Malware Analysis Report

2024-09-09 16:30

Sample ID 240611-awr28axejj
Target 9c73103c241d5a54e0957b68c6087fb5_JaffaCakes118
SHA256 80c2930914430fb92e04f4764943bceb6304405424250da8a2ed0bb4e3dd8f9f
Tags
discovery evasion impact persistence collection credential_access
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

80c2930914430fb92e04f4764943bceb6304405424250da8a2ed0bb4e3dd8f9f

Threat Level: Likely malicious

The file 9c73103c241d5a54e0957b68c6087fb5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 00:34

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 00:34

Reported

2024-06-11 00:37

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

170s

Command Line

net.indieroms.OmegaFilesJB

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/net.indieroms.OmegaFilesJB/cache/1582435991586.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

net.indieroms.OmegaFilesJB

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 tpc.googlesyndication.com udp
US 1.1.1.1:53 www.googletagservices.com udp
GB 142.250.187.193:443 tpc.googlesyndication.com tcp
GB 142.250.187.193:443 tpc.googlesyndication.com tcp
US 1.1.1.1:53 widgets.outbrain.com udp
GB 104.115.33.132:443 widgets.outbrain.com tcp
US 1.1.1.1:53 b1t-eudc1.zemanta.com udp
NL 213.227.153.228:443 b1t-eudc1.zemanta.com tcp
US 1.1.1.1:53 zem.outbrainimg.com udp
GB 146.75.74.132:443 zem.outbrainimg.com tcp
US 1.1.1.1:53 b1-eudc1.zemanta.com udp
GB 142.250.200.2:443 www.googletagservices.com tcp
NL 213.227.153.228:443 b1-eudc1.zemanta.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
NL 213.227.153.228:443 b1-eudc1.zemanta.com tcp
GB 216.58.201.110:443 tcp
GB 142.250.187.194:443 tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp

Files

/data/data/net.indieroms.OmegaFilesJB/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/net.indieroms.OmegaFilesJB/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/data/net.indieroms.OmegaFilesJB/cache/oat/1582435991586.jar.cur.prof

MD5 a3b78d197d786c13687c3f0f89703bd8
SHA1 9967f0726b6b1ed3f198904547b81920f8329621
SHA256 c5e6754556dbe01b055066f23c28ddaaf5fe67cee4baed00d59dc993335b3d97
SHA512 9a47c9bb977edec9d29d22f280e0078ca931a722eaecc2b085c6b5aaf6246d17a6ad07c9faca45070bb5b89a3ee6cf896f5e2c7e73fb033e3ac57471df70a8b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 00:34

Reported

2024-06-11 00:37

Platform

android-x64-20240603-en

Max time kernel

179s

Max time network

189s

Command Line

net.indieroms.OmegaFilesJB

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/net.indieroms.OmegaFilesJB/cache/1582435991586.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

net.indieroms.OmegaFilesJB

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 widgets.outbrain.com udp
GB 2.18.109.60:443 widgets.outbrain.com tcp
US 1.1.1.1:53 tpc.googlesyndication.com udp
GB 216.58.201.97:443 tpc.googlesyndication.com tcp
GB 216.58.201.97:443 tpc.googlesyndication.com tcp
US 1.1.1.1:53 www.googletagservices.com udp
GB 216.58.213.14:443 tcp
GB 142.250.187.226:443 www.googletagservices.com tcp
US 1.1.1.1:53 zem.outbrainimg.com udp
US 1.1.1.1:53 b1t-eudc1.zemanta.com udp
GB 146.75.74.132:443 zem.outbrainimg.com tcp
NL 213.227.153.229:443 b1t-eudc1.zemanta.com tcp
US 1.1.1.1:53 b1-eudc1.zemanta.com udp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
NL 213.227.153.230:443 b1-eudc1.zemanta.com tcp
NL 213.227.153.229:443 b1-eudc1.zemanta.com tcp
GB 142.250.187.194:443 tcp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 disk.akamaized.net udp
GB 92.123.140.41:443 disk.akamaized.net tcp
US 1.1.1.1:53 events-ams.bidder.kayzen.io udp
US 1.1.1.1:53 impression.appsflyer.com udp
GB 18.245.187.23:443 impression.appsflyer.com tcp
NL 185.56.138.130:443 events-ams.bidder.kayzen.io tcp
NL 185.56.138.130:443 events-ams.bidder.kayzen.io tcp
GB 92.123.140.41:443 disk.akamaized.net tcp
US 1.1.1.1:53 b1t-eudc1.zemanta.com udp
NL 213.227.153.229:443 b1t-eudc1.zemanta.com tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
NL 213.227.153.230:443 b1t-eudc1.zemanta.com tcp
NL 213.227.153.229:443 b1t-eudc1.zemanta.com tcp
US 1.1.1.1:53 widgets.outbrain.com udp
GB 2.18.109.60:443 widgets.outbrain.com tcp

Files

/data/data/net.indieroms.OmegaFilesJB/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/net.indieroms.OmegaFilesJB/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/data/net.indieroms.OmegaFilesJB/cache/oat/1582435991586.jar.cur.prof

MD5 3b916c48baf9e10b03320cb4ed75654c
SHA1 3b950676c3952c8a21c7f4b900c277695440a4bb
SHA256 78b3d8163fa00e6656c09fbc867303fea21dec316ef9377e396b758f4bb3bfc4
SHA512 8546b7219d8aad54569c150f7155f161cc6d7fbfeaebc725c1a6207f0f0e9ffb59b7b3acd96ed7327d918ae6b66d2be37789bbd73553eac663d1b2f44b95b379

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 00:34

Reported

2024-06-11 00:37

Platform

android-x64-arm64-20240603-en

Max time kernel

174s

Max time network

177s

Command Line

net.indieroms.OmegaFilesJB

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/net.indieroms.OmegaFilesJB/cache/1582435991586.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

net.indieroms.OmegaFilesJB

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 tpc.googlesyndication.com udp
US 1.1.1.1:53 www.googletagservices.com udp
GB 142.250.187.226:443 www.googletagservices.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
US 1.1.1.1:53 widgets.outbrain.com udp
GB 2.18.109.60:443 widgets.outbrain.com tcp
US 1.1.1.1:53 b1t-eudc1.zemanta.com udp
US 1.1.1.1:53 zem.outbrainimg.com udp
NL 213.227.153.229:443 b1t-eudc1.zemanta.com tcp
GB 146.75.74.132:443 zem.outbrainimg.com tcp
US 1.1.1.1:53 b1-eudc1.zemanta.com udp
NL 213.227.153.227:443 b1-eudc1.zemanta.com tcp
NL 213.227.153.229:443 b1-eudc1.zemanta.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp

Files

/data/user/0/net.indieroms.OmegaFilesJB/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/net.indieroms.OmegaFilesJB/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/user/0/net.indieroms.OmegaFilesJB/cache/oat/1582435991586.jar.cur.prof

MD5 f9431a0cde5766b6a47fe517f0dbe91f
SHA1 41ebffb9e03db4e211961286e6c233726d1c704f
SHA256 48409024aacda3669e2112419ca8742dedca12f5310521730db60c8387710616
SHA512 3102a350b8cdbfe686564eb79892a609f3cccd74d4b420f831156b1c57b736853f1cba0988d4dea7bf728f341e3ed2b997274684726afa2d97d31115e5213382