Malware Analysis Report

2024-11-16 10:45

Sample ID 240603-khkq4ahc3y
Target 9124ec1867b71a3cee84bd0127e3cf2e_JaffaCakes118
SHA256 b10d78c4f2aef2e24a037ac5753062d69442e8b2d61d6f249dfb451abc68ba08
Tags: banker collection discovery evasion persistence
Score: 8/10

Analysis Overview

Score: 8/10
SHA256: b10d78c4f2aef2e24a037ac5753062d69442e8b2d61d6f249dfb451abc68ba08
Threat Level: Likely malicious

The file 9124ec1867b71a3cee84bd0127e3cf2e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker collection discovery evasion persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks Android system properties for emulator presence.

Queries information about running processes on the device

Checks memory information

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Queries information about the current nearby Wi-Fi networks

Reads information about phone network operator.

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Checks if the internet connection is available

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-03 08:36

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Taken together these are the permissions an overlay banker needs: SYSTEM_ALERT_WINDOW lets the app draw a window over whatever is in the foreground (the installed-application query in the behavioural run tells it which app to imitate), while CAMERA, RECORD_AUDIO, both location permissions and READ_PHONE_STATE give it a collection surface. Two caveats when weighing this signature: SYSTEM_ALERT_WINDOW is not a runtime ("dangerous") permission but a special app-op permission that, since Android 6, the user has to enable from Settings, so its declaration does not show that an overlay was ever granted in the sandbox; and WRITE_EXTERNAL_STORAGE no longer grants broad storage access on Android 11 and later.
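A permission-only triage of a decoded manifest, as an added example (not code from the sample, the qcast SDK or the sandbox): it de-duplicates the uses-permission entries, buckets them by how Android grants them, and raises the two combinations that matter for a banker verdict. SAMPLE_MANIFEST is constructed from the permissions listed above (a real APK's manifest is binary XML; decode it first, for instance with apktool, and feed the text form here), and PROTECTION is a hand-maintained subset of AOSP protection levels, not a copy of the platform manifest.

```python
"""Classify <uses-permission> entries of a decoded AndroidManifest.xml by how
Android grants them: normal (install time), dangerous (runtime prompt) or
special (user enables it in Settings, e.g. SYSTEM_ALERT_WINDOW).

Added example for this report, not code from the sample or the sandbox.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumption: protection levels as defined in AOSP (Android 10-13 era); subset only.
PROTECTION = {
    "android.permission.ACCESS_COARSE_LOCATION": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.RECORD_AUDIO": "dangerous",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous",
    "android.permission.SYSTEM_ALERT_WINDOW": "special",  # app-op, granted via Settings
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.ACCESS_WIFI_STATE": "normal",
}

# Permissions that turn a foreground overlay into a data-collection tool.
COLLECTION = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest: the report's permissions, including the duplicate
# declarations the sandbox export showed, plus one made-up custom permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.chromium.caster_receiver_apk_FMMusic">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.example.permission.CUSTOM"/>
</manifest>
"""


def parse_permissions(manifest_xml):
    """Declared permission names, de-duplicated, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(NAME_ATTR)
        if name and name not in names:
            names.append(name)
    return names


def classify(perms):
    """Bucket permissions by protection level; names not in the table stay visible."""
    buckets = {"normal": [], "dangerous": [], "special": [], "unknown": []}
    for p in perms:
        buckets[PROTECTION.get(p, "unknown")].append(p)
    return buckets


def triage(manifest_xml):
    """Permission-only triage: buckets plus the risky combinations worth flagging."""
    perms = parse_permissions(manifest_xml)
    declared = set(perms)
    flags = []
    if "android.permission.SYSTEM_ALERT_WINDOW" in declared:
        # Overlay capability; pair with installed-app enumeration before calling it a banker.
        flags.append("overlay_capable")
    if len(COLLECTION & declared) >= 3:
        flags.append("broad_collection")
    return {"permissions": perms, "buckets": classify(perms), "flags": flags}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for level, names in result["buckets"].items():
        print("%-9s %s" % (level, ", ".join(names) or "-"))
    print("flags:", ", ".join(result["flags"]) or "-")
```

The unknown bucket is deliberate: vendor and custom permissions are exactly the ones a static table cannot judge, so they are surfaced rather than silently dropped.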

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 08:36

Reported

2024-06-03 08:39

Platform

android-x86-arm-20240514-en

Max time kernel

18s

Max time network

150s

Command Line

org.chromium.caster_receiver_apk_FMMusic

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model (3 reads) N/A N/A

The sandbox raises this signature on any read of ro.product.model. Analytics SDKs also read it for device fingerprinting, and this app bundles two (MiStat and Umeng, see Files and Network), so on its own the read is a weak evasion indicator; it becomes meaningful if the value is compared against emulator strings such as "sdk_gphone", "google_sdk" or "Android SDK built for x86", or when combined with the /proc/cpuinfo and /proc/meminfo reads below.

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_client.dex (loaded 4 times) N/A N/A
N/A /data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_server.dex (loaded 11 times) N/A N/A

Both files live in the app's private data directory rather than in the APK's classes.dex, so static analysis of the APK alone misses the code they contain. Only qcast_sdk_core_server.dex was captured in the Files section (SHA256 b0e1409c9e224a1765e41e5abf4b330dcd4eaa9ab043c4bc05cc80960ce08491); the client dex has no hash in this report. The dex2oat entry under Processes is ART compiling the server dex after the class loader opened it.
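When a dropped .dex has been pulled from the sandbox, the first question is whether it is a well-formed DEX and whether its integrity fields still match its contents (a repacked or patched file usually breaks them). The header parser below is an added example for this report, not code from the sample, the qcast SDK or the sandbox; build_sample_dex() constructs a header-only DEX with no classes so the script runs offline, and parse_dex_header() takes the bytes of a real dropped file.

```python
"""Parse and verify the header of a DEX file, the format of the two
qcast_sdk_core_*.dex files the sample loads from its private data directory.

Added example for this report; not code from the sample or the sandbox.
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412
# Header fields from offset 0x20 to 0x70, in file order (20 little-endian uint32s).
FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data):
    """Return the header fields plus integrity verdicts for a DEX blob."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7] != 0:
        raise ValueError("not a DEX file: magic %r" % magic)
    version = magic[4:7].decode("ascii")          # "035", "037", "038", "039", ...
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    fields = dict(zip(FIELDS, struct.unpack_from("<20I", data, 32)))
    endian = {ENDIAN_CONSTANT: "little", REVERSE_ENDIAN_CONSTANT: "big"}.get(
        fields["endian_tag"], "invalid")
    # DEX spec: the Adler-32 checksum covers everything after itself, the SHA-1
    # signature covers everything after itself; both span the rest of the file.
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    signature_ok = hashlib.sha1(data[32:]).digest() == signature
    return {
        "version": version,
        "endian": endian,
        "checksum_ok": checksum_ok,
        "signature_ok": signature_ok,
        "size_ok": fields["file_size"] == len(data)
                   and fields["header_size"] == DEX_HEADER_SIZE,
        **fields,
    }


def build_sample_dex(version=b"035"):
    """Constructed header-only DEX: every table empty, integrity fields valid."""
    body = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT,
                       *([0] * 17))
    tail = hashlib.sha1(body).digest() + body        # signature + remaining fields
    checksum = zlib.adler32(tail) & 0xFFFFFFFF        # covers signature + fields
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + tail


def tamper(data, offset, value):
    """Overwrite one byte, as a patched or repacked dex would; both digests should fail."""
    buf = bytearray(data)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    good = parse_dex_header(build_sample_dex())
    bad = parse_dex_header(tamper(build_sample_dex(), 0x60, 1))   # class_defs_size
    for name, hdr in (("sample", good), ("tampered", bad)):
        print(name, hdr["version"], hdr["endian"],
              "checksum_ok=%s signature_ok=%s size_ok=%s"
              % (hdr["checksum_ok"], hdr["signature_ok"], hdr["size_ok"]))
```

The version string is worth recording alongside the hashes: 035 is the original format, while 037, 038 and 039 require Android 7, 8 and 9 respectively, which bounds the devices a dropped dex can have targeted.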

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo (2 calls) N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver (2 calls) N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

alog.umeng.com is the logging endpoint of the Umeng analytics SDK, which the app also leaves traces of on disk (files/umeng_it.cache). It is on the echap.eu.org indicator list because stalkerware apps embed the same SDK, but so do a great many benign apps, so this hit should not be read as stalkerware on its own; the overlay permission, the runtime-loaded dex files and the installed-app enumeration carry more weight for the verdict.

Reads information about phone network operator.

discovery

Processes

org.chromium.caster_receiver_apk_FMMusic

org.chromium.caster_receiver_apk_FMMusic:castlinkerservice

org.chromium.caster_receiver_apk_FMMusic:sandboxed_process0

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_server.dex --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/data/org.chromium.caster_receiver_apk_FMMusic/dex/oat/x86/qcast_sdk_core_server.odex --compiler-filter=quicken --class-loader-context=&

org.chromium.caster_receiver_apk_FMMusic:castlinkerservice

org.chromium.caster_receiver_apk_FMMusic:sandboxed_process1

org.chromium.caster_receiver_apk_FMMusic:castlinkerservice

The dex2oat invocation (captured up to --class-loader-context=) is ART's ahead-of-time compiler producing an .odex for the dropped qcast_sdk_core_server.dex under the app's own dex/oat/x86/ directory once the class loader opened it; it is a side effect of the dex load, not a separate payload. The :sandboxed_processN entries are Chromium content-shell renderer processes: the app ships content_shell.pak and icudtl.dat (see Files), i.e. it embeds a Chromium-based shell for the HTML and JavaScript under asset_res/system_js/. The :castlinkerservice process is the app's own cast service.

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.204.67:443 | - | tcp
US | 1.1.1.1:53 | data.mistat.xiaomi.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
NL | 20.33.39.104:443 | data.mistat.xiaomi.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | discovery.qcast.cn | udp
CN | 47.97.217.117:80 | discovery.qcast.cn | tcp
US | 1.1.1.1:53 | log.qcast.cn | udp
CN | 47.97.217.117:80 | log.qcast.cn | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Country is the GeoIP location of the destination, not of the sample. The 1.1.1.1:53 rows are the sandbox's resolver lookups (Cloudflare DNS) and 224.0.0.251:5353 is multicast DNS, consistent with a cast-receiver app looking for peers on the local network. data.mistat.xiaomi.com (Xiaomi MiStat analytics, matching the databases/mistat.db-* files) and alog.umeng.com (Umeng analytics) are telemetry endpoints. discovery.qcast.cn and log.qcast.cn belong to the qcast SDK whose dex files the app drops and loads; both resolve to the same host and are reached over plaintext HTTP on port 80, so anything the SDK reports is visible on the wire. The googleapis.com and google.com names, and the unnamed GB 142.250.x/216.58.x:443 connections, are Google infrastructure and most likely Play services background traffic from the sandbox image rather than the sample's own activity.
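The table above mixes resolver lookups, local multicast and real connections on one list. The script below, an added example rather than sandbox tooling, pivots it into a per-domain view: what was resolved, what was then contacted, what went over plaintext HTTP, and what matched a watchlist. ROWS is transcribed from the Network table; WATCHLIST is a constructed stand-in for the indicator feed the sandbox used, not the echap.eu.org list itself.

```python
"""Pivot a sandbox network table into a per-domain summary.

Added example for this report, not sandbox tooling. ROWS is copied from the
report's Network table; WATCHLIST is constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address

# (country, destination, domain, proto) as printed in the report; "" = no domain shown.
ROWS = [
    ("GB", "142.250.200.14:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("GB", "216.58.204.67:443", "", "tcp"),
    ("US", "1.1.1.1:53", "data.mistat.xiaomi.com", "udp"),
    ("US", "1.1.1.1:53", "alog.umeng.com", "udp"),
    ("NL", "20.33.39.104:443", "data.mistat.xiaomi.com", "tcp"),
    ("CN", "223.109.148.179:80", "alog.umeng.com", "tcp"),
    ("US", "1.1.1.1:53", "discovery.qcast.cn", "udp"),
    ("CN", "47.97.217.117:80", "discovery.qcast.cn", "tcp"),
    ("US", "1.1.1.1:53", "log.qcast.cn", "udp"),
    ("CN", "47.97.217.117:80", "log.qcast.cn", "tcp"),
    ("US", "1.1.1.1:53", "semanticlocation-pa.googleapis.com", "udp"),
    ("GB", "142.250.180.14:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.187.206:443", "android.apis.google.com", "tcp"),
]

# Constructed watchlist mirroring the signature the sandbox fired.
WATCHLIST = {
    "alog.umeng.com": "stalkerware-indicator list hit (Umeng analytics; also in many benign apps)",
}

DNS_PORT = 53
MDNS_PORT = 5353
PLAINTEXT_PORTS = {80}


def split_dest(dest):
    """'host:port' -> (host, port); rpartition keeps IPv6 literals intact."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarize(rows, watchlist):
    """Group rows by domain, separating DNS lookups, mDNS and unnamed connections."""
    domains = defaultdict(lambda: {"queried": False, "connections": [],
                                   "plaintext": False, "watchlist": None})
    unresolved, mdns = [], []
    for country, dest, domain, proto in rows:
        host, port = split_dest(dest)
        if ip_address(host).is_multicast and port == MDNS_PORT:
            mdns.append((host, port, proto))            # local service discovery
        elif port == DNS_PORT and proto == "udp" and domain:
            domains[domain]["queried"] = True           # resolution only, not contact
        elif domain:
            d = domains[domain]
            d["connections"].append((host, port, proto))
            d["plaintext"] = d["plaintext"] or port in PLAINTEXT_PORTS
        else:
            unresolved.append((country, host, port, proto))  # no name seen for this IP
    for name, info in domains.items():
        info["watchlist"] = watchlist.get(name)
    return {"domains": dict(domains), "unresolved": unresolved, "mdns": mdns}


def ioc_lines(summary):
    """One line per domain with its tags, ready for a blocklist review."""
    out = []
    for name, info in sorted(summary["domains"].items()):
        tags = []
        if info["connections"]:
            tags.append("contacted")
        if info["plaintext"]:
            tags.append("http")
        if info["watchlist"]:
            tags.append("watchlist")
        out.append("%s %s" % (name, ",".join(tags) or "dns-only"))
    return out


if __name__ == "__main__":
    s = summarize(ROWS, WATCHLIST)
    print("\n".join(ioc_lines(s)))
    print("unresolved:", s["unresolved"])
    print("mdns:", s["mdns"])
```

The "dns-only" tag is the useful negative: a name that was resolved but never contacted (here semanticlocation-pa.googleapis.com) is a lookup the sandbox observed, not a connection the sample made, and should not be promoted to an indicator on that evidence alone.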

Files

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/my_app.html

MD5 2c8dbceaeb092bb6cd97a98783181510
SHA1 6241a489e63b8baa9535249aa8bd1cf25e7c0402
SHA256 79f19de2ce52f3410a7d09243c3759ec78e0a7ade5d1e486ea2d996f2de15ec0
SHA512 1bb5b729e8dff89517bc684026e184dc89f6b2212d23829aef8f6b5e108f4f41d08df01676c99fd03b47e491bdea742c587710e642349b76fa628929a0a3e1b1

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/my_app.js

MD5 a58ee05434ce8a2c6eb644712d4587a3
SHA1 e84b8dc4150cbe63a88004d5895493867fb9cd22
SHA256 b9f841b677c020cc1e40655ee947dfc8434d6fd5da0abde132f7e64698406475
SHA512 0272d7639071adc778dc38c0ea4742ff4c7dc8005937625050393f160b2f73500a8da26c41c2550a75faeb28f636cc7035551ac7681aa5ce30a0c3fd7bfdc896

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/README

MD5 e1c2ff1c6ad39791142aef2d783d8fec
SHA1 59893468323273b2d8c5c32a2ff6a24c0eb2ce0e
SHA256 cf5e418ac24a2ffccdbdc802dd5262d1d615146849451e5a169e44bafed8ff38
SHA512 c47fd9347b8b53f36caa15b535aa647469457f50a4c5e05edc18b5d65b07e75e729020c7b0360b834f0febb7f77522065946b56638b4410057d410c17db39fee

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/tab_blank_root.html

MD5 2603e3a7eba8b03af315c590c0ebeb76
SHA1 1843c16eaa2dac0570d41c0e3d306151289eef68
SHA256 501b8e6adc184ee1a1ccd7904e60566abf509cbcb1d17580fcd062d28b6b1e50
SHA512 1858d96de812f90e9a8d9d38ad397916e1fc606138708aac765bec26d3ded3d950852f1ee0ea5075140da6f646c4206178d58f066ef782ab15b7e8465579e152

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/utils.js

MD5 8d7b680dd495c8f0809369ce07043831
SHA1 a110f9675184357f10095cc3eb04b325f2413858
SHA256 4f9f84a9a5133f48e07c63a4541c281a4abe49097ad836414b7eec540426f45a
SHA512 8007a03cb9789345998a1e1daa015ab0daf57d2dbf346642e8af9b85964f6b2756c01acf1738e505e00490d98abe52e7e52e1aba83e3571b29572a7cd5a60556

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/websql.js

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/appcontext.js

MD5 cfb4b781ef7f8aa93841df1b35bbb0ee
SHA1 30e43d41a2665d3dbb797efdc3e4174a5988792f
SHA256 714dfde9dc4b7a1c3a881f7e1a1169b77ed32c2dc893430a98b75d52e4b29bc7
SHA512 5a0a873d2ac33246fa5ba342604222319f5671ce8ef57f505c18188526b3237ea5892a9796b3c70a1b6b848c4897d2a6b5c416af064de00e06635ed24fcf0700

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/blank.html

MD5 b8639ac0df7466d734bb2a29d9da93a6
SHA1 3000732c8cbc68a569a3925d0a6a2700e07f415e
SHA256 12333f0a11a4c58c8bff33b44d4585b6bb142caf1b898985a69e44be7c6a8371
SHA512 550e8011fa7357a56aa0c1a9734767434342dacf2658d6781c03ebc226a5a7f02e82a874fec811f4c9603a48f7740debab0f8d2421682fd2f3fb42b3196a8ef9

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/call_by_java.js

MD5 07e7eb9912ab457bc8fcc17c77976c75
SHA1 c3534c94bd1065078f6305e13fe2307d2016b070
SHA256 e73ac11ab21faf81953216d009fbe800e68918774fecc945da168b6a49b5a3f4
SHA512 bdd84d2ca87241151eea7990e39e3c15683fdefb48215341257957c9a6e30a572937c54cfe4dc292754d58b11c5b34b8158a66886ddd5432c1a4db8130356bb3

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/console_log.js

MD5 1f5cac225639ab360f6967cbeec1f59f
SHA1 0557a0e7360a02580c0fe13163779b0a60df9ee8
SHA256 97b71713e185d0cce6969c5b8f5fe9ef98aadfa523b60a20727febe6fae99cac
SHA512 ea5318e437923964ee516527d0455a124197e2130a4b87c114b3b82e9633c5236aa30f0faa7c58e643d2105b6429e587278de16f9d9620934e03b0fa8780d8ed

/data/data/org.chromium.caster_receiver_apk_FMMusic/app_content_shell/paks/content_shell.pak

MD5 736b282401615ae39eb0f278759258f7
SHA1 730db06ab2a8409bb2ab2441848b7706bb120c47
SHA256 c487e0133b3a7e5772d5147365e41d2648a635c2ca2e66047661fc5222bf2874
SHA512 14ada472efbeaf0625e0a55f7e46b91aa2ce2a11cb86e235409f39532b2d68d904ddcc4d8c10b6e537d3e9ed9c3f43c981226f1aea752e7c5c5f34838533006f

/data/data/org.chromium.caster_receiver_apk_FMMusic/app_content_shell/icudtl.dat

MD5 016b7c560b53fe4fcf41f4b2eca9f61f
SHA1 b7e60915aeb077c7e4ba54f87b4b8b8c4f335956
SHA256 86030aafd3e4128b37d50bfa63aecad20bcccacd8037925f9ada49a40620394c
SHA512 867b84f196609c212736904ed733ca9c24a0e9d1a4d3b5246955c053b743801b4e7f1d0b44aceaf2cc108b80c06b016399bb8b27b97e91e0eeca1ce95b56a609

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/download_v3.db-journal

MD5 7a1d6ccb06b32885912198ab3385159b
SHA1 8f97a6ceaefd7b6908228d76822bc17226f68660
SHA256 97e65ed5b06225a84ee3e0cf354ca0b329febe8097ee0af815e9d6f8807a0787
SHA512 d83925e3e6edfbc9e489d26f95f7de55fa606f09f430137a71df389ad0294b10470cb18aa1e5e78b80721467ea40f4eb3792da7787d805cd58188ad03a70a864

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/download_v3.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/download_v3.db-wal

MD5 4e8b936d172d86b15ddf7e05771495a2
SHA1 ff5e63ddd62eaec9f382663a9fa6d384b25ddaf3
SHA256 a0876d98db3130275ac5de56dc92a1150902678ec80847f1442fb9d291d92423
SHA512 4de440dafee528b510c69bd572de47151d1ad1361b61e671235260a0b2e3510e469debcb888ab124220ac35b40df2415b5a344e6ed29db0f4e2c56a48e4d8368

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/mistat.db-journal

MD5 860810f99338bca622cd56fbfa1d74c3
SHA1 e17d487789b0998f7f0e9331c0f8bd055c5df820
SHA256 702b2e0a9f1d1b717809a9a7d3ed99b256fa3857781a686f509d9776cc647178
SHA512 6a9f6fd50a956d84d5aa538418e53593ef83590dc4e5d1f9d619f579b9a6f5cdf7395a4c06f2f6efe319d96f07547ba892d93062ace6b22b1e93f226dac1506b

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/mistat.db-wal

MD5 04f2ea793e2bb21794c5e9fb3feeb077
SHA1 b99058e9aac21b2e6dcf244f24807fd8c725adac
SHA256 adc65a48b4ca46837e4fee222fa27edb6607ee08c2e924706e2bb84bae8bd8cd
SHA512 c20e8f0123e69dec98e6864bd21305ac0ad85b1dfb7a09a4a3026338f45f935a043a4c2a376ac16a02688dc291bd862491cbb156518661066c52fb380f521809

/data/data/org.chromium.caster_receiver_apk_FMMusic/files/umeng_it.cache

MD5 aa48d6f337b6ee86b2283fc86a3c6c37
SHA1 4ee0fda1accfb1aca0c2dfa1182bfb6f94053f67
SHA256 148bb088cebcf473b505270a2a7707c33787c451994828339eca1153a8f744d8
SHA512 ec4a71f884fb886dfdfee3db1b3dbe7793bc500b2f6891ee29c552b43bb44746b4f0de604307d4f6a3327ed127cab43c0621c8d4e859027c6877b5649fec47f3

/data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_server.dex

MD5 8ea415a63e02abe51a07d1d4c7987b9f
SHA1 45abb3d8b8cb3ac8a55df29f3f3b80452507c786
SHA256 b0e1409c9e224a1765e41e5abf4b330dcd4eaa9ab043c4bc05cc80960ce08491
SHA512 9911cd78a71c5adf3dabf6cc1162d06174ebc0c618c2dca8cda21521c9ac698f9fc9f263ebd16e19c93f80ee6a6d186a20cd8ebbdfe6abfff2592eff87e3f7dc