f7553a
SHA512 9dbd40b135b46c7be31b8c7d11c75b0b179af3a6550fca52ec447583aeb50aaaedb4b1e9373cf8826615149549a2efaee04efdc9a282e3a6b387c73099c13fb1

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:44

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

144s

Command Line

com.dbgj.stacore

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Processes

com.dbgj.stacore

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 stat.anquanxia.com udp
US 107.149.163.133:80 stat.anquanxia.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 107.149.163.133:80 stat.anquanxia.com tcp
GB 142.250.200.4:443 tcp
GB 142.250.200.4:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp

Files

/storage/emulated/0/data/.systemid

MD5 1c0611719718992a8bab250eb883f988
SHA1 6911573a7d2a2df67f03b766506b710bb119367a
SHA256 096b68dbe3b60f04eafe970f7eaa286284de73676234938aad627cc821546950
SHA512 905fb40ebcff6c348c4a320be717979e77fe8bda05429b2dad8ca4f5d6fdb3019a3f3e70ff9100eebbf47f29c70f31e3951e589ac52bd51f01cdd75a1356b0e1

/storage/emulated/0/data/.systemmac

MD5 0f607264fc6318a92b9e13c65db7cd3c
SHA1 c1976429369bfe063ed8b3409db7c7e7d87196d9
SHA256 c248c629af1fe0a8c46b95668064c1d2952a9e91d207bc0cc3c5d584c2f7553a
SHA512 9dbd40b135b46c7be31b8c7d11c75b0b179af3a6550fca52ec447583aeb50aaaedb4b1e9373cf8826615149549a2efaee04efdc9a282e3a6b387c73099c13fb1

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:42

Platform

android-x64-arm64-20240514-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:45

Platform

android-x64-arm64-20240514-en

Max time kernel

11s

Max time network

136s

Command Line

com.companyname.Space_Program

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.companyname.Space_Program/files/stares/updates/sta.jar N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Processes

com.companyname.Space_Program

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 172.217.169.42:443 tcp
GB 172.217.169.42:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 stat.anquanxia.com udp
US 107.149.163.133:80 stat.anquanxia.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/storage/emulated/0/data/.systemid

MD5 8e553b09fb9d45b23cdfad4fc5142153
SHA1 905f77133d4ffa96fc7d57cbce84cf1adb63fdfb
SHA256 e8863732261ad589b0d4faf8c5dbfa7117b9594bb032979a6daae125af617728
SHA512 4bc47d16b7ebaa08350de36064a3783891d7aa72e1a28dde73b052c6056b503754a3e523b3a01b773f5a3dcdb37757a1f658151e69b8b581fd12cd2b99dbcd39

/data/user/0/com.companyname.Space_Program/files/stares/updates/sta.jar

MD5 6bb4a9ad273b9145612ba1b22df71c80
SHA1 b2345dc7429dd5eaf6ac3e01e5ff13d8df983efe
SHA256 3fc5c73077df4f0ab20d662f9581b40cab0812d2a11aedea240416228096068e
SHA512 558afc8776af7a59e886a31f0cb7e799266d371f6c8a12f040b4120a3d861da81c925a14ee12c246555e4d9a2624204e09ae7d1aca81ac923eb4d4841ab040a2

/data/user/0/com.companyname.Space_Program/files/stares/updates/sta.jar

MD5 e86c274dc95a84271f67bbca9d98b4e5
SHA1 18b4cdbcf54d65cfc69123b901d240536fdbb47e
SHA256 e7e5a9e89703911aee3e8db1e8137e9403f6371bb352956fc333490bb71b5495
SHA512 d62d47498deb05ff6b2593f17c6c6a73f9febbdf5f1fa56c6e59c37c6b8ec8b7a8033b8236005326981bb51b9aea7a53eda6a28451bf37ebb61fb5ee6e9a1738

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:42

Platform

android-x86-arm-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
GB 142.250.178.10:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:41

Platform

android-x64-20240514-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.227:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:41

Platform

android-x64-arm64-20240514-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:41

Platform

android-x86-arm-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:42

Platform

android-x64-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:45

Platform

android-x86-arm-20240514-en

Max time kernel

13s

Max time network

160s

Command Line

com.companyname.Space_Program

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.companyname.Space_Program/files/stares/updates/sta.jar N/A N/A
N/A /data/user/0/com.companyname.Space_Program/files/stares/updates/sta.jar N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Processes

com.companyname.Space_Program

getprop ro.board.platform

getprop ro.mediatek.platform

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.companyname.Space_Program/files/stares/updates/sta.jar --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/user/0/com.companyname.Space_Program/files/stares/updates/oat/x86/sta.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 216.58.213.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stat.anquanxia.com udp
US 107.149.163.133:80 stat.anquanxia.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp

Files

/storage/emulated/0/data/.systemid

MD5 4122b08ca238e618a6d485b7ae27f840
SHA1 ec69780584b2e4b184f0a3eab61751856f363dc3
SHA256 ca8aa5a681fbb867819b227cf3290eab53a029f3f4ef949cfd445c8005265634
SHA512 a67615ba7b8f035cbc2b3b2a1f43edb9bd8f61df460504fe4fb122205decb853595f305a8ea824798fd39d54cd284d6d95717a512242922e729c4f9d632c3bec

/data/data/com.companyname.Space_Program/files/stares/updates/sta.jar

MD5 6bb4a9ad273b9145612ba1b22df71c80
SHA1 b2345dc7429dd5eaf6ac3e01e5ff13d8df983efe
SHA256 3fc5c73077df4f0ab20d662f9581b40cab0812d2a11aedea240416228096068e
SHA512 558afc8776af7a59e886a31f0cb7e799266d371f6c8a12f040b4120a3d861da81c925a14ee12c246555e4d9a2624204e09ae7d1aca81ac923eb4d4841ab040a2

/data/user/0/com.companyname.Space_Program/files/stares/updates/sta.jar

MD5 e86c274dc95a84271f67bbca9d98b4e5
SHA1 18b4cdbcf54d65cfc69123b901d240536fdbb47e
SHA256 e7e5a9e89703911aee3e8db1e8137e9403f6371bb352956fc333490bb71b5495
SHA512 d62d47498deb05ff6b2593f17c6c6a73f9febbdf5f1fa56c6e59c37c6b8ec8b7a8033b8236005326981bb51b9aea7a53eda6a28451bf37ebb61fb5ee6e9a1738

/data/user/0/com.companyname.Space_Program/files/stares/updates/sta.jar

MD5 930b928b30123dde3a54ec559976a435
SHA1 27c7c40ee682f200d1bfd5960dfd952894cd16e6
SHA256 0d9581f5e4a7b9cd40294f043459f416cc3c1a4ad851d6480c098e6e86602801
SHA512 824447f3f2f48909bfcceafb8f01792313449f51860d575b8f39eae04910581fcc365cb9e34c2c7fa68e2a61da8eeafa49badd36cf3902bad3647dd354eaa26a

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:44

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

155s

Command Line

com.dbgj.stacore

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.dbgj.stacore

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stat.anquanxia.com udp
US 107.149.163.133:80 stat.anquanxia.com tcp
US 107.149.163.133:80 stat.anquanxia.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 216.58.213.14:443 tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.212.194:443 tcp
GB 142.250.180.14:443 tcp

Files

/storage/emulated/0/data/.systemid

MD5 a6ab3bb7f744212839dece2d877e4373
SHA1 cb44e79ceada9cbb39c66c88eaf8c0327545cb04
SHA256 dc2acec4caf8f97ae24f6ff5b483eec5c4f6a2565a2b2831f0d945472255b9af
SHA512 979b3d35679cc4bd9ed86d1562fdb84b22505527a7b5038a1c3a1204889a7dd831800d12a4b45bec9bf5b8c123cb03aad6a86cc5ab7dfbe5619b16ae1e807bd1

/storage/emulated/0/data/.systemmac

MD5 0f607264fc6318a92b9e13c65db7cd3c
SHA1 c1976429369bfe063ed8b3409db7c7e7d87196d9
SHA256 c248c629af1fe0a8c46b95668064c1d2952a9e91d207bc0cc3c5d584c2f7553a
SHA512 9dbd40b135b46c7be31b8c7d11c75b0b179af3a6550fca52ec447583aeb50aaaedb4b1e9373cf8826615149549a2efaee04efdc9a282e3a6b387c73099c13fb1

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:41

Platform

android-x64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:41

Platform

android-x64-arm64-20240514-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:41

Platform

android-x64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:42

Platform

android-x64-arm64-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:42

Platform

android-x86-arm-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.200.34:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-03 07:41

Reported

2024-06-03 07:42

Platform

android-x86-arm-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A