Malware Analysis Report

2025-01-19 07:58

Sample ID 240610-rbcv8sybpd
Target 9ae837da8ace09359db1c22803e159ee_JaffaCakes118
SHA256 ede0f85cee4a2e3fb6b23de922055a758de78a12ba22a3e8ad1087703fd6af78
Tags: discovery evasion persistence
Score: 8/10


Analysis Overview

Threat Level: Likely malicious

The file 9ae837da8ace09359db1c22803e159ee_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Analysis: static1

Detonation Overview

Reported: 2024-06-10 14:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 14:00
Reported: 2024-06-10 14:03
Platform: android-x86-arm-20240603-en
Max time kernel: 71s
Max time network: 131s

Command Line

com.nlm.nlmmaster

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.nlm.nlmmaster/mix.dex N/A N/A
N/A /data/data/com.nlm.nlmmaster/mix.dex N/A N/A
N/A /data/data/com.nlm.nlmmaster/mix.dex N/A N/A
N/A /data/data/com.nlm.nlmmaster/mix.dex N/A N/A
N/A /data/data/com.nlm.nlmmaster/mix.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A

Processes

com.nlm.nlmmaster

sh -c getprop ro.yunos.version

getprop ro.yunos.version

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.nlm.nlmmaster/mix.dex --output-vdex-fd=49 --oat-fd=58 --oat-location=/data/data/com.nlm.nlmmaster/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

com.nlm.nlmmaster:pushcore

/system/bin/sh -c getprop ro.board.platform

sh -c getprop ro.yunos.version

getprop ro.board.platform

getprop ro.yunos.version

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

com.nlm.nlmmaster:pushcore

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 N/A tcp

Files

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal

MD5 ce26cba2a2176b6d6d6e6bb089727db0
SHA1 324ff8da12a6ec699e7726b18dcdd015bc05add3
SHA256 7990c78f02e8f65820abc0c0cc9589ab5abbb5b1fa6d73fdb177bc9e882c5cc1
SHA512 8e6a7451ced4152d4c3362c00d70f0afbd3f36d8505ec34fa43bd17d2629799fb8b59d853e0adce3dae528743b6205a83f00192615c91e28ee5ac858c7df412a

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-wal

MD5 5b2c25d73dc6d29b3e097283a6b8b830
SHA1 f137a8fc640b5045a1ea636ac16c140a33cf36ec
SHA256 6b929b19bf535b5309e4290eaa197a5e04131f67d9097dddfaddc5a49a6814b2
SHA512 afe235be2f730b430b3d7e6a16f4cf234706b61d674e39049438d00a9689dec7ccbfe4f77786b100972f06acb91af20c4a3fce7993ab52fa5e329a4771efd684

/data/data/com.nlm.nlmmaster/mix.dex

MD5 852332c7d1fbbc5859b5271875deeee5
SHA1 8cd6c12a45a491a26512ac3eb1812459a7374480
SHA256 5d1a736dc8270dd9b72d796899b15669d47fecd4fd42b0f80e89797cefa47d2b
SHA512 5aff83513d04abb6ee9c0afcdda95a46dc899b497d6cd7f99025ea827cd5d2591f728b8d789d06f22f9d5a0f4aca96dab1e1bb4265470dcacc634b46e258c12f

/data/data/com.nlm.nlmmaster/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload

MD5 6865cb2b6fa422ee615e1c8c043a172d
SHA1 ac5cf0bef227b0b6440fd143e0cc024a0b563c55
SHA256 73b511aadf89ecfcf07ee9ae1641e24c7851c0f35b67f64e36595a92b41b526f
SHA512 613ad3ad48dcb51b3d1a14714bd2c9ecaf6411f5f6c478f8e002ff081c3aa4945b792319adfaf1683724f7949d7a2eb6b4d01e2599cca4fd9e2afec32db3f898

/storage/emulated/0/Android/data/com.nlm.nlmmaster/files/tbslog/tbslog.txt

MD5 b3c8a909ee7873034da85abf1af7c866
SHA1 08a5bab845a81e4a22f920ebc1594e82d36a2e54
SHA256 22429212ef255b8dd01efa83eb7ce83fd31127515a3a555cf2ea5d07afdef13b
SHA512 a46463ee3787be798b3bd5785636f74fbb404dbbd7f045e138027ef3bc32bcd6953e21794ca78b84f5ba1649655f052f2de4b5d140a6d1c6684bde25fcb03c8d

/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload

MD5 e26f7889e724bb4c9c19f47b716b9d05
SHA1 450ca0cd6503d4e04fda37938d1b99d73b38f3ea
SHA256 907174f832e388a9035d3b814baccede6d2b7e7e10cda1b7b11c2268297d0e64
SHA512 f50173d332a38828c1cbc364adc4c8bb1a9f1f09f0245d5da0c2f8db6400280b3d7cbfd2f43d5006f4337f5e02a67056f2dcabf74e008b4df23bed60c8450799

/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload

MD5 4b17ccafa9f9c7c48bab14294ccdcc0e
SHA1 612e753e49d75ae5706a00747283a0fddfa557ea
SHA256 9f280cce95a56c64fbbd3fa3947406b815fe7d2f3cfd43dab7b758588150255c
SHA512 0318e329e0eb198e45dcf2421279fa831de6699f1bc13c31756f46df1acee89380838eac0e2c9f52ba28a345a7b537c4003c3739ba2e5fe569479d9dd85a6a35

/storage/emulated/0/Android/data/com.nlm.nlmmaster/files/tbslog/tbslog.txt

MD5 01c772e2b24817f67f5a82989a46ab22
SHA1 ab3971c1dfe8c1f77603de748749c51181a2b710
SHA256 02ca3015e0647f6f2422efbbeecb977487510fb3f33c68e2d2a0528e33af473e
SHA512 feb6fa47586b90e3061ec8bb63928fd9cdc591359a519304a488efefb0b96643cbd436ea00c06e2248f2bbc036b24c35b4c9a673998260a1b95edc8760213940

/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload

MD5 291b6495ea8cc484755d5cecfded1d48
SHA1 14113de9ca03fa9436b744f16d4ba934ea52e9cc
SHA256 176c0579b7708dafcea27644f49b5bccfbbd6eb4aa8d1bb85e01eacf9ddce193
SHA512 644d5258596ad31e13206ac5c8a4c448d864a9bcb11a936df95592eb369e905c8b44002d65f8a8506c89303e3b6d0d917384eeaecf5e94f419cf435090bed08d

/data/data/com.nlm.nlmmaster/app_tbs/core_private/download_upload

MD5 6474eba054b35f1d238c446e4276d8e8
SHA1 5af1028d6048d67200974a3dee7fae931d2f85cd
SHA256 a3e0b4a76c06e80528817c89bf762f6d80d2fb85458cdbc1baf009c565dc2abc
SHA512 890d6abd1445fa2ffd4f099c1e5285a4f843eb95dde98f9bce4a1a58a3ec47ebc13fd434cb9338e55fb372ac55d1e50505a71de2ca5cf130a3bac3b1b3a01afd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 14:00
Reported: 2024-06-10 14:04
Platform: android-x64-20240603-en
Max time kernel: 9s
Max time network: 147s

Command Line

com.nlm.nlmmaster

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.nlm.nlmmaster/mix.dex N/A N/A
N/A /data/data/com.nlm.nlmmaster/mix.dex N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.nlm.nlmmaster

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 216.58.201.106:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 172.217.169.14:443 N/A tcp
GB 142.250.200.34:443 N/A tcp
GB 142.250.178.4:443 N/A tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.46:443 N/A tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp

Files

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal

MD5 78fce74087557718c339a912605b806d
SHA1 4f57fe5202e1df4fb5ecb96537907aa959d4fb66
SHA256 1135a5a135d5e6743e7c0f9afed1799e4418ab30103e21fb3e5b522029fb192c
SHA512 d225baf595dbb0b7097201896749b0515c88ff2245a0aaeee40f436161c12b5bd53f0e9bbb2744004d8533747af458986f6eea9e2d39251e460f055a3dd843ac

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu

MD5 c192151c8378290753e03c65a9cfd545
SHA1 35a4fa172abcb89990b401ee708bd94e5876ac87
SHA256 73bc173f5f65dd34ee842f2eff75500310159d3b608f4aa01b76edb237b0025c
SHA512 2277c7d1716dabe6036d15831979c22c862c2107649cccf5327bcb8ff56570c44f111d6378b897ee124f61f273014586368ae281199f70aab0cf6ce3bde3bd87

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal

MD5 181d21daa0ae795b53d6c29c2ea26479
SHA1 15c97cb7403c5aeb08a7baa7cae42a041e072cd1
SHA256 b01e1f5fa13fcf75fe1cd4254dea869742a70c77f4bdc9585a52263b7f19409a
SHA512 5a19edcf7fa506c5e9baac0277869e9fadda095f0b5b5fe0953b1a611429aca3b5d9550d4a358a209e260b18b18f4e04a36351c02f0f6d6081dab705efce4def

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal

MD5 d11e5f1e9ebf9215b4610087431545b3
SHA1 9b75292d43ce04a8575a4032b28f241c5b31a478
SHA256 91c4a96d56145b4da6abf394937044de140b2eb94461877674b40c5c3d02fadb
SHA512 871bd8e88ea883731a02498c696290cf9493bb7a7a1ec992d055fb87f3cbf100acbc4f382a2e4b5e0267c32427c297078fb6279ffad901a8fdf9d94cbedff6fc

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal

MD5 be4d6cb86bd892b27fa19140652d1ded
SHA1 e6b9a6c23068bae25ffd961e0c6633a8228b9a68
SHA256 63ffe57dfcbeb02755370fdfe66f6fd7faafcaa3ce48d2dae6f1229781649847
SHA512 cbc7610526034a95b3976e733742899c98a1e39f03509fd0c966bc1e8a2f362e7b63f6ff732b024ba49a101e747006080cce5bd9eadaa77c4ce7dba787b713de

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal

MD5 72b5e42b83d11c781353447a4c7ed405
SHA1 2e29468b18c53e49215a3430eff4357d43d00687
SHA256 172eae44f218458cedd01c4cdf52a4ce3800d32a0a5bd8ea1cab7e5f9ca1cd11
SHA512 ae0a6251e30e34262e637f6757da9204b8a15c19993a2bcb25a9aabe3aa2c7bb28c62d72d1f5b8575bcedb92cae38ecd9ea71a10f6658925806132efa7ba7f5f

/data/data/com.nlm.nlmmaster/databases/bugly_db_legu-journal

MD5 ad0a94dac4d6a00b9aa1f12f581c04d2
SHA1 bcfa129c27083156387bd1c5e666872c416b7ea7
SHA256 f0d9d7329191d5bd89a27d59194980d7a664f942777dcc155190c197dbdb4073
SHA512 c0d109a53d32013781f7e5103b243ada2440b2c759b22a8ae7b1ecef761f25eae5d35b114b9f8dc6676d223b205883ab22cd6ca4ad80c5ba386605423489dab7

/data/data/com.nlm.nlmmaster/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/data/data/com.nlm.nlmmaster/app_bugly/tomb_1718028059990.txt

MD5 614c8f2dd11537bedd6919bcc57bb004
SHA1 4e0c9f8b615a944f1a8489826ac67efaf0fa232c
SHA256 8dc9c25accce2fa57469164db53e4aa1a95e16fa5a9179f3a0959abf237a7caa
SHA512 ef322e27d7238d29efc7085d7b75e459d877d32f11edca62c91563c765308b390f7ef82401f16c3dbf36eae2004a9ae7b33342411d005d5b8f4020cf06db1b1d

/data/data/com.nlm.nlmmaster/app_bugly/rqd_record.eup

MD5 f4d883b0c659ea52ed7d107ed02bd580
SHA1 99abe52a5b14da53d33c5a48da095e2a3c9ca2fb
SHA256 7aed857fd960066ecac9d3d820bb2555c8a4b33f8f0f5849c3771ef72fd0d18e
SHA512 ec938b7965f79d33b82e4a90f10bc3d2acc56a9db026dd459a2613fb0b5b1f01403e01b15f921d0edc4f69c1eddb4afb086ff86ca45fb160cbc93c697980c147

/data/data/com.nlm.nlmmaster/app_bugly/rqd_record.eup

MD5 2fdfe05081041895d756ff6265262de4
SHA1 d8522a0f34272e2a525d3ceaa4d83fe8c9f4a2c0
SHA256 768e71022e9fcf218abb5547d6043f8776d1cae13e538afabc43fff29909bc2f
SHA512 8c60537d6accf7b65dbbc3eb89b3aaa14fc46a385e498cbc3cd41705cb71477407c81b30bf4d48ce38d2a291996df68778860faa0298618c99948631624689cf