Malware Analysis Report

2024-11-13 13:29

Sample ID 240604-bbtwragc94
Target 9336481359d14eab6dcf7523e28deb24_JaffaCakes118
SHA256 04a06b7e414b6d8370dfb7e98ae35babc907b7fc460604f8b20e96b3131a8a92
Tags banker discovery evasion impact persistence
Score 8/10


Analysis Overview


Threat Level: Likely malicious

The file 9336481359d14eab6dcf7523e28deb24_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries the mobile country code (MCC)

Checks CPU information

Checks memory information

Checks Android system properties for emulator presence.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:58

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:58

Reported

2024-06-04 01:01

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

186s

Command Line

com.g918832149.ibj

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.g918832149.ibj

com.g918832149.ibj:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 s.jpush.cn udp
US 1.1.1.1:53 cfg.imtt.qq.com udp
CN 120.46.84.108:19000 s.jpush.cn udp
HK 43.135.106.117:80 cfg.imtt.qq.com tcp
US 1.1.1.1:53 a.apicloud.com udp
CN 47.93.90.46:443 a.apicloud.com tcp
US 1.1.1.1:53 p.apicloud.com udp
US 1.1.1.1:53 log.tbs.qq.com udp
HK 129.226.107.80:80 log.tbs.qq.com tcp
CN 47.94.128.65:443 p.apicloud.com tcp
US 1.1.1.1:53 y.tx9.top udp
HK 43.135.106.117:80 cfg.imtt.qq.com tcp
US 1.1.1.1:53 image.aqcould.com udp
US 1.1.1.1:53 sis.jpush.io udp
CN 1.94.119.240:19000 sis.jpush.io udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.31.166:19000 easytomessage.com udp
US 1.1.1.1:53 N/A tcp
CN 123.60.79.150:19000 N/A udp
CN 124.70.159.59:19000 N/A udp
CN 120.46.141.4:19000 N/A udp
CN 121.36.15.222:19000 N/A udp
CN 123.196.118.23:19000 N/A udp
CN 103.229.215.60:19000 N/A udp
CN 117.121.49.100:19000 N/A udp
US 1.1.1.1:53 N/A tcp
US 1.1.1.1:53 im64.jpush.cn udp
CN 139.9.138.15:7000 im64.jpush.cn tcp
CN 139.9.138.15:7002 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 139.9.138.15:7003 im64.jpush.cn tcp
CN 139.9.135.156:7004 im64.jpush.cn tcp
CN 139.9.138.15:7004 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 139.9.138.15:7006 im64.jpush.cn tcp
CN 139.9.138.15:7007 im64.jpush.cn tcp
CN 139.9.138.15:7005 im64.jpush.cn tcp
CN 139.9.138.15:7009 im64.jpush.cn tcp
CN 139.9.138.15:7008 im64.jpush.cn tcp
CN 120.46.84.108:19000 easytomessage.com udp
US 1.1.1.1:53 sis.jpush.io udp
CN 1.94.119.240:19000 sis.jpush.io udp
CN 123.60.31.166:19000 easytomessage.com udp
US 1.1.1.1:53 _psis._udp.jpush.cn tcp
CN 123.60.79.150:19000 N/A udp
CN 124.70.159.59:19000 N/A udp
CN 120.46.141.4:19000 N/A udp
CN 121.36.15.222:19000 N/A udp
CN 123.196.118.23:19000 N/A udp
CN 103.229.215.60:19000 N/A udp
CN 117.121.49.100:19000 N/A udp
US 1.1.1.1:53 N/A tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 139.9.138.15:7000 im64.jpush.cn tcp
CN 139.9.138.15:7002 im64.jpush.cn tcp
CN 139.9.135.156:7003 im64.jpush.cn tcp
CN 139.9.138.15:7003 im64.jpush.cn tcp

Files

/storage/emulated/0/Android/data/com.g918832149.ibj/files/tbslog/tbslog.txt

MD5 727a2bd9ecee7970e1d56f5796f13f63
SHA1 24c75d9c9a73b6159c376ae525c6193f658194a8
SHA256 f853bb5ea6056c4dff47506e13a236a702dfe065dfc7f29635fcddfcb9c0f485
SHA512 9a2e02c3c6c47d2064ce492a6237860390c31a68034eb6540d17682bb961d7e3c224aa416b11ed14c235981dd8e10b9fe1f9c5d89bbaf664ec678ef79746960b

/storage/emulated/0/data/.push_deviceid

MD5 f702520f757e228f8a9205077854537d
SHA1 1f7504b27ba9fd08db97239fd7781f891d5b92ec
SHA256 479b4de5ed5bc1a8768d8a4d54e4d65dfa27a79f4ace6b096c60ec7e73a93803
SHA512 fa1c22a2394749ceb68ca195e096909e76c1ab13b40afbc14c13fe3b86cac6769f1534b084f3e597c5e61aa0ff5bd764e381f25850fa46c508d41489f05bac6d

/storage/emulated/0/data/.push_deviceid

MD5 745568abd3c5500b0713400f906a208e
SHA1 d2baca725580ff45c60b340067baab36ae52cddd
SHA256 0790a61e3237a9db3e94665dda7e63587e74c20414b51776a21463ef81a7ad04
SHA512 fd1e171c5ec9236179db7eb3f4c01e726db59261a535b02f4b92a18269b3f7ee1e7c7bd6de5799551fb2941b1d8b32dd71d739093e652facd20521894048a489

/data/data/com.g918832149.ibj/files/jpush_stat_history/active_user/nowrap/958b312b-3ce6-4f5a-bae1-ece7607cf97c

MD5 ee0ea12661ec434290eff8b04ca68029
SHA1 251a9367879f006258c48bc53d5dae34b19d60cb
SHA256 03dcfa5015ecf09ee9cada976db9db54d7751d381d12667ec1fed4f0dae1eaa6
SHA512 4a27b819769b329ac57639755b4a6ff26416753097434a47622f4471cd50873407e747c656e20a79a7e12782a2d4539cb0e66defe7322f755e64934992089ed6