Malware Analysis Report

2024-09-09 16:22

Sample ID 240611-tqslcatckn
Target 9ec61292fd3e43ce3a4c025166a50f9e_JaffaCakes118
SHA256 4490f03ec73651abc32f6a8f3429838eae6ac6a45c7f5225aced936f3035939f
Tags
discovery impact persistence collection credential_access evasion
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4490f03ec73651abc32f6a8f3429838eae6ac6a45c7f5225aced936f3035939f

Threat Level: Likely malicious

The file 9ec61292fd3e43ce3a4c025166a50f9e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery impact persistence collection credential_access evasion

Checks if the Android device is rooted.

Queries information about running processes on the device

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 16:16

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 16:16

Reported

2024-06-11 16:19

Platform

android-x86-arm-20240611-en

Max time kernel

133s

Max time network

188s

Command Line

com.AliveGameStudio.ChaseTarget

Signatures

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.AliveGameStudio.ChaseTarget

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
N/A 225.0.0.222:54997 udp
US 1.1.1.1:53 stats.unity3d.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp

Files

/data/data/com.AliveGameStudio.ChaseTarget/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 16:16

Reported

2024-06-11 16:19

Platform

android-x64-arm64-20240611-en

Max time kernel

162s

Max time network

188s

Command Line

com.AliveGameStudio.ChaseTarget

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.AliveGameStudio.ChaseTarget/cache/1582435991586.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.AliveGameStudio.ChaseTarget

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
N/A 225.0.0.222:54997 udp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 stats.unity3d.com udp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 142.250.178.14:80 www.google-analytics.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 142.250.180.3:443 tcp

Files

/data/user/0/com.AliveGameStudio.ChaseTarget/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/com.AliveGameStudio.ChaseTarget/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/user/0/com.AliveGameStudio.ChaseTarget/cache/oat/1582435991586.jar.cur.prof

MD5 f9431a0cde5766b6a47fe517f0dbe91f
SHA1 41ebffb9e03db4e211961286e6c233726d1c704f
SHA256 48409024aacda3669e2112419ca8742dedca12f5310521730db60c8387710616
SHA512 3102a350b8cdbfe686564eb79892a609f3cccd74d4b420f831156b1c57b736853f1cba0988d4dea7bf728f341e3ed2b997274684726afa2d97d31115e5213382