Malware Analysis Report

2025-01-19 05:03

Sample ID: 240605-z58h1aae77
Target: 994677fdef53b1baa8860952f62a0554_JaffaCakes118
SHA256: 27288451a7f4ac6321de7e2a7938a2dc4f1649f5eb3119feb4a5c37de4c24ef1
Tags: banker collection discovery evasion impact persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file 994677fdef53b1baa8860952f62a0554_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: banker collection discovery evasion impact persistence

Requests cell location

Reads the content of the SMS messages.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Checks Android system properties for emulator presence.

Reads the content of SMS inbox messages.

Queries the mobile country code (MCC)

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-05 21:19

Signatures

Requests dangerous framework permissions

Indicator: Description
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.RECEIVE_MMS: Allows an application to monitor incoming MMS messages.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-05 21:19
Reported: 2024-06-05 21:25
Platform: android-x86-arm-20240603-en
Max time kernel: 55s
Max time network: 176s

Command Line

com.lko.dvocyu

Signatures

Checks Android system properties for emulator presence.

Tags: evasion
Indicator: Accessed system property key: ro.product.model

Loads dropped Dex/Jar

Tags: evasion
Indicators:
  /data/user/0/com.lko.dvocyu/files/ne/VLimljko.jar
  /data/user/0/com.lko.dvocyu/files/Pdd.apk
  /data/user/0/com.lko.dvocyu/app_dex/utopay.jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Reads the content of SMS inbox messages.

Tags: collection
Indicator: URI accessed for read: content://sms/inbox

Reads the content of the SMS messages.

Tags: collection
Indicator: URI accessed for read: content://sms/

Requests cell location

Tags: collection discovery evasion
Indicator: Framework service call: com.android.internal.telephony.ITelephony.getCellLocation

Queries information about active data network

Tags: discovery
Indicator: Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection

Tags: discovery
Indicator: Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)

Tags: discovery
Indicator: Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Requests dangerous framework permissions

Indicator: Description
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.CAMERA: Required to be able to access the camera device.

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Indicator: Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Indicator: Framework API call: javax.crypto.Cipher.doFinal

Checks memory information

Indicator: File opened for read: /proc/meminfo

Processes

com.lko.dvocyu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lko.dvocyu/files/ne/VLimljko.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.lko.dvocyu/files/ne/oat/x86/VLimljko.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lko.dvocyu/files/Pdd.apk --output-vdex-fd=60 --oat-fd=65 --oat-location=/data/user/0/com.lko.dvocyu/files/oat/x86/Pdd.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lko.dvocyu/app_dex/utopay.jar --output-vdex-fd=77 --oat-fd=78 --oat-location=/data/user/0/com.lko.dvocyu/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | app.jtmtht.com | udp
US | 104.155.138.21:89 | app.jtmtht.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 172.217.169.74:443 | | tcp
CN | 120.55.89.238:8977 | | tcp
US | 1.1.1.1:53 | sdk.qipagame.cn | udp
US | 1.1.1.1:53 | jx.hamofo.com | udp
US | 1.1.1.1:53 | xiafa.hamofo.com | udp
US | 1.1.1.1:53 | vpay.api.eerichina.com | udp

Files

/data/data/com.lko.dvocyu/files/ne/VLimljko.jar

/data/user/0/com.lko.dvocyu/files/ne/VLimljko.jar

/data/user/0/com.lko.dvocyu/files/ne/VLimljko.jar

/data/data/com.lko.dvocyu/files/Pdd.apk

/data/user/0/com.lko.dvocyu/files/Pdd.apk

/data/user/0/com.lko.dvocyu/files/Pdd.apk

/data/data/com.lko.dvocyu/databases/wochi_v4.db-journal

/data/data/com.lko.dvocyu/databases/wochi_v4.db

/data/data/com.lko.dvocyu/databases/wochi_v4.db-shm

/data/data/com.lko.dvocyu/databases/wochi_v4.db-wal

/data/data/com.lko.dvocyu/app_dex/utopay.jar

/data/data/com.lko.dvocyu/files/log.dat

/data/user/0/com.lko.dvocyu/app_dex/utopay.jar

/data/user/0/com.lko.dvocyu/app_dex/utopay.jar

/data/data/com.lko.dvocyu/files/yl_plugin.apk

/data/data/com.lko.dvocyu/databases/740410100062013-journal

/data/data/com.lko.dvocyu/databases/740410100062013-wal
