Malware Analysis Report

2024-09-09 13:38

Sample ID 240605-yrpy3agb2z
Target 9919a0d95f04fb4dcde68cf80a2aac06_JaffaCakes118
SHA256 70bb15b401bb881752a28044daa872abed420704644609f98d63809bb592dec0
Tags
discovery evasion impact persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

70bb15b401bb881752a28044daa872abed420704644609f98d63809bb592dec0

Threat Level: Likely malicious

The file 9919a0d95f04fb4dcde68cf80a2aac06_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Queries information about active data network

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-05 20:01

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
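The two static signatures above are checks an analyst can reproduce from a decoded AndroidManifest.xml: which requested permissions fall in the sandbox's "dangerous" set (in Android's own taxonomy SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES are special-access appop permissions rather than runtime ones, but the signature groups them together because of what they buy an attacker), and which services are guarded by a system-only bind permission such as BIND_VPN_SERVICE. The script below is an added example, not code from the report or from the sample. It assumes the manifest has already been decoded from the APK's binary XML (for instance with apktool), uses a constructed manifest that mirrors the permission set listed above, and goes one step beyond the static signatures by also listing MAIN/LAUNCHER entry points, since an app with no enabled launcher activity is invisible in the app drawer. The package, activity and service names in the sample manifest are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the report's "Requests dangerous framework permissions" signature
# keys on for this sample, with the capability each one buys an attacker.
DANGEROUS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "prompt to install further packages",
}
# Signature-level permissions a service declares so that only the system can bind to it.
SYSTEM_BIND_PERMISSIONS = {"android.permission.BIND_VPN_SERVICE"}

# Constructed manifest mirroring the permission set in the static1 section.
# Package, activity and service names are assumptions, not taken from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.decoded">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Example">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TunnelService" android:exported="true"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Static triage: dangerous permissions, system-bound services, launcher entry points."""
    root = ET.fromstring(xml_text)
    requested = [attr(e, "name") for e in root.iter("uses-permission")]
    dangerous = {p: DANGEROUS[p] for p in requested if p in DANGEROUS}

    system_bound = [
        (attr(s, "name"), attr(s, "permission"))
        for s in root.iter("service")
        if attr(s, "permission") in SYSTEM_BIND_PERMISSIONS
    ]

    # An app with no enabled MAIN/LAUNCHER component has no icon to begin with; one that
    # ships with an icon and drops it at runtime is what the dynamic signature catches.
    launcher = []
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for filt in comp.iter("intent-filter"):
            actions = {attr(a, "name") for a in filt.iter("action")}
            categories = {attr(c, "name") for c in filt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
                launcher.append((attr(comp, "name"), attr(comp, "enabled") != "false"))

    return {
        "package": root.get("package"),
        "requested": requested,
        "dangerous": dangerous,
        "system_bound_services": system_bound,
        "launcher_activities": launcher,
    }


def findings(report):
    """Turn the triage dict into analyst-facing findings (heuristics, not a score)."""
    out = []
    d = report["dangerous"]
    if "android.permission.SYSTEM_ALERT_WINDOW" in d and "android.permission.REQUEST_INSTALL_PACKAGES" in d:
        out.append("overlay + install-packages: can phish on top of other apps and sideload a second stage")
    if {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"} & set(d):
        out.append("location access: device tracking capability")
    for name, perm in report["system_bound_services"]:
        out.append("service %s guarded by %s: app can route device traffic through itself" % (name, perm))
    if not any(enabled for _, enabled in report["launcher_activities"]):
        out.append("no enabled launcher activity: app is invisible in the app drawer")
    return out


if __name__ == "__main__":
    for line in findings(triage_manifest(SAMPLE_MANIFEST)):
        print("-", line)
```

Run against the constructed manifest this reports the overlay-plus-install combination, location access and the VPN-guarded service; disabling the launcher activity (android:enabled="false") adds the hidden-icon finding.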

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 20:01

Reported

2024-06-05 20:04

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

130s

Command Line

com.cold.toothbrush

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cold.toothbrush

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.234:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.cold.toothbrush/files/4dcb6219-cd79-4a67-b45a-5a03cc79c961.dat

MD5 ae6272e09d3261dc71d019d652832967
SHA1 712066a176dc4ef9076af456152d269861da1082
SHA256 c39c789e76ac38ab77377fbf5e143035049d6314f620e1b64f9fd79bcd725f24
SHA512 c4f8f92ef5c1198f9bc16458c287c94f49b014aa024f64cf8fd3361f02286525155a05753441fb2001f14b5d324e1f4fca6fff4dc3be0eacdf9b21de89c457a3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 20:01

Reported

2024-06-05 20:04

Platform

android-x64-20240603-en

Max time kernel

179s

Max time network

150s

Command Line

com.cold.toothbrush

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cold.toothbrush

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.16.234:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 142.250.200.46:443 | - | tcp
GB | 172.217.169.66:443 | - | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.187.228:443 | - | tcp

Files

/data/data/com.cold.toothbrush/files/4dcb6219-cd79-4a67-b45a-5a03cc79c961.dat

MD5 8fcf79b305ad087e933d63c3b3c39327
SHA1 26271ec8b4aaeb683c8b09719249a2df23d248f6
SHA256 b696cc4060eb34f35891a16a900d7b28169ee2798c1aa47770af5575ccf513e7
SHA512 c471a1bfec8cb7382b7f0b6b3a2ed5027a4324907ec95f84ad0681c6bb8c74a1f8d7b69050cde19ac699ec4f7460ba89555d31c40b8e7a1a17fcea045e223697

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 20:01

Reported

2024-06-05 20:04

Platform

android-x64-arm64-20240603-en

Max time kernel

179s

Max time network

132s

Command Line

com.cold.toothbrush

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cold.toothbrush

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.16.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | mmunitedaw.info | udp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
LT | 149.100.158.54:443 | mmunitedaw.info | tcp
GB | 216.58.212.196:443 | - | tcp
GB | 216.58.212.196:443 | - | tcp

Files

/data/user/0/com.cold.toothbrush/files/4dcb6219-cd79-4a67-b45a-5a03cc79c961.dat

MD5 adf38ea6458f2d585b181b221a8474f1
SHA1 928632005af3ad4899a90ce36e19650f4d45c2a2
SHA256 b03c8eb435e703118d0680f122f59abbb16683eb9477085543062e514b222dc5
SHA512 734ea6963a06a17114f4212cae7f9db12950845ce45d72ffad166cc1fba94a7903af10cf7f8b246682ff5ba23765ce6169a9a21afe61969c0f5b667dd51b59d5
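Read side by side, the three behavioral runs differ in which Google front-end addresses they hit (those rotate per detonation) but agree on two things: every run resolves mmunitedaw.info and opens two TLS connections to 149.100.158.54:443, and every run writes the same UUID-named .dat file under the app's private files directory with a different hash each time. A file unpacked verbatim from the APK would hash identically in each run, so the content is produced at runtime. The script below is an added example, not part of the report; it parses the Network rows exactly as the report prints them (a row with no Domain column has three fields) and compares the runs. The list of suffixes treated as first-party Google traffic, and the decision to fold /data/user/0/<pkg> and /data/data/<pkg> together (the same directory on Android), are this example's assumptions.

```python
from collections import Counter

# Network rows copied from the three behavioral runs above, in the report's own
# "Country Destination [Domain] Proto" layout; rows without a domain have 3 fields.
RUNS_RAW = {
    "behavioral1": """
N/A 224.0.0.251:5353 udp
GB 142.250.187.234:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mmunitedaw.info udp
LT 149.100.158.54:443 mmunitedaw.info tcp
LT 149.100.158.54:443 mmunitedaw.info tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 mmunitedaw.info udp
LT 149.100.158.54:443 mmunitedaw.info tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
LT 149.100.158.54:443 mmunitedaw.info tcp
GB 142.250.200.46:443 tcp
GB 172.217.169.66:443 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
""",
    "behavioral3": """
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 mmunitedaw.info udp
LT 149.100.158.54:443 mmunitedaw.info tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
LT 149.100.158.54:443 mmunitedaw.info tcp
GB 216.58.212.196:443 tcp
GB 216.58.212.196:443 tcp
""",
}

# (path, sha256) of the dropped file in each run, from the Files sections above.
DROPPED = {
    "behavioral1": ("/data/data/com.cold.toothbrush/files/4dcb6219-cd79-4a67-b45a-5a03cc79c961.dat",
                    "c39c789e76ac38ab77377fbf5e143035049d6314f620e1b64f9fd79bcd725f24"),
    "behavioral2": ("/data/data/com.cold.toothbrush/files/4dcb6219-cd79-4a67-b45a-5a03cc79c961.dat",
                    "b696cc4060eb34f35891a16a900d7b28169ee2798c1aa47770af5575ccf513e7"),
    "behavioral3": ("/data/user/0/com.cold.toothbrush/files/4dcb6219-cd79-4a67-b45a-5a03cc79c961.dat",
                    "b03c8eb435e703118d0680f122f59abbb16683eb9477085543062e514b222dc5"),
}

DNS_RESOLVER = "1.1.1.1:53"
MDNS = "224.0.0.251:5353"
# Assumption: names under these suffixes are Google platform traffic, not IOCs.
FIRST_PARTY_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")


def parse_rows(text):
    """Parse the flattened table into (country, destination, domain, proto) tuples."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:          # no Domain column on this row
            parts.insert(2, "")
        rows.append(tuple(parts))
    return rows


def resolved_domains(rows):
    """Names the sample asked the resolver for during one run."""
    return {dom for _, dst, dom, _ in rows if dst == DNS_RESOLVER and dom}


def connections(rows):
    """Hit count per (domain, destination) for real connections (DNS and mDNS excluded)."""
    return Counter((dom, dst) for _, dst, dom, _ in rows if dst not in (DNS_RESOLVER, MDNS))


def stable_endpoints(runs):
    """Endpoints contacted in every run, with the minimum hit count seen across runs."""
    per_run = [connections(parse_rows(t)) for t in runs.values()]
    common = set.intersection(*(set(c) for c in per_run))
    return {ep: min(c[ep] for c in per_run) for ep in common}


def candidate_iocs(runs):
    """Stable endpoints that are not first-party platform traffic."""
    return {ep: n for ep, n in stable_endpoints(runs).items()
            if not ep[0].endswith(FIRST_PARTY_SUFFIXES)}


def dropped_file_consistency(dropped):
    """Same path in every run but a different hash per run: content is generated at
    runtime, not unpacked verbatim. /data/user/0/<pkg> is folded into /data/data/<pkg>."""
    paths = {p.replace("/data/user/0/", "/data/data/", 1) for p, _ in dropped.values()}
    hashes = {h for _, h in dropped.values()}
    return {"paths": paths, "distinct_hashes": len(hashes),
            "generated_per_run": len(paths) == 1 and len(hashes) == len(dropped)}


if __name__ == "__main__":
    print("IOCs seen in every run:", candidate_iocs(RUNS_RAW))
    print("Dropped file:", dropped_file_consistency(DROPPED))
```

The only endpoint that survives the cross-run intersection is mmunitedaw.info at 149.100.158.54:443, hit twice in each run, which is the pair worth blocking and hunting for; the Google addresses drop out because they change from run to run.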