Malware Analysis Report

2024-09-09 16:19

Sample ID: 240611-1r37sstaql
Target: 9fa750cd4ba71b5713883eb5031f1b0e_JaffaCakes118
SHA256: b6d9c4c42b04bb365ba4247ce223ec551c608fe7997215c702ad4d2cf56fe565
Tags: discovery persistence collection credential_access impact
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: b6d9c4c42b04bb365ba4247ce223ec551c608fe7997215c702ad4d2cf56fe565

Threat Level: Shows suspicious behavior

The file 9fa750cd4ba71b5713883eb5031f1b0e_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Queries information about active data network

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-11 21:53

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 21:53
Reported: 2024-06-11 21:57
Platform: android-x86-arm-20240611.1-en
Max time kernel: 63s
Max time network: 131s

Command Line

smskb.com

Signatures

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

smskb.com

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | www.smskb.com | udp
CN | 122.114.120.35:80 | www.smskb.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/smskb.com/files/umeng_it.cache

MD5: 10f2ec41701965b8424f2a962342231d
SHA1: 75f4afbd78ec1a9a98ead60d46020b9c65b935e7
SHA256: f0c9d54fdaaa1eda5c4c0d29168da059162f265a2d1330171ac09a98b2947e4c
SHA512: 0422594558077044ac8a1e507541c0a9e88ad5e887d21ae7034e8979bbc54de58a4bd9a3a8115f04b190817ab5a602b675d5ffaa4bce513b2b3c37185ba44a74

/data/data/smskb.com/files/.um/um_cache_1718142908475.env

MD5: 2b6c7456ff28171906d41cb3ca6ab2aa
SHA1: 07ec89f8b574c0e16635ef0fe11590f330d811c0
SHA256: b18da79293c5d38e6dd8bde0988bd799daad9da6b8d95a9175d4b662694e6ecb
SHA512: be9cc3223c7ec6ef484b6207e12e3b22ff5edaa9810a000613344fd735bd0a580345dc2b3a1ce36db0c89585305b9d9d361f9f0df6f383227fb1b2f9be6a9368

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 21:53
Reported: 2024-06-11 21:57
Platform: android-x64-20240611.1-en
Max time kernel: 64s
Max time network: 132s

Command Line

smskb.com

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

smskb.com

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | oc.umeng.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | www.smskb.com | udp
CN | 122.114.120.35:80 | www.smskb.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 59.82.23.79:80 | oc.umeng.com | tcp
GB | 216.58.213.14:443 | | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
GB | 142.250.178.14:443 | | tcp
GB | 216.58.201.98:443 | | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/smskb.com/files/umeng_it.cache

MD5: 1c84fd39210a6275ec4b60046b7f930f
SHA1: c70c51b80aaaf3331fe2c3c5488d4516ffe6c3f3
SHA256: 14175a6e5b73c8ea6404e490465281e728e7e5b862f9e30279cea6d9a4ce850e
SHA512: 7e71f89284ba252bb9e1101ca86d3e655ec3351e04eab410f45cd082737019abc8122a58c2855b6b99db182d2beef91b0556b60a3dcfc18af18ab291eba86ddd

/data/data/smskb.com/files/.um/um_cache_1718142907706.env

MD5: c100114a79da80ede29a01d2b38ccd17
SHA1: 23cfa2f225c35e27b5f8af7caf729f9e90b771d2
SHA256: 36029924a8a27f7bb13bf920e0fc38fc3c80bf8ddc19095d52e284909d893d0e
SHA512: 08d89b43716d8721643b32ab267271cf2a2a23a182616b590fd32b488de0dcd1cd24bf6a358e09f9d3b307e05bb877d3c40f8fd72660014134db9a78209ba47f

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-11 21:53
Reported: 2024-06-11 21:54
Platform: android-x86-arm-20240611.1-en
Max time network: 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-11 21:53
Reported: 2024-06-11 21:54
Platform: android-x64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-11 21:53
Reported: 2024-06-11 21:54
Platform: android-x64-arm64-20240611.1-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A