Malware Analysis Report

2024-09-09 13:38

Sample ID 240604-jw7x4sag32
Target 941677b3c1c2aab28af8f38b7b073b42_JaffaCakes118
SHA256 4829fd7e40dfacf0100d5bcaa9420167eb114d291e998a57d8bc4d5a4fec1fbb
Tags
discovery evasion impact persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4829fd7e40dfacf0100d5bcaa9420167eb114d291e998a57d8bc4d5a4fec1fbb

Threat Level: Likely malicious

The file 941677b3c1c2aab28af8f38b7b073b42_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-04 08:02

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
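Both static1 signatures above are manifest-level checks: a service whose android:permission is a BIND_* permission that only the system holds, and uses-permission entries from the runtime ("dangerous") group. The Python script below is an added example, not the sandbox's code; it runs those checks over a manifest constructed from the package name and permissions the report lists. The component names and everything else in CONSTRUCTED_MANIFEST are assumptions, not the sample's real manifest.

```python
"""Static manifest triage for the two static1 signatures in this report.

Added example, not the sandbox's code. CONSTRUCTED_MANIFEST is built from the
package name and permissions the report lists; the component names and the
rest of the manifest are assumptions, not the sample's real manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions: the six the report flags plus common extras.
DANGEROUS_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}

# A service declaring one of these asks the system (not other apps) to bind to it.
SYSTEM_BIND_PERMISSIONS = {
    "android.permission.BIND_VPN_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

# Constructed for this example; only the package name and the permissions come from the report.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.cold.toothbrush">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Toothbrush">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _a(el, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return el.get(ANDROID_NS + name)


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    findings = {
        "package": root.get("package"),
        "dangerous_permissions": [],
        "system_bind_services": [],
        "launcher_entries": [],
    }
    for up in root.iter("uses-permission"):
        if _a(up, "name") in DANGEROUS_PERMISSIONS:
            findings["dangerous_permissions"].append(_a(up, "name"))
    for svc in root.iter("service"):
        if _a(svc, "permission") in SYSTEM_BIND_PERMISSIONS:
            findings["system_bind_services"].append((_a(svc, "name"), _a(svc, "permission")))
    # Launcher entries are what a later "hide from launcher" step would disable.
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for flt in comp.iter("intent-filter"):
            actions = {_a(x, "name") for x in flt.iter("action")}
            categories = {_a(x, "name") for x in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
                findings["launcher_entries"].append(
                    {"component": _a(comp, "name"), "enabled": _a(comp, "enabled") != "false"}
                )
    return findings


def matched_signatures(findings):
    """Map findings onto the report's static signature names."""
    hits = set()
    if findings["system_bind_services"]:
        hits.add("Declares services with permission to bind to the system")
    if findings["dangerous_permissions"]:
        hits.add("Requests dangerous framework permissions")
    return hits


if __name__ == "__main__":
    f = triage_manifest(CONSTRUCTED_MANIFEST)
    for k, v in f.items():
        print(f"{k}: {v}")
    print(sorted(matched_signatures(f)))
```

Removing the main activity from the launcher (the signature the behavioral runs raise) is a runtime action, typically PackageManager.setComponentEnabledSetting on the launcher activity with COMPONENT_ENABLED_STATE_DISABLED, so a manifest check can only show that a launcher entry exists to be hidden; the launcher_entries output is what to watch for disappearing after install.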

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 08:02

Reported

2024-06-04 08:05

Platform

android-x64-arm64-20240603-en

Max time kernel

179s

Max time network

133s

Command Line

com.cold.toothbrush

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cold.toothbrush

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.179.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp

Files

/data/user/0/com.cold.toothbrush/files/16fa3e88-cfcc-4217-acdd-c86ac725b830.dat

MD5 e6e6b3624d31920868385bcb64d3e8a0
SHA1 90cc8e000ed9264458e524eacb606f8657c17c12
SHA256 4596e894bf0b7a5ee7fcdc0e0f9e1f48735d2db9166ea856962b1daa1757dd35
SHA512 1c60678f6c9bfff5293350eb6b55079488b0bd5357e8668e0f5830716d36b711cf80022361dddbf10963a503b1f98503d2b2c09ed445cec5be4546bb71ebc058

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 08:02

Reported

2024-06-04 08:05

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

131s

Command Line

com.cold.toothbrush

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cold.toothbrush

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.204.74:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.cold.toothbrush/files/16fa3e88-cfcc-4217-acdd-c86ac725b830.dat

MD5 136edba022d498deb824db182eb4f74d
SHA1 32ca0cb04bb840504859588006c03a6d71d89927
SHA256 8e6e5f57aa16f015b861b46b68967bd8b4b85a3cf986254aff853ae24a93d627
SHA512 b9b59dd0ced01cffa0bd5784bf0a82444433e14c7adf34fda49f4fd6ff79a326b36e1d47ebb9e3beed39195c3ce4e5be72250addb7de34070ef49e4d689478eb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 08:02

Reported

2024-06-04 08:05

Platform

android-x64-20240603-en

Max time kernel

179s

Max time network

151s

Command Line

com.cold.toothbrush

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cold.toothbrush

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 172.217.169.46:443 | N/A | tcp
GB | 216.58.201.98:443 | N/A | tcp

Files

/data/data/com.cold.toothbrush/files/16fa3e88-cfcc-4217-acdd-c86ac725b830.dat

MD5 053a2a8ff4507dc9c6dff1bb066678fa
SHA1 00745b55c1be69439c32ff2c2eab68c3e5769f07
SHA256 47e4269f1d174e73f3fa9753d651dffb0295d5c8363b0bfa028925439641efc5
SHA512 8a1ca67e66e35a878b2908cf3b7e2332df1148ec82f274947586bc12a4d7588377f920461442be726a3539fcd007a220c8e074341d115ea98ded5f8f54cb408f
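The three behavioral runs each print a raw connection table mixed with the sandbox image's own traffic (mDNS, the 1.1.1.1 resolver, Google services), and the only host that recurs in all three is mmunitedaw.info at 149.100.158.54:443. The Python script below is an added example, not part of the report: it parses the rows of the three Network tables above (copied as printed) and reduces them to indicators, keeping track of how many runs produced each. The allow-list of infrastructure suffixes and hosts is an assumption of this script, and a bare IP with no Domain column is kept as "unattributed" rather than guessed at.

```python
"""Turn the three detonations' Network tables into a deduplicated IOC list.

Added example; not part of the sandbox report. NETWORK_ROWS copies the rows
printed in the report; the infrastructure allow-list is an assumption.
"""
from collections import defaultdict
from ipaddress import ip_address

NETWORK_ROWS = {
    "behavioral3": """
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 mmunitedaw.info udp
LT 149.100.158.54:443 mmunitedaw.info tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
LT 149.100.158.54:443 mmunitedaw.info tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
""",
    "behavioral1": """
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mmunitedaw.info udp
LT 149.100.158.54:443 mmunitedaw.info tcp
LT 149.100.158.54:443 mmunitedaw.info tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mmunitedaw.info udp
LT 149.100.158.54:443 mmunitedaw.info tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.200.46:443 tcp
LT 149.100.158.54:443 mmunitedaw.info tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 172.217.169.46:443 tcp
GB 216.58.201.98:443 tcp
""",
}

# Assumed allow-list: traffic the sandbox image generates on its own.
INFRA_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com")
INFRA_HOSTS = {"1.1.1.1"}  # the image's DNS resolver


def is_infra_domain(domain):
    return any(domain == s or domain.endswith("." + s) for s in INFRA_SUFFIXES)


def parse_row(line):
    """Parse 'GB 1.2.3.4:443 example.org tcp'; the Domain column may be absent, N/A, or pipe-separated."""
    parts = line.replace("|", " ").split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 and parts[2] != "N/A" else None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(rows_by_run):
    """Map each indicator to the set of runs that produced it."""
    iocs = {"domains": defaultdict(set), "endpoints": defaultdict(set), "unattributed": defaultdict(set)}
    for run, text in rows_by_run.items():
        for line in text.strip().splitlines():
            r = parse_row(line)
            endpoint = (r["ip"], r["port"], r["proto"])
            if ip_address(r["ip"]).is_multicast or r["ip"] in INFRA_HOSTS:
                # mDNS or resolver traffic: only the name being looked up matters.
                if r["domain"] and not is_infra_domain(r["domain"]):
                    iocs["domains"][r["domain"]].add(run)
            elif r["domain"] is None:
                iocs["unattributed"][endpoint].add(run)  # direct IP, nothing to judge it by
            elif not is_infra_domain(r["domain"]):
                iocs["domains"][r["domain"]].add(run)
                iocs["endpoints"][endpoint].add(run)
    return iocs


def consistent_iocs(iocs, total_runs):
    """Indicators present in every run: the ones worth blocking first."""
    return {k: v for cat in ("domains", "endpoints") for k, v in iocs[cat].items() if len(v) == total_runs}


if __name__ == "__main__":
    found = extract_iocs(NETWORK_ROWS)
    for cat, items in found.items():
        for key, runs in sorted(items.items(), key=str):
            print(f"{cat:13} {key} seen in {sorted(runs)}")
    print("consistent:", consistent_iocs(found, len(NETWORK_ROWS)))
```

The same run-to-run comparison is worth doing on the Files sections: all three runs write files/16fa3e88-cfcc-4217-acdd-c86ac725b830.dat under the app's data directory (/data/data/com.cold.toothbrush and /data/user/0/com.cold.toothbrush are the same directory, the former being a symlink for user 0), but the file's MD5/SHA1/SHA256 differ in every run, so the path is the reusable indicator and the hashes are not.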