Malware Analysis Report

2024-11-16 10:45

Sample ID 240603-l72lksah9v
Target 9166ad840ba5df762f5264e0cc98eb03_JaffaCakes118
SHA256 aad1625a87aa5dde6bb73410a8e19d48ba25e213963b73e57936191beef794fa
Tags
discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

aad1625a87aa5dde6bb73410a8e19d48ba25e213963b73e57936191beef794fa

Threat Level: Shows suspicious behavior

The file 9166ad840ba5df762f5264e0cc98eb03_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Makes use of the framework's foreground persistence service

Checks if the internet connection is available

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:11

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:11

Reported

2024-06-03 10:14

Platform

android-x86-arm-20240514-en

Max time kernel

11s

Max time network

140s

Command Line

com.androidemu.harvechi.tankedazhan

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.androidemu.harvechi.tankedazhan

com.androidemu.harvechi.tankedazhan:emulator

Network

Country Destination Domain Proto
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 susapi.lenovomm.com udp
HK 103.30.235.171:80 susapi.lenovomm.com tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/data/data/com.androidemu.harvechi.tankedazhan/nesroms/harvezzhxzlb/harvechise.nes

MD5 23e88c0c954bb497a24ca7413f26760d
SHA1 e9250d7da4ff73831d9453d2c4b6bfcdf5cbc304
SHA256 291885da6dffa539339a5afb2d586d1260b38b111c40e0a95c5de6b205963523
SHA512 30adc418b43f635d7042307a9fd75547b4f9a1e1ebe986a6df9d6702cc567353935170745d11c6db21df06b88d7b237317d6e14e7992199d7113557d45089113