Malware Analysis Report

2024-09-09 16:25

Sample ID 240610-p1ltbswanh
Target 9ab75f3365c07dab83c20afcd56c874a_JaffaCakes118
SHA256 ac4b551c795f36b8ef318e085d16f992f2706ed3f2460e34c2cab23a28656ddc
Tags
banker discovery impact persistence collection credential_access evasion
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 9ab75f3365c07dab83c20afcd56c874a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Requests dangerous framework permissions

Reads information about phone network operator

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 12:47

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 12:47

Reported

2024-06-10 12:51

Platform

android-x86-arm-20240603-en

Max time kernel

175s

Max time network

188s

Command Line

plus.H5AC8ABAB

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

plus.H5AC8ABAB

Network

Files

/data/data/plus.H5AC8ABAB/files/.imei.txt

/data/data/plus.H5AC8ABAB/shared_prefs_ext/test_app

/data/data/plus.H5AC8ABAB/files/cnc3ejE6/eje3cnc

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/css/mui.css

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/css/mui.min.css

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/fonts/mui.ttf

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/index.html

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/js/mui.js

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/js/mui.min.js

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/manifest.json

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 12:47

Reported

2024-06-10 12:51

Platform

android-x64-20240603-en

Max time kernel

177s

Max time network

187s

Command Line

plus.H5AC8ABAB

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/plus.H5AC8ABAB/[email protected] N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

plus.H5AC8ABAB

Network

Files

/data/data/plus.H5AC8ABAB/.00000000000/A3AEECD8.dex

/data/data/plus.H5AC8ABAB/.00000000000/A3AEECD8.dex

/data/data/plus.H5AC8ABAB/files/.imei.txt

/data/data/plus.H5AC8ABAB/shared_prefs_ext/test_app

/data/data/plus.H5AC8ABAB/files/cnc3ejE6/eje3cnc

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/css/mui.css

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/css/mui.min.css

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/fonts/mui.ttf

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/index.html

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/js/mui.js

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/js/mui.min.js

/data/data/plus.H5AC8ABAB/files/apps/H5AC8ABAB/www/manifest.json