Malware Analysis Report

2025-01-19 05:02

Sample ID: 240606-atgtgacg4z
Target: 999da9d8651bffa6b2316be1c2a31c98_JaffaCakes118
SHA256: 22543c1adeb9a7fd776e6881d059aa27182b3ff9cb43da53515bd19acf0e3ec2
Tags: banker, collection, discovery, evasion
Score: 7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 22543c1adeb9a7fd776e6881d059aa27182b3ff9cb43da53515bd19acf0e3ec2

Threat Level: Shows suspicious behavior

The file 999da9d8651bffa6b2316be1c2a31c98_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: banker, collection, discovery, evasion

Requests cell location

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about active data network

Queries information about the current Wi-Fi connection

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Reads information about the phone network operator

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 00:30

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 00:30

Reported

2024-06-06 00:33

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

182s

Command Line

com.cooguo.koipond

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Requests cell location

Tags: collection, discovery, evasion

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about the phone network operator

Tags: discovery

Processes

com.cooguo.koipond

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | kuzai.cooguo.com | udp
US | 1.1.1.1:53 | www.google.com | udp
US | 1.1.1.1:53 | app.wapx.cn | udp
GB | 172.217.169.68:80 | www.google.com | tcp
US | 1.1.1.1:53 | banner.cooguo.com | udp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.169.68:80 | www.google.com | tcp
GB | 172.217.169.74:443 | N/A | tcp
US | 1.1.1.1:53 | www.cooguo.com | udp
GB | 172.217.169.74:443 | N/A | tcp
HK | 107.151.99.169:80 | www.cooguo.com | tcp
HK | 107.151.99.169:80 | www.cooguo.com | tcp

Files

/storage/emulated/0/Download/ads/clst.dat

MD5 9e40021d177b90bd1b1e9fead8db16f3
SHA1 0eb498035e020a1eb479547085b4af989f47233c
SHA256 c750ced6e80066b090f5b14e003edd2acf2246d0f68cbe604d05b05710874a4e
SHA512 f149f033d0d3871ffdfa464f4d54a729c91fde172d5ad1263b2075ea20146bf3fa80a6ca69aa74002213bcdd8fc70c1b92e71d6cca33570254b924dc03944125

/storage/emulated/0/Android/data/code/KI.DAT

MD5 2b53b6b030d7bdb5da6ea0d501b6a165
SHA1 fa4e9e8d724d91963a3fa3def11790559cac11c1
SHA256 d8209526853a232417c586b6c130ed3ec53af8a2928b95d032ddcee37b4698fc
SHA512 dceddb69f3c907593c47edd56cea3b5cd68e560f020244e6abf9e63c58263d38b36e8736617758f2c5c7292bffd815af44fee3805217aa9065cd143e0599b128

/storage/emulated/0/Download/kbanner/clst.dat

MD5 0cb190a76d002d2d3c97a22b1dbf60c4
SHA1 ad0f41d75109b85debde14a6415e6b6a5fda20f3
SHA256 ade4e92cbf9585b4ef582d533ae92e5064fe7baf128b3761dd37e07d81be49b5
SHA512 e1968197ee60800de53def784239da9444647c48d9390f4bf204edb1bc3d68f06c3b373ba41c3e5dfbfb9879873e752f069fe6e6348d8c26dee8ae8fb0e1e544

/data/data/com.cooguo.koipond/databases/bdownloads-journal

MD5 429641ecdf441370b6b27047fc567ddd
SHA1 874a68c7872442999303a105bd773804ffb7b904
SHA256 a7bb392d0a9255746fd8c835689d8371f0dbee7525dd162d03192c5ca284b563
SHA512 27d697b69b82ff29dc416682798927844e4bbd8f1cfe6de196cf98499f69424d4d7dc095b7863120500a20a4bba7bf84c344af84469a83a535e8b78a0a9e7c63

/data/data/com.cooguo.koipond/databases/bdownloads

MD5 b06bd572f18bc2ff6cdedfe3e2a70e67
SHA1 2051cbfe0b2dea86da5244936835d3d0815bd594
SHA256 8904ededa7f206ccf180e4f9bf5cb18d7cd258954d7beb5a5cc517247c359e39
SHA512 4b67b75b7948617c117f99ac9c88cbf196988d8b12191fae4a6b53047353c8fddb476389df8878d3afa00defbedf48f1da4c4f46fa739ab29ab40304c67f1238

/data/data/com.cooguo.koipond/databases/bdownloads-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cooguo.koipond/databases/bdownloads-wal

MD5 960d48e685069eae24889a57cf6d3058
SHA1 f790a90a15a46c4ea1f0fcfce3255b2ba5fb5d26
SHA256 2f525d87756f1a55422147ade9f6add358c041646ac21d6836313c05a2edb4c2
SHA512 21f7bf7aab9b5905a5fe6eb055237402f8d1fd2c3721120591754f68e99b6c7472bf317a8c91df69ca52e97fbd8b14ade1aeb721750d83e9f97edeeadea6fd63

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 461af63f3eaeb820519ec785ffcc5821
SHA1 339e88188a1f054473fc7bca2c2cdc31ead7bf85
SHA256 e43e346a5abb361b9e57f8971fd1277ad6e1385c92a1cb8a502f42e1f1918f0a
SHA512 564bf65182d94642b86e4aee92faf63e812841bd0f277ef390ee0ac939a24f92e140b019e0c4f604a22cd6552cb3ba0cecef451ae9029e102b78088944517837

/storage/emulated/0/Android/custom.dat

MD5 497e67f729d4697613e2dc0e49f179d1
SHA1 371c60d128d85abab865f885250eb6fa5d542883
SHA256 e9295ece849b35e5dd5476d27c0b6966de00f6f115b1f65ec7b67f67bdd34178
SHA512 9ca27ef0de1239bc56f9f940b88a8ba477ee1e76bd1c4e0ca8b3a117b94780444c4991e59ec247d8180e6d8d3fb8a9f0d37f97615c7175a4af54fcdb5aef4f14

/storage/emulated/0/Android/Package.dat

MD5 696ce15b46ebffbeae66dd8253f03fe2
SHA1 34bc4bfc640aeb7496b8b839ab59388d10da0e55
SHA256 64bb0713b4d039551cca71dc4e0c505507095fc71fa42ecd6942f11ddc743ec8
SHA512 9f96f7edd18769ff47cfb31fcbee2b19d43c717254f50819fe43ae5c4600bc0afd529911db328b576ea90f1e3224e69c35a7fb3642225f47e26336a36fd6787e

/storage/emulated/0/Android/data/cache/UnPackage.dat

MD5 4404289c11a0a463a9767cb5176ccb35
SHA1 7b7748ce9c6f1b75ebe23f6d15efad6044ef66c8
SHA256 1ce5ce282e87b42c226bf0fe914ba30aed6436d3da91c9fd6a93cf6e19bec7d6
SHA512 f0e3a0a92c8ba90a0f91e532fa33531201d8cdee4a5fd3f26c60867f556ae8799a628e3d4c93db75eba044b9c1b1eb75678af3f08b08056d10915b8989de1647