Malware Analysis Report

2024-09-09 17:55

Sample ID 240604-c1tgysad6t
Target 93180381acdc9d04a9dc73535ea6fbcc_JaffaCakes118
SHA256 eed27b67213d85848905bf61a5a117253bc623686e78923aa4f87c5e5431724d
Tags
banker collection discovery evasion impact privilege_escalation stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

eed27b67213d85848905bf61a5a117253bc623686e78923aa4f87c5e5431724d

Threat Level: Likely malicious

The file 93180381acdc9d04a9dc73535ea6fbcc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact privilege_escalation stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries information about running processes on the device

Reads the contacts stored on the device.

Reads the content of SMS inbox messages.

Tries to add a device administrator.

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-04 02:32

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 02:32

Reported

2024-06-04 02:36

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

169s

Command Line

com.hsdxlpwka.zshvfp

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar N/A N/A
N/A /data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Processes

com.hsdxlpwka.zshvfp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/oat/x86/tzxvzxenl.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 85.93.5.109:80 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
DE 85.93.5.109:80 tcp

Files

/data/data/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar

MD5 6d1ec70684bd943b2891bb83d6c17aa6
SHA1 a13d8f9e7f0327f693f3026e45608aa014661c9a
SHA256 0559ae0fc3dafcf2d4f4744325b782682da597c7d3628bed112f0c7344e83cfc
SHA512 0c853bfd54fe4f94ffaa2dce41ac92b4b28944eec50118ec56f397eff2ab0da436000ed83daca73853b1629a09babbbd21b7aaf470ae8567156a9583ae2d8028

/data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar

MD5 aec2737ee9622bb4d6cfc0707dff4d14
SHA1 f92828999ca098e1e58d50da8d1309dae53e8f15
SHA256 f62e571f4f061eda53c50f7475a8da0e6b037a2e2c14796666e0cfeec1156c28
SHA512 b78d80167cce29c3919c94faff158aeee036a67401a54b64c8a1486779a5e6747c662ce6d535cbc900f710281fcdd67fcfe751b6afdd4856e5605e61d0de24a5

/data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar

MD5 4c4db1f95bfe6c0467355b0f2a46329d
SHA1 9ed25d73e248802226a54066053156eeb65c64fd
SHA256 0ed45557600beca798f14fe340fe9569c1c89d451b264ec211c3667ea47f4222
SHA512 dccb6167829c3aa9231ff2b29e77163b2e183dfc45b11a29a711d02459e4665c4e7fa1c76d462685a104516b973d4268723868f3fb897b4813ae30dbc8d9ac17

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 02:32

Reported

2024-06-04 02:36

Platform

android-x64-20240603-en

Max time kernel

179s

Max time network

176s

Command Line

com.hsdxlpwka.zshvfp

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

com.hsdxlpwka.zshvfp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
DE 85.93.5.109:80 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 172.217.169.14:443 tcp
GB 142.250.200.34:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
DE 85.93.5.109:80 tcp

Files

/data/data/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar

MD5 6d1ec70684bd943b2891bb83d6c17aa6
SHA1 a13d8f9e7f0327f693f3026e45608aa014661c9a
SHA256 0559ae0fc3dafcf2d4f4744325b782682da597c7d3628bed112f0c7344e83cfc
SHA512 0c853bfd54fe4f94ffaa2dce41ac92b4b28944eec50118ec56f397eff2ab0da436000ed83daca73853b1629a09babbbd21b7aaf470ae8567156a9583ae2d8028

/data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar

MD5 aec2737ee9622bb4d6cfc0707dff4d14
SHA1 f92828999ca098e1e58d50da8d1309dae53e8f15
SHA256 f62e571f4f061eda53c50f7475a8da0e6b037a2e2c14796666e0cfeec1156c28
SHA512 b78d80167cce29c3919c94faff158aeee036a67401a54b64c8a1486779a5e6747c662ce6d535cbc900f710281fcdd67fcfe751b6afdd4856e5605e61d0de24a5

/data/data/com.hsdxlpwka.zshvfp/app_dwuaubfhob/oat/tzxvzxenl.jar.cur.prof

MD5 7a688fd385882a38ab1f98a5f19f66ad
SHA1 c189bfb22b818d20be1cbd733c8e6bfebf8b732c
SHA256 26abc66d1b0d6d041bf8d50d07b85ce197cb6f2e59f6829d810e59a4614b2be1
SHA512 e0be69afa779576773c656ae449fedfca51ff23c34263cc09d0339110154bc7aa2c8401fb0df0a83dc99de8baaa7e10690925684b8c78c4c2da32f403c17ca45

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 02:32

Reported

2024-06-04 02:36

Platform

android-x64-arm64-20240603-en

Max time kernel

179s

Max time network

172s

Command Line

com.hsdxlpwka.zshvfp

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Processes

com.hsdxlpwka.zshvfp

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
DE 85.93.5.109:80 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 172.217.169.1:443 tcp
GB 216.58.201.97:443 tcp
DE 85.93.5.109:80 tcp

Files

/data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar

MD5 6d1ec70684bd943b2891bb83d6c17aa6
SHA1 a13d8f9e7f0327f693f3026e45608aa014661c9a
SHA256 0559ae0fc3dafcf2d4f4744325b782682da597c7d3628bed112f0c7344e83cfc
SHA512 0c853bfd54fe4f94ffaa2dce41ac92b4b28944eec50118ec56f397eff2ab0da436000ed83daca73853b1629a09babbbd21b7aaf470ae8567156a9583ae2d8028

/data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/tzxvzxenl.jar

MD5 aec2737ee9622bb4d6cfc0707dff4d14
SHA1 f92828999ca098e1e58d50da8d1309dae53e8f15
SHA256 f62e571f4f061eda53c50f7475a8da0e6b037a2e2c14796666e0cfeec1156c28
SHA512 b78d80167cce29c3919c94faff158aeee036a67401a54b64c8a1486779a5e6747c662ce6d535cbc900f710281fcdd67fcfe751b6afdd4856e5605e61d0de24a5

/data/user/0/com.hsdxlpwka.zshvfp/app_dwuaubfhob/oat/tzxvzxenl.jar.cur.prof

MD5 e89bce332fad114e2c9a5aeac44cdb80
SHA1 8ea55f46154aae4801d27d4d6103eee13558f076
SHA256 0b73d316a400fdfa7eb4daf2a62d660d341e8660fbdb18dae2b7acf02500b825
SHA512 ec746f77a5bebb9490e2e0c3b452679d84f7ad516e86e94cf0e9b32986d6d493c146dc0ea69677d77ef1c2e9c9273fc7ff90b0b1791f3149117e96edeca2ef4e