Malware Analysis Report

2024-09-09 16:23

Sample ID 240611-h9wassyera
Target 9d6b0aac78228fdc7f4727ff497c5791_JaffaCakes118
SHA256 5d2cf9397fdeedc424c390e1369edb2244859042b5c8e31785de9ce5e8b88288
Tags
collection credential_access evasion impact discovery persistence
score
7/10

Analysis Overview

score
7/10

SHA256

5d2cf9397fdeedc424c390e1369edb2244859042b5c8e31785de9ce5e8b88288

Threat Level: Shows suspicious behavior

The file 9d6b0aac78228fdc7f4727ff497c5791_JaffaCakes118 was classified as: shows suspicious behavior.

Malicious Activity Summary

collection credential_access evasion impact discovery persistence

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 07:26

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 07:26

Reported

2024-06-11 07:29

Platform

android-x64-arm64-20240603-en

Max time kernel

154s

Max time network

133s

Command Line

com.sku

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sku/app_push_lib/plugin-deploy.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.sku

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | wxmp.99114.com | udp
CN | 58.83.155.120:80 | wxmp.99114.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
CN | 58.83.155.120:80 | wxmp.99114.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp

Files

/data/user/0/com.sku/app_push_lib/plugin-deploy.jar

MD5 610ae20fa40cb991ef4670582bc3996a
SHA1 bad8dbc9b7226fbd4f1b97dabe777c36605ccc9b
SHA256 010690c6a9fe3d6e21c33940453cb2a5c41e26ac24ea42e3732111613701eede
SHA512 8584fa3850e97276d6afef61dff9401531cd7830a3a7660fcc3b75c21c55196a59efad46ad763f1695f59c99874e29aa285ba9d9f43a5989d004a0e115d76b1b

/data/user/0/com.sku/app_push_lib/plugin-deploy.key

MD5 86896cfc29159ebebbdc72a7fea66d3c
SHA1 76f71e17f279e9010cd1f16d9c979f75bb9cbdb6
SHA256 4040246e2cd23768965dd2720eed8ab30b0891eb7324201ac1592e8e39eb7697
SHA512 89d4d3e88c41bf4c9cd527ed6c7af45e14545019b1d86414fd7965fb6dac79a6a8f1e8c4b4de4503e6bef2b98ad32f37d319c7e29e807b2b83d56cd867ab9ca6

/data/user/0/com.sku/app_push_lib/plugin-deploy.jar

MD5 058c9e49195a1ab48863deb84a028f63
SHA1 a35b0dc7822174cff3683e1aa2b5cf85833733df
SHA256 ce04c452c6c3dc56dee78205f036a779c7144eb607dede07aa054f93f77ad049
SHA512 081643598f3bbda4d2f560975f6e6fec8da94c8a578d80c05cf6f035ed3766db65de21cbe3ec92a16060e5ea1c1aebe37bd339de76365daf67648fd5967e5c47

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-11 07:26

Reported

2024-06-11 07:26

Platform

android-x86-arm-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-11 07:26

Reported

2024-06-11 07:26

Platform

android-x64-20240603-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-11 07:26

Reported

2024-06-11 07:26

Platform

android-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 07:26

Reported

2024-06-11 07:29

Platform

android-x86-arm-20240603-en

Max time kernel

152s

Max time network

157s

Command Line

com.sku

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sku/app_push_lib/plugin-deploy.jar | N/A | N/A
N/A | /data/user/0/com.sku/app_push_lib/plugin-deploy.jar | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.sku

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sku/app_push_lib/plugin-deploy.jar --output-vdex-fd=40 --oat-fd=42 --oat-location=/data/user/0/com.sku/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 142.250.180.10:443 | | tcp
GB | 172.217.169.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | wxmp.99114.com | udp
CN | 58.83.155.120:80 | wxmp.99114.com | tcp
CN | 58.83.155.120:80 | wxmp.99114.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.213.2:443 | | tcp

Files

/data/data/com.sku/app_push_lib/plugin-deploy.jar

MD5 610ae20fa40cb991ef4670582bc3996a
SHA1 bad8dbc9b7226fbd4f1b97dabe777c36605ccc9b
SHA256 010690c6a9fe3d6e21c33940453cb2a5c41e26ac24ea42e3732111613701eede
SHA512 8584fa3850e97276d6afef61dff9401531cd7830a3a7660fcc3b75c21c55196a59efad46ad763f1695f59c99874e29aa285ba9d9f43a5989d004a0e115d76b1b

/data/data/com.sku/app_push_lib/plugin-deploy.key

MD5 86896cfc29159ebebbdc72a7fea66d3c
SHA1 76f71e17f279e9010cd1f16d9c979f75bb9cbdb6
SHA256 4040246e2cd23768965dd2720eed8ab30b0891eb7324201ac1592e8e39eb7697
SHA512 89d4d3e88c41bf4c9cd527ed6c7af45e14545019b1d86414fd7965fb6dac79a6a8f1e8c4b4de4503e6bef2b98ad32f37d319c7e29e807b2b83d56cd867ab9ca6

/data/user/0/com.sku/app_push_lib/plugin-deploy.jar

MD5 058c9e49195a1ab48863deb84a028f63
SHA1 a35b0dc7822174cff3683e1aa2b5cf85833733df
SHA256 ce04c452c6c3dc56dee78205f036a779c7144eb607dede07aa054f93f77ad049
SHA512 081643598f3bbda4d2f560975f6e6fec8da94c8a578d80c05cf6f035ed3766db65de21cbe3ec92a16060e5ea1c1aebe37bd339de76365daf67648fd5967e5c47

/data/user/0/com.sku/app_push_lib/plugin-deploy.jar

MD5 0f01de9b83dd8195bc640c07b7e45dd3
SHA1 a427c07efaed492839e89ab490db691534da8c21
SHA256 738447a77b1796c32da78df26302a5bef6369f761af0c4622466338806f8c061
SHA512 510c3b4ff8ec84345b45d8cb7ded5fc93dab20f154c8f90f23afb3d9713f27d44b96858e52684dd5cb333134e231a6096f7cef18ea2cccd5c81ee7e98ba61459

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 07:26

Reported

2024-06-11 07:30

Platform

android-x64-20240603-en

Max time kernel

156s

Max time network

131s

Command Line

com.sku

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sku/app_push_lib/plugin-deploy.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.sku

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | wxmp.99114.com | udp
CN | 58.83.155.120:80 | wxmp.99114.com | tcp
CN | 58.83.155.120:80 | wxmp.99114.com | tcp
GB | 142.250.187.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.187.226:443 | | tcp
GB | 142.250.187.228:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
GB | 142.250.200.14:443 | | tcp

Files

/data/data/com.sku/app_push_lib/plugin-deploy.jar

MD5 610ae20fa40cb991ef4670582bc3996a
SHA1 bad8dbc9b7226fbd4f1b97dabe777c36605ccc9b
SHA256 010690c6a9fe3d6e21c33940453cb2a5c41e26ac24ea42e3732111613701eede
SHA512 8584fa3850e97276d6afef61dff9401531cd7830a3a7660fcc3b75c21c55196a59efad46ad763f1695f59c99874e29aa285ba9d9f43a5989d004a0e115d76b1b

/data/data/com.sku/app_push_lib/plugin-deploy.key

MD5 86896cfc29159ebebbdc72a7fea66d3c
SHA1 76f71e17f279e9010cd1f16d9c979f75bb9cbdb6
SHA256 4040246e2cd23768965dd2720eed8ab30b0891eb7324201ac1592e8e39eb7697
SHA512 89d4d3e88c41bf4c9cd527ed6c7af45e14545019b1d86414fd7965fb6dac79a6a8f1e8c4b4de4503e6bef2b98ad32f37d319c7e29e807b2b83d56cd867ab9ca6

/data/user/0/com.sku/app_push_lib/plugin-deploy.jar

MD5 058c9e49195a1ab48863deb84a028f63
SHA1 a35b0dc7822174cff3683e1aa2b5cf85833733df
SHA256 ce04c452c6c3dc56dee78205f036a779c7144eb607dede07aa054f93f77ad049
SHA512 081643598f3bbda4d2f560975f6e6fec8da94c8a578d80c05cf6f035ed3766db65de21cbe3ec92a16060e5ea1c1aebe37bd339de76365daf67648fd5967e5c47