Malware Analysis Report

2025-01-19 05:03

Sample ID: 240605-wpen7sdf71
Target:    98decfef34dec8fdd73bf952e718d2b3_JaffaCakes118
SHA256:    41a832af500ccc7822ea1c4b3d68151fcaffbbc9579e988be89a2da782eb0486
Tags:      banker, collection, discovery, evasion
Score:     7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  7/10
SHA256: 41a832af500ccc7822ea1c4b3d68151fcaffbbc9579e988be89a2da782eb0486

Threat Level: Shows suspicious behavior

The file 98decfef34dec8fdd73bf952e718d2b3_JaffaCakes118 was classified as "Shows suspicious behavior".

Malicious Activity Summary

Tags: banker, collection, discovery, evasion

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Queries account information for other applications stored on the device
Queries information about running processes on the device
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Reads information about phone network operator
Requests dangerous framework permissions
Requests cell location
Listens for changes in the sensor environment (might be used to detect emulation)

Analysis: static1

Detonation Overview

Reported: 2024-06-05 18:05

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every row.

Indicator                                  Description
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.READ_PHONE_STATE        Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_FINE_LOCATION    Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.GET_ACCOUNTS            Allows access to the list of accounts in the Accounts Service.
android.permission.SEND_SMS                Allows an application to send SMS messages.
android.permission.RECEIVE_SMS             Allows an application to receive SMS messages.

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-05 18:05
Reported:         2024-06-05 18:08
Platform:         android-x86-arm-20240603-en
Max time kernel:  7s
Max time network: 140s

Command Line

com.zjy.jp.wf.mobile

Signatures

Process and Target are N/A for every indicator below.

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  Tags: banker, discovery

Queries account information for other applications stored on the device
  Tags: collection
  Framework service call: android.accounts.IAccountManager.getAccounts

Queries information about running processes on the device
  Tags: discovery
  Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries information about active data network
  Tags: discovery
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
  Tags: discovery
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)
  Tags: discovery
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator
  Tags: discovery

Requests cell location
  Tags: collection, discovery
  Framework service call: com.android.internal.telephony.ITelephony.getAllCellInfo

Listens for changes in the sensor environment (might be used to detect emulation)
  Tags: evasion
  Framework API call: android.hardware.SensorManager.registerListener

Processes

com.zjy.jp.wf.mobile

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      -                                   udp
US       1.1.1.1:53            open.play.cn                        udp
CN       202.102.39.23:80      open.play.cn                        tcp
US       1.1.1.1:53            api.share.mob.com                   udp
CN       180.188.25.42:80      api.share.mob.com                   tcp
CN       180.188.25.42:80      api.share.mob.com                   tcp
GB       172.217.169.42:443    -                                   tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
GB       142.250.200.42:443    semanticlocation-pa.googleapis.com  tcp
GB       142.250.187.206:443   -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.200.46:443    android.apis.google.com             tcp

(A "-" in the Domain column means no domain was recorded for that connection.)

Files

/data/data/com.zjy.jp.wf.mobile/app_td-cache/tdandroidgame

MD5 04005e5a165f68560bcd920d08480104
SHA1 e7fa28a3779731a792f625db9355ef74709b204d
SHA256 dae4441cc34911f948735c1dad273820660f9689136ea76f0e750c83f16effeb
SHA512 e58481d9f350235ece692f8a46159c386d2d0e25f0096b247855e659007b9e5c6be6d620b277a59fa1c6403a70b981e61e186f30aab284feb88eacdf5d7b69f6

/data/data/com.zjy.jp.wf.mobile/files/j123temp

MD5 897d1c2e6f1c8f736cf9b30548549528
SHA1 79d14685b0b1035d34ab7c6a1d9bf8b3ebd46281
SHA256 efb7d441f0fe3b1c9483d1400f52b75fcec2dd8ae0b69822fd6571095608d28e
SHA512 8c8157c927d73ce4151251c2a4656aab13197fcd553dfec4667fd8d9d5368126671ec4a1331be8b94f69359c9dc3ff9baab6045d19368279c7b38efcc84f2bfc

/storage/emulated/0/ShareSDK/.dk

MD5 c9383021bd97affc44be4db7018c4d7b
SHA1 7e680409d1c86e35149bebc22f2cf8c484f0d23e
SHA256 b7b7e032170e3190a84359e5c37adede1d58b6bf4c455ef0c01f73335709bb65
SHA512 7303f068da97319891e2d25c1c737035f1cfdc365d75d954102b612000e54d7e2b5dfafe10bdf909563e2b46ec3ff9e546423bff6f0aa9496880eab1c1c36a81

/data/data/com.zjy.jp.wf.mobile/files/player.txt

MD5 ce4ff85337cdb1b62bc6291819de65b4
SHA1 5f864fb5a53a4c7054600600b0964f97eb6de31e
SHA256 95e9c8e8f4ffdbf2a60229012bd1c338225e3e0a5b1ad03f354fa3a88034aebc
SHA512 ef2a458d549151411a1883a33ce87286473595eec00a3789b36a1ce9a914a5badb02efd85d17868b21022df02c796ca0b308892f8bd78b393d9608b396305414

/data/data/com.zjy.jp.wf.mobile/files/player.txt

MD5 1791db3ce90f930062367bcf218399bb
SHA1 889b3283c9e9af00f91b92932f9fcc823ce94186
SHA256 a2aeccbcb0b493e3075fd71d5bf321aefc677717b659796c03385f900723ac2d
SHA512 5124acdf31af88dc6bdf87f714d1cd71c87417643ac7756420913a78ce17b0b2edbc1fc697a9e81fdedabde72bd3c248ae2ecca58b6b7e2daa40cf248a364aa4

/data/data/com.zjy.jp.wf.mobile/files/player.txt

MD5 03dc8ed8ec923bdce0eb14fd133f2865
SHA1 944e69273a2f71a362e194a8341961391dd329af
SHA256 829e2c8cb1985aaa48dc9aa6f93e98269aea3722e7be8a3a77759a47d4f39d37
SHA512 42efb5c5737aec0002ee07a7af656a422a451fab4d007d17b94a1dfbc83262dc7b2ae49bb36f83f7f5aba0ba052ca55894ca64fc8f779905ffa3b80355948fa8