Malware Analysis Report

2024-11-13 13:29

Sample ID 240604-bsdwvsgc8t
Target 934503993008571ad7ca9b053f415c7a_JaffaCakes118
SHA256 5b87eb6b067ea9b9023acc1bac54750546ce3360e4ee584f9946f0cbea45ff2a
Tags: banker collection discovery evasion impact persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256

5b87eb6b067ea9b9023acc1bac54750546ce3360e4ee584f9946f0cbea45ff2a

Threat Level: Likely malicious

The file 934503993008571ad7ca9b053f415c7a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Checks if the Android device is rooted.

Queries information about running processes on the device

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Checks CPU information

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Declares services with permission to bind to the system

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:25

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:24

Reported

2024-06-04 01:28

Platform

android-x86-arm-20240603-en

Max time kernel

147s

Max time network

189s

Command Line

com.sogou.androidtool

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /sbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sogou.androidtool

chmod 777 /data/user/0/com.sogou.androidtool/cache

chmod 777 /data/user/0/com.sogou.androidtool/cache

chmod 777 /data/user/0/com.sogou.androidtool/files

com.sogou.androidtool:remote_proxy

chmod 777 /data/user/0/com.sogou.androidtool/cache

com.sogou.androidtool:push_service

chmod 777 /data/user/0/com.sogou.androidtool/cache

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

/system/bin/sh -c type su

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

/system/bin/sh -c type su

com.sogou.androidtool:channel

chmod 777 /data/user/0/com.sogou.androidtool/cache

Network


Files

/data/data/com.sogou.androidtool/databases/MessageStore.db-journal

/data/data/com.sogou.androidtool/databases/downloads_classic.db-journal

/data/data/com.sogou.androidtool/databases/MessageStore.db

/data/data/com.sogou.androidtool/databases/downloads_classic.db

/data/data/com.sogou.androidtool/databases/MessageStore.db-shm

/data/data/com.sogou.androidtool/databases/MessageStore.db-wal

/data/data/com.sogou.androidtool/databases/downloads_classic.db-shm

/data/data/com.sogou.androidtool/databases/downloads_classic.db-wal

/data/data/com.sogou.androidtool/databases/MsgLogStore.db-journal

/data/data/com.sogou.androidtool/databases/MsgLogStore.db

/data/data/com.sogou.androidtool/databases/MsgLogStore.db-shm

/data/data/com.sogou.androidtool/databases/MsgLogStore.db-wal

/data/data/com.sogou.androidtool/databases/bugly_db_-journal

/data/data/com.sogou.androidtool/databases/bugly_db_

/data/data/com.sogou.androidtool/databases/bugly_db_-wal

/data/data/com.sogou.androidtool/databases/account.db-journal

/data/data/com.sogou.androidtool/databases/account.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:24

Reported

2024-06-04 01:25

Platform

android-33-x64-arm64-20240603-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.200.36:443 udp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 udp
N/A 224.0.0.251:5353 udp

Files

N/A