Malware Analysis Report

2025-01-19 07:57

Sample ID 240610-pvatwawcrp
Target 9ab186f9d38b22dfb652c097d3819d45_JaffaCakes118
SHA256 0d76ddd66117f591a3d7650133292a4ce1d6b58d3471441a23d899f9fd2faff7
Tags
discovery evasion impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0d76ddd66117f591a3d7650133292a4ce1d6b58d3471441a23d899f9fd2faff7

Threat Level: Shows suspicious behavior

The file 9ab186f9d38b22dfb652c097d3819d45_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 12:38

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 12:38

Reported

2024-06-10 12:42

Platform

android-x86-arm-20240603-en

Max time kernel

10s

Max time network

163s

Command Line

com.whe.yhcygs

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.whe.yhcygs/files/less/ZBaLXFShV.jar N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.whe.yhcygs

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.35:443 tcp
CN 116.62.181.149:8080 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 216.58.201.110:443 tcp
GB 142.250.187.194:443 tcp

Files

/data/data/com.whe.yhcygs/files/less/ZBaLXFShV.jar

MD5 d9b9c672b229d0bb26b1ee41ff0db4f9
SHA1 7a1cae056e2c915818c7a8725eb4b33cc79a8e55
SHA256 866bb19f78d98bad7ff65c74aab0f1482efbf92469c51828ab06a6cfd5b73d20
SHA512 565b6b5aca869b82616fd54fc925f1cd5074666db1d16d79b096550eb0195ec4f2a03647ce2b8de46b93b551dfb3fc35f023df5c0b2166ae383b671b6e5407c0

/data/user/0/com.whe.yhcygs/files/less/ZBaLXFShV.jar

MD5 5d9aa2b3757c19de41687e710bf75da9
SHA1 898004702420c5ee65e81360997bfd361ab5682e
SHA256 a99f45c2732a7c907586f35745bf9ab1211b227c1d81b0a17b4ee8b3593426fd
SHA512 44530d5d1fd229566f01ff933871f3ae7fd254d92f81b8df4b9312743df42bd1fa4daa61e6e082f16a0a808d56ee04949c210e8ce10c6dd0e206c05018346e10