Malware Analysis Report

2024-09-09 16:29

Sample ID 240610-jmdmxaeg68
Target 9a6e7473d3ea60ac7587580675aab6fc_JaffaCakes118
SHA256 770830abbfacbc0763adaa6dbb80a32c8db62a97adbbf002f9be020f613e4da7
Tags
collection discovery evasion persistence credential_access impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

770830abbfacbc0763adaa6dbb80a32c8db62a97adbbf002f9be020f613e4da7

Threat Level: Likely malicious

The file 9a6e7473d3ea60ac7587580675aab6fc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion persistence credential_access impact

Checks if the Android device is rooted.

Queries information about the current nearby Wi-Fi networks

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Requests cell location

Declares services with permission to bind to the system

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries information about active data network

Requests dangerous framework permissions

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 07:46

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
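The permission list above is what the static pass sees; what matters for triage is which capabilities the combination buys. The following is an added example, not code from the report or from the sample: it parses a manifest constructed to declare exactly the permissions listed above (a real APK carries a binary AXML manifest that has to be decoded with apktool or androguard first), maps each permission to a capability, and flags the combinations that go beyond what an advertising SDK needs. The capability labels and the combination rules are this editor's own heuristics, not a standard.

```python
"""Triage the permissions behind the static1 table above.

Added example, not code from the report or the sample. The manifest text is
constructed to declare exactly the permissions the report lists; the capability
labels and the combination rules are this editor's own triage heuristics.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest. A real APK stores this as binary AXML; decode it first
# (apktool or androguard) before feeding it to parse_manifest().
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.mcmlmpnimlmemmna.lei">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <application>
    <service android:name=".Ime"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>
"""

# What each dangerous permission buys an attacker (editor's grouping).
CAPABILITY = {
    "android.permission.SEND_SMS": "sms",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.PROCESS_OUTGOING_CALLS": "calls",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.PACKAGE_USAGE_STATS": "usage_stats",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_PHONE_STATE": "device_id",
    "android.permission.WRITE_SETTINGS": "settings",
}

# Combinations that read as more than an advertising SDK needs.
COMBOS = {
    "premium_sms_or_call_fraud": {"sms", "calls"},
    "overlay_phishing": {"overlay", "usage_stats"},  # draw over the foreground app it can identify
    "second_stage_install": {"sideload", "storage"},
    "surveillance": {"audio", "location", "contacts"},
}


def parse_manifest(xml_text):
    """Return (uses-permission names, {(service name, permission the service requires)})."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    bound = {(s.get(NAME), s.get(PERMISSION))
             for s in root.iter("service") if s.get(PERMISSION)}
    return perms, bound


def triage(xml_text):
    perms, bound = parse_manifest(xml_text)
    caps = {CAPABILITY[p] for p in perms if p in CAPABILITY}
    return {
        "dangerous": sorted(p for p in perms if p in CAPABILITY),
        "capabilities": sorted(caps),
        "combos": sorted(n for n, need in COMBOS.items() if need <= caps),
        # A service guarded by BIND_INPUT_METHOD is an IME: once the user
        # enables it, the app sees every keystroke typed into any other app.
        "ime_service": any(p == "android.permission.BIND_INPUT_METHOD"
                           for _, p in bound),
    }
```

Run `triage(SAMPLE_MANIFEST)` and all four combinations fire alongside the IME service, which is the point: no single permission here is conclusive, but SMS plus outgoing-call control plus overlay plus package-install, together with a custom keyboard, is the profile of a toll-fraud or credential-theft app rather than an ad library.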

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 07:46

Reported

2024-06-10 07:50

Platform

android-x86-arm-20240603-en

Max time kernel

24s

Max time network

131s

Command Line

com.mcmlmpnimlmemmna.lei

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mcmlmpnimlmemmna.lei/files/AdDex.3.2.0.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mcmlmpnimlmemmna.lei

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | api.voiceads.cn | udp
CN | 114.118.65.26:80 | api.voiceads.cn | tcp
CN | 114.118.65.25:80 | api.voiceads.cn | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 114.118.64.21:80 | api.voiceads.cn | tcp

Files

/data/data/com.mcmlmpnimlmemmna.lei/files/AdDex.3.2.0.dex

MD5 c5e1dd0a8096e3883a437597fa0b3713
SHA1 d24a7d387943916a37c8d613e3e5502aa053efdc
SHA256 a717d86d76a8bb7fa0eb718bbdd5fd176a80ee7571c65ff999ef72f11d1adb8e
SHA512 fb3cdb82eaec7f8f76b6e8b4d48df43efc8448771bc9419eb19ffdfea075f029bbc33dce2706ce042aaf2d698a29e77e1899cb8b6c60d96528a1fb1bdfcc86e2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 07:46

Reported

2024-06-10 07:50

Platform

android-x64-arm64-20240603-en

Max time kernel

107s

Max time network

139s

Command Line

com.mcmlmpnimlmemmna.lei

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mcmlmpnimlmemmna.lei/files/AdDex.3.2.0.dex N/A N/A
N/A /data/user/0/com.mcmlmpnimlmemmna.lei/files/AdDex.3.2.0.dex N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mcmlmpnimlmemmna.lei

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.204.78:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | - | tcp
GB | 142.250.178.10:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.voiceads.cn | udp
CN | 114.118.65.26:80 | api.voiceads.cn | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
CN | 114.118.65.25:80 | api.voiceads.cn | tcp
CN | 114.118.64.21:80 | api.voiceads.cn | tcp
GB | 216.58.212.196:443 | - | tcp
GB | 216.58.212.196:443 | - | tcp
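Both behavioral network tables (behavioral1 and behavioral2) mix sandbox and platform noise with the sample's own traffic. The following is an added example, not code from the report: it parses the rows of both tables as they appear on this page (space-separated, or pipe-separated with "-" for an empty domain), separates mDNS, resolver lookups and Google platform endpoints from real contacts, and leaves the unresolved TLS endpoints for the analyst. Treating 1.1.1.1:53 as the sandbox's resolver and the listed Google suffixes as platform noise are this editor's assumptions.

```python
"""Pull actionable IOCs out of the behavioral1 and behavioral2 network tables.

Added example, not code from the report. The rows are copied from the two
tables; treating 1.1.1.1:53 as the sandbox resolver and the listed Google
suffixes as platform noise are this editor's assumptions.
"""
import re
from collections import defaultdict

# Rows from both behavioral network tables (copied from the report).
REPORT_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.voiceads.cn udp
CN 114.118.65.26:80 api.voiceads.cn tcp
CN 114.118.65.25:80 api.voiceads.cn tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 114.118.64.21:80 api.voiceads.cn tcp
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.178.10:443 tcp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.voiceads.cn udp
CN 114.118.65.26:80 api.voiceads.cn tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
CN 114.118.65.25:80 api.voiceads.cn tcp
CN 114.118.64.21:80 api.voiceads.cn tcp
GB 216.58.212.196:443 tcp
GB 216.58.212.196:443 tcp
"""

# One report row: country, ip:port, optional domain, protocol. The domain must
# contain a dot so that "tcp"/"udp" is never mistaken for a missing domain.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))?\s+(?P<proto>tcp|udp)$"
)
SANDBOX_RESOLVER = "1.1.1.1"  # assumption: the sandbox's DNS forwarder
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")


def normalize(line):
    """Accept raw rows or pipe-separated rows with '-' for an empty cell."""
    return " ".join(t for t in line.replace("|", " ").split() if t != "-")


def classify(row):
    if row["ip"].startswith("224.0.0.") or row["port"] == "5353":
        return "mdns"        # link-local multicast, not C2
    if row["port"] == "53" and row["ip"] == SANDBOX_RESOLVER:
        return "lookup"      # what the app asked for
    if row["domain"] and row["domain"].endswith(PLATFORM_SUFFIXES):
        return "platform"    # Play services / analytics
    if row["domain"]:
        return "contact"     # where it actually sent bytes
    return "unresolved"      # TLS to an IP with no observed lookup


def extract_iocs(text):
    lookups, unresolved, unparsed, noise = set(), set(), [], 0
    contacts, platform = defaultdict(set), defaultdict(set)
    for raw in text.splitlines():
        line = normalize(raw)
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            unparsed.append(raw)
            continue
        row = m.groupdict()
        endpoint = "%s:%s" % (row["ip"], row["port"])
        kind = classify(row)
        if kind == "mdns":
            noise += 1
        elif kind == "lookup":
            lookups.add(row["domain"] or endpoint)
        elif kind == "platform":
            platform[row["domain"]].add(endpoint)
        elif kind == "contact":
            contacts[row["domain"]].add(endpoint)
        else:
            unresolved.add(endpoint)
    return {
        "lookups": sorted(lookups),
        "contacts": {d: sorted(e) for d, e in sorted(contacts.items())},
        "platform": {d: sorted(e) for d, e in sorted(platform.items())},
        "unresolved": sorted(unresolved),
        "noise": noise,
        "unparsed": unparsed,
    }
```

On these rows the only non-platform contact is api.voiceads.cn, reached over plain port 80 at three addresses, which is where a pcap review should start; the four TLS endpoints that appear without a matching lookup in the capture cannot be attributed from the tables alone and need to be resolved by hand.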

Files

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 fb3a04aec717dad4f41fbe862c301b96
SHA1 5998b047b670b9fea29532a19cf55c1e1fade606
SHA256 1a8ae4b662bd2210cbd38a4d02cc90904f3ca78c7c146cbdc9515ff0a96aad80
SHA512 2e14f2992c321aebf34f5e5cc15ea5b9713d69d4be5566e7bf361501b9a8601eb236c6c0702b328022484cff5ad62eb1efb31988e602218d98c6ed65fcefb121

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 1aa8bf20b06e2020afeb21601e8b6092
SHA1 38ef6667d6ac125b0c7fe3b364ee21f3e0b4121b
SHA256 981287be46bb5ee46a7111bec973e719dd7d44b96e1c85ea76f69fa9431503f0
SHA512 d7406fea631de71997c0eed332b521df63299aa8eb7f106df096f2b31a51706bba01d315e5da846ed3c4ae2e9506b07dd71d15faf8d0518eb9e06809b075bde2

/data/user/0/com.mcmlmpnimlmemmna.lei/files/AdDex.3.2.0.dex

MD5 c5e1dd0a8096e3883a437597fa0b3713
SHA1 d24a7d387943916a37c8d613e3e5502aa053efdc
SHA256 a717d86d76a8bb7fa0eb718bbdd5fd176a80ee7571c65ff999ef72f11d1adb8e
SHA512 fb3cdb82eaec7f8f76b6e8b4d48df43efc8448771bc9419eb19ffdfea075f029bbc33dce2706ce042aaf2d698a29e77e1899cb8b6c60d96528a1fb1bdfcc86e2

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 3a0a7347b2aa7caea75a5668dd99e469
SHA1 5eabf335df3616688ba8529e5507b207ea9ad147
SHA256 03fdba8d55db740d75e908da76d1cd5c50ffa6a65134d7f855c2ef29ddd816fd
SHA512 5ee5830f65fa9ecb1e427ef99a9468613bd2abfc165b8d9527059a7ebe10f3eafbdef1d350d9d7688eb481f2033aad8c367a1ac1a78d4f50b6ad5ff21ed20621

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 466d6b08f4241f021948c02715c1db59
SHA1 74ecc826e3b6706f5c3bffac4f3a86d44b26fb1e
SHA256 317d7cee5bc2b864b8e58c07e8123847009e4ca262b888d14536d832d74b3556
SHA512 5bedaba0689b446764e96e7077c1119ebc9c52145f6d18785604b5375f8b75b3de57bc51229f813d86a4b5122126fa5586294f4dc8f7851c2b07081206f74b2d
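The "Loads dropped Dex/Jar" signature and the file entries for AdDex.3.2.0.dex above give the hashes of the second stage but not the file. The following is an added example, not code from the report: it carries the report's hashes for the dropped dex, compares a file pulled off a test device against them, and parses the dex header to recompute the adler32 checksum and SHA-1 signature that every valid dex carries. Because the dex itself is not on this page, `build_minimal_dex()` constructs a header-only dex to exercise the checks; the REPORT_ADDEX values are copied from the file entry.

```python
"""Verify a dropped dex file such as AdDex.3.2.0.dex against the report.

Added example, not code from the report. REPORT_ADDEX copies the hashes the
report gives for the dropped file; the dex itself is not on the page, so
build_minimal_dex() constructs a header-only dex to exercise the checks.
"""
import hashlib
import struct
import zlib

DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")

REPORT_ADDEX = {  # /data/user/0/com.mcmlmpnimlmemmna.lei/files/AdDex.3.2.0.dex
    "md5": "c5e1dd0a8096e3883a437597fa0b3713",
    "sha1": "d24a7d387943916a37c8d613e3e5502aa053efdc",
    "sha256": "a717d86d76a8bb7fa0eb718bbdd5fd176a80ee7571c65ff999ef72f11d1adb8e",
    "sha512": "fb3cdb82eaec7f8f76b6e8b4d48df43efc8448771bc9419eb19ffdfea075f029"
              "bbc33dce2706ce042aaf2d698a29e77e1899cb8b6c60d96528a1fb1bdfcc86e2",
}


def hash_digests(data):
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def dex_header(data):
    """Parse the 0x70-byte dex header and recompute its integrity fields.

    checksum is adler32 over everything after itself (offset 12 to EOF);
    signature is SHA-1 over everything after itself (offset 32 to EOF).
    A dropper that patches a dex on disk usually leaves these stale.
    """
    if len(data) < 0x70 or data[:8] not in DEX_MAGICS:
        return None
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    return {
        "version": data[4:7].decode("ascii"),
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "size_ok": file_size == len(data),
        "header_ok": header_size == 0x70 and endian_tag == 0x12345678,
    }


def check_dropped(data, expected):
    """Compare a file pulled off the device against the report's hashes."""
    got = hash_digests(data)
    mismatched = sorted(k for k, v in expected.items() if got.get(k) != v)
    header = dex_header(data)
    kind = "dex" if header else "zip" if data[:4] == b"PK\x03\x04" else "unknown"
    return {"kind": kind, "hashes": got, "matches_report": not mismatched,
            "mismatched": mismatched, "header": header}


def build_minimal_dex():
    """Constructed header-only dex (no classes) with valid checksum and signature."""
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<II", hdr, 0x20, len(hdr), 0x70)  # file_size, header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)       # endian_tag
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()  # signature first,
    struct.pack_into("<I", hdr, 8,                       # then the checksum that covers it
                     zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)
```

On a rooted test device the dropped file can be pulled from the path the report gives and handed to `check_dropped(open(path, "rb").read(), REPORT_ADDEX)`; a hash mismatch means the server handed out a different second stage than the sandbox saw, and a header with a stale checksum or signature means the file was modified after being written.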