Malware Analysis Report

2024-09-09 13:38

Sample ID 240604-yk2paaac55
Target 960f321ea40284d2448f74fa084a4152_JaffaCakes118
SHA256 51a20d14b3b6eca1f88f974f4eb85ccbbd95e6e869434e244b600f9b7cbea4f0
Tags
collection credential_access discovery evasion execution impact persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

51a20d14b3b6eca1f88f974f4eb85ccbbd95e6e869434e244b600f9b7cbea4f0

Threat Level: Likely malicious

The file 960f321ea40284d2448f74fa084a4152_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion execution impact persistence stealth trojan

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Not every entry carries the same weight. Registering a clipboard listener and hiding the launcher entry are the behaviours that separate this sample from an ordinary app and should be verified first; reading /proc/cpuinfo and /proc/meminfo, registering receivers at runtime and scheduling jobs are routine in benign apps and analytics SDKs as well, so they corroborate rather than establish the verdict. The static pass (static1) produced no signatures and the MITRE ATT&CK matrix is empty, so the verdict rests entirely on the three behavioral runs. Those runs did not all fire the same signatures: the clipboard listener was recorded only in behavioral2 and behavioral3, the MCC query and the runtime receiver registration only in behavioral2 and behavioral1. Read the summary as the union of the runs, and treat any single run as partial coverage.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-04 19:51

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 19:51

Reported

2024-06-04 19:54

Platform

android-x64-20240603-en

Max time kernel

48s

Max time network

150s

Command Line

com.blueboat.justtwopics.hack

This is the package launched for the run, not a shell command. The ".hack" suffix appended to another developer's package name suggests a repackaged (modded) build of a third-party app, a common carrier for the add-on behaviour catalogued below.

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description             Indicator                                                               Process  Target
N/A                     N/A                                                                     N/A      N/A

The sandbox attaches no indicator to this signature, so confirm it statically: either the manifest declares no MAIN/LAUNCHER activity (or declares the launcher component with android:enabled="false"), or the code disables the component at runtime through PackageManager.setComponentEnabledSetting. Without that check the finding rests on the sandbox's word alone.

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description             Indicator                                                               Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener                N/A      N/A

The Binder call is the service side of ClipboardManager.addPrimaryClipChangedListener: the app asks to be told about every clipboard change, which is the usual first step of clipboard harvesting (credentials, one-time codes, wallet addresses). How much it can then collect depends on the OS version: from Android 10 onward the platform withholds clipboard access from apps that are not in the foreground (or the default keyboard), so the harvesting only works while the app is visible or regains focus.

Queries the mobile country code (MCC)

discovery
Description             Indicator                                                               Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  N/A      N/A

The indicator is the internal side of TelephonyManager.getNetworkCountryIso, which returns the ISO 3166-1 alpha-2 code of the country whose network the device is registered to; that code is derived from the MCC, so the app learns the country rather than the raw MCC. Together with the freegeoip.net lookups in the Network section it points to behaviour that depends on where the device is.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                                               Process  Target
Framework service call  android.app.IActivityManager.registerReceiver                           N/A      N/A

This is Context.registerReceiver. The sandbox does not record which actions the receiver filters on, and runtime receivers are ubiquitous in benign code, so on its own this is weak evidence.

Schedules tasks to execute at a specified time

execution persistence
Description             Indicator                                                               Process  Target
Framework service call  android.app.job.IJobScheduler.schedule                                  N/A      N/A

This is JobScheduler.schedule, which lets work run after the app's UI is gone; it matches the evernote_jobs.db job store listed in the Files section.

Checks CPU information

Description             Indicator                                                               Process  Target
File opened for read    /proc/cpuinfo                                                           N/A      N/A

Checks memory information

Description             Indicator                                                               Process  Target
File opened for read    /proc/meminfo                                                           N/A      N/A

Reading these two files is how apps fingerprint the hardware they run on, emulator checks included; crash reporters and analytics SDKs read them too, so treat the pair as corroboration rather than proof of sandbox evasion.

Processes

com.blueboat.justtwopics.hack

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.201.104:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53            freegeoip.net             udp
US       104.21.81.232:443     freegeoip.net             tcp
GB       142.250.179.234:443   -                         tcp
US       1.1.1.1:53            lp.androidapk.world       udp
US       104.21.81.232:80      freegeoip.net             tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       216.58.212.238:443    android.apis.google.com   tcp
GB       216.58.201.100:443    -                         tcp
GB       216.58.201.100:443    -                         tcp
GB       142.250.200.46:443    -                         tcp
GB       172.217.169.46:443    -                         tcp
GB       216.58.201.98:443     -                         tcp
(- : no domain recorded for the connection)

How to read this table: the Country column geolocates the destination address, so the 1.1.1.1:53 rows describe the sandbox's DNS resolver, not the name being looked up; 224.0.0.251:5353 is mDNS multicast on the VM's own segment and never leaves it. Rows without a domain are TLS connections the sandbox could not tie to a DNS answer; the 142.250.x, 172.217.x and 216.58.x addresses are Google's. Of the remaining names, freegeoip.net is a public IP-geolocation API, contacted over both 443 and 80 and served from Cloudflare address space, and lp.androidapk.world was resolved but never connected to in this or either other run, so it is the name to pivot on rather than an endpoint whose traffic was observed.

Files

Every entry below is a snapshot of one SQLite database, evernote_jobs.db, in the app's private data directory; the different hashes record the database being rewritten during the run. The file name is the job store of the Evernote Android-Job library, which fits the IJobScheduler.schedule signature above. Files ending in -journal are SQLite rollback journals; behavioral1 additionally lists -wal and -shm files, meaning the database was in write-ahead-log mode for part of that run, with committed pages held in the -wal file until checkpointed. Whichever mode applies, copy the main file together with its sidecars before opening it, or rows will be missing.

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 1ae4ca8be89bb095527e832a3328a20f
SHA1 368e3f7cc30d3ebb309938bce36e67ca34aa112f
SHA256 b4f16be50d1c4ecdeec739d0571fecf91f02f09bc510c152c48e88e4c5b7d7c0
SHA512 ee655fc670a119c0d3484be8f7eaaf333e99cac14e325a5ddee725b0a4a225d38157e0728cb536fcd16de0def0040b082423bded829a178dbde949f12acb3e0f

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db

MD5 12627a2ec645c4a4bc50dba5903afd59
SHA1 504005c938517e61bcf68b65a055c2faba635c2e
SHA256 f177ffae9650eb4f407c2d9a510bb5a5abe1ece2fdfe24effc62478a1bfa5903
SHA512 7ff69589296e02383a217373399e75d8a82fa17146e4273f4c0eb630f096dd9f394a3324d60858b02f7e5cf177c82c6d966f5cbedb68ae6a98df7cc851b79cfd

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 a0ec10e7a526cd48789af7a96938c713
SHA1 bb1e6a1d376bed97209f722eb083b7f2892b38f3
SHA256 4468c261558f1f36ee3ef0ec10bbe18e053536aec208e34bcab2fba51e48352b
SHA512 6966b3122bbb1d494f910edf5d5d76e12d2880f17ec1c84371139427ac8cc107583f18368405f31c25f0e2c9dd922e4521aada81ce7cd2e06684c6e7a320e922

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 d2645801dec4e8cbe5a6b3d412dd1568
SHA1 9eb9882ac82110897a53eeb92dc45634025541d8
SHA256 57281eef1a055a5962be7db49808ada0065f7d775755033675872cae569db3f9
SHA512 e9400d9543e8402776d7b7c6443231db1ccaa5d464c0107958741e4fb9afc1d89352d3d4eb5f075c1ae5083cca3259e69c63631f9f44de3dbc6f96eb0a92b6d7

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 1ff85d253b699e562185c8b91b012ed8
SHA1 8c77d6ec42f5aa3c93d9dcc06d0daf5e7490db57
SHA256 f325eadb70de82cd7aa1ddc6a09fca952aef5a42deddc4b4d354f43f7b0c8389
SHA512 216be9c7a060ecccb45fe642b80364cb5f2d3cab3794087d6535c0a502fefe7b032dcccfe93377e46d7461ed7a5c2db81f29f06bf584106a41de9fd4f90d42d2

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db

MD5 67692392248fec118e72bd871a18d872
SHA1 cdd81e22d005b75686ab77ae1991e821880dac2b
SHA256 7be99fc16d9ff5177d792c5c75e6003ecc746a50d9c1b1707db4761e9d30418c
SHA512 efd69441f6c5e2d9fa90317a471c295a136508b7a83e68375cbf65aa57abb5a53407a050821ef5d69b0a9541db58b654c9b96c5dcbf81dba7df4536697339c58

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 19:51

Reported

2024-06-04 19:54

Platform

android-x64-arm64-20240603-en

Max time kernel

148s

Max time network

132s

Command Line

com.blueboat.justtwopics.hack

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description             Indicator                                                     Process  Target
N/A                     N/A                                                           N/A      N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description             Indicator                                                     Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener      N/A      N/A

Schedules tasks to execute at a specified time

execution persistence
Description             Indicator                                                     Process  Target
Framework service call  android.app.job.IJobScheduler.schedule                        N/A      N/A

Checks CPU information

Description             Indicator                                                     Process  Target
File opened for read    /proc/cpuinfo                                                 N/A      N/A

Checks memory information

Description             Indicator                                                     Process  Target
File opened for read    /proc/meminfo                                                 N/A      N/A

Processes

com.blueboat.justtwopics.hack

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
GB       142.250.179.238:443   -                         tcp
GB       142.250.179.238:443   -                         tcp
US       1.1.1.1:53            freegeoip.net             udp
US       104.21.81.232:443     freegeoip.net             tcp
US       104.21.81.232:80      freegeoip.net             tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
US       1.1.1.1:53            lp.androidapk.world       udp
GB       142.250.179.228:443   -                         tcp
GB       142.250.179.228:443   -                         tcp
(- : no domain recorded for the connection)

Files

/data/user/0/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 7b0b4e7b1dc4968dc4ebea717fff53c0
SHA1 1ceec37828d1ac2f636c19334d766703c6c5bec9
SHA256 8d4fdd0e450e1b75d72a29874313b1fd0146caa3d1fe910befc2ab360b5f840f
SHA512 3f90eebe152d7fd43f677a821f5c7df9f778e8a82e8d582ef43d2a529101b1c6fbc0524ac132ee1762b71895cc715bdf6dcad459b0db0c546211c2e5611c87c4

/data/user/0/com.blueboat.justtwopics.hack/databases/evernote_jobs.db

MD5 58c0b6e45328752b20ac6e719ac034f8
SHA1 372b2638afd00bbbc4034657b3df3d2e428fb367
SHA256 9d74f93afa5a179b1ba2f19f154b2880aa8b99c88209802099045a0874d2426a
SHA512 2d347d5824b9ab701e341c89e8327a95fd6bab8e92ee15ce9550da368d773e22bff304072a4854df5ab763750a7401f7aa61a49e3292d62c27fa9f20536eb3ab

/data/user/0/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 b4efb61cebf894480a5616dc3e670899
SHA1 02c36ebde7095f089168524877e8075f8d2d6ab2
SHA256 efca648a5a0da5c3a3dca6bfa267f5ca8fa71261dc4fe069551013ebc91aeaa2
SHA512 5f83a7483c625a1ff51976776f4d02550da20f9c2fd0030e9cb8d424acc90d7040d6b8d9b699eeb9b2333b066505d3a19cfb42248030b2e8b385a8cb277b9bf9

/data/user/0/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 f29bf106012921c13a682d9b4167b074
SHA1 379e10f7bcb7b7d12bcc1e865ac2b88e53feba9e
SHA256 660a6c25a4afff1a30c73a1a9adc6408c5da4769d5545d2953c00209b18ef23c
SHA512 3219d6f1d9c9cb59ddb07abecfbb1d40e0bc54939e0f7cddcb37c9e6cfa51f3fa9070a0f07a9e36b827a62cc6d3585bdadb76ad67a15124fe5e4b44f8ff5a2e5

/data/user/0/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 984ca624ea4dccade8f9524c8653359f
SHA1 ab7649913433659ecf5cb9d0587f44d8e6f59f8b
SHA256 f720577a4ff4737b059e12172f97630a094dc6e828bfb63e2ccaa501d856f566
SHA512 4c32664687bd4af99f211a7e1e743a0578171cc9c3e9d2812beaf117ce1a63bf4b1f7d61d9a695a7507c1326e85decb36bf38358ae4d0963115340fa2e8f7db9

/data/user/0/com.blueboat.justtwopics.hack/databases/evernote_jobs.db

MD5 5053568be969343dfa106ea0d14460dc
SHA1 07cc5c512a932f877055e9b695b6cbf860463c07
SHA256 a0fa5272916a71f34f9861f788302de1b23b91e81ab72218da6f808831bff5ab
SHA512 329f552451e2d42fc46a2c850465365481c4e9a83a51aa74a620b0dd79276ccae5763b1e97eea278312795407631929e9640a5b4820983a0096bba837e4b2b99

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 19:51

Reported

2024-06-04 19:54

Platform

android-x86-arm-20240603-en

Max time kernel

23s

Max time network

130s

Command Line

com.blueboat.justtwopics.hack

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description             Indicator                                                               Process  Target
N/A                     N/A                                                                     N/A      N/A
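The launcher-hiding signature above is reported in all three behavioral runs but never with an indicator, so it has to be confirmed against the APK itself. The following is an added example for this report, not sandbox or sample code: it reads the text AndroidManifest.xml that apktool writes when decoding an APK and reports the two static forms of the trick, a manifest with no MAIN/LAUNCHER component at all, or a launcher component declared android:enabled="false" for the app to switch on later. The three manifests embedded in it are constructed for illustration.

```python
"""Static check for a hidden launcher entry in a decoded AndroidManifest.xml.

Added example for this report, not the sandbox's detection logic. It expects the
text manifest that apktool produces when decoding an APK (the binary manifest inside
the APK must be decoded first). The three manifests below are constructed for
illustration and are not taken from the analysed sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:<name> attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _has_launcher_filter(component):
    """True if any intent-filter on the component carries MAIN + LAUNCHER."""
    for flt in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        categories = {_attr(c, "name") for c in flt.findall("category")}
        if MAIN in actions and LAUNCHER in categories:
            return True
    return False


def launcher_status(manifest_xml):
    """Describe how the app exposes, or hides, its launcher entry.

    launchers           components (activity or activity-alias) with a launcher filter
    disabled_launchers  launcher components declared android:enabled="false"; the app
                        can switch these on later with setComponentEnabledSetting
    no_launcher         True when nothing in the manifest would put an icon in the launcher
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    launchers, disabled = [], []
    for comp in app.findall("activity") + app.findall("activity-alias"):
        if not _has_launcher_filter(comp):
            continue
        name = _attr(comp, "name")
        launchers.append(name)
        if (_attr(comp, "enabled") or "true").lower() == "false":
            disabled.append(name)
    return {"launchers": launchers, "disabled_launchers": disabled,
            "no_launcher": not launchers}


# Constructed manifests: a normal app, one whose launcher activity starts disabled,
# and one with no launcher entry at all (an activity reachable only by explicit intent).
NORMAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

DISABLED = NORMAL.replace('android:name=".MainActivity"',
                          'android:name=".MainActivity" android:enabled="false"')

HIDDEN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".Worker"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("normal", NORMAL), ("disabled", DISABLED), ("hidden", HIDDEN)):
        print(label, launcher_status(manifest))
```

A clean result from this check does not clear the sample: the third form of the trick, calling PackageManager.setComponentEnabledSetting with COMPONENT_ENABLED_STATE_DISABLED at runtime, leaves the manifest untouched, so follow up by searching the decoded smali or DEX for that method name.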

Queries the mobile country code (MCC)

discovery
Description             Indicator                                                               Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                                               Process  Target
Framework service call  android.app.IActivityManager.registerReceiver                           N/A      N/A

Schedules tasks to execute at a specified time

execution persistence
Description             Indicator                                                               Process  Target
Framework service call  android.app.job.IJobScheduler.schedule                                  N/A      N/A

Checks CPU information

Description             Indicator                                                               Process  Target
File opened for read    /proc/cpuinfo                                                           N/A      N/A

Checks memory information

Description             Indicator                                                               Process  Target
File opened for read    /proc/meminfo                                                           N/A      N/A
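The two /proc reads above are reported in every run, and the usual reason a sandbox flags them is emulator fingerprinting. The sandbox records only that the files were opened, not what the app did with the contents, so the following is an added illustration of what such a check typically looks like, not code recovered from the sample. The /proc excerpts are constructed rather than captured from the analysis VMs, and the marker list and the memory threshold are assumptions an analyst would tune.

```python
"""What a /proc/cpuinfo and /proc/meminfo environment check looks like.

Added example for this report, not code recovered from the sample: the sandbox only
records that the two files were opened, not what the app did with the contents. The
/proc excerpts below are constructed, not captures from the analysis VMs, and the
marker list and memory threshold are assumptions an analyst would tune.
"""
import re

# Strings that name the stock Android emulator boards or common hypervisors
# (assumption: illustrative list, not exhaustive).
EMULATOR_MARKERS = ("goldfish", "ranchu", "qemu", "virtualbox", "vbox", "android_x86")


def parse_proc(text):
    """Parse 'key : value' lines into a dict keyed by lower-cased name.
    /proc/cpuinfo repeats its block once per core; the first value is kept."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        out.setdefault(key.strip().lower(), value.strip())
    return out


def emulator_indicators(cpuinfo, meminfo, low_mem_kb=1_500_000):
    """Return the reasons a /proc-based check would decide it runs in an emulator.

    An empty list means the environment looks like a handset to this check.
    low_mem_kb is an assumed threshold: emulator images are often given 1 to 2 GB,
    current handsets far more, but memory size is a weak signal on its own.
    """
    cpu = parse_proc(cpuinfo)
    mem = parse_proc(meminfo)
    reasons = []

    hardware = cpu.get("hardware", "").lower()       # ARM images expose the board name
    if any(m in hardware for m in EMULATOR_MARKERS):
        reasons.append("Hardware field names an emulator board: %r" % hardware)

    model = cpu.get("model name", "").lower()        # x86 images expose the CPU model
    if "virtual" in model or any(m in model for m in EMULATOR_MARKERS):
        reasons.append("model name looks virtual: %r" % model)

    flags = set(cpu.get("flags", "").split())        # x86 only; bit is set by the hypervisor
    if "hypervisor" in flags:
        reasons.append("CPUID 'hypervisor' flag is set")

    match = re.match(r"(\d+)\s*kB", mem.get("memtotal", ""))
    if match and int(match.group(1)) < low_mem_kb:
        reasons.append("MemTotal %s kB is below the handset threshold" % match.group(1))
    return reasons


# Constructed excerpts of the two files.
ARM_EMULATOR_CPUINFO = """processor\t: 0
model name\t: ARMv8 Processor rev 0 (v8l)
BogoMIPS\t: 125.00
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
Hardware\t: Goldfish
"""
X86_EMULATOR_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel Core Processor (Haswell)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov hypervisor
"""
HANDSET_CPUINFO = """processor\t: 0
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics
Hardware\t: Qualcomm Technologies, Inc SM8250
"""
EMULATOR_MEMINFO = "MemTotal:        1015452 kB\nMemFree:          201120 kB\n"
HANDSET_MEMINFO = "MemTotal:       11720224 kB\nMemFree:         3120400 kB\n"

if __name__ == "__main__":
    print(emulator_indicators(ARM_EMULATOR_CPUINFO, EMULATOR_MEMINFO))
    print(emulator_indicators(X86_EMULATOR_CPUINFO, HANDSET_MEMINFO))
    print(emulator_indicators(HANDSET_CPUINFO, HANDSET_MEMINFO))
```

Two caveats follow from the code. First, the x86 and ARM images leak different fields (a board name versus a CPUID flag), which is one reason to run a sample on more than one platform, as this report did. Second, the same reads are made by analytics and crash-reporting SDKs, so the signature only becomes interesting when the branch that follows it changes the app's behaviour.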

Processes

com.blueboat.justtwopics.hack

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            freegeoip.net             udp
US       172.67.165.196:443    freegeoip.net             tcp
US       1.1.1.1:53            lp.androidapk.world       udp
US       172.67.165.196:80     freegeoip.net             tcp
GB       172.217.16.238:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       216.58.204.78:443     android.apis.google.com   tcp
(- : no domain recorded for the connection)
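The Network tables of the three runs (this one, behavioral2 and behavioral3) mix DNS lookups, TCP connections and local multicast in one flat list. The following added example, not part of the sandbox output, parses the rows as printed and answers the two questions an analyst asks of them: which names were actually contacted, and which were only resolved. The rows are the distinct entries copied from the three tables; the allowlist of Google infrastructure is the analyst's own assumption, not something the report states.

```python
"""Triage of the Network tables in this report.

Added example, not part of the sandbox output. REPORT_ROWS are the distinct rows
from the three behavioral runs, copied as printed (Domain is absent where the
sandbox could not tie a connection to a DNS answer). BENIGN_DOMAINS is the
analyst's allowlist, an assumption the report itself does not make.
"""
from collections import defaultdict

REPORT_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 freegeoip.net udp
US 104.21.81.232:443 freegeoip.net tcp
US 104.21.81.232:80 freegeoip.net tcp
US 172.67.165.196:443 freegeoip.net tcp
US 172.67.165.196:80 freegeoip.net tcp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 lp.androidapk.world udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
"""

# Infrastructure nearly every Play-distributed app contacts; kept out of the pivot
# list but still reported (assumption: analyst allowlist).
BENIGN_DOMAINS = ("google-analytics.com", "google.com", "gstatic.com", "googleapis.com")


def is_benign_infra(domain):
    """True when the name is one of the allowlisted zones or a host inside one."""
    return any(domain == d or domain.endswith("." + d) for d in BENIGN_DOMAINS)


def parse_rows(text):
    """Yield (country, ip, port, domain_or_None, proto) for each report row."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError("unexpected row: %r" % line)
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def triage(text):
    """Group rows by domain. Returns (per_domain, unattributed_endpoints)."""
    resolved = defaultdict(set)    # domain -> resolver IPs that were asked about it
    connected = defaultdict(set)   # domain -> "ip:port" endpoints actually contacted
    unattributed = set()           # TCP endpoints with no domain in the capture
    for country, ip, port, domain, proto in parse_rows(text):
        if ip == "224.0.0.251" and port == 5353:
            continue    # mDNS multicast on the VM's own segment, never remote infrastructure
        if domain is None:
            unattributed.add("%s:%d" % (ip, port))
        elif proto == "udp" and port == 53:
            resolved[domain].add(ip)
        else:
            connected[domain].add("%s:%d" % (ip, port))
    per_domain = {}
    for domain in sorted(set(resolved) | set(connected)):
        per_domain[domain] = {
            "benign_infra": is_benign_infra(domain),
            # queried but never contacted: the lookup failed or the app did not use the answer
            "resolved_only": domain in resolved and domain not in connected,
            "endpoints": sorted(connected.get(domain, ())),
        }
    return per_domain, sorted(unattributed)


def pivot_domains(text):
    """Domains worth pivoting on in threat intel: everything not on the allowlist."""
    per_domain, _ = triage(text)
    return [d for d in per_domain if not per_domain[d]["benign_infra"]]


if __name__ == "__main__":
    per_domain, unattributed = triage(REPORT_ROWS)
    for domain, info in per_domain.items():
        print(domain, info)
    print("unattributed:", unattributed)
    print("pivot on:", pivot_domains(REPORT_ROWS))
```

On the report's rows the pivot list comes out as freegeoip.net and lp.androidapk.world, with lp.androidapk.world marked resolved-only: it was queried in every run and contacted in none. The single unattributed endpoint in the sample rows, 142.250.179.234:443, is left for the analyst to attribute by reverse lookup or certificate name rather than silently dropped.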

Files

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-journal

MD5 46c40ca3fdc24ee3503c435b3d8ac0ed
SHA1 87fef54c7af5e1ff92dbbf270d9647baa50b1982
SHA256 fffe490129a9a077366b98686198a5dbdf3b9f7eb708ea82382845f6bf15ae2e
SHA512 43dbc12b94bcb84ea6b0a936575bfc079640bc75bedca833ddd7ca1a0cd934a4fee2450bf0c9d5eca4ae7f56467c0c97bfba5f19f53b30c419407422c259fa5d

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db

MD5 5d85664f8e614fcaef42be2e6f649027
SHA1 09c6288922102f6114a823f4992415fd3373d61e
SHA256 55f8907e91226ef43a05583c7b4623b4e26994b62d20c8603975ccc1fa3b9409
SHA512 3d6006a3e82d00fe9bc443e940acc5df12ec84114fcbcf8fbc8099c085cb1229b21a217b7445129b50558bfef5100894686d7359eb80b7ef087b65c7be3bc6e9

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-wal

MD5 c3b48885c4ad7866ba7381f9b665ef46
SHA1 0dd05d3355ea14b4e92b0739e070ff016e261dd3
SHA256 33b9ab5a97061ac9e6dcf9c43b960423f117dd6a39a99a868dcf3d3dfc7c6f3d
SHA512 eccd4cdc984025d16f85933545117d900b62f01fb6d37139420d5e1d88817a1779e9c013071351d326878b767d52837013b736200624988612f0817ee1ef85df

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db-wal

MD5 11b68ef625552f4d317774d8a29b64a3
SHA1 cb43883685166373f8d88da8090bf3ef59c5c247
SHA256 fe32da7e7c005ffc081a6041d682c15bec66b0ed8ad82a99ca3f3103b468e890
SHA512 03dbef696972a8ac3c684e7f55d9dd6e7f937eae1e5ef14b5e3c02f3cb9e1381faafc90a861820d8c213defc52f0e55c5e7295fff2427677697915255447f588

/data/data/com.blueboat.justtwopics.hack/databases/evernote_jobs.db

MD5 658cd5828dcf0f655c102c72e9c3cfee
SHA1 876a6614bba1e03a056f1c9ea692272f504be510
SHA256 1ba72c0cf447ae1cd60337de285d60476ee0c1ad656e94886bbe1240f4553259
SHA512 320b89fbcc06c95d45fd4a8d2b69e900cff8ec83506a169504e6409f2b79869f6fa1b0a65638f3cf85fd464ccb2d0c81a70b03b1e9c094a6f9921fe4f2c84316
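The Files sections of all three runs list evernote_jobs.db beside its -journal files, and this run also beside -wal and -shm files. The following added example, not sandbox code, shows why those sidecars have to be collected with the main file: it builds a write-ahead-log database whose committed rows have not yet been checkpointed, then opens a copy made with and without the -wal file. The database, its rows and the jobs table layout are constructed for the illustration; the layout is an assumption and not the real schema of the Evernote Android-Job library.

```python
"""Recover rows from a SQLite database pulled out of a sandbox run, sidecars included.

Added example for this report, not sandbox code. The Files sections list
evernote_jobs.db together with -journal, -wal and -shm files; this shows why the
sidecars must be copied with the main file. The database and its rows are constructed
here, and the 'jobs' table layout is an assumption, not the real schema of the
Evernote Android-Job library.
"""
import os
import shutil
import sqlite3
import tempfile

# -shm is a shared-memory index that SQLite rebuilds from the WAL, so it need not be copied.
SIDECARS = ("-wal", "-journal")


def make_wal_database(path, rows):
    """Create a WAL-mode database whose committed rows live only in <path>-wal.

    Checkpointing is disabled after the schema is written, which reproduces the state
    of a database mid-session on a device. The returned connection must stay open:
    closing it would checkpoint the WAL into the main file and delete the sidecar.
    """
    conn = sqlite3.connect(path, isolation_level=None)        # autocommit
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, tag TEXT, scheduled_at INTEGER)")
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")           # schema lands in the main file
    conn.execute("PRAGMA wal_autocheckpoint=0")               # later writes stay in the WAL
    conn.executemany("INSERT INTO jobs (tag, scheduled_at) VALUES (?, ?)", rows)
    return conn


def extract(src_db, dest_dir, with_sidecars):
    """Copy the main database file, and optionally its sidecars, into dest_dir."""
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(src_db))
    shutil.copy(src_db, dest)
    if with_sidecars:
        for suffix in SIDECARS:
            if os.path.exists(src_db + suffix):
                shutil.copy(src_db + suffix, dest + suffix)
    return dest


def count_jobs(db_path):
    """Open an extracted copy and count the rows SQLite can see in it."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM jobs").fetchone()[0]
    finally:
        conn.close()


def demo():
    """Return (rows visible without sidecars, rows visible with sidecars)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evernote_jobs.db")
    # Constructed job records; the tags and timestamps are illustrative.
    live = make_wal_database(src, [("sync", 1717530000), ("report", 1717530600)])
    try:
        bare = extract(src, os.path.join(work, "bare"), with_sidecars=False)
        full = extract(src, os.path.join(work, "full"), with_sidecars=True)
        return count_jobs(bare), count_jobs(full)
    finally:
        live.close()
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The copy made from the main file alone reports an empty table; the copy that carried the -wal file reports both rows. The same applies in reverse for rollback-journal mode: a -journal file left beside the database holds the pages a transaction was about to overwrite, so it too should travel with the main file when the sandbox dumped it mid-write.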