Malware Analysis Report

2025-01-19 08:06

Sample ID 240605-zfzjssha21
Target 9931f48ef055cb08714d8ddf56c8e15b_JaffaCakes118
SHA256 a9ddb9e0b95e80cc1e4d9d75f8379377a4c027be1280e59e6d87d6337b1d6b60
Tags: banker discovery evasion impact persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

a9ddb9e0b95e80cc1e4d9d75f8379377a4c027be1280e59e6d87d6337b1d6b60

Threat Level: Shows suspicious behavior

The file 9931f48ef055cb08714d8ddf56c8e15b_JaffaCakes118 was classified as: shows suspicious behavior.

Malicious Activity Summary

Tags: banker discovery evasion impact persistence

Queries the phone number (MSISDN for GSM devices)

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about active data network

Requests dangerous framework permissions

Acquires the wake lock

Queries information about the current Wi-Fi connection

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-06-05 20:40

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 20:40

Reported

2024-06-05 20:43

Platform

android-x86-arm-20240603-en

Max time kernel

124s

Max time network

131s

Command Line

jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj

Signatures

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/app_bbb_data/classes.zip N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/app_bbb_data/classes.zip --output-vdex-fd=57 --oat-fd=66 --oat-location=/data/user/0/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/app_bbb_data/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 client.bayimob.com udp
US 1.1.1.1:53 client.aqmob.com udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 stats.unity3d.com udp
GB 142.250.187.238:80 www.google-analytics.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp

Files

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/app_bbb_data/classes.zip

MD5 11307be22eda7459ecc3f37e519df627
SHA1 cdaa06f28e228eef7f9495e17528a4f0b5f8f081
SHA256 c7a7aa7af0bbaec66c906f829818e7d84703820bc88b6c7e9951926886a325ff
SHA512 8215b0b5ea93205b6f41ef22bfd28a8593d60e3b645f347963ff8d3aee5412f4bb9ece4ac0b295395c8e3d8d9129366739e0a06c781b4696b6520a7afbe820c1

/data/user/0/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/app_bbb_data/classes.zip

MD5 032fcd4c7d5c02f9d2c5c6e651c266bb
SHA1 502736d7352fa98036294c16554ca5280a21638f
SHA256 53ab47c839e234f00c542e7a05e3302868558fcd9b06bf702041c5057fa2873d
SHA512 de2714bcac1fd75fc125d0120bd3b54ba8f8a4881972a9389d196e469625727b765fe4fdbbf29155b81667ab0a03d927e16dbe3b45ddec05c729e04c0f6527bb

/data/user/0/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/app_bbb_data/classes.zip

MD5 e79d34c5ff3135f8cd44ccfb34080b05
SHA1 8816504c24655d70cd4d8d9b392144f9ce7d6814
SHA256 044c5866ab5fca8e6f868274b201abfc0fc7dd24dad57729302e3b389efe1096
SHA512 13f66c039f256d435ee157858f3b226f95b5ca3e946c8250cf848e1fab62a7de1ef1662183503f08e1af9fa1e22f8a2ec8e85b094ae3a18ba8d5256eb3a31128

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/databases/bbb_a-db-journal

MD5 0d8d9e93074748e44cea7f9c99b6ec32
SHA1 4a0e9dabeed2ddefa4c85f0c208ce1ee6fd243b1
SHA256 b2b690b833faf062f5be2137eb47b4dc35c8994a3245098cd64425ed5c2ef95a
SHA512 119e91c9c7f16fc9a4d5768a8bcd973c28febf6fc7c7bc8e8c97845f873d60d07764f31df3187c096dc034a9c08f6604218d6108dce8782133bab7d98bf6a09e

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/databases/bbb_a-db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/databases/bbb_a-db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/databases/bbb_a-db-wal

MD5 ac04f0b929a2767d361e65322db017fc
SHA1 5f368bfa57e1f5435e0a2e57da907e7d9bffbd81
SHA256 98f8cd55224b2a39ebeef76554f390aced2302961fd14e1398df4b7120d22337
SHA512 7fdfca109ab2927cb284fd29980df6d8efe44f5bdf9265857c48f2c1ef269614a7ba1aebb126c736f344a930bc7f64322cd9ba1a2f6201b49f8834c404988bd9

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/files/umeng_it.cache

MD5 73a94a52a25f171c23c2c78218f96b04
SHA1 33febb9e3bfd59aeb6857bb4137ad9260d1bff62
SHA256 f6c84d0a6d5929da61b113a7bac74e60019594286a82402fc12882c91fa88af4
SHA512 af9cefe349e24e8d79f99157585756867c6d51a367635aa1f85d3684fab77abfc1a6cdae1d5d9f0bb80f99f108e350ee7179122c725497f6cc89da2ae44e31ef

/storage/emulated/0/Android/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/files/SQRareKochoDate2.db

MD5 be1d0e648764d9506f197b063d3233bd
SHA1 3f7a419e8326c2afbc562bb156caacfa42aa9def
SHA256 48d1c028ff6e5ac6fb153ea749cbbfd34df2aba11b96307bb22a9a278ceaa901
SHA512 75baefc1bf63e2aaaf3dbf70a42fc3ec04900e9d6f10930822fb1d057eb78fbadb17ba887d391e592935c67e48d52bc5cc8a697697e48eee67a8cbd63c4af9be

/storage/emulated/0/Android/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/files/SQLiteSaveDate2.db

MD5 9209a0147ec00f019790f987983b8c34
SHA1 3c774e0a54d1fde2b9566d4b33b54bc9042b17f1
SHA256 c354776987d55da78d613f588e7651c8d8fd00b6de6a4423f7d6b69a93605b5f
SHA512 e17613daea805a084a67e32717b67ac196557b5390c4e2be17d7b32422652f91311dc2b3aece734089d1dc6d5f0df00d044c589e3f3dc46f623618693e57d2ba

/storage/emulated/0/Android/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/files/SQLiteOldText2.db

MD5 64119f5dc03f85444f7e17e5dda82426
SHA1 210e899402b6a6179ff6bbf1ee16441fdda3b7b2
SHA256 02ac74cea4c999c5720691a7c5d508cb01593eb87afd9f2a5d268f6f6299b592
SHA512 263e2f9bd55d9d5cf93a7e29857141d90f6eaea39e40cecd5a29a5133ad69ea965d52c7919f8d58d8487de760bb4b24e0f529a67a864ef501e854d9e2cdaf079

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/app_bbb_data/oat/classes.zip.cur.prof

MD5 713234d5ffa1df2dd192fc2ffedf8d57
SHA1 3b603363c71c4f0076c176335dc4b620d0aaa100
SHA256 243f96fa74201d7e1566b079ab8027168b28ed693f6d732e02a96e0abc357a6e
SHA512 a10ab308b5d827c196888ac323ef5b47ca6a509f9ed24157c9e1a94f3ed40bb1b85b397516a7b2d1b08477ba7f9e23ccbbe387165a5a3b13bf2279623444905a

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/files/.imprint

MD5 e1dcce1ed9cd0e89e3f50639350a8e95
SHA1 717de9f0599acd0e7265310066b63819838dfb38
SHA256 b47cadec1b137a31f111aca3f8b0d018459b0924970373f3caf097957854e0db
SHA512 3417a320526490cd734c64724180fcef8374dc96ff2a12e0a7d1b1e84889f0096c60c6c1d4bdc6661aacc47c166e9c75d5084c93afb2b041770b0d71453c42c4

/data/data/jp.ne.colorful.giraffe.shuji.OreKocho3dUnity.pj/files/umeng_it.cache

MD5 807b7794cfecb8da3201d3f5d435d0df
SHA1 92be57084b1fe8bf0fa88b2a28f720073bd52341
SHA256 5aac1202dfb93096305cba6606ad3a1bb9ec35506882a94a6e75e7d4f42ece1a
SHA512 da57e1952a00cac600245357dfb61020490d110efcff46eadbe6ec9af531fdbe1319ebcf2572b077e236a7d16c05ca0f6bff4ec8c3a21c00062e5fa9ce4bfc00

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 20:40

Reported

2024-06-05 20:40

Platform

android-x86-arm-20240603-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-05 20:40

Reported

2024-06-05 20:40

Platform

android-x64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-05 20:40

Reported

2024-06-05 20:40

Platform

android-x64-arm64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A