Malware Analysis Report

2024-09-09 13:35

Sample ID 240611-eap3ysshme
Target 9ce2406e05e20cd153ff5e9e7e0f5e13_JaffaCakes118
SHA256 6dc315f4084c21a72978629e0af70f0836c2ade0cf28d87d66794e7a713386cc
Tags banker discovery evasion impact persistence stealth trojan collection credential_access
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 8/10
SHA256 6dc315f4084c21a72978629e0af70f0836c2ade0cf28d87d66794e7a713386cc
Threat Level: Likely malicious

The file 9ce2406e05e20cd153ff5e9e7e0f5e13_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence stealth trojan collection credential_access

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-11 03:44

Signatures

Requests dangerous framework permissions

Permission (process and target: N/A) and its description:

android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 03:44
Reported 2024-06-11 03:47
Platform android-x86-arm-20240603-en
Max time kernel 177s
Max time network 131s

Command Line

feifei.tnd11.meta.face

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicator: N/A

Checks Android system properties for emulator presence.
Tags: evasion
Indicator: Accessed system property key ro.product.model

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/feifei.tnd11.meta.face/app_ttmp/t.jar

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries information about active data network
Tags: discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)
Tags: discovery
Indicator: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (might try to encrypt user data)
Tags: impact
Indicator: Framework API call javax.crypto.Cipher.doFinal

Checks CPU information
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Indicator: File opened for read /proc/meminfo

Process and target columns were N/A for every signature in this run.

Processes

feifei.tnd11.meta.face

Network


Files

/data/data/feifei.tnd11.meta.face/app_ttmp/t.jar
/data/user/0/feifei.tnd11.meta.face/app_ttmp/t.jar
/data/data/feifei.tnd11.meta.face/databases/feifei.tnd11.meta.faceb-journal
/data/data/feifei.tnd11.meta.face/databases/feifei.tnd11.meta.faceb
/data/data/feifei.tnd11.meta.face/databases/feifei.tnd11.meta.faceb-shm
/data/data/feifei.tnd11.meta.face/databases/feifei.tnd11.meta.faceb-wal
/data/data/feifei.tnd11.meta.face/app_ttmp/oat/t.jar.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-11 03:44
Reported 2024-06-11 03:47
Platform android-x64-20240603-en
Max time kernel 177s
Max time network 131s

Command Line

feifei.tnd11.meta.face

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicator: N/A

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/feifei.tnd11.meta.face/app_ttmp/t.jar

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Indicator: Framework service call android.content.IClipboard.addPrimaryClipChangedListener

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries information about active data network
Tags: discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)
Tags: discovery
Indicator: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (might try to encrypt user data)
Tags: impact
Indicator: Framework API call javax.crypto.Cipher.doFinal

Checks CPU information
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Indicator: File opened for read /proc/meminfo

Process and target columns were N/A for every signature in this run.

Processes

feifei.tnd11.meta.face

Network


Files

/data/data/feifei.tnd11.meta.face/app_ttmp/t.jar
/data/user/0/feifei.tnd11.meta.face/app_ttmp/t.jar
/data/data/feifei.tnd11.meta.face/databases/feifei.tnd11.meta.faceb-journal
/data/data/feifei.tnd11.meta.face/databases/feifei.tnd11.meta.faceb
/data/data/feifei.tnd11.meta.face/app_ttmp/oat/t.jar.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-11 03:44
Reported 2024-06-11 03:47
Platform android-x64-arm64-20240603-en
Max time kernel 176s
Max time network 132s

Command Line

feifei.tnd11.meta.face

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicator: N/A

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/feifei.tnd11.meta.face/app_ttmp/t.jar

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Indicator: Framework service call android.content.IClipboard.addPrimaryClipChangedListener

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries information about active data network
Tags: discovery
Indicator: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Uses Crypto APIs (might try to encrypt user data)
Tags: impact
Indicator: Framework API call javax.crypto.Cipher.doFinal

Checks CPU information
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Indicator: File opened for read /proc/meminfo

Process and target columns were N/A for every signature in this run.

Processes

feifei.tnd11.meta.face

Network


Files

/data/user/0/feifei.tnd11.meta.face/app_ttmp/t.jar
/data/user/0/feifei.tnd11.meta.face/databases/feifei.tnd11.meta.faceb-journal
/data/user/0/feifei.tnd11.meta.face/databases/feifei.tnd11.meta.faceb