Malware Analysis Report

2024-11-15 05:40

Sample ID 240604-b5na3aha4s
Target 93508e2693621bbf6d2a315d396b3252_JaffaCakes118
SHA256 d69f27f8b2e2f7c479bf795e6e53b6f35f3cd3b24fe1c179cf1bf804e4e56e88
Tags
banker discovery
score
8/10

Analysis Overview

score
8/10

SHA256

d69f27f8b2e2f7c479bf795e6e53b6f35f3cd3b24fe1c179cf1bf804e4e56e88

Threat Level: Likely malicious

The file 93508e2693621bbf6d2a315d396b3252_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:43

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:47

Platform

android-x86-arm-20240603-en

Max time kernel

7s

Max time network

136s

Command Line

com.maple.ticket.dinogame

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Processes

com.maple.ticket.dinogame

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp

Files

/data/data/com.maple.ticket.dinogame/files/box_djsdk.apk

MD5 7f7781704eb5300c5eedd7bc19b1cb5d
SHA1 1aee8138dacee5e9524d527c6059495002dabc7a
SHA256 4fe1395f98cf5647382442661ae64fb3f8f5b5503a06b355a88b3499422510d3
SHA512 c962697fe7c699416267cfea6059f815d44eb2bd44472009b5b74e27982d65c590a19d8aa4cb64107d0e0ae825ff4e70d9bf9c9b5dfcae2bb6597a772b536ebc

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:47

Platform

android-x64-20240603-en

Max time kernel

9s

Max time network

151s

Command Line

cn.emagsoftware.gamehall

Signatures

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

cn.emagsoftware.gamehall

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.179.238:443 tcp
GB 142.250.187.226:443 tcp

Files

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

MD5 68dec9b3c6166fe3aa1fb41e7763f4eb
SHA1 31648750a2568658e31992a2fbece3153debea41
SHA256 6f1dcf583d2af8840a2e9206022936d3553aba4953710ecc27bd4d95651cf221
SHA512 965fb5d961c31d111f7e779b513c28897bf2ded891c2613cd16bc730c6ae3c80f102f67adce10d12d03c85ac12e49bffaf5102263692298b4f2402cdf30cc3f7

/data/data/cn.emagsoftware.gamehall/databases/GameCache

MD5 18c57d7fa53a40b1b6fadef97d7c43ca
SHA1 8e6167b7b7eaf2d596ad3f18f9004c64bfd06891
SHA256 64f46157b8b35229f3636c039a1e9c059e2107af0a107c52fe99ea4bbf4d7109
SHA512 68a2dae3fb34c9578a6ad14e9f5dc6a1228c78536f82bde28fefea59b4a7234984c1e744cd9f2efc758b982e767720b7b37d28af95ae81505da353d8245e9d1b

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

MD5 55e0d85703082b88b1d21d00101270ba
SHA1 bfddd7fe134b01ab8e3903186c507d523fce98c1
SHA256 cf4f644c733393ad0410564b2ce77ad6bc1862708231c589d7749a762dea83ba
SHA512 1f6947ff8c448ecfe19911d736dc019fc4b6cfcc701e21b224ac3c05a856774bfb636123af227075455fbd65693ecb9ff3fd7e4bd702442845cc9e9fd6c8fe68

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

MD5 e0d7f894eb33d8b1a30b3840e7febda4
SHA1 f5d86354c0e4262084889ac2aa1a5dd077414d05
SHA256 f442ef6edf3be80d73695554bf846e95d3ec2cc605e3f4c780b3c4da501580f8
SHA512 06d1f7272be5e8c27f724d51551ee0ce57967383b0b438bd0f52cb8c648bfdae7e4da7e7faf6d66d6f324e3447ab249d679fe9d763e2d6f9e510b9258813fb2f

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:44

Platform

android-x86-arm-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:47

Platform

android-x64-arm64-20240603-en

Max time kernel

2s

Max time network

138s

Command Line

com.upgadata.up7723

Signatures

N/A

Processes

com.upgadata.up7723

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 172.217.169.1:443 tcp
GB 216.58.201.97:443 tcp

Files

/data/user/0/com.upgadata.up7723/.jiagu/libjiagu.so

MD5 6525dc34d4a2656b93c41bc4223fddd2
SHA1 5c2333cb8ad87abc747d13d6352d5f19dc18997b
SHA256 744cdb26f7cf86d52fa8b214813a346952fc7476826400b85a3db96356f5047c
SHA512 b98dc08115cdefc31b2c0679d046a34e788936f985bcd70bb789b1828dcd59d949b023388a3b56ef017bafac31e79c12ebd6f6b623f01a38ea0e6e04a9fd1fc8

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:47

Platform

android-x86-arm-20240603-en

Max time kernel

5s

Max time network

131s

Command Line

com.upgadata.up7723

Signatures

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.upgadata.up7723

chmod 755 /data/user/0/com.upgadata.up7723/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.upgadata.up7723/.jiagu/classes.dex --dex-file=/data/data/com.upgadata.up7723/.jiagu/classes.dex:classes2.dex --oat-file=/data/data/com.upgadata.up7723/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Files

/data/data/com.upgadata.up7723/.jiagu/libjiagu.so

MD5 6525dc34d4a2656b93c41bc4223fddd2
SHA1 5c2333cb8ad87abc747d13d6352d5f19dc18997b
SHA256 744cdb26f7cf86d52fa8b214813a346952fc7476826400b85a3db96356f5047c
SHA512 b98dc08115cdefc31b2c0679d046a34e788936f985bcd70bb789b1828dcd59d949b023388a3b56ef017bafac31e79c12ebd6f6b623f01a38ea0e6e04a9fd1fc8

/data/data/com.upgadata.up7723/.jiagu/classes.dex

MD5 30bd1567e66c287b49fefb522d312f00
SHA1 f784a32eaa2dd12fbfc2bda8d4a1de280a750477
SHA256 937debb4f8ab3d81798733caac8749cc9314c3ced7e8a0650fb07c1bad5259bd
SHA512 377a7977a266140bd350289b67308e614b994310f4389f414f2e9ab0d3fd9d2e59f4cd72ef9b88096acc20590c5f1c0e2077f9154a4ebdf4c6a3b5fa3ada7159

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:47

Platform

android-x86-arm-20240603-en

Max time kernel

8s

Max time network

138s

Command Line

cn.emagsoftware.gamehall

Signatures

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

cn.emagsoftware.gamehall

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

/data/data/cn.emagsoftware.gamehall/databases/GameCache-journal

MD5 418905c9cd74f497f3442d2d091c356c
SHA1 adae70d85f5de8378e2ef2a54c784f1b37774e41
SHA256 e7ea0c70e8e3a665934d3839110e0c2eea7ed76d85cc569ffc7145d52c0e5f70
SHA512 3b420cf2360ae63cee46a8051bd62fb1ffb5232e961286399c059126287475a0dbbb11e9f964479e5e3f8fa92753b42ad3877d1bc7d4b21788e67666bdcedccb

/data/data/cn.emagsoftware.gamehall/databases/GameCache

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/cn.emagsoftware.gamehall/databases/GameCache-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/cn.emagsoftware.gamehall/databases/GameCache-wal

MD5 98008765b283174fd9f45ffaddb09cc0
SHA1 f1cbbdce8a4ad532d8fc94da02c1bff91c722bb5
SHA256 7a93c9bd0091078dc51de09c323f159cc711db3501564d97ac152c9316a042d8
SHA512 b83814424cb8022578dbf9140acc52e539c84f4b0952829e77f6d1a7fac396538d474e3350acd8dd7d0316ec85e7e1325e8f3c251139e5c4d0b6bc57750258ba

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:47

Platform

android-x64-arm64-20240603-en

Max time kernel

7s

Max time network

170s

Command Line

cn.emagsoftware.gamehall

Signatures

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

cn.emagsoftware.gamehall

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp

Files

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache-journal

MD5 7175c5592afc25d60f1ad86d325df359
SHA1 44ac5166fd9d00cafb0b8f5ae7866041a658e769
SHA256 d3e6ad0521924908076f259d1a813d9dbb60d1763fdf407ca757824f65d37245
SHA512 fe3ca5ac0382a8ba73c86d1e14e051d8d669323c93b0bc6e357f02e703dc1106670a568e21580e3f52f5488459a1d625821f9ec32e3006b9973fe956d1c341a5

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache

MD5 f1654b6985eeca3980460f8c663a86ac
SHA1 2685ba462be1ac7a63f6937d28fa7099434ce18b
SHA256 3ad7220c6e66f0a87c2e907fa2adb0ae0d8478bf18c510910e8a0d53a8c07225
SHA512 c10122123608c916d47f57002c70280030714429e8b46b56b9aeb667728efa3bd1e1dd487931353baab0ea804c6c426708678e2b1064d7992380fa6a29c2f78b

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache-journal

MD5 306748fad487eaba6252f2f642d44382
SHA1 9b9470626529c694dc25ef0e4f5805c85c4d0244
SHA256 f7b111826e672b2fa89e27b10f43a328e3419ba747c0c9d48fa0894fe1a55d0e
SHA512 3698a4bba8e2ecbf4df3b32e15b18f39e2fabd5ea4dd99e48fde766aa8b16b01aa9c7be645e1fc59eac951276200c10c7a27d680b37307b9038c625879e6bd26

/data/user/0/cn.emagsoftware.gamehall/databases/GameCache-journal

MD5 480130ff0f660408e3b08e38826f94d8
SHA1 bd86858cfac33933fff0c447e587886f2321cd5f
SHA256 396dae2d2df01376dc305b4f2319b163663f6d201e61b9c8f65a2b0dc256565e
SHA512 415e735703ce65b14be83f4c4db002b4fea29eeba263cbc168f01a097712778848992634292c41941baddcdc651286de4fd6760b15e65bceeca6be15781eb652

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:44

Platform

android-x64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:44

Platform

android-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp

Files

N/A