Malware Analysis Report

2024-09-09 16:30

Sample ID 240610-jd9c8aef43
Target 9a6e0298e290d194e2e92285753daf67_JaffaCakes118
SHA256 d2577719bd1817b27f5ea0f143ac5a67c238c5e7d93399dc960a4923e60bf45c
Tags
discovery persistence collection credential_access impact evasion
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral3 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral4 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
7/10

SHA256

d2577719bd1817b27f5ea0f143ac5a67c238c5e7d93399dc960a4923e60bf45c

Threat Level: Shows suspicious behavior

The file 9a6e0298e290d194e2e92285753daf67_JaffaCakes118 was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

discovery persistence collection credential_access impact evasion

Queries information about the current nearby Wi-Fi networks

Obtains sensitive information copied to the device clipboard

Requests cell location

Reads information about phone network operator.

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information
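
The behaviours listed above are reported as Binder framework service calls observed at runtime. The Python below is an editor-added example, not code from the sandbox or from the analysed sample: it maps each reported Binder indicator to the public SDK method references that reach it and scans apktool-style smali for those references, so the same checks can be run statically on an APK before detonation. The Binder-to-SDK mapping is the editor's assumption about how the SDK wrappers call their services, and the smali sample input is constructed for the example.

```python
"""Static counterpart to the sandbox's runtime 'framework service call' signatures.
Editor-added example. The Binder-to-SDK mapping is an assumption; SAMPLE_SMALI is
constructed input, not the analysed sample's code.
"""
import os
import re
from typing import Dict, List

# Sandbox indicator -> substrings of a smali invoke target that reach it.
SIGNATURE_MAP: Dict[str, List[str]] = {
    "android.net.wifi.IWifiManager.getScanResults": [
        "Landroid/net/wifi/WifiManager;->getScanResults("],
    "android.net.wifi.IWifiManager.getConnectionInfo": [
        "Landroid/net/wifi/WifiManager;->getConnectionInfo("],
    "android.net.IConnectivityManager.getActiveNetworkInfo": [
        "Landroid/net/ConnectivityManager;->getActiveNetworkInfo("],
    "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone": [
        "Landroid/telephony/TelephonyManager;->getNetworkCountryIso("],
    "com.android.internal.telephony.ITelephony.getCellLocation": [
        "Landroid/telephony/TelephonyManager;->getCellLocation("],
    "android.content.IClipboard.addPrimaryClipChangedListener": [
        "Landroid/content/ClipboardManager;->addPrimaryClipChangedListener("],
    # Context.registerReceiver is normally invoked on the app's own Activity or
    # Service class, so match on method name and first parameter type only.
    "android.app.IActivityManager.registerReceiver": [
        "->registerReceiver(Landroid/content/BroadcastReceiver;"],
    "Queries the unique device ID (IMEI, MEID, IMSI)": [
        "Landroid/telephony/TelephonyManager;->getDeviceId(",
        "Landroid/telephony/TelephonyManager;->getImei(",
        "Landroid/telephony/TelephonyManager;->getMeid(",
        "Landroid/telephony/TelephonyManager;->getSubscriberId("],
}

INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L\S+)$")
PROC_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"(/proc/(?:cpuinfo|meminfo))"')


def scan_smali(text: str) -> Dict[str, List[int]]:
    """Return {signature: [1-based line numbers]} for one smali file's contents."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INVOKE_RE.match(line)
        if m:
            target = m.group(1)
            for sig, needles in SIGNATURE_MAP.items():
                if any(n in target for n in needles):
                    hits.setdefault(sig, []).append(lineno)
        p = PROC_RE.search(line)
        if p:
            hits.setdefault(f"File opened for read {p.group(1)}", []).append(lineno)
    return hits


def scan_tree(root: str) -> Dict[str, Dict[str, List[int]]]:
    """Scan every .smali file under an apktool output directory; {path: hits}."""
    results: Dict[str, Dict[str, List[int]]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".smali"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_smali(fh.read())
                if found:
                    results[path] = found
    return results


# Constructed smali resembling what apktool emits for an app doing the
# collection seen in the report; not taken from the analysed sample.
SAMPLE_SMALI = """\
.class public Lcom/example/Collector;
.super Ljava/lang/Object;

.method public run(Landroid/content/Context;)V
    .locals 3
    const-string v0, "wifi"
    invoke-virtual {p1, v0}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v1
    check-cast v1, Landroid/net/wifi/WifiManager;
    invoke-virtual {v1}, Landroid/net/wifi/WifiManager;->getScanResults()Ljava/util/List;
    move-result-object v2
    const-string v0, "phone"
    invoke-virtual {p1, v0}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v1
    check-cast v1, Landroid/telephony/TelephonyManager;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v2
    const-string v0, "clipboard"
    invoke-virtual {p1, v0}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v1
    check-cast v1, Landroid/content/ClipboardManager;
    new-instance v2, Lcom/example/Collector$ClipWatcher;
    invoke-direct {v2}, Lcom/example/Collector$ClipWatcher;-><init>()V
    invoke-virtual {v1, v2}, Landroid/content/ClipboardManager;->addPrimaryClipChangedListener(Landroid/content/ClipboardManager$OnPrimaryClipChangedListener;)V
    const-string v0, "/proc/cpuinfo"
    new-instance v1, Ljava/io/FileReader;
    invoke-direct {v1, v0}, Ljava/io/FileReader;-><init>(Ljava/lang/String;)V
    return-void
.end method
"""
```

Run `scan_tree("out/")` against an `apktool d sample.apk -o out` directory; `scan_smali(SAMPLE_SMALI)` reports the Wi-Fi scan, device-ID, clipboard-listener and /proc/cpuinfo indicators at lines 10, 16, 24 and 25 of the constructed sample. A hit proves only that the call site exists in the code; the sandbox signatures above show which of them actually executed.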

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-10 07:36

Signatures

Requests dangerous framework permissions

Permission: android.permission.WRITE_EXTERNAL_STORAGE
Description: Allows an application to write to external storage.
Process / Target: N/A

Permission: android.permission.READ_PHONE_STATE
Description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Process / Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 07:34
Reported: 2024-06-10 07:39
Platform: android-x86-arm-20240603-en
Max time kernel: 28s
Max time network: 131s

Command Line

com.msxf.localapp8512

Signatures (the Process and Target columns are N/A for every indicator below)

Queries information about the current nearby Wi-Fi networks
Tags: discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getScanResults

Queries information about active data network
Tags: discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)
Tags: discovery
Indicator: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver

Checks CPU information
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Indicator: File opened for read /proc/meminfo

Processes

com.msxf.localapp8512

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            hmma.baidu.com            udp
HK       103.235.47.161:80     hmma.baidu.com            tcp
US       1.1.1.1:53            www.msxf.net              udp
CN       119.29.168.97:80      www.msxf.net              tcp
US       1.1.1.1:53            api.msxf.net              udp
GB       172.217.16.238:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       216.58.212.206:443    android.apis.google.com   tcp
('-' = no domain recorded for that connection)

Files

/data/data/com.msxf.localapp8512/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

/data/data/com.msxf.localapp8512/files/__local_last_session.json

MD5 caa989b9f9e859533be52f8284f9f03f
SHA1 f258b65d7fd29013d4b7fb4ed7f9e7dfab998224
SHA256 61bc5b84f65d14ecf80bace3518e59368e7a15ced56bb7f8e7b4d57f28bcbb6b
SHA512 d741681103063f1463a07b1492e868211f8feede83173de9c058bc37e7e2a5dd2556cf988c26db5f3aa4ccaab7795b6901674a5cebcf2a20ac5f507789344fe9

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 07:34
Reported: 2024-06-10 07:39
Platform: android-x64-20240603-en
Max time kernel: 47s
Max time network: 150s

Command Line

com.msxf.localapp8512

Signatures (the Process and Target columns are N/A for every indicator below)

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Indicator: Framework service call android.content.IClipboard.addPrimaryClipChangedListener
Note: on Android 10 and later the system only delivers clipboard contents to the app in the foreground or to the default input method, so this listener captures data only while the app is in front; on older releases any app with the listener registered sees every clipboard change.

Queries information about the current nearby Wi-Fi networks
Tags: discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getScanResults

Queries information about active data network
Tags: discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)
Tags: discovery
Indicator: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery
Indicator: none listed

Reads information about phone network operator.
Tags: discovery
Indicator: none listed

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver

Checks CPU information
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Indicator: File opened for read /proc/meminfo

Processes

com.msxf.localapp8512

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            hmma.baidu.com            udp
HK       103.235.47.161:80     hmma.baidu.com            tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       172.217.16.232:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53            www.msxf.net              udp
CN       119.29.168.97:80      www.msxf.net              tcp
US       1.1.1.1:53            api.msxf.net              udp
GB       142.250.187.234:443   -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.187.206:443   android.apis.google.com   tcp
GB       172.217.169.14:443    -                         tcp
GB       142.250.187.226:443   -                         tcp
GB       142.250.187.228:443   -                         tcp
US       1.1.1.1:53            www.google.com            udp
GB       172.217.169.68:443    www.google.com            tcp
GB       142.250.200.14:443    -                         tcp
('-' = no domain recorded for that connection)
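
Several destinations in this table are sandbox or platform traffic rather than the sample's own infrastructure. The Python below is an editor-added example, not part of the report: it parses the behavioral2 rows (copied from the table above as constructed input), separates multicast mDNS and resolver traffic, Google platform endpoints and third-party analytics from the remaining first-party contacts, and checks which DNS-resolved names were actually contacted afterwards. The suffix lists used for classification are the editor's assumptions, not something the report states.

```python
"""Triage a sandbox network table: split noise from the sample's own contacts.
Editor-added example. REPORT_ROWS is copied from the report's behavioral2 run;
the suffix lists are the editor's assumptions about platform/telemetry traffic.
"""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Optional

REPORT_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 hmma.baidu.com udp
HK 103.235.47.161:80 hmma.baidu.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 www.msxf.net udp
CN 119.29.168.97:80 www.msxf.net tcp
US 1.1.1.1:53 api.msxf.net udp
GB 142.250.187.234:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
GB 142.250.187.226:443 tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.68:443 www.google.com tcp
GB 142.250.200.14:443 tcp
"""

# Assumed: Android platform check-in / Play services, and third-party analytics SDKs.
PLATFORM_SUFFIXES = ("google.com",)
TELEMETRY_SUFFIXES = ("google-analytics.com", "baidu.com")


class Flow(NamedTuple):
    country: str
    host: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> List[Flow]:
    """Parse 'country destination [domain] proto' rows; the domain column is optional."""
    flows: List[Flow] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        host, port = dest.rsplit(":", 1)
        flows.append(Flow(country, host, int(port), domain, proto))
    return flows


def _has_suffix(domain: str, suffixes: Iterable[str]) -> bool:
    # Exact or dot-bounded match so 'notgoogle.com' does not count as google.com.
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(flows: List[Flow]) -> Dict[str, List[str]]:
    """Bucket each flow; multicast and resolver traffic count as sandbox noise."""
    out: Dict[str, List[str]] = {
        k: [] for k in ("sandbox_noise", "platform", "telemetry", "first_party", "unattributed")}
    for f in flows:
        label = f"{f.host}:{f.port}/{f.proto}"
        if ipaddress.ip_address(f.host).is_multicast or (f.port == 53 and f.proto == "udp"):
            out["sandbox_noise"].append(label)      # mDNS on the sandbox LAN / DNS resolver
        elif f.domain is None:
            out["unattributed"].append(label)       # pivot on pcap TLS SNI or rDNS to attribute
        elif _has_suffix(f.domain, PLATFORM_SUFFIXES):
            out["platform"].append(f"{f.domain} -> {label}")
        elif _has_suffix(f.domain, TELEMETRY_SUFFIXES):
            out["telemetry"].append(f"{f.domain} -> {label}")
        else:
            out["first_party"].append(f"{f.domain} -> {label}")
    return {k: sorted(set(v)) for k, v in out.items()}


def dns_coverage(flows: List[Flow]) -> Dict[str, bool]:
    """For every name the sample resolved, whether a non-DNS flow to it was recorded."""
    resolved = {f.domain for f in flows if f.port == 53 and f.domain}
    contacted = {f.domain for f in flows if f.port != 53 and f.domain}
    return {name: name in contacted for name in sorted(resolved)}
```

On these rows `classify` leaves a single first-party contact, www.msxf.net on 119.29.168.97:80, plus five unattributed TLS connections, and `dns_coverage` shows api.msxf.net was resolved but never appears on a recorded connection; the unattributed 443 flows are where an analyst would look for it in the pcap.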

Files

/data/data/com.msxf.localapp8512/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

/data/data/com.msxf.localapp8512/files/__local_last_session.json

MD5 b5f457a26b047044648e82d77f049e40
SHA1 8880fd02f10a18bb8ab8c828d6ab4d6879c47e80
SHA256 9f15fa818752fa23a548d073a7973d379e284f2537226bbd97773939363074d2
SHA512 4cc098cced169811c462edae8268dbbc9557a78eae8b2cad6747f0b9110f5ec87f799568cc4a46fb9110519cf8e63eaa11531ae93c2eaba5a0ab125a8290af42

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-10 07:34
Reported: 2024-06-10 07:39
Platform: android-x64-arm64-20240603-en
Max time kernel: 28s
Max time network: 132s

Command Line

com.msxf.localapp8512

Signatures (the Process and Target columns are N/A for every indicator below)

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Indicator: Framework service call android.content.IClipboard.addPrimaryClipChangedListener

Queries information about active data network
Tags: discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Reads information about phone network operator.
Tags: discovery
Indicator: none listed

Checks CPU information
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Indicator: File opened for read /proc/meminfo

Processes

com.msxf.localapp8512

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
GB       172.217.16.238:443    -                         tcp
GB       172.217.16.238:443    -                         tcp
US       1.1.1.1:53            hmma.baidu.com            udp
HK       103.235.47.161:80     hmma.baidu.com            tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       142.250.187.200:443   ssl.google-analytics.com  tcp
US       1.1.1.1:53            www.msxf.net              udp
CN       119.29.168.97:80      www.msxf.net              tcp
US       1.1.1.1:53            api.msxf.net              udp
GB       172.217.169.68:443    -                         tcp
GB       172.217.169.68:443    -                         tcp
('-' = no domain recorded for that connection)

Files

/data/user/0/com.msxf.localapp8512/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

/data/user/0/com.msxf.localapp8512/files/__local_last_session.json

MD5 7271ef9efda796eaebd8a3ee7b1adc30
SHA1 99b706855895006ad03346a930a4490624946e98
SHA256 80b47ee9da83725556b0c964d648acbe14b39a8c6811b84e9906afc075673ae7
SHA512 a4234ca69735614870553b6a2d8f277211bbfa27dd4c72b7b997148740b5cc36113f175ee17920467436cc3bb7894200b8c157c5e776787f7aa6cb5ca048c7d3

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-10 07:34
Reported: 2024-06-10 07:39
Platform: android-x86-arm-20240603-en
Max time kernel: 3s
Max time network: 131s

Command Line

com.alipay.android.app (this run's process name differs from the com.msxf.localapp8512 package seen in the other detonations)

Signatures (the Process and Target columns are N/A for every indicator below)

Requests cell location
Tags: collection discovery evasion
Indicator: Framework service call com.android.internal.telephony.ITelephony.getCellLocation

Queries information about active data network
Tags: discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: Framework service call android.net.wifi.IWifiManager.getConnectionInfo

Processes

com.alipay.android.app

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
GB       142.250.200.46:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.178.14:443    android.apis.google.com   tcp
('-' = no domain recorded for that connection)

Files

N/A