Malware Analysis Report

2025-01-19 05:02

Sample ID 240605-2j4n2aah9t
Target 996daf91670c142e762382663dace5fe_JaffaCakes118
SHA256 b816fc8aeb8cd13bec7c8aa043f1ea28f37204ab2724e56b67be2dac495505c3
Tags
banker collection discovery persistence
score
7/10

Analysis Overview

score
7/10

SHA256

b816fc8aeb8cd13bec7c8aa043f1ea28f37204ab2724e56b67be2dac495505c3

Threat Level: Shows suspicious behavior

The file 996daf91670c142e762382663dace5fe_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the content of the browser bookmarks.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-06-05 22:37

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 22:37

Reported

2024-06-05 22:40

Platform

android-x86-arm-20240603-en

Max time kernel

6s

Max time network

131s

Command Line

com.appoffer.videoonline

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the content of the browser bookmarks.

collection
Description Indicator Process Target
URI accessed for read content://browser/bookmarks N/A N/A
URI accessed for write content://browser/bookmarks N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.appoffer.videoonline

Files

/data/data/com.appoffer.videoonline/databases/QQ_Wabao_Video-journal

MD5 21087534d358d00435f4bf3854a17140
SHA1 93df7929f39a0cd846018117613b86efd3223265
SHA256 a005d09ede45c76893af0bb732f7d311b749815d3e9bc1cd2808db0293e94e76
SHA512 ac225960ad64dbf1665000cdeedd34321bb699c91e2e34b31a86d1b3086e6dd4ae6b060a83786cf0f91407a0bfa03af48493cfd30df5d94dd1f4072aabb7454a

/data/data/com.appoffer.videoonline/databases/QQ_Wabao_Video

MD5 863215edaf16aef1edd3be6e5b2f38a3
SHA1 d92317515c06ced90a6afd5d328597a0a381d597
SHA256 e1d0e561a3fd744458f4f8319a6963cccd16021dab7363b27b3844292c5b4153
SHA512 89c19100e9142cb882859d9d4322f78caa8f426d72d52fe1c4f4e4317623aadaa593df001246b1b58500667f1703ba65aaceaf2f93f17508e43cea6194316fb5

/data/data/com.appoffer.videoonline/databases/QQ_Wabao_Video-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.appoffer.videoonline/databases/QQ_Wabao_Video-wal

MD5 84575302e827a67a29ba10a24e0d1a22
SHA1 794d97b1d6decd0d339146d4e2af68749a37ff6f
SHA256 37f1e89d5db838e806db7bc85d8210b8d0b314642e9eca9de2bf1a7623494197
SHA512 e1cf0233a4338b77c79322bc65df9b2350acf71229908ab586df643041ad3048c9b632287bd8036c61e49366af00c0517ceb9e96b428420cc28d7c82414288e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 22:37

Reported

2024-06-05 22:40

Platform

android-x64-20240603-en

Max time kernel

125s

Max time network

152s

Command Line

com.appoffer.videoonline

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the content of the browser bookmarks.

collection
Description Indicator Process Target
URI accessed for read content://browser/bookmarks N/A N/A
URI accessed for write content://browser/bookmarks N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.appoffer.videoonline

Files

/data/data/com.appoffer.videoonline/databases/QQ_Wabao_Video-journal

MD5 2ee1f13beeb2f1825eb848a77772f63c
SHA1 8c7edf469e8ff622946bd7e23bb82b952073f42a
SHA256 808767d80ff1812adce18dcf0a7349a7cbc37b6daed5d5f85f234d1e300534bc
SHA512 b88a4c011cd999cc65c5dbd7f623a893a4867ec8cba2b3fc5f4e08c4cb62083727f6919090582142df59c8ebea3bd4197f6b2341a9394a25ab9b50d45d68c108

/data/data/com.appoffer.videoonline/databases/QQ_Wabao_Video

MD5 4e549408aa980c4c0098a1333026d5e5
SHA1 5a680a4554343e57d5047905b23441c61287d020
SHA256 6e690c82c0b4ffdb62cf1e9adf9985fc6110c3a87922cea35e067001167fd8fe
SHA512 39995fd2cec71410aab08796233415c9692383668f166c697437b1442eaa5a5def3b03d947fa6e17bd25d6e1ab4f3570b060ef4bfb0635fd947d50fd275b4082

/data/data/com.appoffer.videoonline/databases/QQ_Wabao_Video-journal

MD5 1c5d6be5f7870f8ca5b967d64323e21a
SHA1 6a74ca2d2f7b6da2f36f45305e8b4f5f33038b92
SHA256 f80a8bf10e35d84f979bdff904477aafa25dcc1c71cd70166a06c7d55d04ace3
SHA512 6b1982c6a5177dea96a57a99d6c10ed096eb4f78296c61ccceba37fe6b2cc193de19e4c02c719aa47d099fd0c3e291073a7e576ef5ced4ee053fbfdbb2583da4

/data/data/com.appoffer.videoonline/databases/QQ_Wabao_Video-journal

MD5 2add7a24f9116598535701844be3db1e
SHA1 ca96d54ee41403502405c6f3e5b9c5c8d75763d6
SHA256 f5d88616a3150e7aeca646d86cc1ecc195a4667d3dec1a1c18c7d70ab812e229
SHA512 76b9792f9f117eb9d8b3c63f5b8d7af9f98a5abf0254703d54410eff9527879b075b633881b3be3fb3677a750e685e0a395f60f711f87c509ff92786639c5b8c

/data/data/com.appoffer.videoonline/files/mobclick_agent_cached_com.appoffer.videoonline

MD5 da0b1c61d6cd59d7fed18adbfe787e3d
SHA1 20cf364d2313911bbdb57b489ad4d6c5ca54c5df
SHA256 7bc6e222283b85147d769337627cb1ab8d0304316fefee5f6c4dfd79dc18f526
SHA512 402e25c3902a148554f656be26556e9fcce298eaa13498f029309e7b4143752fec87044aa91186539aa9ba39069805028437e9bfb15edca77410f12e0d143485

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 22:37

Reported

2024-06-05 22:40

Platform

android-x64-arm64-20240603-en

Max time kernel

6s

Max time network

132s

Command Line

com.appoffer.videoonline

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the content of the browser bookmarks.

collection
Description Indicator Process Target
URI accessed for read content://browser/bookmarks N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.appoffer.videoonline

Files

/data/user/0/com.appoffer.videoonline/databases/QQ_Wabao_Video-journal

MD5 588f0446381787cb119306cbb3c0cc04
SHA1 df613cb301aead3012ef04f820649c3452dc2135
SHA256 741c180530591014b2bcdd38a3b96f1e5d8806767a27baa165a660a3f1192880
SHA512 9c3afb5ca544ff9876303bd0536748ce8231ad53ecb7c3b1dcb05ba8e9f7855887a53dd122722799a3f08f24785cbba0f9a9964608a69abde5d184578296b8a8

/data/user/0/com.appoffer.videoonline/databases/QQ_Wabao_Video

MD5 3c1c16a0dc7e5734e76da9001267b1c4
SHA1 7be1e61ace2f04d7dbe1077446aff79f8d2c989f
SHA256 8b83a45131ed3a79f11235e8e8a98e5df28f754c718186abf9ae4fad73f47e12
SHA512 3745470911844dff37c6ff6c23598a46c0f57edf11609e98a9acb4100b3bbf09a24f03b8d2f93defc91a563dc93becfbb5d691b3f24283dbd7c0b4953ef20668

/data/user/0/com.appoffer.videoonline/databases/QQ_Wabao_Video-journal

MD5 aa8ff3038ff85731d9f5fc56ca37de5a
SHA1 8a07db0ff4e6d6f9795982648b834962c1406abd
SHA256 c2906b987bd293081953389696a062e738357e9bbc36bab5d6001c5fb05dad9c
SHA512 767c9eacb1e23944650db8c25ac5a5da997cca8a45e7a7f512404e9c39f60ea8fe0ecd9548de3229330373766a413da612fa742501df77dede39c3a5a9f26c82

/data/user/0/com.appoffer.videoonline/databases/QQ_Wabao_Video-journal

MD5 25a35fe6645e7a454556aa2d7008e03c
SHA1 7f9a5796e13c56ccd227021069148eadc60df1e2
SHA256 674a5555281d2d741834677f50da53ebf61eed46c889fa1f120b9761abebe25e
SHA512 2c6ff9b2209ba23e26b1f7347916d1e86fb274630d039a8c025d56b6f39c5642b11ad5a8e7241851872863ad3ab3c500c069111cd6ac7af5dbfe73a0326cc78b