Malware Analysis Report

2024-11-16 10:46

Sample ID: 240603-lcq7csaa4y
Target: 91451cea3589211c691c39dfa8ee9296_JaffaCakes118
SHA256: f64e3527dd7a9fe72687fdb7b191ac55e21404a10a7823adf88558756f6261c8
Tags: discovery persistence collection evasion ransomware
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: f64e3527dd7a9fe72687fdb7b191ac55e21404a10a7823adf88558756f6261c8

Threat Level: Shows suspicious behavior

The file 91451cea3589211c691c39dfa8ee9296_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery persistence collection evasion ransomware

Reads the content of SMS inbox messages.

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Reads the content of the SMS messages.

Reads the content of the call log.

Requests dangerous framework permissions

Checks if the internet connection is available

Changes the wallpaper (common with ransomware activity)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-03 09:23

Signatures

Requests dangerous framework permissions

Description                                          Indicator                                  Process  Target
Allows an application to write to external storage.  android.permission.WRITE_EXTERNAL_STORAGE  N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 09:23
Reported: 2024-06-03 09:26
Platform: android-x86-arm-20240514-en
Max time kernel: 8s
Max time network: 156s

Command Line

com.baoruan.theme.klbezecdcmVKTZRPfYh

Signatures

N/A

Processes

com.baoruan.theme.klbezecdcmVKTZRPfYh

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     -                        udp
GB       216.58.212.227:443   -                        tcp
GB       142.250.180.14:443   -                        tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       142.250.187.206:443  android.apis.google.com  tcp
GB       142.250.200.46:443   -                        tcp
GB       142.250.180.2:443    -                        tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 09:23
Reported: 2024-06-03 09:26
Platform: android-x64-20240514-en
Max time kernel: 8s
Max time network: 132s

Command Line

com.baoruan.theme.klbezecdcmVKTZRPfYh

Signatures

N/A

Processes

com.baoruan.theme.klbezecdcmVKTZRPfYh

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     -                         udp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.178.8:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.200.46:443   android.apis.google.com   tcp
GB       216.58.213.14:443    -                         tcp
GB       216.58.212.194:443   -                         tcp
GB       142.250.180.14:443   -                         tcp
GB       142.250.180.4:443    -                         tcp
GB       142.250.180.4:443    -                         tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-03 09:23
Reported: 2024-06-03 09:26
Platform: android-x64-arm64-20240514-en
Max time kernel: 8s
Max time network: 133s

Command Line

com.baoruan.theme.klbezecdcmVKTZRPfYh

Signatures

N/A

Processes

com.baoruan.theme.klbezecdcmVKTZRPfYh

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     -                         udp
GB       172.217.16.238:443   -                         tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.200.46:443   android.apis.google.com   tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.200.8:443    ssl.google-analytics.com  tcp
GB       216.58.201.100:443   -                         tcp
GB       216.58.201.100:443   -                         tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-03 09:23
Reported: 2024-06-03 09:26
Platform: android-x86-arm-20240514-en
Max time kernel: 3s
Max time network: 160s

Command Line

com.baoruan.launcher2

Signatures

Queries information about the current Wi-Fi connection

Tags: discovery
Description             Indicator                                         Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Processes

com.baoruan.launcher2

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     -                        udp
GB       142.250.178.3:443    -                        tcp
GB       142.250.200.46:443   -                        tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       172.217.16.238:443   android.apis.google.com  tcp
GB       172.217.169.14:443   -                        tcp
US       1.1.1.1:53           www.google.com           udp
GB       172.217.16.228:443   www.google.com           tcp

Files

/data/data/com.baoruan.launcher2/databases/launcher2.db-journal
/data/data/com.baoruan.launcher2/databases/launcher2.db
/data/data/com.baoruan.launcher2/databases/launcher2.db-shm
/data/data/com.baoruan.launcher2/databases/launcher2.db-wal

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-03 09:23
Reported: 2024-06-03 09:26
Platform: android-x64-arm64-20240514-en
Max time kernel: 176s
Max time network: 133s

Command Line

com.baoruan.launcher2

Signatures

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description             Indicator                                          Process  Target
Framework service call  android.app.IActivityManager.setServiceForeground  N/A      N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description             Indicator                                         Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Reads the content of SMS inbox messages.

Tags: collection
Description            Indicator             Process  Target
URI accessed for read  content://sms/inbox   N/A      N/A

Reads the content of the SMS messages.

Tags: collection
Description            Indicator       Process  Target
URI accessed for read  content://sms/  N/A      N/A

Reads the content of the call log.

Tags: collection
Description            Indicator                  Process  Target
URI accessed for read  content://call_log/calls   N/A      N/A

Checks if the internet connection is available

Tags: discovery
Description             Indicator                                               Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Changes the wallpaper (common with ransomware activity)

Tags: ransomware
Description             Indicator                                   Process  Target
Framework service call  android.app.IWallpaperManager.setWallpaper  N/A      N/A

Processes

com.baoruan.launcher2

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     -                         udp
GB       142.250.178.14:443   -                         tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.178.14:443   android.apis.google.com   tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       172.217.16.232:443   ssl.google-analytics.com  tcp
US       1.1.1.1:53           apitest.baoruan.com       udp
CN       150.223.40.148:80    apitest.baoruan.com       tcp
CN       150.223.40.148:80    apitest.baoruan.com       tcp
CN       150.223.40.148:80    apitest.baoruan.com       tcp
CN       150.223.40.148:80    apitest.baoruan.com       tcp
GB       142.250.178.4:443    -                         tcp
GB       142.250.178.4:443    -                         tcp
CN       150.223.40.148:80    apitest.baoruan.com       tcp

Files

/data/user/0/com.baoruan.launcher2/databases/launcher2.db-journal (six separately recorded versions)
/data/user/0/com.baoruan.launcher2/databases/launcher2.db
/data/user/0/com.baoruan.launcher2/files/launcher.preferences
/data/system/users/0/wallpaper_orig