Malware Analysis Report

2024-09-09 13:36

Sample ID 240610-pms1gsvcre
Target 9aaa8b2eae812ebdc0e2a0f8984b6ca1_JaffaCakes118
SHA256 c337bcc0bd34d99294e875708995851384494924680327510932bda7f42c3114
Tags: discovery evasion impact persistence stealth trojan
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: c337bcc0bd34d99294e875708995851384494924680327510932bda7f42c3114

Threat Level: Likely malicious

The file 9aaa8b2eae812ebdc0e2a0f8984b6ca1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence stealth trojan

Removes its main activity from the application launcher

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported  2024-06-10 12:27

Signatures

Declares services with permission to bind to the system

Indicator                            Process  Target  Description
android.permission.BIND_VPN_SERVICE  N/A      N/A     Required by VPN services to bind with the system: a VpnService is declared with this permission so that only the framework can bind to it. An app that ships such a service can, once the user has consented to the VPN prompt, establish a device-wide VPN and route all of the device's traffic through itself.

Requests dangerous framework permissions

Indicator                                    Process  Target  Description
android.permission.ACCESS_FINE_LOCATION      N/A      N/A     Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION    N/A      N/A     Allows an app to access approximate location.
android.permission.READ_EXTERNAL_STORAGE     N/A      N/A     Allows an application to read from external storage.
android.permission.SYSTEM_ALERT_WINDOW       N/A      N/A     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A     Allows an application to request installing packages.
android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A     Allows an application to write to external storage.
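The two static1 signatures above can be reproduced on a decoded manifest. The following is an added example, not code from the sandbox or the report: it parses a constructed AndroidManifest.xml that declares the same permissions static1 lists for this sample (the activity and service names, and the presence of a VpnService, are assumptions, since the real manifest is not shown on this page) and maps them onto the report's signature names. The system-bind list goes beyond the page, extending BIND_VPN_SERVICE to the other service-binding permissions that Android spyware commonly abuses; it also records the launcher components, which is what a later "Removes its main activity from the application launcher" hit would be disabling.

```python
"""Static manifest triage mirroring the static1 signatures.

Added example, not code from the sandbox or the report. SAMPLE_MANIFEST is
CONSTRUCTED: its permissions are the ones static1 lists for this sample,
but the activity and service names are assumptions. Point parse_manifest()
at a decoded manifest (e.g. from `apktool d`) to run it on a real APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"              # android:name
PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission

# Permission classes the report flags as "dangerous framework permissions".
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
# Signature permissions that make a service bindable only by the system. The
# report shows BIND_VPN_SERVICE; the other three are added here as the usual
# abuse targets of spyware and banking trojans (extension beyond the page).
SYSTEM_BIND = {
    "android.permission.BIND_VPN_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.confidential.pottery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Collect requested permissions, permission-guarded services and the
    components that carry a MAIN/LAUNCHER intent filter."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    guarded = {s.get(NAME): s.get(PERMISSION)
               for s in root.iter("service") if s.get(PERMISSION)}
    launcher = []
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for filt in comp.iter("intent-filter"):
            actions = {a.get(NAME) for a in filt.iter("action")}
            cats = {c.get(NAME) for c in filt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                launcher.append(comp.get(NAME))
    return {"package": root.get("package"), "requested": requested,
            "guarded": guarded, "launcher": launcher}


def triage(xml_text):
    """Map the manifest onto the report's static signature names."""
    m = parse_manifest(xml_text)
    findings = {}
    dangerous = sorted(m["requested"] & DANGEROUS)
    if dangerous:
        findings["Requests dangerous framework permissions"] = dangerous
    bound = sorted(f"{svc} ({perm})" for svc, perm in m["guarded"].items()
                   if perm in SYSTEM_BIND)
    if bound:
        findings["Declares services with permission to bind to the system"] = bound
    # These are the components a runtime "removes its main activity from the
    # launcher" hit would disable (typically via setComponentEnabledSetting).
    findings["Launcher components"] = m["launcher"]
    return findings


if __name__ == "__main__":
    for signature, indicators in triage(SAMPLE_MANIFEST).items():
        print(signature)
        for indicator in indicators:
            print("   ", indicator)
```

On the constructed manifest this reports the six dangerous permissions, the VPN-guarded service and `.MainActivity` as the only launcher component; on a real sample the launcher list is what to compare against the behavioural run when the sandbox says the icon was hidden.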

Analysis: behavioral1

Detonation Overview

Submitted         2024-06-10 12:27
Reported          2024-06-10 12:30
Platform          android-x86-arm-20240603-en
Max time kernel   179s
Max time network  151s

Command Line

com.confidential.pottery

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Indicator                                          Process  Target  Description
android.app.IActivityManager.setServiceForeground  N/A      N/A     Framework service call

Queries information about active data network

discovery
Indicator                                              Process  Target  Description
android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A     Framework service call

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator                   Process  Target  Description
javax.crypto.Cipher.doFinal  N/A      N/A     Framework API call

Processes

com.confidential.pottery

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353                              udp
US       1.1.1.1:53           mmunitedaw.info          udp
LT       149.100.158.54:443   mmunitedaw.info          tcp
GB       142.250.187.206:443                           tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       216.58.201.110:443   android.apis.google.com  tcp
LT       149.100.158.54:443   mmunitedaw.info          tcp
GB       216.58.201.110:443   android.apis.google.com  tcp
GB       142.250.187.194:443                           tcp

Files

/data/data/com.confidential.pottery/files/15251cc7-7f79-46f0-95e5-7c1d708cca9d.dat

MD5 4e41ca70fc9f29fd6947d95ea17199d3
SHA1 181dc48e25211f6954f93b1bc1125da985edf282
SHA256 8bfaa088dbfc4fe30e028fbf69178069cccedf40c5beec5db80ffefd00955915
SHA512 b2778f49ab61eb7e3b314b909fb4f6c477329a4665ac0611a988df6617eec2e0ec28ffcd6cb327fff26f9a51010e8192d41955a5251626e6170860d3a5b44f27

Analysis: behavioral2

Detonation Overview

Submitted         2024-06-10 12:27
Reported          2024-06-10 12:30
Platform          android-x64-20240603-en
Max time kernel   179s
Max time network  151s

Command Line

com.confidential.pottery

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Indicator                                          Process  Target  Description
android.app.IActivityManager.setServiceForeground  N/A      N/A     Framework service call

Queries information about active data network

discovery
Indicator                                              Process  Target  Description
android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A     Framework service call

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator                   Process  Target  Description
javax.crypto.Cipher.doFinal  N/A      N/A     Framework API call

Processes

com.confidential.pottery

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353                               udp
US       1.1.1.1:53           mmunitedaw.info           udp
LT       149.100.158.54:443   mmunitedaw.info           tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       172.217.16.232:443   ssl.google-analytics.com  tcp
GB       142.250.180.10:443                             tcp
LT       149.100.158.54:443   mmunitedaw.info           tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.187.238:443  android.apis.google.com   tcp
GB       142.250.200.2:443                              tcp
GB       172.217.169.78:443                             tcp
GB       172.217.16.228:443                             tcp
GB       172.217.16.228:443                             tcp
GB       216.58.204.78:443                              tcp

Files

/data/data/com.confidential.pottery/files/15251cc7-7f79-46f0-95e5-7c1d708cca9d.dat

MD5 2e21beba9c7a29d64e94b34811973a07
SHA1 2f90362b4011f15a9164f36d4ff67326b1a02c19
SHA256 88c41d380685895124551556fa55e9c6e4ffc70cb3687c6254145a003f5e3531
SHA512 77c1e0990298bbb54ea4cba1d6687e7c9c7092050bd0e0894eadc1c95250f67eaccc0249986b271c0818da8746b53da335ef669813f3fd0a86534509378ff9f8

Analysis: behavioral3

Detonation Overview

Submitted         2024-06-10 12:27
Reported          2024-06-10 12:30
Platform          android-x64-arm64-20240603-en
Max time kernel   179s
Max time network  143s

Command Line

com.confidential.pottery

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Indicator                                          Process  Target  Description
android.app.IActivityManager.setServiceForeground  N/A      N/A     Framework service call

Queries information about active data network

discovery
Indicator                                              Process  Target  Description
android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A     Framework service call

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator                   Process  Target  Description
javax.crypto.Cipher.doFinal  N/A      N/A     Framework API call

Processes

com.confidential.pottery

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353                               udp
GB       142.250.187.238:443                            tcp
GB       142.250.187.238:443                            tcp
US       1.1.1.1:53           mmunitedaw.info           udp
LT       149.100.158.54:443   mmunitedaw.info           tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.178.8:443    ssl.google-analytics.com  tcp
LT       149.100.158.54:443   mmunitedaw.info           tcp
GB       142.250.180.4:443                              tcp
GB       142.250.180.4:443                              tcp
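Across the three behavioral runs (behavioral1, behavioral2 and behavioral3 above) the Network tables share exactly one destination that is not Google infrastructure. The following added example, not part of the report, collapses those rows into an IOC list: it discards mDNS and anything resolving to or named under Google as sandbox/platform noise (an assumption about what Play services and analytics traffic look like, not something the report states), keeps the DNS lookups made through the sandbox's 1.1.1.1 resolver for what remains, and aggregates the surviving connections by name across runs. The rows are transcribed from the tables above, with "-" standing in for a blank Domain column.

```python
"""Network IOC extraction from the sandbox's per-run Network tables.

Added example, not part of the report. RAW_ROWS is transcribed from the
behavioral1/2/3 Network tables (run, country, destination, domain or "-"
where the table is blank, protocol). The Google allowlist is an ASSUMPTION
about platform noise, not something the report itself asserts.
"""
import ipaddress
from collections import defaultdict

MDNS = "224.0.0.251:5353"   # link-local multicast DNS, never an IOC
RESOLVER = "1.1.1.1:53"     # the sandbox's DNS resolver; these rows are lookups
# ASSUMPTION: Google-owned names and address blocks are platform noise
# (Play services check-in, analytics) rather than attacker infrastructure.
GOOGLE_SUFFIXES = (".google.com", ".google-analytics.com")
GOOGLE_NETS = [ipaddress.ip_network(n)
               for n in ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]

RAW_ROWS = """\
behavioral1 N/A 224.0.0.251:5353 - udp
behavioral1 US 1.1.1.1:53 mmunitedaw.info udp
behavioral1 LT 149.100.158.54:443 mmunitedaw.info tcp
behavioral1 GB 142.250.187.206:443 - tcp
behavioral1 US 1.1.1.1:53 android.apis.google.com udp
behavioral1 GB 216.58.201.110:443 android.apis.google.com tcp
behavioral1 LT 149.100.158.54:443 mmunitedaw.info tcp
behavioral1 GB 216.58.201.110:443 android.apis.google.com tcp
behavioral1 GB 142.250.187.194:443 - tcp
behavioral2 N/A 224.0.0.251:5353 - udp
behavioral2 US 1.1.1.1:53 mmunitedaw.info udp
behavioral2 LT 149.100.158.54:443 mmunitedaw.info tcp
behavioral2 US 1.1.1.1:53 ssl.google-analytics.com udp
behavioral2 GB 172.217.16.232:443 ssl.google-analytics.com tcp
behavioral2 GB 142.250.180.10:443 - tcp
behavioral2 LT 149.100.158.54:443 mmunitedaw.info tcp
behavioral2 US 1.1.1.1:53 android.apis.google.com udp
behavioral2 GB 142.250.187.238:443 android.apis.google.com tcp
behavioral2 GB 142.250.200.2:443 - tcp
behavioral2 GB 172.217.169.78:443 - tcp
behavioral2 GB 172.217.16.228:443 - tcp
behavioral2 GB 172.217.16.228:443 - tcp
behavioral2 GB 216.58.204.78:443 - tcp
behavioral3 N/A 224.0.0.251:5353 - udp
behavioral3 GB 142.250.187.238:443 - tcp
behavioral3 GB 142.250.187.238:443 - tcp
behavioral3 US 1.1.1.1:53 mmunitedaw.info udp
behavioral3 LT 149.100.158.54:443 mmunitedaw.info tcp
behavioral3 US 1.1.1.1:53 ssl.google-analytics.com udp
behavioral3 GB 142.250.178.8:443 ssl.google-analytics.com tcp
behavioral3 LT 149.100.158.54:443 mmunitedaw.info tcp
behavioral3 GB 142.250.180.4:443 - tcp
behavioral3 GB 142.250.180.4:443 - tcp
"""


def is_google(host, ip):
    """True when either the name or the address falls inside the allowlist."""
    if host != "-" and host.endswith(GOOGLE_SUFFIXES):
        return True
    return any(ipaddress.ip_address(ip) in net for net in GOOGLE_NETS)


def extract_iocs(raw):
    """Return surviving destinations aggregated across runs, the DNS lookups
    that preceded them, and a count of rows discarded as noise."""
    lookups = defaultdict(set)
    conns = defaultdict(lambda: {"ips": set(), "ports": set(),
                                 "protos": set(), "runs": set()})
    noise = 0
    for line in raw.strip().splitlines():
        run, _country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        if dest == MDNS or is_google(domain, ip):
            noise += 1
        elif dest == RESOLVER:
            lookups[domain].add(run)          # a lookup for a non-allowlisted name
        else:
            key = domain if domain != "-" else ip
            c = conns[key]
            c["ips"].add(ip); c["ports"].add(int(port))
            c["protos"].add(proto); c["runs"].add(run)
    iocs = [{"indicator": k, **{f: sorted(v) for f, v in c.items()}}
            for k, c in sorted(conns.items())]
    return {"iocs": iocs,
            "lookups": {d: sorted(r) for d, r in lookups.items()},
            "noise_rows": noise}


if __name__ == "__main__":
    result = extract_iocs(RAW_ROWS)
    for ioc in result["iocs"]:
        print(ioc["indicator"], ioc["ips"], ioc["ports"], ioc["runs"])
    print("lookups:", result["lookups"], "noise rows:", result["noise_rows"])
```

On the page's rows this leaves a single indicator, mmunitedaw.info at 149.100.158.54:443, contacted twice in every run and resolved through the sandbox resolver each time; the 24 Google rows are dropped. The unnamed 142.250.x/172.217.x/216.58.x connections are caught by the address blocks rather than by name, which is the case a name-only allowlist would miss and then push into a blocklist by mistake.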

Files

/data/user/0/com.confidential.pottery/files/15251cc7-7f79-46f0-95e5-7c1d708cca9d.dat

MD5 d23b91998af5105ed87a62c82125b84d
SHA1 da845d2365974154f03c234f652dff754a54a386
SHA256 6c1ff3213886451aa75ce41b13b99afe0afba909c72f5798299c084b5ad2c428
SHA512 1325c611879fa7c6ba477e79bdb23936912e6226857acc82dedd492043f01523b8c6ee4a35eab0e33242ed9c5e1597fd0489920249a3931a0c64e1de7d4a131f