Malware Analysis Report

2024-09-09 16:31

Sample ID 240610-t61a5atfpq
Target 9b5741dd8c9e803a3650ac461ec99117_JaffaCakes118
SHA256 955be5bb9d093e6750782f95ed25f390e168c5f3118fec45ae65ceb4424614b7
Tags
discovery evasion impact persistence collection credential_access
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

955be5bb9d093e6750782f95ed25f390e168c5f3118fec45ae65ceb4424614b7

Threat Level: Likely malicious

The file 9b5741dd8c9e803a3650ac461ec99117_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries information about running processes on the device

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 16:40

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. android.permission.BIND_WALLPAPER N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 16:40

Reported

2024-06-10 16:44

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

170s

Command Line

jp.harucolor3.kanmusububblewallpaper

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

jp.harucolor3.kanmusububblewallpaper

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 androidquery.appspot.com udp
GB 216.58.204.84:443 androidquery.appspot.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 tpc.googlesyndication.com udp
US 1.1.1.1:53 www.googletagservices.com udp
GB 172.217.169.65:443 tpc.googlesyndication.com tcp
GB 172.217.169.65:443 tpc.googlesyndication.com tcp
GB 142.250.178.2:443 www.googletagservices.com tcp
US 1.1.1.1:53 s0.2mdn.net udp
GB 142.250.200.38:443 s0.2mdn.net tcp
US 1.1.1.1:53 googleads4.g.doubleclick.net udp
GB 142.250.200.2:443 googleads4.g.doubleclick.net tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 216.58.201.110:443 tcp
GB 142.250.187.194:443 tcp

Files

/data/data/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/data/jp.harucolor3.kanmusububblewallpaper/cache/oat/1582435991586.jar.cur.prof

MD5 a3b78d197d786c13687c3f0f89703bd8
SHA1 9967f0726b6b1ed3f198904547b81920f8329621
SHA256 c5e6754556dbe01b055066f23c28ddaaf5fe67cee4baed00d59dc993335b3d97
SHA512 9a47c9bb977edec9d29d22f280e0078ca931a722eaecc2b085c6b5aaf6246d17a6ad07c9faca45070bb5b89a3ee6cf896f5e2c7e73fb033e3ac57471df70a8b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 16:40

Reported

2024-06-10 16:44

Platform

android-x64-20240603-en

Max time kernel

179s

Max time network

153s

Command Line

jp.harucolor3.kanmusububblewallpaper

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

jp.harucolor3.kanmusububblewallpaper

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.106:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 androidquery.appspot.com udp
GB 216.58.212.212:443 androidquery.appspot.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 142.250.178.2:443 googleads.g.doubleclick.net tcp
GB 142.250.178.2:443 googleads.g.doubleclick.net tcp
GB 142.250.178.2:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 tpc.googlesyndication.com udp
GB 142.250.200.1:443 tpc.googlesyndication.com tcp
GB 142.250.200.1:443 tpc.googlesyndication.com tcp
US 1.1.1.1:53 www.googletagservices.com udp
GB 216.58.212.194:443 www.googletagservices.com tcp
US 1.1.1.1:53 googleads4.g.doubleclick.net udp
US 1.1.1.1:53 s0.2mdn.net udp
GB 216.58.204.66:443 googleads4.g.doubleclick.net tcp
GB 172.217.16.230:443 s0.2mdn.net tcp
GB 142.250.178.2:443 googleads.g.doubleclick.net tcp
GB 142.250.179.238:443 tcp
GB 142.250.187.226:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 216.58.212.206:443 tcp
US 1.1.1.1:53 widgets.outbrain.com udp
GB 23.219.197.58:443 widgets.outbrain.com tcp
US 1.1.1.1:53 zem.outbrainimg.com udp
US 1.1.1.1:53 b1t-eudc1.zemanta.com udp
GB 146.75.74.132:443 zem.outbrainimg.com tcp
NL 213.227.153.230:443 b1t-eudc1.zemanta.com tcp
US 1.1.1.1:53 b1-eudc1.zemanta.com udp
NL 213.227.153.228:443 b1-eudc1.zemanta.com tcp
NL 213.227.153.230:443 b1-eudc1.zemanta.com tcp

Files

/data/data/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/data/jp.harucolor3.kanmusububblewallpaper/cache/oat/1582435991586.jar.cur.prof

MD5 a3b78d197d786c13687c3f0f89703bd8
SHA1 9967f0726b6b1ed3f198904547b81920f8329621
SHA256 c5e6754556dbe01b055066f23c28ddaaf5fe67cee4baed00d59dc993335b3d97
SHA512 9a47c9bb977edec9d29d22f280e0078ca931a722eaecc2b085c6b5aaf6246d17a6ad07c9faca45070bb5b89a3ee6cf896f5e2c7e73fb033e3ac57471df70a8b1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 16:40

Reported

2024-06-10 16:44

Platform

android-x64-arm64-20240603-en

Max time kernel

134s

Max time network

163s

Command Line

jp.harucolor3.kanmusububblewallpaper

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

jp.harucolor3.kanmusububblewallpaper

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 androidquery.appspot.com udp
GB 142.250.200.20:443 androidquery.appspot.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 widgets.outbrain.com udp
US 1.1.1.1:53 tpc.googlesyndication.com udp
GB 23.219.197.58:443 widgets.outbrain.com tcp
GB 142.250.178.1:443 tpc.googlesyndication.com tcp
US 1.1.1.1:53 www.googletagservices.com udp
GB 142.250.180.2:443 www.googletagservices.com tcp
US 1.1.1.1:53 zem.outbrainimg.com udp
US 1.1.1.1:53 b1t-eudc1.zemanta.com udp
GB 146.75.74.132:443 zem.outbrainimg.com tcp
NL 213.227.153.229:443 b1t-eudc1.zemanta.com tcp
US 1.1.1.1:53 b1-eudc1.zemanta.com udp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
NL 213.227.153.230:443 b1-eudc1.zemanta.com tcp
NL 213.227.153.229:443 b1-eudc1.zemanta.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
US 1.1.1.1:53 s0.2mdn.net udp
GB 172.217.169.6:443 s0.2mdn.net tcp
US 1.1.1.1:53 googleads4.g.doubleclick.net udp
GB 142.250.200.2:443 googleads4.g.doubleclick.net tcp

Files

/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/user/0/jp.harucolor3.kanmusububblewallpaper/cache/oat/1582435991586.jar.cur.prof

MD5 f9431a0cde5766b6a47fe517f0dbe91f
SHA1 41ebffb9e03db4e211961286e6c233726d1c704f
SHA256 48409024aacda3669e2112419ca8742dedca12f5310521730db60c8387710616
SHA512 3102a350b8cdbfe686564eb79892a609f3cccd74d4b420f831156b1c57b736853f1cba0988d4dea7bf728f341e3ed2b997274684726afa2d97d31115e5213382