Malware Analysis Report

2024-09-09 13:34

Sample ID: 240611-ejmdestcme
Target: 9cebe08988bd976bbc4bd5e2dd2881ec_JaffaCakes118
SHA256: 0703556253925e5cf699523d4cb5c9f1586f15f078e7c2271b9ecab41a4ec418
Tags: evasion, stealth, trojan
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 0703556253925e5cf699523d4cb5c9f1586f15f078e7c2271b9ecab41a4ec418

Threat Level: Likely malicious

The file 9cebe08988bd976bbc4bd5e2dd2881ec_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion stealth trojan

Removes its main activity from the application launcher

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-11 03:58

Signatures

Requests dangerous framework permissions

Indicator                                  Description
android.permission.READ_PHONE_STATE        Read-only access to phone state: the current cellular network, the status of any ongoing calls, and the PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE   Read from external storage.
android.permission.ACCESS_COARSE_LOCATION  Access approximate location.

Process and Target are N/A for all three rows: these are permissions declared in the APK manifest, not runtime events. All three are runtime ("dangerous") permissions, so on Android 6.0 and later the app must also prompt the user before they take effect; on API levels below 29, READ_PHONE_STATE additionally gates TelephonyManager.getDeviceId(), i.e. the IMEI.
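The permission table comes from the APK manifest. The script below, an added example and not the sandbox's own tooling, reproduces that static check on a decoded AndroidManifest.xml (as produced by apktool or androguard) and also records which activity carries the MAIN/LAUNCHER intent-filter, since that is the component an icon-hiding app later disables. The manifest is constructed: the package name and the three permissions are taken from this report, while MainActivity, SyncService and the INTERNET permission are assumed. The dangerous-permission list is a partial subset of the platform's protectionLevel=dangerous permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions the platform declares with protectionLevel=dangerous
# (runtime permissions). Partial by design; extend it from the platform
# manifest for the API level you care about.
DANGEROUS = frozenset({
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
})

# Constructed stand-in for the sample's decoded manifest (the report does not
# include it). Package name and the three permissions come from the report;
# MainActivity, SyncService and INTERNET are assumed.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.zoka.android.posaobl">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="posaobl">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def _a(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def _fqcn(pkg, name):
    """Resolve the manifest's short class names (".Foo" or "Foo") to package.Foo."""
    if name is None:
        return None
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return pkg + "." + name
    return name


def triage_manifest(xml_text):
    """Return requested permissions, the dangerous subset, and every activity
    or activity-alias that carries a MAIN/LAUNCHER intent-filter."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    perms = [_a(p, "name") for p in root.iter("uses-permission")]
    launchers = []
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            for filt in comp.iter("intent-filter"):
                actions = {_a(x, "name") for x in filt.iter("action")}
                cats = {_a(x, "name") for x in filt.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in cats):
                    launchers.append({
                        "component": _fqcn(pkg, _a(comp, "name")),
                        # enabled="false" in the manifest means no icon from the start
                        "enabled_in_manifest": _a(comp, "enabled") != "false",
                    })
                    break
    return {
        "package": pkg,
        "permissions": perms,
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "launcher_activities": launchers,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("package:", result["package"])
    print("dangerous permissions:", ", ".join(result["dangerous"]))
    for act in result["launcher_activities"]:
        print("launcher activity:", act["component"],
              "enabled in manifest:", act["enabled_in_manifest"])
```

Run it against the output of `apktool d sample.apk` by reading AndroidManifest.xml from the decoded directory in place of SAMPLE_MANIFEST; the launcher component it reports is the name to look for in the runtime component state of the installed package.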

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-11 03:58
Reported: 2024-06-11 04:01
Platform: android-x64-arm64-20240603-en
Max time kernel: 14s
Max time network: 133s

Command Line

com.zoka.android.posaobl

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
No indicator details recorded (Description, Indicator, Process and Target are all N/A).
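The signature above is the standard Android icon-hiding trick: after first launch the app calls PackageManager.setComponentEnabledSetting() on its own launcher activity with COMPONENT_ENABLED_STATE_DISABLED (usually together with DONT_KILL_APP), so the icon disappears from the launcher while the package, its services and its data stay installed. The report does not say which component was disabled. The following added example, not part of this report or the sandbox's tooling, checks a device or emulator for that state by parsing the per-user section of `adb shell dumpsys package <pkg>`: a launcher activity listed under disabledComponents whose lastDisabledCaller is the package itself is the pattern. The excerpt is constructed in the shape of that output, not captured from the run, and the class names MainActivity and SyncService are assumed.

```python
PACKAGE = "com.zoka.android.posaobl"

# Constructed excerpt in the shape of the per-user section of
# `adb shell dumpsys package com.zoka.android.posaobl`; not captured from the
# sandbox. Component class names are assumed.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.zoka.android.posaobl] (1a2b3c4):
    userId=10123
    codePath=/data/app/~~abc==/com.zoka.android.posaobl-xyz==
    User 0: ceDataInode=12345 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0 instant=false virtual=false
      gids=[3003]
      lastDisabledCaller: com.zoka.android.posaobl
      disabledComponents:
        com.zoka.android.posaobl.MainActivity
      enabledComponents:
        com.zoka.android.posaobl.SyncService
  Package [com.android.settings] (9f8e7d6):
    userId=1000
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0 instant=false virtual=false
      gids=[]
"""


def parse_component_state(dump, package, user=0):
    """Collect disabledComponents, enabledComponents and lastDisabledCaller
    for one package and one Android user from `dumpsys package` output."""
    state = {"disabled": [], "enabled": [], "last_disabled_caller": None}
    in_pkg = in_user = False
    bucket = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Package ["):
            in_pkg = line.startswith("Package [%s]" % package)
            in_user, bucket = False, None
            continue
        if not in_pkg:
            continue
        if line.startswith("User "):
            in_user = line.startswith("User %d:" % user)
            bucket = None
            continue
        if not in_user:
            continue
        if line == "disabledComponents:":
            bucket = state["disabled"]
        elif line == "enabledComponents:":
            bucket = state["enabled"]
        elif line.startswith("lastDisabledCaller:"):
            state["last_disabled_caller"] = line.split(":", 1)[1].strip()
            bucket = None
        elif bucket is not None and line and "=" not in line and not line.endswith(":"):
            bucket.append(line)   # one component class name per line
        else:
            bucket = None         # any other key ends the component list
    return state


def launcher_hidden(dump, package, launcher_activities, user=0):
    """Cross-check statically known launcher activities against the runtime
    component state. self_disabled is True when a launcher activity is
    disabled and the package itself is recorded as the caller."""
    state = parse_component_state(dump, package, user)
    hidden = [a for a in launcher_activities if a in state["disabled"]]
    return {
        "hidden_launchers": hidden,
        "self_disabled": bool(hidden) and state["last_disabled_caller"] == package,
        **state,
    }


if __name__ == "__main__":
    verdict = launcher_hidden(SAMPLE_DUMPSYS, PACKAGE,
                              ["com.zoka.android.posaobl.MainActivity"])
    print("hidden launcher activities:", verdict["hidden_launchers"])
    print("disabled by the app itself:", verdict["self_disabled"])
```

On a live emulator, feed the function the output of `adb shell dumpsys package com.zoka.android.posaobl` and the launcher component names obtained from the manifest. A package disabled by the user or by device policy also ends up in disabledComponents, which is why the check keys on lastDisabledCaller being the package itself rather than on the list alone.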

Processes

com.zoka.android.posaobl

Network

Country  Destination            Domain                     Proto
-        224.0.0.251:5353       -                          udp
GB       142.250.187.238:443    -                          tcp
US       1.1.1.1:53             android.apis.google.com    udp
GB       142.250.179.238:443    android.apis.google.com    tcp
US       1.1.1.1:53             ssl.google-analytics.com   udp
GB       142.250.187.200:443    ssl.google-analytics.com   tcp
GB       172.217.169.68:443     -                          tcp
GB       172.217.169.68:443     -                          tcp

Every destination in this run is mDNS multicast (224.0.0.251:5353), the sandbox resolver (1.1.1.1), or a Google host (the android.apis.google.com and ssl.google-analytics.com lookups and the 142.250.x / 172.217.x addresses). The report does not separate the sample's own traffic from the emulator's background traffic, so nothing in this capture can be attributed to the sample and no C2 contact is recorded.

Files

The same path is listed twice with different hashes, so the file was written with two different contents during the run. /data/user/0/<pkg> is the same directory as /data/data/<pkg> reported by the other two runs, and the hashes match across all three. The report does not record what the file is.

/data/user/0/com.zoka.android.posaobl/files/ZVxwSBkPs (version 1)
MD5     a1182e743de579df31f5bbca8d376977
SHA1    07618a06f77ea73dcfdea107ff22b0c2d8a9abb0
SHA256  5633795d78d0e24a5e8fc1e87afeb7a0d5d1c3146e38932c0a3091f6dd6632a7
SHA512  aa2a730ecfd4deb12e232c291b44f97c6f5c70a52da79885b5cb6adcbfc7ab476c9f897b757b9b44b03ffec11936ff120222bd4ddbe9f11d07c207f7f389c8c7

/data/user/0/com.zoka.android.posaobl/files/ZVxwSBkPs (version 2)
MD5     c93cc31e8bcf6c0be716493e1f528d6c
SHA1    319eb8ed68acafaeb39c5927b9250724dacd1313
SHA256  41e97d56f5d9c96d79d008f66e00e64176ba3c94f135734c325a66ab7202fd32
SHA512  5289d8b562ec3a676a354f7c3cafeb55d26d28768f8fae3954d9b19a498f40beebd4c9da4ea30ccbac075c7d35e181b41f0cb8646142047352dee568b57525b7

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 03:58
Reported: 2024-06-11 04:01
Platform: android-x86-arm-20240603-en
Max time kernel: 14s
Max time network: 171s

Command Line

com.zoka.android.posaobl

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
No indicator details recorded (Description, Indicator, Process and Target are all N/A).

Processes

com.zoka.android.posaobl

Network

Country  Destination            Domain                     Proto
-        224.0.0.251:5353       -                          udp
GB       216.58.204.78:443      -                          tcp
US       1.1.1.1:53             android.apis.google.com    udp
GB       142.250.187.206:443    android.apis.google.com    tcp

Files

/data/data/com.zoka.android.posaobl/files/ZVxwSBkPs (version 1)
MD5     a1182e743de579df31f5bbca8d376977
SHA1    07618a06f77ea73dcfdea107ff22b0c2d8a9abb0
SHA256  5633795d78d0e24a5e8fc1e87afeb7a0d5d1c3146e38932c0a3091f6dd6632a7
SHA512  aa2a730ecfd4deb12e232c291b44f97c6f5c70a52da79885b5cb6adcbfc7ab476c9f897b757b9b44b03ffec11936ff120222bd4ddbe9f11d07c207f7f389c8c7

/data/data/com.zoka.android.posaobl/files/ZVxwSBkPs (version 2)
MD5     c93cc31e8bcf6c0be716493e1f528d6c
SHA1    319eb8ed68acafaeb39c5927b9250724dacd1313
SHA256  41e97d56f5d9c96d79d008f66e00e64176ba3c94f135734c325a66ab7202fd32
SHA512  5289d8b562ec3a676a354f7c3cafeb55d26d28768f8fae3954d9b19a498f40beebd4c9da4ea30ccbac075c7d35e181b41f0cb8646142047352dee568b57525b7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 03:58
Reported: 2024-06-11 04:01
Platform: android-x64-20240603-en
Max time kernel: 15s
Max time network: 153s

Command Line

com.zoka.android.posaobl

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
No indicator details recorded (Description, Indicator, Process and Target are all N/A).

Processes

com.zoka.android.posaobl

Network

Country  Destination            Domain                              Proto
-        224.0.0.251:5353       -                                   udp
US       1.1.1.1:53             ssl.google-analytics.com            udp
GB       142.250.200.40:443     ssl.google-analytics.com            tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.187.238:443    android.apis.google.com             tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
GB       216.58.212.202:443     semanticlocation-pa.googleapis.com  tcp
GB       142.250.200.2:443      -                                   tcp
GB       172.217.169.78:443     -                                   tcp
GB       142.250.200.10:443     semanticlocation-pa.googleapis.com  tcp
GB       172.217.16.228:443     -                                   tcp
GB       172.217.16.228:443     -                                   tcp
GB       216.58.204.78:443      -                                   tcp

This run additionally contacts semanticlocation-pa.googleapis.com, a Google Play services endpoint; the report does not say whether that traffic was triggered by the sample or by the emulator's own services, so it should not be read as a C2 indicator.

Files

/data/data/com.zoka.android.posaobl/files/ZVxwSBkPs (version 1)
MD5     a1182e743de579df31f5bbca8d376977
SHA1    07618a06f77ea73dcfdea107ff22b0c2d8a9abb0
SHA256  5633795d78d0e24a5e8fc1e87afeb7a0d5d1c3146e38932c0a3091f6dd6632a7
SHA512  aa2a730ecfd4deb12e232c291b44f97c6f5c70a52da79885b5cb6adcbfc7ab476c9f897b757b9b44b03ffec11936ff120222bd4ddbe9f11d07c207f7f389c8c7

/data/data/com.zoka.android.posaobl/files/ZVxwSBkPs (version 2)
MD5     c93cc31e8bcf6c0be716493e1f528d6c
SHA1    319eb8ed68acafaeb39c5927b9250724dacd1313
SHA256  41e97d56f5d9c96d79d008f66e00e64176ba3c94f135734c325a66ab7202fd32
SHA512  5289d8b562ec3a676a354f7c3cafeb55d26d28768f8fae3954d9b19a498f40beebd4c9da4ea30ccbac075c7d35e181b41f0cb8646142047352dee568b57525b7