Malware Analysis Report

2024-09-09 13:38

Sample ID 240605-vmxxbsde38
Target 98b6ebbf3c5a77ac4ec01134f7f28d57_JaffaCakes118
SHA256 b152a6b442b4551b85a132eefe204c323d9e0d1a55808b4cf3f1bd757948e744
Tags: discovery evasion impact persistence stealth trojan
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 98b6ebbf3c5a77ac4ec01134f7f28d57_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence stealth trojan

Removes its main activity from the application launcher

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-05 17:08

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-05 17:06
Reported: 2024-06-05 17:16
Platform: android-x64-20240603-en
Max time kernel: 179s
Max time network: 153s

Command Line

com.beacon.drill

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.beacon.drill

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353                                  udp
US       1.1.1.1:53            mmunitedaw.info             udp
LT       149.100.158.54:443    mmunitedaw.info             tcp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       172.217.169.8:443     ssl.google-analytics.com    tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.187.238:443   android.apis.google.com     tcp
LT       149.100.158.54:443    mmunitedaw.info             tcp
GB       142.250.200.2:443                                 tcp
GB       172.217.169.78:443                                tcp
GB       172.217.16.228:443                                tcp
GB       172.217.16.228:443                                tcp
GB       216.58.204.78:443                                 tcp

Files

/data/data/com.beacon.drill/files/aa8fd1cf-a6b2-4c5d-9885-da4f1f19e7cb.dat

MD5 64a5dc0aeea9044c84f8650ab51d1a5c
SHA1 1b9eea5daf46c15cb5b9d4123d0ade4a43d7cca7
SHA256 876924452bfd65c8c78fe6136b2516631ceacaaf74422cd0b17abf58be34d27a
SHA512 64f4a012a7fed1e0ecd62f5f087d3227132136560ca5e77a1aee43f70326393613c70a80f4c51f018fa4a58fb327b2fd4088cafb9f1d7269d79e34a4c6f89c19

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-05 17:06
Reported: 2024-06-05 17:16
Platform: android-x64-arm64-20240603-en
Max time kernel: 179s
Max time network: 134s

Command Line

com.beacon.drill

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.beacon.drill

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353                                  udp
GB       172.217.16.238:443                                tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       216.58.204.78:443     android.apis.google.com     tcp
US       1.1.1.1:53            mmunitedaw.info             udp
LT       149.100.158.54:443    mmunitedaw.info             tcp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       216.58.212.232:443    ssl.google-analytics.com    tcp
LT       149.100.158.54:443    mmunitedaw.info             tcp
GB       216.58.212.196:443                                tcp
GB       216.58.212.196:443                                tcp

Files

/data/user/0/com.beacon.drill/files/aa8fd1cf-a6b2-4c5d-9885-da4f1f19e7cb.dat

MD5 dba2a76fd18d3333da19585ae606f0ad
SHA1 d22d9a952fffe515232b31739b7da05ddc4aa17d
SHA256 eefe797bd914e9b51c958ef21076e106079e819b44c4cd79608900c368e88c1a
SHA512 d1c34d3803061d8d49c7f867ab0cb2a3c7de1c0fcfe5e5dbc2f5ca923bdaf6b81ca9a18d317d36674070f0a21e72389097c4f389a7462033685fcd0a098e0ce1

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-05 17:06
Reported: 2024-06-05 17:16
Platform: android-x86-arm-20240603-en
Max time kernel: 179s
Max time network: 132s

Command Line

com.beacon.drill

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.beacon.drill

Network

Country  Destination           Domain                                Proto
N/A      224.0.0.251:5353                                            udp
GB       142.250.200.42:443                                          tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com    udp
US       1.1.1.1:53            mmunitedaw.info                       udp
LT       149.100.158.54:443    mmunitedaw.info                       tcp
LT       149.100.158.54:443    mmunitedaw.info                       tcp
GB       142.250.200.46:443                                          tcp
US       1.1.1.1:53            android.apis.google.com               udp
GB       142.250.200.46:443    android.apis.google.com               tcp

Files

/data/data/com.beacon.drill/files/aa8fd1cf-a6b2-4c5d-9885-da4f1f19e7cb.dat

MD5 0dc88ea33c2fe4bbc7f6a9ec838fcc1d
SHA1 4702fa447a158766267ca274d0b6901cce61270f
SHA256 7692d697c8f01ef847c9949edcae82d0f87089ba9a7c5abc13ba6fbd462bc0c3
SHA512 b029e252966baa244053dfb6d464d1dfe2a59896172ad950d58405c715b3feab9c0bfc63e4b8b23e1177a351cc269c1ced5507ef633a3779487cd42f4360e225