Malware Analysis Report

2024-09-09 13:38

Sample ID 240603-pg389sfd56
Target 91c22c89a4696a03cf747b1b8640a912_JaffaCakes118
SHA256 5e22b0f84b9d6e30dabd72ad98a8f63117ccea76090e43003db62e2bbf739076
Tags: collection discovery evasion impact persistence stealth trojan
Score: 8/10


Analysis Overview


Threat Level: Likely malicious

The file 91c22c89a4696a03cf747b1b8640a912_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence stealth trojan

Removes its main activity from the application launcher

Requests changing the default SMS application.

Queries information about running processes on the device

Checks known Qemu pipes.

Queries the phone number (MSISDN for GSM devices)

Checks Android system properties for emulator presence.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Checks if the internet connection is available

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-03 12:18

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 12:18
Reported: 2024-06-03 12:22
Platform: android-x86-arm-20240514-en
Max time kernel: 179s
Max time network: 131s

Command Line

com.plmbvzuvco.elnsyn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks known Qemu pipes.

evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar | N/A | N/A
N/A | /data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.plmbvzuvco.elnsyn

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/oat/x86/cdfkgoexhc.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | 23r23tttt.xyz | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar

MD5 60a8dd0c3cb31ca0858bec1ebe6af441
SHA1 ec42790843820a3df940533bfb7f4b42e102c57d
SHA256 2437b2b15f9e9f5c4c8eacbb1b0a0f86bf9ef8dde76f6436536f900e0e80f088
SHA512 23bf26198da382292af17acdcfc0db13f198a9a6e39153248c26f904aba539b55ba952a1b622416d128f50c77085371fe03e1225ebcd536f269a6bfb5dca3cea

/data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar

MD5 643cf358af2c310fa041c73fb0f4e0b2
SHA1 7b85a3cee4752705f7b854b1278a915c83703812
SHA256 6cae3df46a3cc220e9cec9d0fecd2956a9a5c040e1c9cdac94a3bcbd7b8047f7
SHA512 590eab2509a35dcec3b5413eb0166e5e6b80b2b06a0c2cdc502cc26781f1c538d499b53cbd1e6c7550758d7e05ea9b13fb9d560ecff54eace83ffce8b66f5e85

/data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar

MD5 0676ad903b2c15598655fdd86f749979
SHA1 8a110c283475d67ba52645756b6efb48b657ced5
SHA256 a479966c9d1fdfd47b55e73aad22d46e480222153d397875a6fcfee9a8b6a4b7
SHA512 bc49bf9712f4b89b17400545c5114a66462b1979b8f0f8f8145853fcfa0a3c2e77aec7f1fc4a84d71b782230e3e6be44f5267ed52bc35bbf87304a8048fc0ef8

/data/data/com.plmbvzuvco.elnsyn/app_xmqoembomsv/oat/cdfkgoexhc.jar.cur.prof

MD5 03de69e7add65e1a09a448a1fcb983ea
SHA1 e8447a6a3a52fa5b6e1ce66889a0bc715c7a3ce7
SHA256 52f960c15622508193600ef5567f003f0bbb344a9182fdbe41d4c7ab2f29f0ef
SHA512 9f4718dd8c1ad57de4aca037a94cfef2092f35b28ab06e019acd22d577867359539f1fa90d237eb686d9d3014c5e3ba9dd50f7ee35cbb4843c86a371f33c4205

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 12:18
Reported: 2024-06-03 12:22
Platform: android-x64-20240514-en
Max time kernel: 179s
Max time network: 167s

Command Line

com.plmbvzuvco.elnsyn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.bootloader | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks known Qemu pipes.

evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

com.plmbvzuvco.elnsyn

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | 23r23tttt.xyz | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp

Files

/data/data/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar

MD5 60a8dd0c3cb31ca0858bec1ebe6af441
SHA1 ec42790843820a3df940533bfb7f4b42e102c57d
SHA256 2437b2b15f9e9f5c4c8eacbb1b0a0f86bf9ef8dde76f6436536f900e0e80f088
SHA512 23bf26198da382292af17acdcfc0db13f198a9a6e39153248c26f904aba539b55ba952a1b622416d128f50c77085371fe03e1225ebcd536f269a6bfb5dca3cea

/data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar

MD5 643cf358af2c310fa041c73fb0f4e0b2
SHA1 7b85a3cee4752705f7b854b1278a915c83703812
SHA256 6cae3df46a3cc220e9cec9d0fecd2956a9a5c040e1c9cdac94a3bcbd7b8047f7
SHA512 590eab2509a35dcec3b5413eb0166e5e6b80b2b06a0c2cdc502cc26781f1c538d499b53cbd1e6c7550758d7e05ea9b13fb9d560ecff54eace83ffce8b66f5e85

/data/data/com.plmbvzuvco.elnsyn/app_xmqoembomsv/oat/cdfkgoexhc.jar.cur.prof

MD5 087a0f0d9094ceb607fb85698de48b97
SHA1 cc3c192eba4429019f244ee522349a33cf15225b
SHA256 fb5bfdb50a97defbb3df9011e74fe90d0704a2559085e5d003bbccc463591bf0
SHA512 3b1ac811804c2f038f08273559cabf5ea6f15ca64c2e84f3f4e98df59d309c2d0d59c5c5f598734bed91da516904b3eeb9ebcb3f5e0f88809aad834d11d9347e

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-03 12:18
Reported: 2024-06-03 12:22
Platform: android-x64-arm64-20240514-en
Max time kernel: 179s
Max time network: 131s

Command Line

com.plmbvzuvco.elnsyn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.hardware | N/A | N/A
Accessed system property key: | ro.product.device | N/A | N/A
Accessed system property key: | ro.product.model | N/A | N/A
Accessed system property key: | ro.product.name | N/A | N/A
Accessed system property key: | ro.bootloader | N/A | N/A
Accessed system property key: | ro.bootmode | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks known Qemu pipes.

evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.plmbvzuvco.elnsyn

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | 23r23tttt.xyz | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp

Files

/data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar

MD5 60a8dd0c3cb31ca0858bec1ebe6af441
SHA1 ec42790843820a3df940533bfb7f4b42e102c57d
SHA256 2437b2b15f9e9f5c4c8eacbb1b0a0f86bf9ef8dde76f6436536f900e0e80f088
SHA512 23bf26198da382292af17acdcfc0db13f198a9a6e39153248c26f904aba539b55ba952a1b622416d128f50c77085371fe03e1225ebcd536f269a6bfb5dca3cea

/data/user/0/com.plmbvzuvco.elnsyn/app_xmqoembomsv/cdfkgoexhc.jar

MD5 643cf358af2c310fa041c73fb0f4e0b2
SHA1 7b85a3cee4752705f7b854b1278a915c83703812
SHA256 6cae3df46a3cc220e9cec9d0fecd2956a9a5c040e1c9cdac94a3bcbd7b8047f7
SHA512 590eab2509a35dcec3b5413eb0166e5e6b80b2b06a0c2cdc502cc26781f1c538d499b53cbd1e6c7550758d7e05ea9b13fb9d560ecff54eace83ffce8b66f5e85