Malware Analysis Report

2025-01-19 08:06

Sample ID 240606-cryqbaff26
Target 99cb54c8251809a995e1ebe8ae984bc6_JaffaCakes118
SHA256 810377aec8c8a795b8338736aeecdf3e681f0fbf3b9755d213c7a03dcb87d9eb
Tags
evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

810377aec8c8a795b8338736aeecdf3e681f0fbf3b9755d213c7a03dcb87d9eb

Threat Level: Shows suspicious behavior

The file 99cb54c8251809a995e1ebe8ae984bc6_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

evasion impact persistence

Loads dropped Dex/Jar

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 02:19

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:33

Platform

android-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:42

Platform

android-x86-arm-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:32

Platform

android-x64-20240603-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:42

Platform

android-x86-arm-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:46

Platform

android-x86-arm-20240603-en

Max time kernel

7s

Max time network

131s

Command Line

com.sakai.imikowa2.pj

Signatures

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /storage/emulated/0/Android/data/com.sakai.imikowa2.pj/cache/pujia/patch.apk | N/A | N/A |
| N/A | /storage/emulated/0/Android/data/com.sakai.imikowa2.pj/cache/pujia/patch.apk | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.sakai.imikowa2.pj

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/com.sakai.imikowa2.pj/cache/pujia/patch.apk --output-vdex-fd=48 --oat-fd=105 --oat-location=/storage/emulated/0/Android/data/com.sakai.imikowa2.pj/cache/pujia/oat/x86/patch.odex --compiler-filter=quicken --class-loader-context=&

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | setting.adzcore.com | udp |
| US | 1.1.1.1:53 | setting.adzcore.com | udp |
| US | 1.1.1.1:53 | setting.adzcore.com | udp |
| US | 1.1.1.1:53 | setting.adzcore.com | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |

Files

/data/data/com.sakai.imikowa2.pj/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/data/com.sakai.imikowa2.pj/databases/partytrack-journal

MD5 539f03a6f21bbc3210ab4a02fe577143
SHA1 e4439dcdee30e9c87e7c92d43d2bde5f5af81ab5
SHA256 6d4dfed2d2d11e3dc991e0aabac380ea8e20b0640b90a6b12359b30f2f02caa7
SHA512 9246c66c4653884ac4fa93950894007197e8ccde8a6bf5a204be5e8557b274481c0a6192e3c54bfcd679ac7c157d6d434c72880c938289b130b4bc199910e243

/data/data/com.sakai.imikowa2.pj/databases/partytrack

MD5 3fabf09ddda0c5c50006154a5101223b
SHA1 4ba5de973e1edf5b0259cd617808fc45e3c320e4
SHA256 cd16181d54b4b2fb2a46c517648bc09c59650144de19ef7164c26c4f4100cd69
SHA512 91c868e590803eec6d572d19a0f836587aa2ee174877b524763cda8509293e458174184fab61509c956ad51d641d31ddc4c40f86a3ad044c22067c42f576e1b4

/data/data/com.sakai.imikowa2.pj/databases/partytrack-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.sakai.imikowa2.pj/databases/partytrack-wal

MD5 cf60f2fd6e4b79fe471c7bb32b23ae5c
SHA1 1d7c4306109d83717b252802e501a2e950942bd4
SHA256 f46cfe1c260a0b235a2442f7fdca90211a0a30f1b111b194522711ff6ed022b1
SHA512 af9537790a80da9d0f8c0c5abaf5db01edf13593d03bbec89adea09c6aa5c6ac637c31a2694d624bbc929b2f77812a122c4bc4813e3531bda2e482087953f686

/storage/emulated/0/Android/data/com.sakai.imikowa2.pj/cache/pujia/patch.apk

MD5 4fbbfb5f86156ed67af4d6c6a4f3bb99
SHA1 cd0912603a759b9e74899ada8b18aa418c278b28
SHA256 4fef18a19ac2625a353e3d9ccecbce3fedb5a71925b7419a5752dc8c02aafd4b
SHA512 e14edf5a79f479c5c69fb3593d16ed64dec7b8f2c6ebbd8bbdd8927ff06ab9447d7c9e8ff6759b3e569dd414702a7396cc2f37dfb8845293754cd0ee01c28736

/storage/emulated/0/Android/data/com.sakai.imikowa2.pj/cache/pujia/patch.apk

MD5 2b53405cabedd6139a945b097d292072
SHA1 fe01d81e66a5ad1539c51343e31acd7b684b4823
SHA256 4d55b97d362af2cd13957e0f79a1f8a070f7644d337e7f57c628230247a3f0cd
SHA512 d224c03104f75e2b8335158efc160b7dc125d389fd2a85ede2676375ec03a155306145cd53ea0ee3a3d1f34d201bf350d3b035e1cd17e24163662c83df74a63f

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:33

Platform

android-x64-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:32

Platform

android-x64-arm64-20240603-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:43

Platform

android-x86-arm-20240603-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:43

Platform

android-x64-arm64-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:42

Platform

android-x86-arm-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:32

Platform

android-x64-arm64-20240603-en

Max time network

10s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:42

Platform

android-x64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:42

Platform

android-x86-arm-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-06 02:19

Reported

2024-06-06 02:32

Platform

android-x64-20240603-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |

Files

N/A