Malware Analysis Report

2024-11-16 10:46

Sample ID 240603-jjmreahe69
Target 90fc919ab5e4e05335504ca51fff848a_JaffaCakes118
SHA256 0e5ecc9da8cab97c51fb6a599e82a6e1c0f461fa43543faba74b0ab8fff8341f
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

0e5ecc9da8cab97c51fb6a599e82a6e1c0f461fa43543faba74b0ab8fff8341f

Threat Level: Likely malicious

The file 90fc919ab5e4e05335504ca51fff848a_JaffaCakes118 was found to be: Likely malicious.

The score is heuristic and should be read against the rest of the report: the process that ran in behavioral1 is com.paypal.android.p2pmobile, every resolved destination is a paypal.com, paypalobjects.com, google.com or adjust.com host, and the root, debugger and memory checks and the Cipher.doFinal calls are also what a hardened financial app does by design. A repackaged build would keep the same package name and endpoints, so confirm the verdict by checking the APK's signing certificate against the publisher's known certificate and by diffing the permission set and DEX contents against a known-good build of the same version before treating the sample as malware.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Reads information about phone network operator.

Requests dangerous framework permissions

Checks if the internet connection is available

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK (Mobile Matrix V15)

The technique matrix is not reproduced in this extract; the tactics mapped from the signatures are discovery, evasion, impact and persistence.

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:42

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:42

Reported

2024-06-03 07:42

Platform

android-33-x64-arm64-20240514-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A (no process was started on this image and no signatures fired; the connections listed under Network are most likely the emulator's own Google background traffic rather than activity of the sample)

Network

Country | Destination | Domain | Proto
GB | 216.58.204.68:443 | - | udp
GB | 216.58.204.68:443 | - | udp
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.14:443 | - | udp
GB | 142.250.178.14:443 | - | tcp
GB | 142.250.178.14:443 | - | tcp
GB | 142.250.187.195:443 | - | tcp

(- = no domain captured for this destination; 443/udp is most likely QUIC, 224.0.0.251:5353 is the device's own mDNS.)

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:42

Reported

2024-06-03 07:45

Platform

android-x86-arm-20240514-en

Max time kernel

127s

Max time network

161s

Command Line

com.paypal.android.p2pmobile

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
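The root, debugger, memory and crypto signatures above were observed dynamically. A static counterpart, added here as an editor's example (not the sandbox's rule set and not code from the sample), scans every DEX in an APK for the string constants that usually back those checks, handles multidex, and reports DEX entries that carry no DEX magic (packed or encrypted, so the strings cannot be seen statically). The indicator-to-signature mapping and the constructed APK are assumptions for illustration.

```python
import io
import re
import zipfile
from typing import Dict, List

# Editor's example, not the sample's code. The mapping from DEX string constants to the
# report's signature names is an assumption about what typically backs each check.
INDICATORS: Dict[str, List[bytes]] = {
    "Checks if the Android device is rooted.": [
        b"/system/app/Superuser.apk", b"/system/xbin/su", b"/system/bin/su",
    ],
    "Checks the presence of a debugger": [b"isDebuggerConnected", b"Landroid/os/Debug;"],
    "Checks memory information": [b"/proc/meminfo"],
    "Uses Crypto APIs (Might try to encrypt user data)": [b"Ljavax/crypto/Cipher;", b"doFinal"],
}

DEX_MAGIC = b"dex\n"  # followed by a version string such as "035\0"
DEX_NAME = re.compile(r"classes\d*\.dex")


def scan_apk(apk_bytes: bytes) -> dict:
    """Map report signatures to the DEX entries and strings that could produce them.

    Entries named like a DEX but lacking the magic are reported as opaque: a packer or
    string encryptor hides the constants, and only dynamic analysis will show the check.
    """
    hits: Dict[str, set] = {}
    opaque: List[str] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not DEX_NAME.fullmatch(name):
                continue
            data = apk.read(name)
            if not data.startswith(DEX_MAGIC):
                opaque.append(name)
                continue
            for signature, needles in INDICATORS.items():
                for needle in needles:
                    # DEX strings are MUTF-8 with a ULEB128 length prefix; ASCII needles
                    # still match as plain byte substrings.
                    if needle in data:
                        hits.setdefault(signature, set()).add((name, needle.decode()))
    return {"hits": {k: sorted(v) for k, v in hits.items()}, "opaque_dex": sorted(opaque)}


def build_fake_apk() -> bytes:
    """Constructed multidex APK (not the sample) with one packed, non-DEX entry."""
    def dex(strings: List[bytes]) -> bytes:
        # A real DEX header is 0x70 bytes and the string pool is indexed; for a
        # substring scan the magic plus NUL-terminated strings is enough.
        return DEX_MAGIC + b"035\0" + b"\0" * 0x68 + b"\0".join(strings) + b"\0"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
        apk.writestr("classes.dex", dex([b"/system/xbin/su", b"/proc/meminfo"]))
        apk.writestr("classes2.dex", dex([b"Landroid/os/Debug;", b"isDebuggerConnected",
                                          b"Ljavax/crypto/Cipher;", b"doFinal"]))
        apk.writestr("classes3.dex", b"\x7fELF" + b"packed" * 8)  # no DEX magic: opaque
        apk.writestr("assets/cfg.bin", b"/system/xbin/su")        # outside DEX: ignored
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_fake_apk()))
```

Absence of a hit is not evidence of absence: an app that assembles "/system/xbin/su" at runtime or encrypts its string pool produces no static match, which is why the dynamic signatures above remain the primary source and this scan only serves to locate the code behind them.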

Processes

com.paypal.android.p2pmobile

Network

Country | Destination | Domain | Proto
GB | 142.250.200.42:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp
GB | 142.250.200.42:443 | - | tcp
GB | 142.250.200.42:443 | - | tcp
US | 1.1.1.1:53 | www.paypalobjects.com | udp
US | 151.101.2.133:443 | www.paypalobjects.com | tcp
US | 1.1.1.1:53 | api-m.paypal.com | udp
US | 151.101.193.35:443 | api-m.paypal.com | tcp
US | 151.101.193.35:443 | api-m.paypal.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | app.adjust.com | udp
NL | 185.151.204.15:443 | app.adjust.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.66:443 | - | tcp
GB | 142.250.179.238:443 | - | tcp

(- = no domain captured for this destination; rows to 1.1.1.1:53 are the DNS queries that attributed the domains to the IPs that follow them.)
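Reading the two Network tables by hand conflates sandbox background traffic with connections the sample actually made. The following editor's example (not code from the sandbox or from the sample) parses the rows as they appear in the report, tolerates the missing Domain column, and sorts each connection into DNS query, multicast noise, first-party, analytics, platform or unattributed traffic. The rows are copied from the behavioral1 and behavioral2 tables above; the domain-suffix lists used for classification are the editor's assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Editor's example. Rows copied from the report's Network tables (Country Destination
# [Domain] Proto); the Domain column is blank when the sandbox captured no DNS answer.
BEHAVIORAL1_ROWS = """\
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
GB 142.250.200.42:443 tcp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 www.paypalobjects.com udp
US 151.101.2.133:443 www.paypalobjects.com tcp
US 1.1.1.1:53 api-m.paypal.com udp
US 151.101.193.35:443 api-m.paypal.com tcp
US 151.101.193.35:443 api-m.paypal.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 app.adjust.com udp
NL 185.151.204.15:443 app.adjust.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.66:443 tcp
GB 142.250.179.238:443 tcp
"""

BEHAVIORAL2_ROWS = """\
GB 216.58.204.68:443 udp
GB 216.58.204.68:443 udp
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 udp
GB 142.250.178.14:443 tcp
GB 142.250.178.14:443 tcp
GB 142.250.187.195:443 tcp
"""

FIRST_PARTY = ("paypal.com", "paypalobjects.com")  # assumed: the package's own backend
ANALYTICS = ("adjust.com",)                         # assumed: bundled attribution SDK
PLATFORM = ("google.com",)                          # assumed: Android/Play background traffic


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> List[Flow]:
    """Split 'Country Destination [Domain] Proto' rows; Domain is optional."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises on a malformed address
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def _matches(domain: str, suffixes) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(flow: Flow) -> str:
    if flow.port == 53 and flow.domain:
        return "dns-query"
    if ipaddress.ip_address(flow.ip).is_multicast:
        return "multicast-noise"      # 224.0.0.251:5353 is the device's own mDNS
    if flow.domain is None:
        return "unattributed"         # no DNS answer captured for this IP
    if _matches(flow.domain, FIRST_PARTY):
        return "first-party"
    if _matches(flow.domain, ANALYTICS):
        return "third-party-analytics"
    if _matches(flow.domain, PLATFORM):
        return "platform-services"
    return "other"


def triage(text: str) -> dict:
    flows = parse_rows(text)
    classes = Counter(classify(f) for f in flows)
    return {
        "rows": len(flows),
        "classes": dict(classes),
        "domains": sorted({f.domain for f in flows if f.domain and f.port != 53}),
        "unattributed": sorted({f"{f.ip}:{f.port}/{f.proto}" for f in flows
                                if classify(f) == "unattributed"}),
        # UDP/443 is almost always QUIC, for which the sandbox shows no SNI.
        "quic_candidates": sorted({f.ip for f in flows if f.proto == "udp" and f.port == 443}),
    }


if __name__ == "__main__":
    for label, rows in (("behavioral1", BEHAVIORAL1_ROWS), ("behavioral2", BEHAVIORAL2_ROWS)):
        print(label, triage(rows))
```

Run against the two tables, behavioral2 yields nothing but unattributed Google-range IPs and mDNS, consistent with its empty Processes section, while behavioral1 attributes every resolved host to the package's own backend, Google platform services or the Adjust SDK. The unattributed 443/tcp IPs in behavioral1 are the rows an analyst still has to resolve out of band (passive DNS or a pcap with TLS SNI) before calling the traffic clean.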

Files

/data/data/com.paypal.android.p2pmobile/databases/com.paypal.android.p2pmobile.appconfig.db-journal

MD5 43c4d642af3b1299ed88b078560ad71f
SHA1 5ef101756b4ac204aae9c03bc748a00126b1b51f
SHA256 0d1416f4ffdc344009e72815cd2b355e58b35c687fb1b1cf78b9cbd92ac62ca3
SHA512 e3b32796223f452e4896ce6565c831b8730b896724e6304adfbb19f8a1a01459f900b3ba9ffb48171e7369b5aa7abb320f2403882cd3bbba19b949be9cb7cace

/data/data/com.paypal.android.p2pmobile/databases/com.paypal.android.p2pmobile.appconfig.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.paypal.android.p2pmobile/databases/com.paypal.android.p2pmobile.appconfig.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.paypal.android.p2pmobile/databases/com.paypal.android.p2pmobile.appconfig.db-wal

MD5 8830cf16b3c60e0683ef79a92fcb46d1
SHA1 8f98260852ea09c9ea9270b9c58d39c9cb051a5e
SHA256 f06308a504ac3244e9c12abc55b3941d0a856d2229d8262244ef59c2670d8914
SHA512 171cb4bc8c7fb67136f7b14f0bf08ed9488af80efa858754064e460d60d183d92e1448c6b01e4bbae3806cb205dd158ec45f176282267f443ae95fe3d2fc062e

/data/data/com.paypal.android.p2pmobile/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/665D73E002FE-0001-1101-1575B553B71EBeginSession.cls_temp

MD5 d9c53883de5301adb35fdeda67c9c3bd
SHA1 fd6a5fc84657b2645f3abcd6c764a3a7cfd4b350
SHA256 bbe57d37eeda8b5b0a5f51352f6975c0bb1cd90d3d20ab19e8b66e3db0e56452
SHA512 8f8bc4203f848ba72818da3607eac443cd0d3d901dba6b4f72fa97adf863fc6a6f315b4a4919f19f04818c58460a14b248a6abdd0935aae940a0d6d6a763a6b7

/data/data/com.paypal.android.p2pmobile/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/665D73E002FE-0001-1101-1575B553B71ESessionApp.cls_temp

MD5 cd77994a40f7afda144ddcc05e98ca0f
SHA1 a2fc56f4e4ec753c448a93b051a4e9d54929fd55
SHA256 43c2213b166a70adab4be3b95834ad44b3b2fa5b8f8e456d9fe216f02cb10487
SHA512 35cf505e4a7842eea2013ea7a336f2383e1811ec61843eca6db63e2f0341eb2faec01aef6a65ba46be0e90cc7fd947b381292dff1b7759d6b9fe82bcfa5adaf5

/data/data/com.paypal.android.p2pmobile/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/665D73E002FE-0001-1101-1575B553B71ESessionOS.cls_temp

MD5 9b3d4522944ce6396563812bfdb92fa9
SHA1 6d2a6133c8f01938a48ccc77ef86ad8ca335c020
SHA256 d32805d685a3f50caa7f1c0bd7c8804c4d937a866513289f60e3184f7a591ed9
SHA512 091d87643712530bf9006135db42a5a50742bb5ca3026bcc5f2c1c17bf4fd984a8938d29263b0abde3d15cac196d2230902534e200b0b79485e3a1bd97d95727

/data/data/com.paypal.android.p2pmobile/files/CONFIG_DATA

MD5 5f6ef5af562f1adf3ac7b924e8e8fcaf
SHA1 80eae74a41b495af0ccac7d4f5081b96940d2c44
SHA256 53ad16c256c796a8a5edd6be849f0f8d0214c5a37bf8311cd07c91916e823138
SHA512 1297d50bf1c55681b5a99e48b4cb62da6a092730043b860aabd9ed18f615681d445cda81664983d1813ad321bf6f3647a2431c3417765279c900c7d662c7a67e

/data/data/com.paypal.android.p2pmobile/files/CONFIG_TIME

MD5 209db0d11f40c9e544ea463d97523b75
SHA1 a93a02539f0655db7a6778b8bfd1a4d8647f3efd
SHA256 997ccd5a03325b52a5e05e13ecb94279fbbcea74edc6d6ad00c01d614059ae76
SHA512 541ea0cdd53fc5ed73e3f2bbdbb762ac539e9529782f70c0e8f523dff3c0f89a541b5d7f5f3a7d6ec4fa01efe5555aecfd3f230ce5dda9059e43ba449a81b077

/data/data/com.paypal.android.p2pmobile/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/665D73E002FE-0001-1101-1575B553B71ESessionDevice.cls_temp

MD5 1f1a20b0eebc14f3cd1fb10af50893f8
SHA1 4d7596cbab7fbb1902c98538ae2741c9fad01460
SHA256 64ce5343904e9637510fac505391441cf9f3ef5f5f18f7ecceea2bdf2ae6fe51
SHA512 40dd4996c9cea10acf36ba5e57ca4f1793aa52a72301d384e3175e9d1437fc3d6fe83af36e32a00d071bbe0809a3a3e36119361d4875420be7a4fa620386c0ec

/data/data/com.paypal.android.p2pmobile/files/CoreStateData

MD5 7e7df8d66e70bf73097cac3c3d512bf9
SHA1 39a8f3e7ccf0901922ab46c54d714581e9af421a
SHA256 47d8bce10adb0dfa20d5f1983e5671ee6a25d1b59efb7e8b56fd9c23606fba1b
SHA512 56830eb6937ec497756b8ecffa313561418712d2760d9136051dcb4619b7c946cb10575d25e686d5f680b6b6185cfa1c3a86c06d38a9fc0956f2f0725a1bcfb6

/data/data/com.paypal.android.p2pmobile/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/com.paypal.android.p2pmobile/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 d060c45fefbd0c9130a3887ee58421a5
SHA1 5f4c8192a37c7f50ce2dad0856c936bb9e2387e6
SHA256 9c8c24bd6a7ee06c082c688c8f0f6504bc74e7e61c9ab3e0f883b4e5bbec27a6
SHA512 cec3d9acb19eb8020229356d9cc3512a3b27e81ef8341c8e560fac1dc7f914bd51eae6953f79d1e081e4d93f2f622b063a7a8f15ce0461d7d28590d08a9298e8

/data/data/com.paypal.android.p2pmobile/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_8be76383-8232-48c8-bc28-2b0cbd660981_1717400547566.tap

MD5 fd3e525dd7549ca7cd408c6d1ab73dfc
SHA1 bd28ce431c812ba6982e359200ea26523ecba394
SHA256 c647ea70fe52686f5bc2e34ede0e8799878958d34ee31c2ee1d152b78d0da0ce
SHA512 2095694e26f93744f79a6bd9d8b0d3bd2ede0b5aa7500cb949be1e03c787c086b3fe369e459243d97fc2fc817fda14c3d7209cd2d374f4fca5a5b41e67d146d6

/data/data/com.paypal.android.p2pmobile/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 76018dd9560f5fb22019adeb60127efc
SHA1 f72d95a10fa4502f841b6461b951508720a47343
SHA256 881e18f37c173c898cda430f5f8fbaee0c71553997104dae169c2421f0bb5319
SHA512 37736c01783688b1da5d6f84cc3e7f1dede41e77822f7aad375c23e3f04b051c6ae8da6a1b68b3c9e613d718c83891ae54d244c4539ea1d5a0b73ac7caf20303

/data/data/com.paypal.android.p2pmobile/files/AdjustIoActivityState

MD5 2a5761ad19459fa6cf73d4641f8c8d39
SHA1 3e58f3dc500d41b57e0275a29dfd4d0b7b4b267e
SHA256 4987f8a8525e13509ed66fad693d10a4ffda87dd9e3cef486a7d5519c3b682d6
SHA512 1db1594af2aec597d525c35c17d48305e8e3e3dcbd6312a6ec34d8eff0e1190edbd6407709b670554d9f4c4f1355d4a5f0cf3137bc553d2e63a4a7d75cf58640

/data/data/com.paypal.android.p2pmobile/files/AdjustIoPackageQueue

MD5 ebf6f743c57ffc4aa7e725791a53f83d
SHA1 b63e4675d90b8d469fa2a9efa8ad19007d75214a
SHA256 cc02a2d90570ad256fac123b0db66ce99636519b24a2bc0646b980758af68a71
SHA512 f6d1ee68154f778fb1cc25c72fad8831b0a67489970bb35fe150e9477a13a1a8f0969b75029dc419b72c9307953d32554a47e6176f553d9a1d20f749ea3918b3

/data/data/com.paypal.android.p2pmobile/files/AdjustIoPackageQueue

MD5 2665c22d9bde026e3fdcf4444b0a85b3
SHA1 411bbd6ac4ad27c445c2a65f625a4b4b75999bc2
SHA256 33d965f41de137b40cf3176c7313a4b4ed90523142de091d6f557f9de7bd5b3f
SHA512 142485854d8559fa185f91a3581214b1dd49e5acc2b33cb8c736d46d403cd4e52b12e8466c590563e8070ed5c07f33b92a7108ea37ad0dbdbecac2dec8d7b0f0

/data/data/com.paypal.android.p2pmobile/files/AdjustIoActivityState

MD5 23565fba7896cad61ecd4eb96a4a0916
SHA1 c28c7f2acdc02f1f689cf859718d0dc0dabe758b
SHA256 0a24326291f63580504020a2fbd88c9b93c769d87b944b24e98c96b1f0db6bf6
SHA512 98af571b2e04f938aacc2f48acda3b715ae17fb4406aaa39d8b6a22da374c261c064e41c0e0c3b850ca2cab6fdf8c0cb13d179f01a47c9b5364ff83213310d65

/data/data/com.paypal.android.p2pmobile/files/AdjustIoActivityState

MD5 cac6e48dd269745172ed037d9b7e3539
SHA1 620118d930086b18dc04e84c8e9f2183055e2c86
SHA256 885b9fdc41e45cb6517199b78daf148579c0e91eb2ebd88cceca284f02199dd6
SHA512 80d1f6c993d3a045cc706ad6b0116b8aaff483cc8c7f60cea2adf1ca63cf7b29b9698c4b6f8ef9458d9e839fd05615840817550ab43347370b31d7edda77246d

/data/data/com.paypal.android.p2pmobile/files/AdjustIoActivityState

MD5 68bf420e40322f39c866d64a06b8b5ff
SHA1 6d38b03829919ce1473f34190c553be658d6f6e6
SHA256 48c6c8a19cf29d7c234da142468a918f26d37328b6c91104066f3544ef99231f
SHA512 7f7e664e15fcf868d61c25fd801356ec1aef9dd60bfe9d96a9fafa0254179b3c73eec65781d61e18b8585ba6edfdee210ef183d796fe4bab68780721dd307168

/data/data/com.paypal.android.p2pmobile/files/AdjustIoPackageQueue

MD5 f04a5693fb414dd569d6b39ebdb1476a
SHA1 565678999739aa537b70e215d780ba346ee90dd6
SHA256 68a60402730b9a3c192cdafee11533de90408e0b1f5c59eca73d35d92ce447b7
SHA512 6eb405608ca095b3fc82ef7331f7a2490977b74b10dd70b1c21f89849aa6ec82797739cb8c60a3c731ef94b7d0c09675e12be7e4eb49848239041c633f740e1e

/data/data/com.paypal.android.p2pmobile/files/AdjustIoActivityState

MD5 cfa054b066d3365a957fb8356fd40579
SHA1 adb129bc72c830e3413f6b33a89b3499f8c3dc53
SHA256 57ba5b69ccc2cb0f5c6ce77b165813ec9550725ffd6e9d84caf022bcfa464bec
SHA512 8a142849d47856d2bdb0d6a6b9c096285d27d55e9067ac41e3bf00673b39c52ed07377ec4605757de6821af5e543d574cd735310902a5c83c6b9f3c874d97e85

/data/data/com.paypal.android.p2pmobile/files/AdjustIoActivityState

MD5 2efe41559a29b689c673c245dedfe7fd
SHA1 93b7b5516f82fd3315aec7757ae947731a514f2a
SHA256 82f159858b314b63cf454ecf5cb62664d04a4b5563c2f990360c83ed4d2615c1
SHA512 552b3bf9a4c92730fcca261cf23b05fbd98f5ae09ce258d7635d2a4a4766d4fd27aaeb2abe43956757bebcf8bbecaadccd040d74b28a0f0b467ec4a50da093b4

/data/data/com.paypal.android.p2pmobile/files/AdjustIoPackageQueue

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
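The file list records appconfig.db together with its -journal, -wal and -shm companions. A -wal file means the database is in write-ahead-log mode: committed pages sit in the -wal until a checkpoint folds them into the main file, so a copy of the .db alone can be missing everything the app wrote during the run, and the -journal is a rollback journal left by a connection that used the older mode. The following editor's example (not code from the sample or the sandbox) builds a constructed WAL-mode database laid out like those artifacts and shows the difference between lifting the .db by itself and lifting it with its companions. The schema, row contents and the disabled auto-checkpoint are assumptions for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile

# Editor's example. Constructed database; nothing here is the sample's data.


def make_wal_db(path: str, rows: int) -> sqlite3.Connection:
    """Create a database, switch it to WAL mode and commit rows that stay in the -wal file.

    The returned connection must stay open: the last connection to close a WAL database
    checkpoints the log into the main file and deletes the -wal, which would hide the
    effect this example demonstrates.
    """
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
    conn.commit()  # schema lands in the main file while still in rollback-journal mode
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA wal_autocheckpoint=0")  # assumption for the demo: no auto-checkpoint
    conn.executemany(
        "INSERT INTO config VALUES (?, ?)",
        [(f"flag{i}", f"value{i}") for i in range(rows)],
    )
    conn.commit()  # committed, but the pages live only in appconfig.db-wal
    return conn


def acquire(src_db: str, dst_dir: str, with_companions: bool) -> str:
    """Copy the database the way it would be lifted from /data/data/<pkg>/databases."""
    os.makedirs(dst_dir, exist_ok=True)
    dst = os.path.join(dst_dir, os.path.basename(src_db))
    shutil.copy2(src_db, dst)
    if with_companions:
        # -wal holds the un-checkpointed pages, -shm is a rebuildable index of the WAL,
        # -journal is a rollback journal from a non-WAL connection. Take all that exist.
        for suffix in ("-wal", "-shm", "-journal"):
            if os.path.exists(src_db + suffix):
                shutil.copy2(src_db + suffix, dst + suffix)
    return dst


def count_rows(db_path: str) -> int:
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM config").fetchone()[0]
    finally:
        conn.close()


def demo_wal_visibility(rows: int = 5) -> dict:
    """Return the row counts seen from a db-only copy and from a db+companions copy."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "appconfig.db")
        live = make_wal_db(src, rows)
        try:
            db_only = acquire(src, os.path.join(work, "db_only"), with_companions=False)
            db_full = acquire(src, os.path.join(work, "db_full"), with_companions=True)
            return {
                "wal_bytes": os.path.getsize(src + "-wal"),
                "db_only": count_rows(db_only),
                "db_with_wal": count_rows(db_full),
            }
        finally:
            live.close()


if __name__ == "__main__":
    print(demo_wal_visibility())
```

The practical rule for the artifacts above: hash and preserve all four files as a set, open them read-only from a working copy, and expect the row counts (and therefore the configuration the app acted on) to differ between the main file and the file plus its -wal.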