Malware Analysis Report

2024-09-09 16:27

Sample ID 240611-nykykswekr
Target 9e1279aed3b53b217c311e9d3288a712_JaffaCakes118
SHA256 e19ba8b72498629cd1e916eea90ade5bf73188582b5264080a831989bf61275d
Tags
discovery persistence collection credential_access impact
score
7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file 9e1279aed3b53b217c311e9d3288a712_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 11:48

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-11 11:48

Reported

2024-06-11 11:51

Platform

android-x64-20240603-en

Max time kernel

3s

Max time network

131s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.169.78:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-11 11:48

Reported

2024-06-11 11:51

Platform

android-x64-arm64-20240603-en

Max time kernel

3s

Max time network

132s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 11:48

Reported

2024-06-11 11:51

Platform

android-x86-arm-20240603-en

Max time kernel

8s

Max time network

139s

Command Line

com.vcread.android.screen.phone.ktx

Signatures

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.vcread.android.screen.phone.ktx

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | client.vcread.com | udp
TH | 8.213.214.23:80 | client.vcread.com | tcp
TH | 8.213.214.23:80 | client.vcread.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.vcread.android.screen.phone.ktx/databases/vcread.db-journal

/data/data/com.vcread.android.screen.phone.ktx/databases/vcread.db

/data/data/com.vcread.android.screen.phone.ktx/databases/vcread.db-shm

/data/data/com.vcread.android.screen.phone.ktx/databases/vcread.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 11:48

Reported

2024-06-11 11:51

Platform

android-x64-20240603-en

Max time kernel

8s

Max time network

130s

Command Line

com.vcread.android.screen.phone.ktx

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.vcread.android.screen.phone.ktx

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.213.14:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | client.vcread.com | udp
TH | 8.213.214.23:80 | client.vcread.com | tcp
TH | 8.213.214.23:80 | client.vcread.com | tcp
GB | 142.250.187.194:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/data/com.vcread.android.screen.phone.ktx/databases/vcread.db-journal

/data/data/com.vcread.android.screen.phone.ktx/databases/vcread.db

/data/data/com.vcread.android.screen.phone.ktx/databases/vcread.db-journal

/data/data/com.vcread.android.screen.phone.ktx/databases/vcread.db-journal

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 11:48

Reported

2024-06-11 11:51

Platform

android-x86-arm-20240603-en

Max time kernel

3s

Max time network

131s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 216.58.213.2:443 | | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-11 11:48

Reported

2024-06-11 11:51

Platform

android-x86-arm-20240603-en

Max time kernel

3s

Max time network

164s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.201.110:443 | | tcp
GB | 142.250.187.194:443 | | tcp

Files

N/A