Malware Analysis Report

2024-09-09 13:38

Sample ID 240603-qeh1zsgh69
Target 91e6b4f1000ece702971b42bab9827cd_JaffaCakes118
SHA256 359e9df94f774ecf19b3bd9b938a0d1528d0767a9c35e45b206268d159d1329d
Tags banker collection discovery evasion persistence stealth trojan
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

8/10

SHA256

359e9df94f774ecf19b3bd9b938a0d1528d0767a9c35e45b206268d159d1329d

Threat Level: Likely malicious

The file 91e6b4f1000ece702971b42bab9827cd_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion persistence stealth trojan

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Checks CPU information

Loads dropped Dex/Jar

Queries information about running processes on the device

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Queries account information for other applications stored on the device

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Checks if the internet connection is available

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-03 13:10

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 13:10

Reported

2024-06-03 13:13

Platform

android-x86-arm-20240514-en

Max time network

163s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.227:80 | | tcp
GB | 142.250.187.196:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
GB | 142.250.180.14:443 | | tcp
GB | 172.217.169.42:443 | | tcp
GB | 216.58.212.227:443 | | tcp
GB | 142.250.200.14:443 | | tcp
BE | 74.125.71.188:5228 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.180.2:443 | | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.68:443 | www.google.com | tcp
US | 1.1.1.1:53 | sjalshnhdme | udp
US | 1.1.1.1:53 | jtevhvrn | udp
US | 1.1.1.1:53 | beajlwfgi | udp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 13:10

Reported

2024-06-03 13:13

Platform

android-x64-20240603-en

Max time kernel

179s

Max time network

178s

Command Line

com.snaz.oout.txvw

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.snaz.oout.txvw/app_mjf/dz.jar | N/A | N/A
N/A | /data/user/0/com.snaz.oout.txvw/app_mjf/dz.jar | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Processes

com.snaz.oout.txvw

com.snaz.oout.txvw:daemon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | c.ioate.com | udp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
GB | 142.250.179.234:443 | | tcp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
CN | 59.82.122.10:80 | ip.taobao.com | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.200.34:443 | | tcp
GB | 142.250.187.234:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | o.pmuro.com | udp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 54.80.154.23:80 | o.pmuro.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.121.179:80 | ip.taobao.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 59.82.121.179:80 | ip.taobao.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 59.82.121.179:80 | ip.taobao.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp

Files

/data/data/com.snaz.oout.txvw/app_mjf/tdz.jar

MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/data/com.snaz.oout.txvw/app_mjf/ddz.jar

MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.snaz.oout.txvw/app_mjf/dz.jar

MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/data/com.snaz.oout.txvw/databases/lezzd-journal

MD5 0df5dd5e335a8ca73ef2027f98be8bca
SHA1 e64975041afe4a977be2b09a195a12f131c2059d
SHA256 1260a2836adf8d1f961df7c028bd17f31612bd710ccd299034add066e3d7f0ca
SHA512 e9b4c803375cd112a78ebc370b58e5e16c34f82185f441768bbd0bfc2fc18dd1a7f065ca6c4b6ac11e0f56ad463507b8408c21ffe55a89af43df2b6e4b94d885

/data/data/com.snaz.oout.txvw/databases/lezzd

MD5 dae68dcffc3d522a79f98ebbc3b6d457
SHA1 6df5dce9a50f12044a2d20b8d1742ae47b82ee03
SHA256 56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286
SHA512 23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

/data/data/com.snaz.oout.txvw/databases/lezzd-journal

MD5 cb5ca837a8c54ba41325561c7ec54912
SHA1 993f6fe762af5b3c21c6a1e3ead8a49505801336
SHA256 2d4c5a84664e421fafeba53ade74ccd8631f925533172d256905d10ffcfaf9c7
SHA512 36ea665be0ff2dece9ad284a34139ee8a25a03e71f84285963dc7b8bc006b29e78943ec39ecad37090e264366f967cd1ef6a28c7e42f4b19d044b8b82cff96a0

/data/data/com.snaz.oout.txvw/databases/lezzd-journal

MD5 5e896ec39967765dc1406e4740faf2a9
SHA1 68b576e337c42e69db8eacbdfafbc25da240f7d6
SHA256 f02da2a0719d9055c3e55eb9bb7d5148e37c038b3b2087b83e8cab9d4b52be43
SHA512 94fffa064923e95d4f2e4f73a8cdbe544feea260d734ee74c78401fc805c33c90d9ee6352f722a5dff927069e319d7afad8a9ef52d72646095851ba6bee59095

/data/data/com.snaz.oout.txvw/databases/lezzd-journal

MD5 03885b8d0eebf46824a5ead3f96d5f86
SHA1 cd14b091446c24ce8fa4a097a0ea89bacb96524a
SHA256 1abdf9c9ecb43ceb41df5191edba0cf9fc3195326a9f40dbbb7deee0425459e5
SHA512 5e06dd1f92acf110002bf6361a8b21703ef0b491dfe8c2c6c904fb6b0a5540b4e77d49d9db951a7880c655178840eece56529f59b5e3c49da4fd6ef2704770a6

/data/data/com.snaz.oout.txvw/databases/lezzd-journal

MD5 632243421d802b3338044d8e487191c6
SHA1 0ce2539465d53bbf8377fcda15049a3838997515
SHA256 76646b6e16a29003585401b8574010047f9fc2447169289783d8fced1b3881a6
SHA512 458a8ade10e4d0f37585677dd8f39d716ba2163f1e100cbf0774a801a407055e73a12f7ce294f37dd96b4c7e6724d7a7f296e539d23d16c86288a7986d1e081c

/data/data/com.snaz.oout.txvw/databases/lezzd-journal

MD5 7a27d61b9c118d77777cf0e9362d9cec
SHA1 dcc499bf348c63e5049350747ddd07ea377e04e5
SHA256 28109b16d9775dbe1bf9d8682dcee2f2f604be320635112504f8beb542944f40
SHA512 eb8c119253324503ad6a5c2eddbcf06a7484d729013ca7dbb87d267a451bc8ff02e5fe54203ff85d5559b07cb5b355f3098bf895d316038e31954b67378833da

/data/data/com.snaz.oout.txvw/files/umeng_it.cache

MD5 3ccfe83a63cfd8df668e4d6f87e1c9d7
SHA1 5bfd7fc10e15475346201cf99ed1ee07f1c926c6
SHA256 25550222cb37d79be9d146d6d0fac07fc25303d1bf4d8542a71da0569c56aaf3
SHA512 49e3b54d7343c6592c7571c334acd746ed334037d64f9a45c741265ccc668918fc218f35de9151822a642594da8e39a207f386577e39ca1ff479ab1a55389e54

/data/data/com.snaz.oout.txvw/files/.umeng/exchangeIdentity.json

MD5 f04f989563d8084d8f2a59d48603e4f8
SHA1 ba6d5fb7e627216c517f2ede79bdcdee456de261
SHA256 5d93f2e47c8bb32d75ee287aae6a811dd710563494b81e8bffc07dc1ea4d2f8f
SHA512 8fd7f13a4d8cc31ef393a56129471550f1a76d665639ff788870c4dd98070f83a3af559db6ec044502c04f96c1d279f04aea4af41afa73605331e0dc292cccf1

/data/data/com.snaz.oout.txvw/app_mjf/oat/dz.jar.cur.prof

MD5 23c181a2d36eccbada96c4a58386ff94
SHA1 4cc44adf7fd391ba6474547827d07722270af8e5
SHA256 562322ecfb89a7d02c0bd6a17a66cd1f96c81ec7bbf0e322bce177358f74307a
SHA512 59429c8524df4f4d1d1e2ca1c507f41a82364f2c455aed7000dd95191b5d47da4fc8aba9cfa7439bcaf7bffdaf29f5d550efff8bc06d432e179620c95ab90857

/data/data/com.snaz.oout.txvw/files/.um/um_cache_1717420341356.env

MD5 500f5997db63ca0266df2d2b15271ba6
SHA1 66f091d6a9c1e43468be66ac4946d02762d8dcef
SHA256 a415914e13f60b1cb4486152e6dce4bab9b0f6b9216d5720850e40e3a1618b70
SHA512 7e0a2abac917e361a89a7c800a4febfc07218feaf0f3b2ddb9787d74bc39805377f5b50393db0541a1e17a5d03df52a9ae3b04f7e5541409e12a705fb9f03ddc

/data/data/com.snaz.oout.txvw/files/mobclick_agent_cached_com.snaz.oout.txvw1

MD5 59b5bfe09cf6e35c701845cdf6232a51
SHA1 5d773a31d30d85b92785c6f968863409dfaf38a8
SHA256 0e3d82530c067eb231b4fa3a5ff66948d6e501f35c6a92b74894c1d65da58061
SHA512 bb57258bc4ca24cc9202f1e782800bea3acd3faf6751bbecb62e20040998eaf582068858d75f4c96a080799653cfda3e0395018b5c46582a49361fd5da21f992

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 13:10

Reported

2024-06-03 13:10

Platform

android-x64-arm64-20240514-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A